Personal Data Protection Act Policy

NR Instant Produce Public Company Limited acknowledges the importance of protecting personal data, including that of customers, employees, suppliers/service providers, business partners, and sensitive personal data such as information relating to race, ethnicity, political opinions, religious or philosophical beliefs, sexual behavior, criminal records, health data, genetic data, and biometric data. This Privacy Policy has been established to outline the classification, use, and disclosure of personal data in accordance with legal requirements. This Policy has been approved by the Company’s Board of Directors.

1. Objective

This Personal Data Protection Act Policy is established to ensure compliance with the Personal Data Protection Act B.E. 2562 (PDPA), and to cover the impact arising from the said Act. The objective is to prevent the misuse or unauthorized use of personal data of data subjects related to the Company, including customers, employees, suppliers/service providers, and business partners, without their consent.

2. Categories of Protected Data

  1. 2.1 Personal Data Personal Data refers to any information that can identify an individual, either directly or indirectly, including but not limited to the personal data of customers, employees, suppliers/service providers, and business partners, as follows:
    1. 2.1.1 Name - Surname
    2. 2.1.2 Age
    3. 2.1.3 National identification number
    4. 2.1.4 Telephone number
    5. 2.1.5 Address
    6. 2.1.6 Email address
    7. 2.1.7 Photograph
    8. 2.1.8 Employment history
  2. 2.2 Sensitive Personal Data Sensitive Personal Data includes the following:
    1. 2.2.1 Race
    2. 2.2.2 Ethnicity
    3. 2.2.3 Political opinions, e.g., information shared on social media related to politics
    4. 2.2.4 Religious or philosophical beliefs, e.g., monkhood leave records
    5. 2.2.5 Sexual behavior
    6. 2.2.6 Criminal records
    7. 2.2.7 Health data or disability information
    8. 2.2.8 Trade union membership
    9. 2.2.9 Genetic data
    10. 2.2.10 Biometric data
    11. 2.2.11 Health data, e.g., health-related data appearing on health certificates
    12. 2.2.12 Other data that may significantly affect the data subject as prescribed by the Personal Data Protection Committee

3. Data Subject Rights

Data subjects shall be entitled to the following rights under the PDPA:

  1. 3.1 Right to be informed
  2. 3.2 Right to rectification
  3. 3.3 Right to data portability
  4. 3.4 Right of access
  5. 3.5 Right to object
  6. 3.6 Right to erasure ("Right to be forgotten")
  7. 3.7 Right to restriction of processing
  8. 3.8 Right to withdraw consent

4. Key Compliance Requirements Under the PDPA

  1. 4.1 Personal Data Protection Essentials
    1. 4.1.1 Collection, use, disclosure, and/or transfer of personal data must be based on valid consent, unless permitted by law.
    2. 4.1.2 Consent (if required) must be freely given, specific, and informed. The data subject must be able to withdraw consent at any time.
    3. 4.1.3 Data subjects must be informed of necessary details at the time of collection, such as the purpose of collection and potential disclosures or transfers.
  2. 4.2 Use and Disclosure
    1. 4.2.1 The use and disclosure of personal data must be in accordance with the purposes for which the data subject has given consent.
    2. 4.2.2 International data transfers must comply with the PDPA’s cross-border data transfer requirements.
  3. 4.3 Other Requirements
    1. 4.3.1 Ensure the exercise of data subject rights under the PDPA.
    2. 4.3.2 Implement appropriate data security measures.
    3. 4.3.3 Appoint a Data Protection Officer (DPO) if large-scale or sensitive data processing is conducted.
    4. 4.3.4 Conduct internal audits by appointed Expert Committees.
    5. 4.3.5 Maintain a Record of Processing Activities (RoPA).
    6. 4.3.6 Report personal data breaches to the office of Personal Data Protection Committee within 72 hours of awareness, and notify affected data subjects if the breach poses a high risk.
    7. 4.3.7 Ensure that data processors/sub-contractors comply with the PDPA.

5. PDPA Compliance

  1. 5.1 Identify and assess the legal basis for each data processing activity.
  2. 5.2 The data subject must always be informed of their rights, the details of the data processing, and the purposes of personal data collection. Consent must always be obtained from the data subject. Personal Data must be collected only to the extent necessary and erased when it is no longer needed or when the retention period has expired, as previously notified. It must also be ensured that the consent mechanism and the privacy policy comply with the criteria set forth under the PDPA
    1. 5.2.1 When requesting consent, the data subject must be able to:
      1. 5.2.1.1 Provide consent either in paper form or through an online system
      2. 5.2.1.2 Read and understand the consent form easily
      3. 5.2.1.3 Do not be misled or deceived in any way
      4. 5.2.1.4 Provide consent separately from other terms and conditions, and consent must not be tied to unrelated conditions
    2. 5.2.2 When withdrawing consent, the data subject must be able to:
      1. 5.2.2.1 Withdraw consent at any time
      2. 5.2.2.2 Withdraw consent through a process that is as easy as giving consent
      3. 5.2.2.3 Be informed of the potential consequences resulting from the withdrawal of consent
  3. 5.3 The use and disclosure of personal data must always be based on the data subject’s consent and must be carried out strictly in accordance with the purposes that have been notified.
  4. 5.4 There must be accessible channels through which data subjects can access and correct their personal data, such as via a CRM web portal or call center.
  5. 5.5 Any transfer of personal data to a foreign destination must ensure that the receiving party provides an adequate level of personal data protection, such as in cases where data is stored on cloud platforms or servers located overseas.
  6. 5.6 Appropriate and standardized data protection systems must be implemented. In the event of a data breach, the data subject must be notified within 72 hours from the time the incident is discovered.
  7. 5.7 Contracts entered into between the Company and external parties must include stringent and appropriate personal data protection clauses.
  8. 5.8 Providing appropriate data management policies and conducting relevant training programs.
  9. 5.9 Regular reviews, risk assessments, and updates of relevant data and processes must be conducted to avoid unintentional errors or breaches.
  10. 5.10 Systems, equipment, and software used for the collection and use of personal data must be enhanced to ensure higher levels of security. There must also be a clearly defined process for deleting unnecessary data within an appropriate timeframe.
  11. 5.11 Cookies must be stored on users’ browsers. Cookies function as small files that store user data. If the website uses tracking or analytics tools such as Google Analytics, Facebook Pixel, or others, cookies will be used according to the specific purposes of each tool.
  12. 5.12 A cookie consent mechanism must be implemented to obtain the user’s consent for the use of cookies. The purposes for collecting and using cookies must be clearly explained. Users must be allowed to give and withdraw their consent at any time through a process that is as easy as when consent was initially given. Users must also be informed of any potential consequences related to such consent.
  13. 5.13 Integrating the efforts of its legal and information technology departments to ensure efficient, timely, and comprehensive data protection management.

6. Roles and Responsibilities

  1. 6.1 Central Functions
    1. 6.1.1 Data Controller: Determines the purposes and means of data processing.
    2. 6.1.2 Data Processor: Processes data on behalf of the Data Controller and must be a separate entity.
    3. 6.1.3 Data Protection Officer (DPO): Provides advice, monitors compliance, and coordinates with the Personal Data Protection Committee. DPO may be appointed across multiple departments depending on scale and sensitivity.
  2. 6.2 Departmental Functions
    1. 6.2.1 Legal Department: Drafts agreements and policies to ensure legal compliance.
    2. 6.2.2 Information Technology Department:
      1. 6.2.2.1 Implements minimum required security measures
      2. 6.2.2.2 Prevents unauthorized disclosure and ensures timely data deletion
      3. 6.2.2.3 Ensures cookie consent mechanisms meet PDPA requirements
    3. 6.2.3 Marketing Department: Conducts risk assessments on personal data it collects and determines data criticality.
    4. 6.2.4 Sales Department: Collects customer and prospect data and must obtain necessary consents.
    5. 6.2.5 Human Resources Department: Responsible for employee data, including applications, resumes, ID copies, and building access data.

Privacy Policy For CCTV

NR Instant Produce Public Company Limited (hereinafter referred to as “Company”) has implemented closed-circuit television (CCTV) installations both within and around the Company premises for the security of the Company premises and property, as well as for the protection of life, body, and health of any person within and around the Company premises. (“you”) To ensure that the collection, use, and/or disclosure of your Personal Data through CCTV usage is in adherence with the Personal Data Protection Act B.E. 2562, the Company hereby established this Privacy Policy to inform you of your rights, duties, and the Company’s practice in collect, use and/or disclosure of Personal Data.

