PRIVACY POLICY
GRAND PRIX INTERNATIONAL PUBLIC COMPANY LIMITED

1. General Principles
1.1 General
Grand Prix International Public Company Limited (“GPI” or “Company” or “we”) firmly adheres to operating our businesses in compliance with the relevant laws. Considering the importance of protecting personal data belonging to the parties relevant to GPI’s business operations, we have developed a personal data management and up-to-date information technology system to ensure that personal data is safely and efficiently protected. In this regard, GPI only allows certain designated personnel or relevant person(s) to access personal data. Moreover, GPI has established a system where we rigorously inspect the access and use of personal data, which includes regular repairs and updates of the collection and maintenance of personal data to ensure that the system is accurate and trustworthy in order to prevent a breach, unauthorized modification of personal data, or use of personal data for purposes other than what GPI has identified the relevant parties.

This document explains about the types of personal data and purposes of the collection of personal data to be used or disclosed, the time period which the data is stored, types of person or department which GPI may disclose the personal data which we have collected, rights of the personal data subject, including the safety measures for protecting personal data that are relevant to the applicable laws and any other information relevant to GPI’s management of personal data.

This document is part of the agreement and conditions for using GPI’s services. GPI reserves the right to revise, amend, update, add, or change the policy contained within this document through prior notification and request for your consent in accordance with the relevant laws relating to personal data.

1.2 Definition
To ensure clear communications with the relevant parties to our business operations and to prevent concerns over the interpretation of certain terms in this document, we have defined the terms used in this document, as follows:

“GPI” means Grand Prix International Public Company Limited.

“Personal Data” means information relevant to a person which enables the identification of such person, whether directly or indirectly.

“Sensitive Data” means sensitive personal data specified in Section 26 of the Personal Data Protection Act B.E. 2562.
“Data Controller” means a person or a juristic person having the power and duties to make decisions regarding the collection, use, or disclosure of the Personal Data.

“Data Processor” means a person or a juristic person who operates in relation to the collection, use, or disclosure of the Personal Data pursuant to the orders given by or on behalf of a Data Controller, whereby such Person or juristic person is not the Data Controller.

“Partner” means a person or a juristic person, either individually or collectively, who is authorized or has been empowered to perform on behalf of a juristic person to become a party to a commercial agreement with GPI in a capacity as Partner. This includes a supplier, seller, service provider or consignor.

“Exhibitor” means an exhibitor who has entered into an agreement to exhibit products or cooperate together with GPI in business, marketing, public relations, or other activities which GPI has organized.

“Visitor” means a person who has an interest in participating in an activity or visiting an exhibition which GPI has organized, whether such an activity or an exhibition is through online channels or at an exhibition center. This includes a person who participates in answering the questions, survey, satisfaction survey when visiting the website, online media or GPI’s exhibitions.

1.3 Relevance
GPI will carefully consider that the collection, use and disclosure of Personal Data of the relevant persons is within its legitimate business purposes, as follows:
1.3.1 is in accordance with the relevant laws;
1.3.2 is necessary to perform the duties under the contract which the Personal Data subject has entered into with GPI as a commercial party; and
1.3.3 for purposes which are considered necessary other than what the laws provide, or is necessary to perform contractual duties or for the benefit or advantage of the Personal Data subject which is greater than that of a general contractual party’s.

2. Principles of Limited Data Collection
2.1 Personal Data Being Collected
This policy applies to Personal Data which the Company may collect, including where the Personal Data subject has given consent, as follows:
(a) General Personal Data. For example, surname, last name, signature, birth date/ month/ year, national identification card number, passport, government issued identification card, address shown in the national identification card, residential address, current address, mobile phone number, online platform user account, electronic mail, bank account number, account or list or history of company stock ownership or securities, national identification
card photo, activity participation photo, PSN_ID number used when participating in a competition or an activity, employee’s identification number, voice recording of conversations where the Company’s employees or customers are involved.
(b) Sensitive Personal Data. For example, racial, ethnic origin, religious beliefs, blood group, family status, medical examination data, medical history, accident history which is related or unrelated to employment but has been disclosed to GPI, medical diagnosis result, heath data, union information, sexual behavior, disability, criminal records, work performance outcome, opinions expressed through online social media, facial scan, eye scan, finger print, genetic data, biometric data and any other data which may have an impact upon the Personal Data subject in accordance with the relevant laws.
(c) Other Personal Data. For example, educational history, employment history, vehicle registration plate, motorcycle which is registered with the government department, occupational number or code which is specified by the law, product reference number which product users have registered to obtain warranty for such product or service, financial status, income, debt, consumer behavior, review demonstrating an opinion or satisfaction or experience in using the product, opinion when participating in an activity, visiting information for online and offline activity, still image recording, moving image recording of Visitors, registered interviews, prize coupons and any other data which cannot directly identify Personal Data subject on its own but when incorporated with other data, the Personal Data subject identifiable.

