1. Introduction

CR3 Group recognises the importance of privacy of personal/entity data. We have therefore developed this Privacy Policy (the “Policy”) to govern how Personal Data of our personnel, customers, suppliers, subcontractors of the group, or any other individuals from whom we obtain Personal Data during the course of our business will be collected, used, or disclosed by the company. Our Policy is developed in accordance with the relevant effective regulations and their sub-regulations as announced by the authorities (the “Regulations”).

The CR3 Group will only collect, use, or disclose Personal Data for the purposes described in the Policy. Where the collection, use, or disclosure of Personal Data will differ from the purpose previously notified to the Data Subject, we will

  • inform the Data Subject of such new purpose and obtain consent from the Data Subject prior to the time of collection, use, or disclosure, or
  • ensure that the systems and processes we use are in compliance with the Regulations to the extent that they are applicable to us.

Definitions:

“Data Controller” means a Person or a juristic person having the power and duties to make decisions regarding the collection, use, or disclosure of the Personal Data.

“Data Subject” (or “Individual”) means any Person whose Personal Data is being collected, used, or disclosed.

“Personal Data” means any information relating to a Person, which enables the identification of such Person, whether directly or indirectly, but not including the information of the deceased Persons in particular.

“Processing” refers to the collection, use, or disclosure of Personal Data.

2. Collecting Personal Information

In general, we shall collect Personal Data directly from Data Subjects such as our clients/prospective clients, suppliers, subcontractors, visitors of our official website https://www.cr3.group/ (the “Official Website”), visitors of our office, journalists, candidates for job applications, our employees or other individual third parties.

We could obtain Personal Data in many circumstances, e.g. through a submission of an enquiry via our Official Website, through direct communication in relation to our services (via our customer service, email, telephone, or any other means), through an application for employment/internship, or through voluntary participation in surveys.

We could collect Personal Data through e.g. enquiries, requests, emails, registration, completion of forms/surveys, application forms, and other situations where the Data Subject chooses to provide Personal Data to us. However, if we obtain Personal Data from a person other than the Data Subject (the “Disclosing Person”), we assume the Disclosing Person represents and confirms to us that such Personal Data has been disclosed in compliance with applicable Regulations on personal data protection by the Disclosing Person. Details of how we obtain such Personal Data will be properly recorded in our system.

The following categories of data may be collected by us:

  • Basic data: e.g. Name, Company Name, Phone Number, Mailing Address, Email Address, Contact Details etc.
  • Sensitive data: e.g. Health Data, Criminal Record, Biometric data, blood type etc.
  • Client service data: e.g. Personal Data received from clients in respect of individuals associated with them
  • Registration data: e.g. Event/Seminar registrations, Details on Contact Us page
  • Marketing data: e.g. Data about individuals who participated in the CR3 Group Events or Seminars, Conferences, Clients’ Networking etc.
  • Employment data: e.g. Banking Details, Citizen Card, Passport etc.
  • IT related data: e.g. IP Address, Cookies ID etc.
  • Compliance data: e.g. Beneficial Ownership Data, Identification Details etc.
  • Job applicant data: e.g. Education, Work Experience, Salary, Address etc.

3. Use of Personal Information/ Data

Unless we obtain consent or it is required or permitted by Regulations, Personal Data may be used for the following purposes:

  • Providing Professional Services: We offer various types of services to our clients. To perform our services efficiently, we need to use Personal Data of our clients to deliver our work within the scope of the service agreements.
  • Managing Business Operations: To run our business effectively, we may need to use Personal Data for various reasons, including to
    • manage relationships with our clients, suppliers, contractors, subcontractors, or other individuals,
    • ensure our Official Website is easy to use and protect it from misuse of IT information or other crimes,
    • provide information about our services that might be of interest,
    • send you invitations and host seminars, events, or client networking,
    • consider individuals for potential recruitment,
    • maintain and update internal record keeping,
    • process payroll, or
    • carry out statutory reporting and respond to enquiries of government departments.
  • Complying with Rules, Regulations, and Professional Obligations: As a regulated business, it is necessary for us to comply with the legal requirements and professional obligations to which we are subject, e.g.
    • for auditing, risk management and security purposes,
    • for safety incident management,
    • for detecting, investigating and preventing illegal activities,
    • for enabling us to perform our obligations and enforce/defend our rights under any agreements/documents that we are a party to,
    • for meeting any applicable legal/regulatory requirements, or
    • for carrying out verification and background checks as a part of the recruitment or selection process.