1. Definition

Vocabulary Definition
Personal Data Protection Law Personal Data Protection Act B.E. 2562 and any further amendment, including any relevant Rule, Regulation, and Order related to Personal Data protection
Personal Data any information relating to a Person, which enables the identification of such Person, whether directly or indirectly, but not including the notification of the deceased Persons in particular
Sensitive Personal Data Personal Data relating to race, ethnicity, political opinion, belief, religion or philosophy, sexual orientation, criminal record, health information, disability, labour union information, genetic data, biometric data (such as facial scan, iris scan, fingerprint scan) or any other data which may impact the Data Subject in a similar manner, as prescribed by the Personal Data Protection Committee
Data Subject a person who has been identified by the Personal Data, whether directly or indirectly
Data Processing/process any operation performed on the Personal Data or set of the Personal Data, whether automated or not, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consideration, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction
Privacy Policy This Privacy Policy For CCTV

2. Type of Personal Data the Company Collected

The Company will collect and store Personal Data in a legitimate manner and only to the extent necessary for the Company’s business operation as follows:

Type Example of Personal Data
Specific Personal Information and Information Relating to Personal Characteristics
  • Facial
  • Image, Video Recording, and Audio Recording of you
  • Image, Video Recording, and Audio Recording of your property, such as vehicle

Nonetheless, the Company will not install CCTV in the area which may unduly infringe your fundamental rights, such as toilet, and rest area.

3. Purpose & Lawful Basis for Data Processing

The Company will process your Personal Data for various purposes, applying lawful basis as appropriate as follows:

No Lawful Basis Description
1 Legitimate Interest necessity for the Company to operate under the Company’s legitimate interests within reasonable expectations of the Data Subject and without unduly infringing on the rights and freedoms of the Data Subject
2 Legal Obligation necessity for compliance with the law, regulations, or order issued by the regulatory authorities overseeing the Company
3 Vital Interest an operation to protect vital interest of Data Subject, such as prevention or suppression of danger to a Data Subject’s life, body, and health
No Lawful Basis Description
1 Ensuring security and safety of the Company’s buildings, facilities, and assets located within and around the premises Legitimate Interest
2 Ensuring safety and prevent danger to your life, body, and health , including ensuring security in your property within and around the premises Legitimate Interest Vital Interest
3 Assisting relevant authorities in enforcing law to suppress, prevent, investigate, and legal prosecution Legal Obligation
4 Assisting in dispute resolution processes arise during disciplinary proceedings or grievance processes Legal Obligation
5 Assisting in investigations, handling of complaints or processes related to initiating or defending legal actions, including but not limited to exercising claims in labor disputes. Legal Obligation

4. Disclosure of Personal Data

  1. 4.1 Generally, the Company will store and keep confidential any Personal Data from CCTV and will not disclose such Personal Data, unless there exists any necessity in order to achieve the Company’s purpose as prescribed in this Privacy Policy. In such case, the Company may disclose your Personal Data to internal and external party as follows:

Internal Departments and Affiliates the Company may disclose your Personal Data to its personnel and internal departments, including executives, supervisors, employees, and affiliates. However, such disclosure will be strictly limited to those directly involved and necessary for processing Personal Data.

Service Provider the Company may engage in external service providers (Outsource) to act on its behalf or support its business operations. This may include agents, contractors, and subcontractors of these service providers, such as security service providers to ensure the security of the Company, including CCTV vendors, for repair and maintaining CCTV, only in the case authorized by the Company.

Government Authority the Company may disclose your Personal Data to government agents, regulatory bodies overseeing the Company, or other authorized agent as required by law. This includes, but not limited to, Royal Thai Police, Office of the Personal Data Protection Committee, Courts, and authorized government officials such as police officers or public prosecutors.

  1. 4.2 The Company will assign the recipients of your Personal Data to implement appropriate security measures to safeguard Personal Data and to process your Personal Data only to the extent necessary. The Company will undertake actions to prevent unauthorized or unlawful Data Processing and will ensure that such Data Processing is carried out in strict adherence to the purpose as prescribed in this Privacy Policy or Personal Data Protection Law. In the event that the consent is required to process your Personal Data according to the Personal Data Protection Law, the Company will explicitly notify you and request your consent specifically.

5. International Transfer of Personal Data

  1. 5.1 Generally, the Company does not intend to transfer Personal Data from CCTV to the receipients located in foreign country. Nonetheless, if there exists any necessity for the Company to transfer such Personal Data to the receipients located in foreign country, the Company will explicitly notify you and request your consent specifically.
  2. 5.2 In transferring such Personal Data, the Company will implement appropriate security measures and will comply with Personal Data Protection Law, whereby the Company will undertake measures to ensure that the destination country or international organization receiving Personal Data has adequate Personal Data protection standards or in adherence with other law.
  3. 5.3 In transferring such Personal Data, the Company will implement appropriate security measures and will comply with Personal Data Protection Law, whereby the Company will undertake measures to ensure that the destination country or international organization receiving Personal Data has adequate Personal Data protection standards or in adherence with other law.

6. Personal Data Retention Period

  1. 6.1 The Company will retain your Personal Data for a period necessary to achieve the purpose in Data Processing, taking into account the criteria used to determine the retention period, including the duration of the Company’s relationship with you and the practices for each type of Personal Data. Generally, the Company will retain your Personal Data for a period not exceeding 90 days from the date of collecting Personal Data.
  2. 6.2 Upon expiration of the aforementioned period or when it is no longer necessary to retain your Personal Data, the Company will promptly erase, destroy, or anonymize your Personal Data. Nonetheless, the Company may retain all or part of your Personal Data exceeding the aforementioned period for compliance with laws or legitimate orders.
  3. 6.3 The Company has implemented an audit system to implement the erasure, destruction, or anonymization of such Personal upon expiration of the retention period or when processing of such data is no longer necessary.

7. Security Measures of Personal Data

  1. 7.1 The Company has implemented appropriate security measures, including administrative measures, technical measures, and physical measures, to maintain the confidentiality, integrity, and availability of Personal Data to prevent loss, access, use, modification, alteration, or disclosure of Personal Data by unauthorized persons or those who do not have relevant duties concerning such Personal Data.
  2. 7.2 The Company has strictly enforced security measures within the Company, utilizing security technologies and procedures, such as implementing access control measures and data use measures by establishing data access rights, authorization rights for designated persons to access data, as well as implementing measures for audit trail monitoring to ensure that only authorized persons can access your Personal Data and such authorized persons have been trained and are aware of the importance of Personal Data security.
  3. 7.3 The Company will conduct review of such security measures, including improving and developing such measures to reflect necessity or change in technology to ensure the effectiveness of Personal Data security.

8. Data Subject Rights and Exercise of Rights

  1. 8.1 Under Personal Data Protection Law, you, as a Data Subject, have the following rights:
Data Subject Rights Description
Right to access and retrieve a copy of data
  • You have the right to access and obtain copy of your Personal Data, including to inquire the Company to disclose of the source of Personal Data that you did not consent.
  • Unless the Company is subjected to the law or the court’s order or it violates the rights and freedoms of other people.
Right to data portability
  • You have the right to request for Personal Data in an easily accessible and intelligible form using automated tools or equipment and in the format that can be used or disclosed using automated tools or equipment and may request a transfer of such Personal Data to other Data Controller in such format if feasible.
  • Unless
    • it is not feasible due to technical reasons;
    • it is a performance carried out in the public interest;
    • it is for compliance with the law; or
    • it violates the rights and freedoms of other people.
Right to object to Data Processing
  • You have the right to object to Data Processing in the event that the Company process Personal Data
    • for the necessary legitimate interests of the Company or any other person;
    • for the purpose of direct marketing; or
    • for the purpose of scientific, historical or statistic research
  • Nonetheless, if you object to Data Processing, the Company will continue processing your Personal Data to the extent that
    • there exists a compelling legitimate ground that is more important than your privacy;
    • it is carried out for the establishment, compliance or exercise of legal claims, or defense of legal claims; or
    • it is necessary for a performance carried out in the public interest.
Right to erasure/Right to be forgotten You have the right to request the Company to erase, destroy, or anonymize your Personal Data in the following circumstances:
  • You believe that the Company has unlawfully processed your Personal Data
  • You believe that the Company cease the necessity to retain your Personal Data according to the Company’s purpose as prescribed in this Privacy Policy; or
  • You have exercised right to withdraw consent or right to object to Data Processing as aforementioned
Right to restriction of Data Processing You have the right to request the Company to restrict Data Processing in the following circumstances:
  • The Company is pending examination process in accordance with the request to exercise rights to rectification,
  • It is Personal Data which must be erased or destroyed, but you request to restrict Data Processing instead, or
  • The Company is pending examination process in accordance with the request to exercise rights to object to Data Processing
Right to rectification You have the right to request the Company to rectify your Personal Data to be accurate, up to date, complete, and not cause any misleading
Right to lodge a complaint You have the right to lodge a complaint to the Company or to the competent authority where you believe that the Company’s Data Processing is not in adherence with Personal Data Protection Law.
  1. 8.2 You may exercise your aforementioned rights at any time by contacting through channel specified in clause 10. to request to exercise Data Subject’s rights.
  2. 8.3 The exercise of such rights may be restricted under Personal Data Protection Law or other relevant law, and there may exist certain circumstances where the Company has necessary grounds to reject or unable to proceed with your application. In such case, the Company will notify you of the reasons for rejection together with the response to such application.

