Personal Data Privacy Policy - Lufthansa Services (Thailand) Ltd.

Privacy notice

Announcement : Personal Data Privacy Policy

Lufthansa Services (Thailand) Ltd. (the “Company”, “we” or “our”,) realize the importance of the Personal Data protection and have implemented Personal Data management system consistent with Personal Data Protection law and the related laws. Therefore, the Company would like to notify you of our compliance with Personal Data Protection law as follows:

1. Definition
“Personal Data” means any information relating to a person, which enables the identification of such person, whether directly or indirectly, but not including information of deceased persons;

“Sensitive Personal Data” means Personal Data pertaining to racial, ethnic origins, political opinions, cult, religious or philosophical beliefs, sexual orientation, criminal records, health data, disability, trade union information, genetic data, biometric data such as fingerprints or facial recognition, or, of any data which may affect the data subjects in the same manner, as prescribed by the Personal Data Protection Committee; and

2. Collection of Personal Data
The Company may collect your Personal Data as follows:

General Personal Data:

a) Personal Data including, among others, name, surname, date and place of birth, marital status, picture, video recording, signature, information as appeared in Identification Card or passport, copy of Identification Card and Identification Number;

b) contact information including, among others, address, telephone number, LINE ID, contact information on social media identification account, and workplace contact details;

c) security-related information such as CCTV footage and identification of your assets such as vehicles and its registration number in the case of entry to the areas and premises of the Company;

d) work-related information such as job title and position, business or organization you represent or work for, educational background, professional experience and training history;

e) financial information such as bank account number, financial transactions and tax-related documents pertaining to any transaction you may have with the Company;

f) information related to the use of and access to electronic systems relating to the Company including without limitation such email, IP Address, geolocation, browsers, Log file, Cookies inclusive of chat history in various applications and any comment on or reference to the Company or its businesses on the internet or other media;

g) other information provided during your contact or participation in activities relating to the Company inclusive of video recording, photographs, voice recording, comment, feedback, satisfaction and other recommendations related thereto.

Sensitive Personal Data:

a) Sensitive Personal Data such as health and disability information, biometric data or behavioral, attitude and aptitude assessment.

However, the Company will seek for your consent for the collection and processing of any such Sensitive Personal Data, with the exception of certain cases as prescribed by the Personal Data Protection Act BE 2562 (the “PDPA”).

Verification of your identity: The Company hereby inform you that in the event that we are required to request copy(ies) of your personal identification data such as identification card, passport or other documents which may contain Sensitive Personal Data such as religion or blood group, the Company have no intention to collect any such Sensitive Personal Data. Therefore, the Company kindly request that you delete or redact any such Sensitive Personal Data. Otherwise, you authorize the Company to delete or redact such Sensitive Personal Data provided that the relevant personal identification document remains in full force and effect. In the event that we are unable to delete or redact any such Sensitive Personal Data due to restrictions, the Company hereby reaffirm that the sole purpose of the collection and use of your of the copy(ies) of your personal identification data is the verification of your personal identity and that the Company have no intention to collect or use such Sensitive Personal Data.

3. Respect of Personal Privacy
The Company respect Data Subject right of Personal Data and we are also aware of the Data Subject intention for the due protection of their Personal Data. As such, any Personal Data submitted to the Company will be used only for the stated purposes. In addition, the Company have strict security measures and protection to prevent unauthorized access to or use of your Personal Data.

4. Collection of Personal Data
In the direct collection of your Personal Data, inclusive of the use and disclosure thereof, the Company shall obtain your consent should it is required by law and shall use the Personal Data only as necessary and only in accordance with the purposes specified.

However, the Company may collect your Personal Data from other sources but only as necessary and carried out in accordance with legal requirements such as from relevant service providers or public media, for instance.

5. Purposes for the Collection, Use and Disclosure of Personal Data
The Company collect, use, and disclose your Personal Data for the following purposes:

This notice applies to individuals at clients or potential clients, suppliers or potential suppliers, and partners and potential partners of ours in respect of whom we hold personal data. This notice does not form part of a contract to provide services or any other contract. We may update this notice at any time. With the following information, we would like to give you an overview of how we will process your data and of your rights according to data privacy laws. The details on what data will be processed and which method will be used depend significantly on the services applied for or agreed upon.

Purposes

a) to take steps at your request prior to entering into a contract or for the performance of a contract:
• sign-up, enrollment or registration of any kind with the Company;
• procurement or sales of products;
• providing or receiving services in various forms;
• performance of obligations in relation to financial transactions with the Company; and
• administration of contractual relationships and contract management.

b) for legal compliance:
• compliance with existing and future laws or regulations applicable to the Company such as tax law, labour law and electronic transaction law; and
• compliance with lawful orders of relevant government authorities, regulators or competent officers.

c) for the legitimate interests of The Company:
• verification and authentication of your identity;
• satisfaction survey and assessment of the services of The Company;
• access control and security control in and outside of the buildings, premises, areas and production units including its information and IT systems of The Company;
• risk management and prevention thereof, including internal and external audit of The Company;
• commencement and exercise of legal claims or legal action and related proceedings;
• participation of and arrangement of activities or events of The Company;
• administration of complaints, suggestions, or requests; and
• communication and coordination of and within The Company.

d) for the vital interests:
• prevention of life-threatening situations or incidents which may harm the health or cause bodily injury to the data subject or others.

e) for the public interest:
• prevention and control of diseases.

f) by consent of the data subjects:
• collection, use and disclosure of Sensitive Personal Data the use of is not permitted by any lawful basis, except for your explicit consent;
• in case of a minor, incompetent or quasi-incompetent person requiring consent from, as applicable, his/her parent, guardian, or curator.

g) establishment, exercise, defense of, or compliance with legal claims:
• to establish, exercise, defense or comply with the legal claims.