4. Disclosure of Personal Information/ Data

We may disclose Personal Data to the following categories of recipients:

  • We may disclose personal information to any of our employees, officers, advisers, agents, insofar as reasonably necessary for the purposes set out in this policy.
  • We may disclose personal information to any member of our group of companies (this means our affiliates and subsidiaries) insofar as reasonably necessary for the purposes set out in this policy. However, to ensure that personal data does receive an adequate level of protection we have executed Standard Contractual Clauses with our [Group Company(ies)] to ensure that personal data is treated by those Group Companies in a way that is consistent with and which respects the regional laws on data protection.
  • We may disclose personal information for the following purposes:
    • To the extent that we are required to do so by law;
    • In order to establish, exercise or defend our legal rights (including providing information to others for the purposes of fraud prevention and reducing credit risk);
    • To the purchaser (or prospective purchaser) of any business or asset that we are (or are contemplating) selling; and
    • To any person who we reasonably believe may apply to a court or other competent authority for disclosure of that personal information where, in our reasonable opinion, such court or authority would be reasonably likely to order disclosure of that personal information.
  • Except as provided in this policy, we will not provide personal information to third parties.
  • Service Providers: We disclose Personal Data to our third party service providers to enable them to perform their services under our instruction. Such services include IT services, event organisers, employment agencies, professional advisors, consultants, or external auditors. As a part of our agreement with them, they are required to strictly adhere to applicable laws and/or regulations and to take reasonable and efficient measures to assure the Data Subject that Personal Data is secure.
  • Financial Institutions: We disclose Personal Data to them in connection with business routines e.g. invoicing and payments.
  • Compulsory disclosure: We disclose Personal Data as requested from regulators, governmental bodies/organisations, or other related law enforcement authorities where our services are subject to be regulated. We also disclose Personal Data to establish or protect our legal rights, property, or safety, or rights, property, or safety of other individuals, or we have to defend against any legal claims.

5. Storage, Retention and Destruction of Personal Data

We realise the importance of security, and we endeavor to take all reasonable and reliable steps to safeguard Personal Data that we hold by providing appropriate technical and organisational measures. This includes implementing Policies & Procedures and training for our personnel related to confidentiality, records retention, or information technology. Those Policies & Procedures and training will be regularly reviewed to ensure that they are effective for their purposes.

Personal Data will be kept in hard copies and/or soft files. We provide filing cabinets and/or rooms to store hard copies of Personal Data, and these are requested to be locked at all times. Soft files are kept in channels provided for each department and simultaneously uploaded to the cloud, which has reliable security measures in place. Additionally, only authorised departments/persons are allowed to have access to secured spaces. Personal Data is kept only as necessary in relation to lawful purposes, including in compliance with:

  • activities or services for which they are being processed;
  • applicable statutes, regulations and other legal requirements and guidelines under effective Policies & Procedures;
  • applicable professional requirements which are relevant to our professional services; and
  • litigation or investigations that might arise from providing services where there is a requirement under a compulsory disclosure.

Generally, we will keep Personal Data in accordance with our applicable Records Retention Policy, which shall be as needed to comply with any legal or specific industry-standard requirements that may apply, or a maximum of ten years from the date of termination of contracts/legal documents. We will securely destroy Personal Data when it is no longer necessary to keep it for the purposes for which it was collected, we are no longer subject to any legal requirements to keep it, or we have no other lawful basis to keep Personal Data.

6. Lawful basis for Processing Personal data

  1. Consent
    • It means any freely given, specific, informed and unambiguous indication of Data Subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
  2. Legitimate Interest
    • It is necessary for legitimate interests of a Data Controller or any other persons, except where such interests are overridden by the fundamental rights of a Data Subject with respect to his/her Personal Data
  3. Contract
    • It is necessary for a performance of a contract to which a Data Subject is a party, or in order to take steps at the request of a Data Subject prior to entering into a contract
  4. Legal Obligation
    • It is necessary for compliance with a law to which a Data Controller is subjected.
  5. Vital Interest
    • It is for preventing or suppressing a danger to a person’s life, body or health.
  6. Public Interest
    • It is necessary for the performance of a task carried out in the public interest by a Data Controller, or it is necessary for the exercising of official authority vested in a Data Controller.
  7. Research
    • It is for the achievement of a purpose relating to the preparation of historical documents or archives for public interest, or for a purpose relating to research or statistics, in which suitable measures to safeguard a Data Subject’s rights and freedoms are put in place and in accordance with Notification as prescribed by the law.