9. Amendment to Privacy Policy

The Company may update this Privacy Policy from time to time to reflect changes in our practices or changes in circumstances. In the event of any material amendment to this Privacy Policy, the Company will notify you of the amendment. The Company encourages you to review this Privacy Policy periodically.

10. Contact Us

Should you have any inquiries regarding this Privacy Policy, or would like further information about the Company's data protection practices, or to exercise your rights as a Data Subject, please contact us at the following channels:

Contact the Company and DPO:

Address: NR Instant Produce Public Company Limited 99/1 Moo 4, Khae Rai Sub-District, Krathum Baen District, Samut Sakhon, 74110

E-mail: DPO@nrinstant.com

Telephone Number: 034849576-80

11. Applicable Law

You acknowledge and accept that this Privacy Policy is governed and construed in accordance with laws of Thailand. Any dispute arising out of or in connection with this Privacy Policy shall be submitted to the exclusive jurisdiction of the courts of Thailand.

This Privacy has been approved by the Board of Directors Meeting No. 9/2025 held on 15 May 2025 and effective on 16 May 2025 onwards.

Announcements on 16 May 2025.

Privacy Policy For Customer

NR Instant Produce Public Company Limited (hereinafter referred to as “Company”) emphasizes the utmost importance of protection the Personal Data of Customer and people representing or act on behalf of Customer, including but not limited to executive, shareholder, authorized director, attorney-in-fact, substitute attorney-in-fact, employee, staff, and the representative of juristic person. (“you”) To ensure that the collection, use, and/or disclosure of your Personal Data is in adherence with the Personal Data Protection Act B.E. 2562, the Company hereby established this Privacy Policy to inform you of your rights, duties, and the Company’s practice in collect, use and/or disclosure of Personal Data.

1. Definition

Vocabulary Definition
Personal Data Protection Law Personal Data Protection Act B.E. 2562 and any further amendment, including any relevant Rule, Regulation, and Order related to Personal Data protection
Personal Data any information relating to a Person, which enables the identification of such Person, whether directly or indirectly, but not including the notification of the deceased Persons in particular
Sensitive Personal Data Personal Data relating to race, ethnicity, political opinion, belief, religion or philosophy, sexual orientation, criminal record, health information, disability, labour union information, genetic data, biometric data (such as facial scan, iris scan, fingerprint scan) or any other data which may impact the Data Subject in a similar manner, as prescribed by the Personal Data Protection Committee
Data Subject a person who has been identified by the Personal Data, whether directly or indirectly
Data Processing/process any operation performed on the Personal Data or set of the Personal Data, whether automated or not, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consideration, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction
Privacy Policy This Privacy Policy For Customer
Customer(s) natural person or juristic person that the Company targets for sale of Company’s products or services, irrespective of whether a purchase has been made or is expected to make a purchase, including any other similar person, such as event participants, service requesters, website users, and survey respondents

2. Type of Personal Data the Company Collected

The Company will collect and store Personal Data in a legitimate manner and only to the extent necessary for the Company’s business operation as follows:

Type Example of Personal Data
Specific Personal Information and Information Relating to Personal Characteristics Title, First Name, Family Name, Age, Birth Data, Sex, Nationality, National Identification Number, Taxpayer Identification Number, Picture, Signature
Contact Information Address, E-mail, Mobile Number, Workplace, Line ID
Information Relating to Educational Backgrounds and Work Experience Department, Position
Financial Information Salary, Bank Account Number
Information used as Evidence for Legal Transaction Business Card, Copy of Personal Identification Card
Technical Information IP Address, MAC Address
Others
  • Image, Video Recording, and Audio Recordings captured by the Company’s recording device
  • Image, Video Recording, and Audio Recording captured by CCTV

Generally, the Company does not intend to process Sensitive Personal Data, such as religious belief or blood type information appeared on your personal identification card. If you provide the Company with your copy of your personal identification card containing such data, the Company kindly request you to redact such data before submitting to the Company. Should you failed to redact the aforementioned data, it is deemed that you consent to the Company to redact such data on your behalf.

3. Source of Personal Data

The Company may collect your Personal Data from various source as follows:

Type Example of Source of Personal Data
Personal Data obtained directly from you
  • Data appeared in any business contracts
  • Data appeared in other documents, such as quotations or business cards
  • Data provided through the completion of documents or online forms
  • Communication and Interaction records with the Company, in any format or method, such as telephone calls, video calls, e-mail, SMS, or postal mail
  • Data used to register for creating an account or profile with the Company for communication through both offline and online channels
Personal Data obtained automatically
  • Image, Video Recording, and Audio Recording captured by CCTV within the Company’s premises
  • Technical Information obtained from accessing the Company’s Information technology systems
Personal Data obtained from other sources or third-person
  • Other department within the Company
  • Your employer or affiliated organization
  • Related person or representatives, such as authorized persons, employees, staff, and agents
  • Data from the Company’s service providers

In the event that you agree and consent to giving Personal Data relating to a third person, you warrant and represent that such Personal Data is accurate and you have fully informed of this Privacy Policy to the third person.

4. Purpose & Lawful Basis for Data Processing

The Company will process your Personal Data for various purposes, applying lawful basis as appropriate as follows:

No Lawful Basis Description
1 Performance of Contract necessity for the Company to perform contractual obligations to which you are a party to the Contract with the Company, including any preliminary action undertaken at your request prior to entering into the contract
2 Legitimate Interest necessity for the Company to operate under the Company’s legitimate interests within reasonable expectations of the Data Subject and without unduly infringing on the rights and freedoms of the Data Subject
3 Legal Obligation necessity for compliance with the law, regulations, or order issued by the regulatory authorities overseeing the Company
4 Vital Interest an operation to protect vital interest of Data Subject, such as prevention or suppression of danger to a Data Subject’s life, body, and health.
5 Consent in the event that the Company must process your Personal Data or Sensitive Personal Data which cannot rely on the aforementioned lawful basis, the Company will explicitly notify you and request your consent specifically.
No Purpose Lawful Basis
1 Facilitating communication and undertake any necessary operations, including completing internal procedures prior to entering into contract with you, such as preparing quotations and customer registration
  • Performance of Contract
  • Legitimate Interest
2 Performing contractual obligation, process purchase orders, and discolose information to third parties as required for such purposes, including coordinating with you, invoicing for goods and services, and providing after-sales services
  • Performance of Contract
  • Legitimate Interest
3 Carrying our activities related to the Company’s business operations, performing contractual obligation between the Company and you, and engaging with external party for purposes related to contractual agreements
  • Performance of Contract
  • Legitimate Interest
4 Conducting marketing activity, facilitating communication about marketing initiatives that align with your needs, presenting marketing materials and product and service information, including mange activities related to customer service and promotional campaigns Consent
5 Collecting and analyzing your behavior data and conduct satisfaction surveys as a basis for relationship management, improving services, and designing marketing activities that align more closely with your needs Consent
6 Collecting communication in a database for ongoing correspondence and creating future business opportunities, including facilitating coordination and communication related to the Company Legitimate Interest
7 Complying with applicable laws governing the Company’s operation, such as issuing withholding tax certificates, generating tax invoices, and disclosing financial data to auditors Legal Obligation
8 Managing information technology systems, including performing data backups, recording access logs, and monitoring data traffic within the Company's information technology infrastructure
  • Legitimate Interest
  • Legal Obligation
9 Ensuring safety and prevent danger to your life, body, health and your property within and around the Company’s premises, such as oversight through CCTV
  • Legitimate Interest
  • Vital Interest
10 Establishing, exercising, or defending of legal claims, including but not limited to litigation, enforcement proceedings, or other actions under legal proceedings Legitimate Interest
11 Complying with applicable laws, regulations, and requirements, both domestic and international, as well as to achieve legitimate orders by authorized government agents or government officials, including performing actions required under legal proceedings Legal Obligation
12 Managing risks, monitoring, investigating, and reporting on financial crimes, fraud, misconduct, and other criminal activities Legitimate Interest

5. Disclosure of Personal Data

  1. 5.1 To achieve the Company’s purpose as prescribed in this Privacy Policy, the Company may disclose your Personal Data to internal and external party as follows:

Internal Departments and Affliates: the Company may disclose your Personal Data to its personnel and internal departments, including executives, supervisors, employees, and affiliates. However, such disclosure will be strictly limited to those directly involved and necessary for processing Personal Data.