2.2 Collection of Personal Data
2.2.1 General Personal Data
Regardless of whether the personal data protection law allows GPI to collect Personal Data from the relevant parties in their capacity as direct contractual parties, or authorized persons to act on behalf of a juristic person, or authorized persons through power of attorney to enter into an agreement without having to obtain their consent, GPI still maintains that these relevant parties have the right to participate in the data collection process. In this regard, GPI will ensure that the relevant parties are notified that the contractual party will have to disclose only the Personal Data which is necessary in entering into a contract with GPI. That said, the relevant parties must also comply with the applicable laws regarding the performed legal action or contract. Moreover, GPI may collect data without having to obtain prior consent from the Personal Data subject in the following circumstances:
(a) the collection is for scientific, historical, or statistic research purposes where suitable measures have been provided to protect the fundamental rights, interest and freedom of the data subject as prescribed by the laws;
(b) the collection is to prevent or suppress a danger to life, body or health of a person;
(c) the collection is necessary to perform duties in the contract which the Personal Data subject has entered into with GPI, or to comply with the request of the Personal Data subject before entering into any contract with GPI;
(d) the collection is necessary to perform Data Controller’s duty to serve the public interest, or to perform the public duty in accordance with the power which has been granted by the government to GPI;
(e) it is necessary for the legitimate interest of GPI or a person or a juristic person other than GPI, unless such interest is less important than the basic fundamental right of a data subject in regards to Personal Data;
(f) it is necessary to comply with the laws which GPI has a duty to comply.
2.2.2 Sensitive Personal Data
GPI may collect sensitive Personal Data without having to obtain prior consent from the data subject in the following circumstances:
(a) the collection is necessary for GPI to prevent or suppress a danger to life, body or health of a person, where the data subject is incapable of giving consent by whatever reason;
(b) it is information that is disclosed to the public with the explicit consent of the data subject;
(c) it is necessary for the establishment, compliance, exercise or defense of legal claims for GPI;
(d) it is necessary for GPI to perform its legal duty relating to preventive medicine or occupational medicine, work capability assessment of an employee, medical diagnosis, the provision of health or social care, including requirements under employment protection, social security, national health security, social health welfare of an entitled person by law, the road accident victims’ protection, or social protection, statistic studies or other public interest, including where the collection of Personal Data is necessary to serve a significant public interest in which GPI has established appropriate measures to protect the fundamental rights and interest of the Personal Data subject.

2.3 The Collection and Receipt of Personal Data
GPI firmly complies with the legal requirements by collecting Personal Data from the data subject only, unless the data subject cannot or is not the person who collected Personal Data. In this case, GPI may collect such data from other sources but only to the extent where GPI has received prior written consent from the data subject. Generally, circumstances in which GPI may collect Personal Data directly from the data subject and other sources are listed below.
2.3.1 Job Applicant or Employee
(a) Collection of Personal Data relevant to the health or disease of a job applicant in which the Company has specified a requirement for potential employees to undergo a medical check at a medical institution prior to commencing an employment with GPI and such institution is to report the outcome directly to GPI.
(b) Collection of Personal Data relevant to convicted crime or criminal record. In this regard, GPI may require a job applicant of any position to undertake a criminal record check or allow GPI to obtain a criminal record on behalf of an applicant or
an employee and allow GPI to maintain such data for a certain period in accordance with GPI’s requirement.
(c) Collection of Personal Data relevant to employment history prior to joining GPI where the data subject has given prior explicit consent each time. In this regard, GPI will inform third parties that the data subject has given consent before the data is transferred to the Company.
2.3.2 Customer and Product User
Where the data subject is interested in a product or has ordered a product from GPI, including where the data subject has communicated with GPI to receive after-sales service, provided a review, an opinion, or a satisfactory product experience, such communications between the Personal Data subject and GPI, whether via phone, e-mail, GPI’s application used in communications, customer service, or any other methods of communications, GPI may record the communications for various purposes. For example, to use as evidence, to improve and develop our service, to follow up on the Personal Data subject’s satisfaction, to train personnel, to conduct tests on personnel, to analyze data and to improve GPI’s systems.
2.3.3 Partner
In circumstances where a Partner has authorized an individual or a group of persons to engage with GPI in accordance with the terms and conditions of the relevant agreement, whether in capacity of a seller, consignor, service provider, agent, product distributor, including service center under GPI’s name which specifies standards relating to the capability of relevant persons to provide service or respond to the use of product or service, GPI will collect, use or disclose Personal Data of such relevant persons for the purposes which GPI has mentioned in this document or in accordance with the terms and conditions of the relevant agreement.