In the event that the Personal Data collected by the Company in relation to the aforesaid purposes are required for the performance of contractual obligations or in accordance with applicable laws. In case of your refusal to provide the Personal Data required, the Company may not be able to proceed with your request to enter into a contract with us, or to perform its obligations under contracts, or it may be considered as an infringement of relevant laws and may cause the Company not to be able to facilitate services for you.

Should there be any modification to the purposes for the collection, use or disclosure of Personal Data, the Company will inform you of any such modification and comply with other legal requirements, including the recording as evidence of the amendment of the purposes stated in this Policy. In addition, where you provide the Company with the Personal Data of other person(s) such as you acting as a personal assistance or coordinator of a Data Subject, the Company request that you notify the Data Subject of this Policy, inclusive of seeking for the Data Subject consent. Where necessary, the Company reserve the rights to ask for relevant document or other evidence demonstrating your notification to the Data Subject of this Policy and the relevant consent(s).

6. Retention Period of Personal Data
The Company will retain your Personal Data only as necessary in connection with the specified purposes, and will collect, use and disclose your Personal Data, as defined in this Policy, in accordance with the duration criteria, namely the period during which you are still related to the Company; provided that, the Company may further retain your Personal Data as long as needed for legal compliance or as per legal prescription, for the establishment of legal claims, legal compliance or exercise of legal claims, or defense of legal claims, or for other purposes in accordance with policies and the internal regulations of the Company.

In the case where it is not possible to specifically specify the retention period, the Company will retain the Personal Data as may be reasonably expected per data retention standards such as the longest legal prescription of 10 years.

7. Security Measures
The Company have in place adequate and strict security measures, in accordance with Policy and Guidelines on Information Technology of the Company, to prevent loss, access, destruction, use, alteration, correction, and to prohibit unauthorized or unlawful use of Personal Data.

8. Your Rights as a Data Subject
As a Data Subject, you have the rights as prescribed in the PDPA and other rights as follows:

Rights

a) right to withdraw consent, unless your revocation of consent is restricted bylaw or contract to your benefits as a Data Subject;

b) right to access to the Personal Data and obtain a copy of your Personal Data under the Company care and responsibility as well as to request the disclosure of the acquisition of your Personal Data without your consent;

c) right to request for sending or transferring the Personal Data (Right to Data Portability);

d) right to object to the collection, use, or disclosure of Personal Data;

e) right to request the erasure of Personal Data (Right to be Forgotten);

f) right to restrict the use of Personal Data;

g) right to request for the correction, up-to-date, complete, and will not incur any misunderstanding of the Personal Data;

h) right to be informed in case of modification of this Policy;

i) right to complain to authorized officials or authorities as prescribed by the PDPA.

In the event that the Data Subject lodges his request to exercise the rights as prescribed by the PDPA, upon reception of such request, the Company will proceed within the duration of time as prescribed thereby. However, the Company reserve the right to deny or not to proceed with the request if allowed by law. In addition, in the case that the Data Subject has chosen to provide the Company with only certain Personal Data, the Company may not to be able to collaborate with or to provide full services to or to perform contractual obligations that we have with the Data Subject, if the Data Subject does not consent to the provision of information as required by the Company.

9. Disclosure of Personal Data to Third Party
The Company may need to disclose Personal Data within its group of companies – Lufthansa Group – or to other persons or business units that are strategic allies in Thailand or in a foreign country cooperating with the Company in the procurement and/or delivery of services, or as necessary to comply with the Company rules and regulations or any contractual obligation in providing goods or services and any business operation related thereto; or, in case of reorganization, merger and acquisition or sales of the Company. In addition, the Company may be required to disclose Personal Data to external auditors or relevant authorities or public agencies or organizations concerned as prescribed by law or by court order or by the order of authorized officials, provided, however, that, in respect of the Company, the Personal Data will be kept confidential, either in paper form or electronic form, including during its transfer.
In case of an international transfer of Personal Data, the Company will strictly comply with the conditions laid down by the PDPA.

10. Data Protection Officer
The Company have complied with the PDPA by appointing a Data Protection Officer (DPO) to review the Company collection, use and disclosure of Personal Data to ensure conformation with the PDPA and related laws.

11. Contact
Lufthansa Services (Thailand) Ltd.
Address: 999 Moo 1 A4-091A Concourse Building Bangna-Trad Hwy.KM.15, Rachathewa, Bangpli Samutprakarn 10540 Thailand
Tel: 02-134-2210

________________________________________

Data Protection Officer (DPO)
Address: 999 Moo 1 A4-091A Concourse Building Bangna-Trad Hwy.KM.15, Rachathewa, Bangpli Samutprakarn 10540 Thailand
Email: dpc@lst-thai.com

12. Amendment of the Policy and Guideline on Personal Data Protection
The Company may, from time to time, review this Policy in compliance with guidelines and applicable laws. In case of changes, the Company will provide a public notification through appropriate channel.

Given this day, 1st April 2025

Moritz Merkle
Managing Director
Lufthansa Services (Thailand) Ltd.

Given this day, 1st April 2025

Moritz Merkle
Managing Director
Lufthansa Services (Thailand) Ltd.