Trade Partners the Company may disclose your Personal Data to trade partners for purposes related to the Company’s operational management. This may include agents or authorized representatives of such organizations, such as banks, financial institutions, or insurance companies.

Service Provider the Company may engage in external service providers (Outsource) to act on its behalf or support its business operations and customer services. This may include agents, contractors, and subcontractors of these service providers, such as website and IT management providers, logistics service providers, and public relations service providers.

Professional Consultants the Company may disclose your Personal Data to auditors, corporate governance inspectors, consultants, professional service providers, and other experts, both internal and external, to support the Company’s business operations.

Government Authority the Company may disclose your Personal Data to government agents, regulatory bodies overseeing the Company, or other authorized agent as required by law. This includes, but not limited to, the Revenue Department, Customs Department, Excise Department, Royal Thai Police, Office of the Personal Data Protection Committee, Courts, and authorized government officials such as police officers or public prosecutors.

Public Media the Company may disclose Personal Data as necessary to achieve its objectives on public platforms, whether in an informational or non-informational format, where it is accessible to the general public. These platforms may include social media channels, the Company’s communication channels, or websites of relevant government authorities.

  1. 5.2 The Company will assign the receipients of your Personal Data to implement appropriate security measures to safeguard Personal Data and to process your Personal Data only to the extent necessary. The Company will undertake actions to prevent unauthorized or unlawful Data Processing and will ensure that such Data Processing is carried out in strict adherence to the purpose as prescribed in this Privacy Policy or Personal Data Protection Law. In the event that the consent is required to process your Personal Data according to the Personal Data Protection Law, the Company will explicitly notify you and request your consent specifically.

6. International Transfer of Personal Data

  1. 6.1 To achieve the Company’s purpose as prescribed in this Privacy Policy, the Company may transfer Personal Data to the receipients located in foreign country. Nonetheless, if there exists any necessity for the Company to transfer Personal Data to the receipients located in foreign country, the Company will explicitly notify you and request your consent specifically.
  2. 6.2 In transferring such Personal Data, the Company will implement appropriate security measures and will comply with Personal Data Protection Law, whereby the Company will undertake measures to ensure that the destination country or international organization receiving Personal Data has adequate Personal Data protection standards or in adherence with other law.
  3. 6.3 The Company may store your Personal Data on computers, servers, or cloud, provided by third parties, and may utilize third-party program or applicavation in the form of software as a service and platform as a service for processing your Personal Data. In this regard, the Company will not permit unauthorized person to access Personal Data and require such third parties to implement appropriate security measures for safeguarding Personal Data.

7. Personal Data Retention Period

  1. 7.1 The Company will retain your Personal Data for a period necessary to achieve the purpose in Data Processing, taking into account the criteria used to determine the retention period, including the duration of the Company’s relationship with you and the practices for each type of Personal Data. Generally, the Company will retain your Personal Data for a period not exceeding 10 years from the date of termination of the customer’s relationship.
  2. 7.2 Upon expiration of the aforementioned period or when it is no longer necessary to retain your Personal Data, the Company will promptly erase, destroy, or anonymize your Personal Data. Nonetheless, the Company may retain all or part of your Personal Data exceeding the aforementioned period for compliance with laws or legitimate orders.
  3. 7.3 The Company has implemented an audit system to implement the erasure, destruction, or anonymization of such Personal upon expiration of the retention period or when processing of such data is no longer necessary.

8. Data Processing Under Original Purpose

The Company reserves the right to process your Personal Data collected prior to the effective date of the Personal Data Protection Act B.E. 2562, for the original purpose for which it was collected. If you no longer wish the Company to process your Personal Data, you may withdraw your consent at any time, subject to the clause 10.2.

9. Security Measures of Personal Data

  1. 9.1 The Company has implemented appropriate security measures, including administrative measures, technical measures, and physical measures, to maintain the confidentiality, integrity, and availability of Personal Data to prevent loss, access, use, modification, alteration, or disclosure of Personal Data by unauthorized persons or those who do not have relevant duties concerning such Personal Data.
  2. 9.2 The Company has strictly enforced security measures within the Company, utilizing security technologies and procedures, such as implementing access control measures and data use measures by establishing data access rights, authorization rights for designated persons to access data, as well as implementing measures for audit trail monitoring to ensure that only authorized persons can access your Personal Data and such authorized persons have been trained and are aware of the importance of Personal Data security.
  3. 9.3 The Company will conduct review of such security measures, including improving and developing such measures to reflect necessity or change in technology to ensure the effectiveness of Personal Data security.

10. Data Subject Rights and Exercise of Rights

  1. 10.1 Under Personal Data Protection Law, you, as a Data Subject, have the following rights:
Data Subject Rights Description
Right to withdraw consent
  • If you consent to the Company to process your Personal Data, you has right to withdraw consent at any time that the Personal Data is retained at the Company, unless there is any legal restrictions or contraty to the contract that benefits you.
  • Nonetheless, the withdrawal of consent may affect certain benefits you are entitled to. To safeguard your interests, the Company encourages you to review and inquire about the consequences of withdrawing your consent.
Right to access and retrieve a copy of data
  • You have the right to access and obtain copy of your Personal Data, including to inquire the Company to dosclode of the source of Personal Data that you did not consent.
  • Unless the Company is subjected to the law or the court’s order or it violates the rights and freedoms of other people.
Right to data portability
  • You have the right to request for Personal Data in an easily accessible and intelligible form using automated tools or equipment and in the format that can be used or disclosed using automated tools or equipment and may request a transfer of such Personal Data to other Data Controller in such format if feasible
  • Unless
    • it is not feasible due to technical reasons;
    • it is a performance carried out in the public interest;
    • it is for compliance with the law; or
    • it violates the rights and freedoms of other people
Right to object to Data Processing You have the right to object to Data Processing in the event that the Company process Personal Data
  • for the necessary legitimate interests of the Company or any other person;
  • for the purpose of direct marketing; or
  • for the purpose of scientific, historical or statistic research
Nonetheless, if you object to Data Processing, the Company will continue processing your Personal Data to the extent that
  • there exists a compelling legitimate ground that is more important than your privacy;
  • it is carried out for the establishment, compliance or exercise of legal claims, or defense of legal claims; or
  • it is necessary for a performance carried out in the public interest
Right to erasure/Right to be forgotten You have the right to request the Company to erase, destroy, or anonymize your Personal Data in the following circumstances:
  • You believe that the Company has unlawfully processed your Personal Data
  • You believe that the Company cease the necessity to retain your Personal Data according to the Company’s purpose as prescribed in this Privacy Policy; or
  • You have exercised right to withdraw consent or right to object to Data Processing as aforementioned
Right to restriction of Data Processing You have the right to request the Company to restrict Data Processing in the following circumstances:
  • The Company is pending examination process in accordance with the request to exercise rights to rectification,
  • It is Personal Data which must be erased or destroyed, but you request to restrict Data Processing instead, or
  • The Company is pending examination process in accordance with the request to exercise rights to object to Data Processing
Right to rectification You have the right to request the Company to rectify your Personal Data to be accurate, up to date, complete, and not cause any misleading.
Right to lodge a complaint You have the right to lodge a complaint to the Company or to the competent authority where you believe that the Company’s Data Processing is not in adherence with Personal Data Protection Law.
  1. 10.2 You may exercise your aforementioned rights at any time by contacting through channel specified in clause 10. to request to exercise Data Subject’s rights.
  2. 10.3 The exercise of such rights may be restricted under Personal Data Protection Law or other relevant law, and there may exist certain circumstances where the Company has necessary grounds to reject or unable to proceed with your application. In such case, the Company will notify you of the reasons for rejection together with the response to such application.