3. Data Quality Principles
Before or during GPI’s collection, use or disclosure of Personal Data belonging to the relevant parties, GPI’s Personal Data management system will analyze various Personal Data in accordance with the standards to ensure the data is correct, complete, ready to be used, not misleading, up-to-date, distinctive and accurate.
In relation to the abovementioned Personal Data process, GPI has organized relevant personnel to conduct an analysis and planning to arrange the collection of specific, distinctive and accurate data which is appropriate for the use or disclosure of Personal Data belonging to the relevant parties to ensure optimum benefit. This process includes an inspection to ensure the accuracy of data received before collection, including recording the data in physical or electronic copy to ensure the data is complete and accurate. Additionally, we check for data accuracy by requesting the same from other reliable sources or from sources which, in accordance with the legal requirements, are departments
which are responsible to manage the relevant Personal Data. Moreover, the process protects Personal Data to ensure the safety and integrity of data to prevent future legal and commercial claims.

4. Principles on Purposes
GPI specifies purposes which are necessary for the collection, use or disclosure of Personal Data belonging to the parties relevant to the business operations in accordance with the legitimate purposes. In order to together achieve the provision of service and benefit to the Personal Data subject, the parties relevant to GPI’s business operations are as follows:
4.1 Shareholder, Managing Director and Authorized Director on behalf of GPI
GPI will collect, use or disclose Personal Data in its capacity as shareholder, managing director, authorized director to perform actions on behalf of GPI including to enter into a binding commercial agreement, general agreement, to grant approval to perform various actions, to authorize a person or persons to perform actions in relation to business, legal, banking and finance purposes, to communicate with the government department, to perform general actions relevant to providing meeting invitations, notifying the meeting resolutions, managing dividends, issuing business performance report in accordance with the required regulations or laws, and to donate or to organize corporate social responsibility events.
4.2 Employee and Family Member
GPI will collect, use or disclose Personal Data belonging to an employee to the extent that is applicable to the recruitment, selection, entering into an employment agreement, confirmation to commence employment or to access the internal communication system, calculation and payment of salaries, benefits, performance assessment, salary adjustment, record of disciplinary action including penalty, training and management of employee in accordance with the employment agreement, checking criminal record, transfer or relocate position, reimbursement in accordance with the work rules, liaise with management employee regarding medical appointment, airline ticket reservation, visa application, accommodation reservation, service provider reservation, medical health examination in accordance with the legal requirements and which Company provides, including to arrange for welfare and benefit for employees and their family members, sending information to external party in accordance with the legal requirements relevant to the revenue department, social security department, labor skill development department, legal execution department, internal Company management, internal communication, reimbursement, asset ownership, building administration management, postal management, entry and exit office record, inspection and assessment from both internal and external parties, including the sending or transfer or disclosure of data to the relevant service provider to liaise and communicate with the customer.
For employee’s family member, GPI will collect, use or disclose Personal Data only to the extent that is necessary in circumstances where GPI has to comply with the laws or to perform other actions which are for the benefit of the employee or family member. In this regard, GPI will seek to obtain consent from the family member which GPI will collect, use or disclose Personal Data through the employee. In any event, where the employee fails to act in
accordance with the appropriate procedures to allow GPI to comply with the laws, this may have an impact upon the employee, including the employee may be unable to use the benefit or welfare which is provided by GPI. In this regard, GPI reserves the right to organize, deliver, pay benefit or welfare if the employee or the family member fails to act in accordance with the laws.
4.3 Partner and Exhibitor
GPI will collect, use or disclose Personal Data belonging to a Partner and Exhibitor. This includes supplier, consignor, distribution agent, employer, manufacturer, product exhibitor and person(s) under their command, assigned person(s). Exhibitor here also extends to meanings relating to new accounts receivable, new accounts payable, price quotation, negotiation, agreement, promotional activity, meeting, training, domestic and international seminar, business certification, domestic and international exhibition or debut or demonstration of product, sales management, training, assessment on technical abilities, advertisement, print media production, sales rewards, seller registration, procurement, seller assessment, outsourcing service agreement, document and product delivery. For lecturer or speaker giving advice on the training process, seminar, meeting, personal record, educational record, work experience, special skills, photos when participating in an activity. For auditor to conduct an assessment from an external organization, GPI will collect Personal Data of the auditor only to the extent necessary for certified public accountant registration identification.
4.4 Customer, Product User, GPI’s Activity Participant
GPI will collect, use or disclose Personal Data belonging to a customer, product user and GPI’s activity participant for the benefit of customer, including to offer product, to coordinate sales, to apply for magazine membership, to register new customer, to determine customer’s credit limit, to conduct pre-sales service, during sales service and post-sales service, to inspect surname, last name and phone number, delivery address and evidence of payment, to conduct reviews (expressing an opinion, public relations, expressing feelings, notifying result after use of goods and/or product), to survey customer satisfaction, to confirm or identify identity in order to visit product exhibition both domestically and internationally, to participate in an activity, to proofread, to create print media design, create online media, creating content, product exchange, managing customer complaint, promotional offer, notifying benefit to customers, activity participation, receiving reward, gift, souvenir, business certification, to create activity between customer and product owner through live or video conference which GPI will collect, use and disclose activity participants in accordance with the conditions which the Company or the product owner specifies, including the assignment, transfer or disclose data to a delivery service provider to deliver products, communicate with customer to collect return product, or to financial institutions to reimburse product payment to customer, including to analyze HTTP cookies to improve online marketing capabilities.

