Bangkok Dusit Medical Services : 10. Privacy Policy for Shareholders

Enclosure 10

Privacy Policy for Shareholders

Bangkok Dusit Medical Services Public Company Limited

Bangkok Dusit Medical Services Public Company Limited (the "Company") is committed to protect your Personal Data as the Company's shareholder. Your Personal Data will be protected in accordance with the Personal Data Protection Act B.E. 2562. As the Data Controller, the Company has a statutory duty to issue this Privacy Policy to inform you of the reasons for and methods through which the Company collects, uses, or discloses your Personal Data, as well as to inform you of your rights as the data subjects. The Company confirms that it has duly complied with the Personal Data Protect Act B.E. 2562 to protect your Personal Data.

1. Definitions

"Personal Data" the owner of such in particular;

means any information relating to an individual, which enables the identification of Personal Data, whether directly or indirectly, excluding the data of a deceased person

"Sensitive Personal Data" means Personal Data pertaining to racial, ethnic origin, political opinions, cult, religious or philosophical beliefs, sexual behavior, criminal records, health data, disability, trade union information, genetic data, biometric data (such as facial model data, iris or retina image data, or fingerprint data), or any data which may affect the data subject in the same manner as prescribed by the Personal Data Committee;

"Process" means collection, use or disclosure;

"Data Controller" means a person or a juristic person having the power and duties to make decisions regarding the collection, use, or disclosure of the Personal Data;

"Data Processor" means a person or a juristic person who operates in relation to the collection, use, or disclosure of the Personal Data pursuant to the orders given by or on behalf of a Data Controller, whereby such person or juristic person is not the Data Controller.

2. Personal Data collected by the Company

1. The Personal Data collected by the Company can be categorized as follows:

Type of Personal Data	Description
1.	Identification Data	Examples include full name, identification number, passport number,
		photo, motion picture;
2.	Contact Data	Examples include address, telephone number, email;

2. The Company will not process your Sensitive Personal Data without your prior express consent except it is so permitted by the Personal Data Protection Act B.E. 2562.In this regard, the Company has in place appropriate measures for protecting the fundamental rights and benefits of the data subject.

40

Enclosure 10

3. Sources of Personal Data

The Company will collect your Personal Data received from the following sources:

1. Personal Data which you have directly provided to the Company such as Personal Data in the document or online form which the Company requires you to provide.
2. Personal Data which the Company receives indirectly such as personal data received from the securities registrar or your proxy.

4. Objectives for Personal Data Collection, Use and Disclosure

The Company processes your Personal Data only to the extent as prescribed in the Personal Data Protection Act B.E. 2562 and collects Personal Data only to the extent necessary for the foregoing purpose. A summary of how the Company uses your Personal Data and the lawful basis of Processing of Personal Data is provided below:

No.	Objective	Data Type	Lawful Basis of Processing
1.	Management of the shareholder	-Identification	For the compliance with laws to which
	registration, company	Data	the Company, as a Data Controller, is
	management such as capital	-Contact Data	subjected (Section 24(6))
	increase, capital reduction,
	change of registration
	transaction, shareholder's
	meeting, management of rights
	and duties of shareholders,
	dividend payment, accounting
	and reporting or any other
	actions which comply with
	relevant laws;
2.	Company management,	-Identification	For the legitimate interests of the
	recording of the meetings and	Data	Company as a Data Controller (Section
	preparing minutes of meetings to	-Contact Data	24(5))
	send to relevant regulators,
	recording video of meetings,
	security protection, proposing
	news or activities to shareholders
	for the benefit of shareholders.

The Company shall not use your Personal Data for any purpose other than for the objectives listed above, unless Processing of Personal Data is otherwise necessary as prescribed in the Personal Data Protection Act B.E. 2562.

5. Disclosure or Sharing of Personal Data

1. The Company may disclose or share your Personal Data to the following third parties which are Data Processors, as necessary for the performance of work of the Company. The Company requires that the foregoing third parties maintain full confidentiality of and protect your Personal Data in line with the standards prescribed by the Personal Data Protection Act B.E. 2562, and that such third parties are only able to use your Personal Data for the objectives determined or instructed by the Company.