11. Withdrawal of Consent & Consequence from Withdrawal

  1. 11.1 In the event that the Company processes Personal Data based on consent, you, as a Data Subject, have the right to withdraw the consent given to the Company at any time. Such withdrawal of consent will not affect any legitimate Data Processing based on your consent given prior to its withdrawal.
  2. 11.2 If you withdraw the consent previously given to the Company or refuse to provide information to the Company, whether in whole or in part, it may result in the Company's inability to achieve the Company’s purpose as prescribed in this Privacy Policy, whether in whole or in part.

12. Personal Data of a Minor, Incompetent Person, or Quasi-Incompetent Person

  1. 12.1 If you are a minor, an incompetent person, or a quasi-incompetent person, and with to consent the Company to process your Personal Data, you must obtain consent from your legal representative, guardian, or curator, as the case maybe, prior to giving consent to the Company.
  2. 12.2 In the event that the Company is required to obtain consent from a legal representative, guardian, or curator, as the case may be, for processing Personal Data of a minor, an incompetent person, or a quasi-incompetent person, but the Company was unaware of such facts at the time of Data Processing and subsequently becomes aware that the Company has processed such Personal Data without obtaining the aforementioned consent, the Company will promptly erase, destroy, or anonymize the Personal Data of such minor, incompetent person, or quasi-incompetent person, unless the Company can process such Personal Data based on other lawful basis that do not require consent.

13. Amendment to Privacy Policy

The Company may update this Privacy Policy from time to time to reflect changes in our practices or changes in circumstances. In the event of any material amendment to this Privacy Policy, the Company will notify you of the amendment. The Company encourages you to review this Privacy Policy periodically.

14. Contact Us

Should you have any inquiries regarding this Privacy Policy, or would like further information about the Company's data protection practices, or to exercise your rights as a Data Subject, please contact us at the following channels:

Contact the Company and DPO:

Address: NR Instant Produce Public Company Limited 99/1 Moo 4, Khae Rai Sub-District, Krathum Baen District, Samut Sakhon, 74110

E-mail: DPO@nrinstant.com

Telephone Number: 034849576-80

15. Applicable Law

You acknowledge and accept that this Privacy Policy is governed and construed in accordance with laws of Thailand. Any dispute arising out of or in connection with this Privacy Policy shall be submitted to the exclusive jurisdiction of the courts of Thailand.

This Privacy has been approved by the Board of Directors Meeting No. 9/2025 held on 15 May 2025 and effective on 16 May 2025 onwards.

Announcements on 16 May 2025.

Privacy Policy For Employee, Intern, and Job Applicant

NR Instant Produce Public Company Limited (hereinafter referred to as “Company”) emphasizes the utmost importance of protection the Personal Data of employee, intern, and job applicant. (“you”) To ensure that the collection, use, and/or disclosure of your Personal Data is in adherence with the Personal Data Protection Act B.E. 2562, the Company hereby established this Privacy Policy to inform you of your rights, duties, and the Company’s practice in collect, use and/or disclosure of Personal Data.

1. Definition

Vocabulary Definition
Personal Data Protection Law Personal Data Protection Act B.E. 2562 and any further amendment, including any relevant Rule, Regulation, and Order related to Personal Data protection
Personal Data any information relating to a Person, which enables the identification of such Person, whether directly or indirectly, but not including the notification of the deceased Persons in particular
Sensitive Personal Data Personal Data relating to race, ethnicity, political opinion, belief, religion or philosophy, sexual orientation, criminal record, health information, disability, labour union information, genetic data, biometric data (such as facial scan, iris scan, fingerprint scan) or any other data which may impact the Data Subject in a similar manner, as prescribed by the Personal Data Protection Committee
Data Subject any operation performed on the Personal Data or set of the Personal Data, whether automated or not, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consideration, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction
Privacy Policy This Privacy Policy For Employee, Intern, and Job Applicant
Job Applicant(s) any person of Thai nationality or foreign nationality who applies for employment as a permanent employee, temporary employee or intern, working for the Company, as the case may be, whether such job application is submitted directly by the Job Applicant, through internal company recruitment, through referral by any other person, or through the operation of an employment service provider
Employee(s) Job Applicant who has been selected to enter into a contract to work for the Company as a permanent employee, temporary employee , employee during probationary period, or intern, and receive wage calculated on a monthly, daily, hourly, or price-rate basis, or calculated by other means, or as otherwise agreed between the Company and such Employee

2. Type of Personal Data the Company Collected

The Company will collect and store Personal Data in a legitimate manner and only to the extent necessary for the Company’s business operation as follows:

Type Example of Personal Data
Specific Personal Information and Information Relating to Personal Characteristics First Name, Family Name, Sex, Nationality, Age, National Identification Number, Alien Identification Number, Taxpayer Identification Number, Signature, Photo, Marriage Status, First Name & Family Name of Father & Mother
Contact Information Address, Mobile Number, E-mail, Name of the company
Information Relating to Educational Backgrounds and Work Experience Education Background, Degree, Academic Qualifications, Training Background, Employee ID, Position, Department, Length of Service, Data and Time of Work Attendance, Employment Commencement Date, Performance Evaluation Score, Attendance Record, Reason for Resignation
Financial Information Wage Rate, Salary, Bank Account Number
Information used as Evidence for Legal Transaction Copy of Personal Identification Card, Copy of Bank Account, Vehicle Registration Number, Copy of Passport, Visa Documents, Work Permit, Alien Identification Card, Alien Work Permit Receipt, Copy of Disabled Person Idenficiation Card
Technical Information IP Address, MAC Address
Sensitive Personal Data Height, Weight, Wound Details, Disease Details, Medical Information, Medical Certificate, Health Examination Result, Underlying Disease, Disability Information, Criminal Record, Sexual Orientation, Fingerprint
Others
  • Image, Video Recording, and Audio Recordings captured by the Company’s recording device
  • Image, Video Recording, and Audio Recording captured by CCTV

Generally, the Company does not intend to process Sensitive Personal Data, such as religious belief or blood type information appeared on your personal identification card. If you provide the Company with your copy of your personal identification card containing such data, the Company kindly request you to redact such data before submitting to the Company. Should you failed to redact the aforementioned data, it is deemed that you consent to the Company to redact such data on your behalf.

3. Source of Personal Data

The Company may collect your Personal Data from various source as follows:

Type Example of Source of Personal Data
Personal Data obtained directly from you
  • Data appeared during recruitment process
  • Data appeared in any relevant contract or documents, any government documents
  • Data provided through the completion of documents or online forms
  • Process undertaken during recruitment process or any other process during your tenure as an Employee
  • Communication and Interaction records with the Company, in any format or method, such as telephone calls, video calls, e-mail, SMS, or postal mail
  • Data used to register for creating an account or profile with the Company for communication through both offline and online channels
Personal Data obtained automatically
  • Image, Video Recording, and Audio Recording captured by CCTV within the Company’s premises
  • Technical Information obtained from accessing the Company’s information technology systems
Personal Data obtained from other sources or third-person
  • Other department within the Company
  • Your employer or affiliated organization
  • Employment Service Provider
  • Information from government agents
  • Infirmary

In the event that you agree and consent to giving Personal Data relating to a third person, you warrant and represent that such Personal Data is accurate and you have fully informed of this Privacy Policy to the third person.

4. Purpose & Lawful Basis for Data Processing

The Company will process your Personal Data for various purposes, applying lawful basis as appropriate as follows:

No Lawful Basis Description
1 Performance of Contract necessity for the Company to perform contractual obligations to which you are a party to the Contract with the Company, including any preliminary action undertaken at your request prior to entering into the contract
2 Legitimate Interest necessity for the Company to operate under the Company’s legitimate interests within reasonable expectations of the Data Subject and without unduly infringing on the rights and freedoms of the Data Subject
3 Legal Obligation necessity for compliance with the law, regulations, or order issued by the regulatory authorities overseeing the Company
4 Vital Interest an operation to protect vital interest of Data Subject, such as prevention or suppression of danger to a Data Subject’s life, body, and health.
5 Consent in the event that the Company must process your Personal Data or Sensitive Personal Data which cannot rely on the aforementioned lawful basis, the Company will explicitly notify you and request your consent specifically.