7. Data Subject’s Rights

Data Subjects (or “You”) have rights to:

  • Withdraw consent: In the case where the CR3 Group Processes Personal Data based on consent, you have a right to withdraw your consent at any time and we will respond to your request within 30 days from when such a request of withdrawal has been made. Please note that your withdrawal of consent shall not affect the past collection, use, or disclosure of Personal Data for which you have already legally given consent. Furthermore, your withdrawal may have certain consequences for you, of which we will inform you when we receive your request of withdrawal.
  • Access: You have the right to request access to and obtain a copy of Personal Data, or request a disclosure of an acquisition of Personal Data obtained without your consent, subject to certain exceptions. In case of a copy requirement, the CR3 Group may charge a reasonable administration fee, if this is allowed, for multiple copies of Personal Data. Please note that we will process your request once the fee has been agreed.
  • Rectify: You have a right to have your Personal Data remain accurate, up-to-date, complete, and not misleading. However, you acknowledge that we rely on Personal Data which we assume is accurate, up-to-date, and complete at the time when you gave it to us, or on any updates made later. Therefore, we have no responsibility for relying on or using any inaccurate, outdated, or incomplete Personal Data that you provided to us or for which you failed to update any changes. If you believe your Personal Data needs to be rectified, you can exercise your right by contacting our contact cr3g@cr3.group.
  • Erase: You have a right to request the CR3 Group to erase or destroy Personal Data, unless such Personal Data retained by the CR3 Group is necessary for a preparation of a historical document, a public interest, an establishment, compliance or exercise of legal claims, or a defence of legal claims, or a purpose for compliance with the law.
  • Restriction of processing: You have a right to request the CR3 Group to restrict use of Personal Data including but not limited to:
    • When there is a pending examination process on accuracy of Personal Data when you believe it is inaccurate;
    • When Personal Data shall be erased but you make a request to restrict use of such Personal Data; and
    • When the company has no ongoing necessity to retain such Personal Data in accordance with the purpose. However, you have a necessity to retain such Personal Data for establishment, compliance or exercise of legal claims, or a defence of legal claims.
  • Data portability: You have a right to request the CR3 Group to send or transfer Personal Data to you or to another person or organisation. The CR3 Group will arrange such Personal Data to be in a format which is readable or commonly used by way of automatic tools or equipment, and can be used or disclosed by automated means.
  • Object: You have a right to object to the processing of Personal Data when Personal Data is collected without your consent or to serve a purpose of direct marketing.
  • Complaint: In the event that the Data Controller does not take action in accordance with the Act or notifications issued in accordance with this Act, the Data Subject shall have the right to complain to the expert committee to order the Data Controller to take such action.

Please note that we will endeavor to respond to your request within 30 days upon receiving your request. However, our length of time to respond will depend on the nature and extent of your request. In case where your request cannot be responded to within the timeline, we will notify you at the earliest practicable opportunity.

8. Third Party Websites

Our official website may contain links to other websites. The Policy applies only to CR3 Group. We are not responsible for the privacy practices of other websites. We encourage our visitors to carefully read the privacy policy of other websites that collect, use, or disclose Personal Data.

9. Cookies

A cookie is a small piece of data or message that is sent from the CR3 Group’s web server to your web browser and is then stored on your hard drive. Cookies cannot read data off your hard drive or cookie files created by other sites, and do not damage your system. Some of the Cookies that we use are strictly necessary for the functionality of our Official Website, while others are for enhancing user experience. Please note that if you choose not to use Cookies, some of the features of our site may not work as well as we intend.

10. Security

We have recognised the importance of Personal Data by implementing protection through organisational and technical measures. We restrict access on a need-to-know basis and only to the extent necessary for the engagement team to perform their duties in relation to their engagement assignments.

We also endeavour to take appropriate steps to protect and safeguard our systems, networks and information against unauthorised access, use, modification and disclosure. However, the internet is considered an open global communication platform, and information may be exposed to other risks during transmission or while stored on our systems. Therefore, we cannot guarantee that any information will be 100% safe from attackers. We also assume no responsibility for any unauthorised and illegal use of Personal Data by third parties which is deemed beyond our control.

Additionally, a Data Subject has an important role in protecting Personal Data by not sharing a username, password, or other authentication details with anyone. Also, it is recommended to use a strong password when transferring Personal Data. However, if you have reasonable grounds to believe that your username, password, or other authentication has been compromised, please contact us using the details provided under the contact channels.

11. Changes to the Policy

This Privacy Policy may be amended and updated periodically and without prior notice to you to reflect changes in our online information practices. When changes are made to this Policy, they will be posted to the website. We also encourage users to periodically check this Policy to understand how we protect and use your information.

12. Contact

If you have any questions, comments or requests regarding personal data, please address them to: Group Data Controller,

17th Floor, Unit 1706, Two Pacific Place, 142 Sukhumvit Road, Klongtoey, Bangkok, Thailand 10110

+66-2-653-3913-5

crag@cr3.group