5. Principles on Limited Use
GPI will carefully consider the use of Personal Data belonging to the relevant parties to the extent that is limited to the purposes which GPI has notified the relevant parties before or during the collection of such Personal Data.
Other than GPI’s regard to the privacy and fundamental right of the relevant parties in their capacity as Personal Data subjects, together with the provisions, regulations, rules, and relevant government requirements, GPI will consider using the Personal Data for the benefit or to serve the relevant parties in their capacities as service recipients in accordance with the purposes which are limited to the followings:
(1) to contact and ask questions from customers and Partners;
(2) to deliver product, service or ordered goods, including to deal with the order, exchange and return;
(3) to manage and comply with the agreement with GPI which the Personal Data subject is a party to;
(4) to conduct market research and to develop new product and service;
(5) for purposes other than what was mentioned above; if it is necessary for GPI to collect or use Personal Data for purposes other than the abovementioned, GPI will request for consent to be given before the collection, use and disclosure of Personal Data strictly in accordance with the relevant laws.
Nevertheless, for Personal Data belonging to the relevant parties which GPI has collected, used or disclosed before the enforcement of the personal data protection laws, GPI will continue to collect and use the data in accordance with the previous purpose(s) which GPI has already notified and requested for consent in line with GPI’s business operational method. In this regard, GPI has applied said process to the relevant parties prior to the personal data protection laws came into force in accordance with the period specified in this document, unless it is a case where a specific time period is provided. If GPI were to disclose or use Personal Data for purposes which GPI has previously notified, GPI would strictly comply with the laws and significantly consider the privacy of Personal Data subject.