41

Enclosure 10

Such third parties are not authorized to use your Personal Data for any purpose other than the said objectives.

2. The Company may store Personal Data on a cloud computing system offered by a third-party service provider located in Thailand or overseas. In entering into the relevant agreement with such cloud computing service provider, the Company has exercised due care and consideration of the security systems for the storage of the Personal Data in order to protect the Personal Data.

3. The Company may disclose your Personal Data to the government agencies, competent authorities, or other juristic persons in compliance with the law, or with a court order.

6. Retention Period of Personal Data

1. The Company shall retain the Personal Data which you have provided for the period necessary to achieve the stated purposes. However, the Company may retain your personal data longer if it is necessary for the Company's compliance with applicable laws.

2. Upon the expiry of the period above, the Personal Data will be destroyed by following the Company's procedure for data destruction, and such process shall be completed without delay.

7. Measures for Personal Data Security

1. The Company will store Personal Data using measures that are at least in compliance with the standards prescribed by the law, and using appropriate systems for ensuring the protection and security of Personal Data. These include use of, for example, a Secure Sockets Layer (SSL) protocol, firewall protection, password protection, and other technical measures for online data encryption, and storage of paper-based Personal Data in a facility with restricted access.
2. The Company will restrict access to Personal Data, which may be accessed by employees, agents, business partners, or third parties. Access to Personal Data by third parties is strictly restricted to the extent prescribed or instructed by the Company, and such third party has the duty to maintain full confidentiality of and protect such Personal Data.
3. The Company shall put in place technological methods for preventing unauthorized computer systems access.
4. The Company has an auditing mechanism for destroying Personal Data which is no longer required for the operations of the Company.

8. Transfer of Personal Data Overseas

1. The Company may transfer your Personal Data overseas in order to achieve the objectives as the Company has notified you and for which you have granted consent. The Company will notify you of any inadequacies relating to Personal Data protection standards applicable to the recipient country.
2. The Company may transfer your Personal Data without your consent in the case that transfer of Personal Data overseas is for the performance of an agreement to which you are a party, or in compliance with your request prior to entering into such agreement, or as prescribed in the Personal Data Protection Act B.E. 2562.

42

Enclosure 10

9. Your Rights as the Data Subject

As the data subject, you have the right to request the Company to take the following acts in relation to your Personal Data, to the extent permitted by law:

1. Right to withdraw consent: you have the right to withdraw consent for the Company to process your Personal Data, for which you had given consent, any time which your Personal Data is retained with the Company;
2. Right of access: you have the right to access your Personal Data and to request that the Company makes copies of the same, as well as request that the Company discloses any acquisition of your Personal Data for which you had not given consent;
3. Right to rectification: you have the right to request that the Company rectifies inaccurate Personal Data, or to add to the existing Personal Data which is incomplete;
4. Right to erasure: you have the right to request that the Company erases your Personal Data, for certain reasons.
5. Right to restriction of Processing: you have the right to request that the Company suspends the use of your Personal Data, for certain reasons;
6. Right to data portability: you have the right to transfer your Personal Data which you had provided to the Company to another Data Controller, or to yourself, for certain reasons;
7. Right to object: you have the right to object to the Processing of your Personal Data, for certain reasons;

To file a request relating to any of the above rights, contact bdms.pdpa@bdms.co.th

10. Amendments to the Personal Data Protection Policy

The Company may subsequently revise and make amendments to its Personal Data Protection Policy in order to ensure better protection of Personal Data. The Company will notify you of any revision or amendment.

11. Contact Information

If you wish to contact the Data Controller, ask questions, or exercise any right in relation to Personal Data, please contact:

Personal Data Protection Officer,

Bangkok Dusit Medical Services Public Company Limited

2 Soi Soonvijai 7, New Petchburi Rd., Bangkapi Subdistrict, Huaykwang District, Bangkok Tel: 02-310-3432

E-mail:bdms.pdpa@bdms.co.th

43