If you are a Job Applicant, the Company will process your Personal Data for the following purposes and lawful basis as follows:

No Purpose Lawful Basis
1 Undertaking the necessary actions for evaluating and selecting Job Applicants, assessing their suitability for the positions required by the Company, and considering their employment as the Company's Employee, including recruitments, testing, interviews, assessments, and extending employment offers to candidates. Performance of Contract
2 Conducting background and qualification checks prior to employment including verifying essential information necessary for the Company's decision-making process regarding employment and the execution of employment contracts Performance of Contract
3 Facilitating the Company’s internal management processes related to recruitment activities, such as sharing your information or reports with decision-makers, completing internal procedures prior to entering into contracts, and carrying out other essential preparations for onboarding new employees. Performance of Contract
4 Ensuring safety and prevent danger to your life, body, health and your property within and around the Company’s premises, such as oversight through CCTV
  • Legitimate Interest
  • Vital Interest

If you are an Employee, the Company will process your Personal Data for the following purposes and lawful basis as follows:

No Description Lawful Basis
1 Entering into employment contracts as requested by you or to perform contractual obligations where you are the party to the contract, such as preparing employment contracts and agreements, ensuring compliance with Company policies, organizing internal and external training, evaluating job performance, and considering remuneration and benefits
  • Performance of Contract
  • Legitimate Interest
2 Registering Employees, preparing Employee identification cards, maintain Employee records, and manage information technology systems, such as creating usernames, passwords, and e-mail accounts, as well as provisioning necessary equipment such as computers and other tools to ensure that you are adequately prepared to perform their duties
  • Performance of Contract
  • Legitimate Interest
3 Processing the issuance or renewal of visas, work permits, and other work- related permits for you, including the issuance of alien identification cards (pink cards), retention of work permit information, and preparation of Certificates of Identity and other work-related documents as required by law Legal Obligation
4 Collecting health-related data, including pre-employment medical examination results, for assessing suitability for the positions
  • Performance of Contract
  • Consent
5 Conducting criminal background checks for the evaluation of qualifications and suitability for specific positions Consent
6 Collecting data regarding disabilities for the purposes of labor protection, performance evaluation of disabled Employees, and submission of performance evaluation reports Legal Obligation
7 Collecting fingerprint scan data for recording access to restricted Company areas, identity verification, ensuring internal security, and preventing criminal activities Consent
8 Managing social security administration, including registering and de-registering insured persons, managing provident funds, and administering your tax matters, such as preparing supporting documents for accounting purposes (e.g., petty cash vouchers, tax invoices, and other tax deduction documents) Legal Obligation
9 Managing salaries, wages, compensation, bonuses, overtime pay, housing allowances, travel expenses, and your benefits, in addition to processing related compensation considerations, such as leave requests, overtime records, and attendance verification through timekeeping systems or fingerprint scan data
  • Performance of Contract
  • Legal Obligation
  • Consent
10 Providing you appropriate welfare benefits, such as health insurance, expressway cards, fuel cards, annual health check-ups, health screenings for at-risk groups, medical care, a loan for residential purposes, and welfare provisions for employee who is an alien, such as assisting in opening bank accounts for foreign nationals
  • Legitimate Interest
  • Consent
11 Appointing personnel for occupational safety roles, including Professional Safety Officers, Safety Officers at the Management Level, Safety Officers at the Supervisor Level, the Committee of Occupational Safety, Health and Environment of the Company, and other safety-related units Legal Obligation
12 Organizing training programs, seminars, and meetings for the development of the Company’s personnel, in addition to off-site activities such as corporate social responsibility (CSR) initiatives and recreational activities Legitimate Interest
13 Capturing image or video recordings of various activities, including ceremonial events, general event settings, and activities conducted within and outside the Company, as well as personalized or individual photography
  • Legitimate Interest
  • Consent
14 Engaging with the government agents, grants authorization, carrying out labor-related processes, and submitting information to government systems, such as the electronic public service system of the Department of Skill Development under the Ministry of Labour
  • Legitimate Interest
  • Legal Obligation
15 Evaluating the performance of employee during probationary period to determine their eligibility for permanent employees, assessing the performance of interns, and assessment of promotions, compensation adjustments, and additional benefits
  • Performance of Contract
  • Legal Obligation
16 Ensuring safety within production processes, manage measures for accident and hazard prevention and mitigation, and oversee other processes related to emergencies or risks to the life or body of Employees Legitimate Interest
17 Managing information technology systems, including creating user accounts, performing data backups, recording access logs, and monitoring data traffic within the Company's information technology infrastructure
  • Legitimate Interest
  • Legal Obligation
18 Preventing and suppressing danger to your life, body, and health such as emergency contact, hospital transfers, recording travel history, and implementing disease control measures
  • Legitimate Interest
  • Legal Obligation
  • Vital Interest
19 Managing risk, implementing internal controls, overseeing the administration of the Company and its affiliates, ensuring adherence to good corporate governance practices, internal and external auditing, including coordination with service providers responsible for governance and compliance oversight for the Company and its affiliates
  • Legitimate Interest
  • Legal Obligation
20 Ensuring safety and prevent danger to your life, body, health and your property within and around the Company’s premises, such as oversight through CCTV
  • Legitimate Interest
  • Vital Interest
21 Establishing, exercising, or defending of legal claims, including but not limited to litigation, enforcement proceedings, or other actions under legal proceedings Legitimate Interest
22 Complying with applicable laws, regulations, and requirements, both domestic and international, as well as to achieve legitimate orders by authorized government agents or government officials, including performing actions required under legal proceedings Legal Obligation

5. Disclosure of Personal Data

  1. 5.1 To achieve the Company’s purpose as prescribed in this Privacy Policy, the Company may disclose your Personal Data to internal and external party as follows:

Internal Departments and Affliates the Company may disclose your Personal Data to its personnel and internal departments, including executives, supervisors, employees, and affiliates. However, such disclosure will be strictly limited to those directly involved and necessary for processing Personal Data.

Trade Partners the Company may disclose your Personal Data to trade partners for purposes related to the Company’s operational management. This may include agents or authorized representatives of such organizations, such as banks, financial institutions, insurance companies, or infirmary.

Service Provider the Company may engage in external service providers (Outsource) to act on its behalf or support its business operations and customer services. This may include agents, contractors, and subcontractors of these service providers, such as website and IT providers, event organizers.

Professional Consultants the Company may disclose your Personal Data to auditors, corporate governance inspectors, consultants, professional service providers, and other experts, both internal and external, to support the Company’s business operations.

Government Authority the Company may disclose your Personal Data to government agents, regulatory bodies overseeing the Company, or other authorized agent as required by law. This includes, but not limited to, the Social Security Office, Department of Employment, Department of Skill Development, Office of Social Development and Human Security, the Revenue Department, Royal Thai Police, Office of the Personal Data Protection Committee, Courts, and authorized government officials such as police officers or public prosecutors.

  1. 5.2 The Company will assign the receipients of your Personal Data to implement appropriate security measures to safeguard Personal Data and to process your Personal Data only to the extent necessary. The Company will undertake actions to prevent unauthorized or unlawful Data Processing and will ensure that such Data Processing is carried out in strict adherence to the purpose as prescribed in this Privacy Policy or Personal Data Protection Law. In the event that the consent is required to process your Personal Data according to the Personal Data Protection Law, the Company will explicitly notify you and request your consent specifically.

6. International Transfer of Personal Data

  1. 6.1 To achieve the Company’s purpose as prescribed in this Privacy Policy, the Company may transfer Personal Data to the receipients located in foreign country. Nonetheless, if there exists any necessity for the Company to transfer Personal Data to the receipients located in foreign country, the Company will explicitly notify you and request your consent specifically.
  2. 6.2 In transferring such Personal Data, the Company will implement appropriate security measures and will comply with Personal Data Protection Law, whereby the Company will undertake measures to ensure that the destination country or international organization receiving Personal Data has adequate Personal Data protection standards or in adherence with other law.
  3. 6.3 The Company may store your Personal Data on computers, servers, or cloud, provided by third parties, and may utilize third-party program or applicavation in the form of software as a service and platform as a service for processing your Personal Data. In this regard, the Company will not permit unauthorized person to access Personal Data and require such third parties to implement appropriate security measures for safeguarding Personal Data.