6. Principles on Data Safety
6.1 Safety and Security of Data Stored in Normal Document System
GPI has specially specified standards for the safety and security of Personal Data that is recorded in hard copy by way of collecting the relevant data in accordance with the policy and practice guidelines for operational control and information security policy (“Informational Security Policy”) where the Company has clearly outlined the method of practice in GPI-ITP-DN-01-220464.
6.2 Safety and Security of Data Stored in Electronics System
GPI has specified standards for the safety and security of Personal Data by taking into account the fundamental right of the relevant parties whose such Personal Data belong to. In this regard, GPI has designed the most appropriate and secure telecommunication, network and computer system to continuously support the Company’s operations, which is in line with the relevant legal requirements and which offer protection to the threats which may cause damage to GPI.
1. GPI has arranged to establish Informational Security Policy in writing and communicate such policy with all relevant parties to enhance understanding and compliance, especially
between the information technology department and the rest of the departments within the Company to enable cooperation and business operations to achieve set goals.
2. GPI has arranged to review Information Security Policy at least once a year, or whenever there has been a change which affect the security of the Company’s information technology.
3. GPI has arranged responsible person(s) to especially manage information technology risk to ensure that the Company is able to create methods or guidelines on informational technology to reduce the risk or manage the existing risk, and present the same to the executive member for consideration.
4. GPI has stipulated the risk relevant to information technology to cover significant risks, for example, risk from personnel, risk from software and information from the network and the internet, risk from hardware and computer equipment, financial risk, flood, windstorm, earthquake, collapsed building, theft and power outage.
5. GPI has established a risk management method to manage the risk to the level which the Company deems acceptable by creating a characteristics table containing details on the risk including heading, name of risk, type of risk, nature of risk, risk factor and impact, etc. It also contains the degree of possible occurrence and the severity of the impact from the risk.
6. GPI has specified an information technology risk indicator and has arranged to follow up and report on the indicator to the responsible person(s) to enable GPI to manage the risk appropriately and in time.
7. GPI prohibits its personnel from using the computer network to commit illegal acts and acts which are contrary to public morals, for example, to create a website to sell or distribute illegal products or products which are contrary to public morals.
8. GPI prohibits the use of computer network or a computer by using someone else’s account; this includes circumstances where the consent has been obtained and has not been obtained from the account owner.
9. GPI prohibits the use of computer network and protected data to prevent modification, erasure, addition or copy of such data.
10. GPI prohibits the dissemination of data belonging to others or the organization without consent from the data subject.
11. GPI prohibits harassment, interruption, or action which cause damage to the Company resources and computer network. For example, sending computer virus, feeding program which causes computer or network equipment to become disabled.
12. GPI prohibits interception of communication within its computer network and other computers which are involved in the sending and receiving of information.
13. Before using portable media or opening e-mail attachments or downloaded files from the internet, user must perform a virus check by using an antivirus program each time.
14. GPI has delegated the responsibility to ensure the safety and security of the telecommunication system to its technology users. This includes control over operations to maintain the efficacy of the policy and practice guidelines for information technology safety and security.
15. All GPI’s employees must follow the Company’s policy and practice guidelines for information technology safety and security and must not commit offences relating to computer.
16. GPI does not allow users to install, modify or make changes to computer programs on GPI’s computers, unless the users have consulted or received advice from system administrator or have obtained permission from a person with highest authority in the department.
17. GPI has a designated network connection route for the internet. To access the network, one must go through a security system which includes a firewall. Before users connect GPI’s computer to the network, they must install antivirus program and repair loopholes in the operating system. Also, after users have finished using the internet, users must close the web browser to prevent unauthorized access.
18. Users must be able to access the source of information in accordance with their designated responsibility to promote the efficiency of network system and the safety of the Company. Users are prohibited from disclosing the Company’s important confidential data unless such disclosure was made in accordance with the Company’s policy.
19. Users must use the internet in a manner which does not encroach on others’ rights and does not inflict damage upon the Company. Also, users must refrain from doing an act which is considered an offence under the Computer Crime Act or other relevant laws. In this regard, when users use the internet to perform the tasks assigned by the Company, users must at all times strictly follow the procedure which the Company has prescribed.
20. Classification of confidential data: there must be a classification of type of data in accordance with its mission and importance. The classification must specify methods to manage each type of data, including methods to manage confidential data or important data before termination or reuse. When sending important data through a public network, the connection must be encoded by using, for example, secure socket layer or virtual private network (VPN).
21. GPI has standards for assessing the data accuracy which is collected, imported, assessed and displayed. In circumstances where the same data is stored in multiple locations or where a correlated data set is stored, control must be asserted to ensure that the data is complete and accurate. The safety and security of data standards also extend to where GPI’s computers are brought outside the Company, for example, to be repaired. In this case, data stored in the recording media must be destroyed first.
22. GPI has established control over data access and equipment used in assessing data by taking into account the use and safety and security of the information technology system. As such, GPI has prescribed rules relating to permission access, setting permission rights so that users at all levels acknowledge, understand and are able to strictly follow the practice guidelines. GPI also acknowledges the importance of safety and security of information technology system. As such, GPI has set permission rights to use data and information technology system, for example, GPI has given users the right to use information technology system program and the right to use the internet to suit their positions and responsibilities. Such rights were granted to the extent that was necessary to perform the tasks under their responsibilities and have been approved from authorized personnel in writing. GPI also regularly reviews permission rights.
23. In circumstances where it is necessary for users whose important data belong to have assigned the right to other users to access or modify their data, for example, when users shared files, such assignment must be given to a specific individual or group only and must be terminated when it is no longer necessary. Moreover, the data subject must have evidence of the assignment, must specify the use time period and must immediately cease usage once such time period expires.
24. In circumstances where it is necessary for users to assign rights to others or to permit the right to use information technology system in an urgent or temporary manner, users must follow the steps or procedures in place. Additionally, users must request permission from an authorized person each time and record the reason behind the use and necessity, including prescribe the use time period and immediately cease usage once such time period expires.
25. GPI has a sufficiently secure authentication system and access rights for users before they access the information technology system, for example, GPI set passwords which are difficult to guess. Additionally, GPI requires each user to have own account. In relation to GPI’s consideration of whether a password is difficult to guess or whether password control is secure, GPI will use the following factors for overall consideration.
26. Before accessing the system, user must go through an authentication process by providing the password which was prescribed by an administrator. Password must be changed regularly and during each time of changing the password, the new password must not be the same as the password which was used the last 3 times. Password must be kept confidential; cannot be written on a piece of paper and displayed on the monitor. In a case of shared users, the administrator must notify the users to change the password when there is a change in affiliated users.
27. GPI has established a regular inspection of the systems’ list of users and has inspected list of users who are no longer permitted to use the system. These are, for example, list of users who no longer work at the Company and list of users which came with the system. GPI suspends usage as soon as irregularity is detected, such suspension involves, for example, disabling access to cease function or deletion from the system or changing the password.
28. GPI has allocated a data center room, dividing the network system into host computer, uninterruptible power supply, battery for uninterruptible power supply, to promote operational convenience and support ability to efficiently control access to important computer equipment.
29. GPI has prepared an agreement to transfer data by taking into account the safety and security of the data and system administrator who controls the operations. The purpose is to ensure safety in 3 aspects: to maintain confidentiality, to maintain data accuracy and to maintain readiness to provide services. Confidentiality agreement has been organized to be signed between the Company and external party to not disclose the Company’s confidential information. Additionally, standards to follow up and inspect the operations and quality of the external party’s services have been arranged in accordance with the terms and conditions of the agreement.

7. Disclosure Principles
GPI may disclose Personal Data to relevant parties as mentioned above or to other persons or juristic persons to achieve the abovementioned purposes in accordance with the followings:
7.1 Person or juristic person who owns the product brand for the purpose of collecting purchase history, which GPI will only disclose to the brand owner only or only Personal Data necessary to perform this purpose;
7.2 Government department which the Company must comply with its announcements, rules, legal provisions, including the Revenue Department, Social Security Department, Department of Business Development, Office of the Consumer Protection Board, Thai Industrial Standards Institute, Customs Department, Department of Employment, Department of Labour Protection and Welfare, Department of Skill Development, the Stock Exchange of Thailand and Bank of Thailand.
7.3 Allied partners of Company: Company may disclose your Personal Data to others who have agreed to be its allied partners, for example, financial institutions, insurance companies, medical institutions, securities companies, fund management companies for the benefit and welfare of the relevant parties.
7.4 Professional service providers, including financial consultant, legal consultant, quality system consultant, account auditor and internal auditor.
7.5 Providers of services relating to infrastructure and information technology, data storage and cloud service.
7.6 Provider of services relating to marketing, statistical data preparation, advertising, public relations and communications.
7.7 Any other person required by the laws whereas the relevant laws, regulations, rules, orders from the government department, responsible department or orders from the judiciary department require the Company to disclose your Personal Data and the Company has to comply by disclosing such Personal Data.