7. Data Retention Period

  1. 7.1 The Company will retain your Personal Data for a period necessary to achieve the purpose in Data Processing, taking into account the criteria used to determine the retention period, including the duration of the Company’s relationship with you and the practices for each type of Personal Data. Generally, the Company will retain your Personal Data for a period as follows:
Data Subject Data Retention Period
Job Applicant who does not get selected to work for the Company, irrespective of the reasons, such as the Company rejects or Job Applicant rejects the offer Not exceeding 6 months from the interview date
Employee who is an intern Not exceeding 5 years from the date of termination of internship period
Employee who is not an intern and receive wage calculated on monthly-rate basis For the duration of employment, and for a period of up to 10 years after the termination of the employment
Employee who is not an intern and receive wage calculated on daily-rate basis For the duration of employment, and for a period of up to 2 years after the termination of the employment
  1. 7.2 Upon expiration of the aforementioned period or when it is no longer necessary to retain your Personal Data, the Company will promptly erase, destroy, or anonymize your Personal Data. Nonetheless, the Company may retain all or part of your Personal Data exceeding the aforementioned period for compliance with laws or legitimate orders.
  2. 7.3 The Company has implemented an audit system to implement the erasure, destruction, or anonymization of such Personal upon expiration of the retention period or when processing of such data is no longer necessary.

8. Data Processing Under Original Purpose

The Company reserves the right to process your Personal Data collected prior to the effective date of the Personal Data Protection Act B.E. 2562, for the original purpose for which it was collected. If you no longer wish the Company to process your Personal Data, you may withdraw your consent at any time, subject to the clause 10.2.

9. Security Measures of Personal Data

  1. 9.1 The Company has implemented appropriate security measures, including administrative measures, technical measures, and physical measures, to maintain the confidentiality, integrity, and availability of Personal Data to prevent loss, access, use, modification, alteration, or disclosure of Personal Data by unauthorized persons or those who do not have relevant duties concerning such Personal Data.
  2. 9.2 The Company has strictly enforced security measures within the Company, utilizing security technologies and procedures, such as implementing access control measures and data use measures by establishing data access rights, authorization rights for designated persons to access data, as well as implementing measures for audit trail monitoring to ensure that only authorized persons can access your Personal Data and such authorized persons have been trained and are aware of the importance of Personal Data security.
  3. 9.3 The Company will conduct review of such security measures, including improving and developing such measures to reflect necessity or change in technology to ensure the effectiveness of Personal Data security.

10. Data Subject Rights and Exercise of Rights

  1. 10.1 Under Personal Data Protection Law, you, as a Data Subject, have the following rights:
Data Subject Rights Description
Right to withdraw consent
  • If you consent to the Company to process your Personal Data, you has right to withdraw consent at any time that the Personal Data is retained at the Company, unless there is any legal restrictions or contraty to the contract that benefits you.
  • Nonetheless, the withdrawal of consent may affect certain benefits you are entitled to. To safeguard your interests, the Company encourages you to review and inquire about the consequences of withdrawing your consent.
Right to access and retrieve a copy of data
  • You have the right to access and obtain copy of your Personal Data, including to inquire the Company to dosclode of the source of Personal Data that you did not consent.
  • Unless the Company is subjected to the law or the court’s order or it violates the rights and freedoms of other people.
Right to data portability
  • You have the right to request for Personal Data in an easily accessible and intelligible form using automated tools or equipment and in the format that can be used or disclosed using automated tools or equipment and may request a transfer of such Personal Data to other Data Controller in such format if feasible.
  • Unless
    • it is not feasible due to technical reasons;
    • it is a performance carried out in the public interest;
    • it is for compliance with the law; or
    • it violates the rights and freedoms of other people
Right to object to Data Processing You have the right to object to Data Processing in the event that the Company process Personal Data
  • for the necessary legitimate interests of the Company or any other person;
  • for the purpose of direct marketing; or
  • for the purpose of scientific, historical or statistic research
Nonetheless, if you object to Data Processing, the Company will continue processing your Personal Data to the extent that
  • there exists a compelling legitimate ground that is more important than your privacy;
  • it is carried out for the establishment, compliance or exercise of legal claims, or defense of legal claims; or
  • it is necessary for a performance carried out in the public interest
Right to erasure/Right to be forgotten You have the right to request the Company to erase, destroy, or anonymize your Personal Data in the following circumstances:
  • You believe that the Company has unlawfully processed your Personal Data
  • You believe that the Company cease the necessity to retain your Personal Data according to the Company’s purpose as prescribed in this Privacy Policy; or
  • You have exercised right to withdraw consent or right to object to Data Processing as aforementioned
Right to restriction of Data Processing You have the right to request the Company to restrict Data Processing in the following circumstances:
  • The Company is pending examination process in accordance with the request to exercise rights to rectification,
  • It is Personal Data which must be erased or destroyed, but you request to restrict Data Processing instead, or
  • The Company is pending examination process in accordance with the request to exercise rights to object to Data Processing
Right to rectification You have the right to request the Company to rectify your Personal Data to be accurate, up to date, complete, and not cause any misleading.
Right to lodge a complaint You have the right to lodge a complaint to the Company or to the competent authority where you believe that the Company’s Data Processing is not in adherence with Personal Data Protection Law.
  1. 10.2 You may exercise your aforementioned rights at any time by contacting through channel specified in clause 14. to request to exercise Data Subject’s rights.
  2. 10.3 The exercise of such rights may be restricted under Personal Data Protection Law or other relevant law, and there may exist certain circumstances where the Company has necessary grounds to reject or unable to proceed with your application. In such case, the Company will notify you of the reasons for rejection together with the response to such application.

11. Withdrawal of Consent & Consequence from Withdrawal

  1. 11.1 In the event that the Company processes Personal Data based on consent, you, as a Data Subject, have the right to withdraw the consent given to the Company at any time. Such withdrawal of consent will not affect any legitimate Data Processing based on your consent given prior to its withdrawal.
  2. 11.2 If you withdraw the consent previously given to the Company or refuse to provide information to the Company, whether in whole or in part, it may result in the Company's inability to achieve the Company’s purpose as prescribed in this Privacy Policy, whether in whole or in part.

12. Personal Data of a Minor, Incompetent Person, or Quasi-Incompetent Person

  1. 12.1 If you are a minor, an incompetent person, or a quasi-incompetent person, and with to consent the Company to process your Personal Data, you must obtain consent from your legal representative, guardian, or curator, as the case maybe, prior to giving consent to the Company.
  2. 12.2 In the event that the Company is required to obtain consent from a legal representative, guardian, or curator, as the case may be, for processing Personal Data of a minor, an incompetent person, or a quasi-incompetent person, but the Company was unaware of such facts at the time of Data Processing and subsequently becomes aware that the Company has processed such Personal Data without obtaining the aforementioned consent, the Company will promptly erase, destroy, or anonymize the Personal Data of such minor, incompetent person, or quasi-incompetent person, unless the Company can process such Personal Data based on other lawful basis that do not require consent.

13. Amendment to Privacy Policy

The Company may update this Privacy Policy from time to time to reflect changes in our practices or changes in circumstances. In the event of any material amendment to this Privacy Policy, the Company will notify you of the amendment. The Company encourages you to review this Privacy Policy periodically.

14. Contact Us

Should you have any inquiries regarding this Privacy Policy, or would like further information about the Company's data protection practices, or to exercise your rights as a Data Subject, please contact us at the following channels:

Contact the Company and DPO:

Address: NR Instant Produce Public Company Limited 99/1 Moo 4, Khae Rai Sub-District, Krathum Baen District, Samut Sakhon, 74110

E-mail: DPO@nrinstant.com

Telephone Number: 034849576-80

15. Applicable Law

You acknowledge and accept that this Privacy Policy is governed and construed in accordance with laws of Thailand. Any dispute arising out of or in connection with this Privacy Policy shall be submitted to the exclusive jurisdiction of the courts of Thailand.

This Privacy has been approved by the Board of Directors Meeting No. 9/2025 held on 15 May 2025 and effective on 16 May 2025 onwards.

Announcements on 16 May 2025.

Privacy Policy For Photography and Videography

NR Instant Produce Public Company Limited (hereinafter referred to as “Company”) emphasizes the utmost importance of protection the Personal Data of shareholders, directors, employees, interviewees/commentators, activity participants, award recipients, premises users, visitors, applicant to enter building, as well as customers, vendors, prospective vendors, and representatives of such persons. (“you”) To ensure that the collection, use, and/or disclosure of your Personal Data is in adherence with the Personal Data Protection Act B.E. 2562, the Company hereby established this Privacy Policy to inform you of your rights, duties, and the Company’s practice in collect, use and/or disclosure of Personal Data.