8. Principles of Data Subject Participation
Other than the data subject’s fundamental rights relating to GPI’s collection, use or disclosure of Personal Data, including the right to be informed, right to access, right to rectification, right to erasure, right to restriction, right to notification, right to data portability, right to object, right not to be subject to automated decision-making, the data subject also has other rights in accordance with the relevant legal provisions, including the followings:

8.1 Right to give consent. The data subject has the right to choose to provide or not to provide any Personal Data which GPI requests, and give consent to GPI to collect, use or disclose such Personal Data. However, the data subject should be aware that not providing complete Personal Data in accordance with GPI’s request or refusal to collect, use or disclose such Personal Data may lead to the data subject’s limitation to use the Company’s certain service, or result in the Company’s inability to provide service to the data subject if such data is necessary for the provision of service.

8.2 Right to access and request for copy of Personal Data, or right to request the Company to send Personal Data to the data subject or other Data Controllers (if the data is in the form which allows such an action), including the data subject’s ability to request for information regarding the collection of Personal Data if the data subject did not give consent to the collection of such data.

8.3 Right to object. The data subject has the right to object to the use, collection or disclosure of the Personal Data relevant to the data subject, if the Company is able to collect such data without obtaining your consent or such data is collected, used or disclosed for the purpose of direct marketing or research studies.

8.4 Erasure, extinguish, or restriction of use. The data subject has the right to request the Company to erase or restrict the use of his/her Personal Data the Company maintains, or request the Company to convert such data into anonymized data where the data subject cannot be identified if the data subject revoke or object to the use and disclosure of his/her Personal Data, or where it is no longer necessary to keep, use or disclose in accordance with the purposes which the data subject has given consent, or when the Company is not complying with the relevant Personal Data protection laws.

8.5 Right to rectification. The data subject has the right to request the Company to rectify the Personal Data which the Company stored to ensure that such data is correct, up-to-date, complete and not misleading.

8.6 Withdrawal of consent. The data subject has to right to withdraw consent to the collection, use or disclosure of Personal Data, but the consent withdrawal shall not affect the collection, use or disclosure of Personal Data which the data subject has given prior consent. In any event,
such withdrawal of consent may result in the Company’s inability to continue providing you with our service.
In regard to exercising your rights, you acknowledge that your rights as data subject mentioned in Clause 8.1-8.6 above are limited rights in accordance with the relevant laws and the Company may refuse to the use of your rights if the Company has legitimate grounds to do so.

Nevertheless, your exercise of rights as data subject as mentioned in this document is only limited to the provision of fundamental service where the Data Controller would not incur unnecessary expenses. If, in the course of the relevant Personal Data subject’s exercising his or her rights, incur fees or expenses to process Personal Data subject’s requests, the Personal Data subject must be responsible for reimbursing the Company for such fees or expenses.

9. Principles of Data Subject Participation
9.1 Time Period which GPI Stores Personal Data belonging to the Data Subject
Unless otherwise specified in accordance with the legal requirements, GPI will collect Personal Data belonging to the relevant parties to its business operations for a period of 7 years commencing from when GPI’s legal relationship with such relevant parties comes to an end, unless in circumstances where it is necessary to using or making counterclaims in accordance with the laws, the execution thereof, asset placement or where the laws specifically provide.

9.2 Monitoring System for Erasure and Extinguishment of Personal Data Once Storage Period Expires
GPI has established a monitoring system to erase or extinguish Personal Data belonging to the relevant parties once the storage period expires or becomes irrelevant or exceeds the necessity in accordance with the purposes or in accordance with the Personal Data subject requests or withdrawal of consent, unless it is a case where GPI must maintain for the purposes of freedom of expression or in accordance with a specific legal exemption, including making counterclaims in accordance with the laws or to comply with the laws.

9.3 GPI’s Relevant Data as Data Controller
If you wish to contact GPI to exercise your Personal Data rights or if you have any other questions regarding your Personal Data, you can contact GPI in the details provided below.

Data Controller
Grand Prix International Public Company Limited
4/299 Moo 5 Soi Lat Pla Khao, 66 Lat Pla Khao Road, Anusawari Subdistrict, Bangkhen District, Bangkok 10220
Tel: 02-522-1731-8