1. Definition

Vocabulary Definition
Personal Data Protection Law Personal Data Protection Act B.E. 2562 and any further amendment, including any relevant Rule, Regulation, and Order related to Personal Data protection
Personal Data any information relating to a Person, which enables the identification of such Person, whether directly or indirectly, but not including the notification of the deceased Persons in particular
Sensitive Personal Data Personal Data relating to race, ethnicity, political opinion, belief, religion or philosophy, sexual orientation, criminal record, health information, disability, labour union information, genetic data, biometric data (such as facial scan, iris scan, fingerprint scan) or any other data which may impact the Data Subject in a similar manner, as prescribed by the Personal Data Protection Committee
Data Subject a person who has been identified by the Personal Data, whether directly or indirectly
Data Processing/process any operation performed on the Personal Data or set of the Personal Data, whether automated or not, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consideration, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction
Privacy Policy This Privacy Policy For Photography and Videography

2. Type of Personal Data the Company Collected

  1. 2.1 The Company requires the processing of photographic data, whether it is an image or video recording, whereby your Personal Data may includes image or video recording of you during interviews, photographs of specific individuals during activities (individual photos), overview of activities or group photographs (group photos) upon completion of activities. Such data are stored electronically on the Company's recording device, which may include personal information of the Data Subject, such as first name, family name, position of the photo subject, and activity information, location, date, time appearing on the images.
  2. 2.2 In the event that image or video recording of you are recorded for commercial and/or public relations purpose, the Company will explicitly notify you and request your consent specifically when the Company has selected such image or video recording to disclose, disseminate, along with requesting permission to specify first name and family name to accompany such image or video recording for commercial and/or public relations purpose which the Company has obtained your consent.

3. Purpose & Lawful Basis for Data Processing

The Company will process your Personal Data for various purposes, applying lawful basis as appropriate as follows:

No Lawful Basis Description
1 Performance of Contract necessity for the Company to perform contractual obligations to which you are a party to the Contract with the Company, including any preliminary action undertaken at your request prior to entering into the contract
2 Legitimate Interest necessity for the Company to operate under the Company’s legitimate interests within reasonable expectations of the Data Subject and without unduly infringing on the rights and freedoms of the Data Subject
3 Consent in the event that the Company must process your Personal Data or Sensitive Personal Data which cannot rely on the aforementioned lawful basis, the Company will explicitly notify you and request your consent specifically.
No Lawful Basis Description
1 Capturing of image or video recording which is not personalized or individual photography, and overview image of the event, exhibition, activity during the event, training session, meeting, for the communication purpose and dissemination across various medic channels, including social media or the Company’s communication channels Legitimate Interest
2 Capturing of image or video recording which is personalized or individual photography, or using of first name and family name, or works associated with the person to accompany such image or video recording for appropriate business purpose and in adherence with the Company’s purpose Consent
3 Data Processing of photography or videography, first name, family name, and works associated with the person according to Photography or Videography license agreement, where compensation has been provided Performance of Contract
4 Capturing of image or video recording in case that the person is recorded as part of an award ceremony, either as a winner of a prize or as a selected recipient in any event Performance of Contract
5 Capturing of image or video recording as an evidence for identity verification, internal audit, or other Company’s legitimate purpose Legitimate Interest

4. Disclosure of Personal Data

  1. 4.1 To achieve the Company’s purpose as prescribed in this Privacy Policy, the Company may disclose your Personal Data to internal and external party as follows:

Internal Departments and Affliates the Company may disclose your Personal Data to its personnel and internal departments, including executives, supervisors, employees, and affiliates. However, such disclosure will be strictly limited to those directly involved and necessary for processing Personal Data.

Government Authority the Company may disclose your Personal Data to government agents, regulatory bodies overseeing the Company, or other authorized agent as required by law. This includes, but not limited to, Royal Thai Police, Office of the Personal Data Protection Committee, Courts, and authorized government officials such as police officers or public prosecutors.

Public Media the Company may disclose Personal Data as necessary to achieve its objectives on public platforms, whether in an informational or non-informational format, where it is accessible to the general public. These platforms may include social media channels, the Company’s communication channels, or websites of relevant government authorities.

  1. 4.2 The Company will assign the receipients of your Personal Data to implement appropriate security measures to safeguard Personal Data and to process your Personal Data only to the extent necessary. The Company will undertake actions to prevent unauthorized or unlawful Data Processing and will ensure that such Data Processing is carried out in strict adherence to the purpose as prescribed in this Privacy Policy or Personal Data Protection Law. In the event that the consent is required to process your Personal Data according to the Personal Data Protection Law, the Company will explicitly notify you and request your consent specifically.

5. International Transfer of Personal Data

  1. 5.1 Generally, the Company does not intend to transfer Personal Data from photography or videography to the receipients located in foreign country. Nonetheless, if there exists any necessity for the Company to transfer such Personal Data to the receipients located in foreign country, the Company will explicitly notify you and request your consent specifically.
  2. 5.2 In transferring such Personal Data, the Company will implement appropriate security measures and will comply with Personal Data Protection Law, whereby the Company will undertake measures to ensure that the destination country or international organization receiving Personal Data has adequate Personal Data protection standards or in adherence with other law.
  3. 5.3 In transferring such Personal Data, the Company will implement appropriate security measures and will comply with Personal Data Protection Law, whereby the Company will undertake measures to ensure that the destination country or international organization receiving Personal Data has adequate Personal Data protection standards or in adherence with other law.

6. Personal Data Retention Period

  1. 6.1 The Company will retain your Personal Data for a period necessary to achieve the purpose in Data Processing, taking into account the criteria used to determine the retention period, including the duration of the Company’s relationship with you and the practices for each type of Personal Data. Generally, the Company will retain your Personal Data for a period not exceeding 10 years from the date of collecting Personal Data.
  2. 6.2 Upon expiration of the aforementioned period or when it is no longer necessary to retain your Personal Data, the Company will promptly erase, destroy, or anonymize your Personal Data. Nonetheless, the Company may retain all or part of your Personal Data exceeding the aforementioned period for compliance with laws or legitimate orders.
  3. 6.3 The Company has implemented an audit system to implement the erasure, destruction, or anonymization of such Personal upon expiration of the retention period or when processing of such data is no longer necessary.

7. Data Processing Under Original Purpose

The Company reserves the right to process your Personal Data collected prior to the effective date of the Personal Data Protection Act B.E. 2562, for the original purpose for which it was collected. If you no longer wish the Company to process your Personal Data, you may withdraw your consent at any time, subject to the clause 9.2.

8. Security Measures of Personal Data

  1. 8.1 The Company has implemented appropriate security measures, including administrative measures, technical measures, and physical measures, to maintain the confidentiality, integrity, and availability of Personal Data to prevent loss, access, use, modification, alteration, or disclosure of Personal Data by unauthorized persons or those who do not have relevant duties concerning such Personal Data.
  2. 8.2 The Company has strictly enforced security measures within the Company, utilizing security technologies and procedures, such as implementing access control measures and data use measures by establishing data access rights, authorization rights for designated persons to access data, as well as implementing measures for audit trail monitoring to ensure that only authorized persons can access your Personal Data and such authorized persons have been trained and are aware of the importance of Personal Data security.
  3. 8.3 The Company will conduct review of such security measures, including improving and developing such measures to reflect necessity or change in technology to ensure the effectiveness of Personal Data security.

9. Data Subject Rights and Exercise of Rights

  1. 9.1 Under Personal Data Protection Law, you, as a Data Subject, have the following rights:
Data Subject Rights Description
Right to withdraw consent
  • If you consent to the Company to process your Personal Data, you has right to withdraw consent at any time that the Personal Data is retained at the Company, unless there is any legal restrictions or contraty to the contract that benefits you.
  • Nonetheless, the withdrawal of consent may affect certain benefits you are entitled to. To safeguard your interests, the Company encourages you to review and inquire about the consequences of withdrawing your consent.
Right to access and retrieve a copy of data
  • You have the right to access and obtain copy of your Personal Data, including to inquire the Company to disclose of the source of Personal Data that you did not consent.
Unless the Company is subjected to the law or the court’s order or it violates the rights and freedoms of other people.
Right to data portability
  • You have the right to request for Personal Data in an easily accessible and intelligible form using automated tools or equipment and in the format that can be used or disclosed using automated tools or equipment and may request a transfer of such Personal Data to other Data Controller in such format if feasible
  • Unless
    • it is not feasible due to technical reasons;
    • it is a performance carried out in the public interest;
    • it is for compliance with the law; or
    • it violates the rights and freedoms of other people
Right to object to Data Processing You have the right to object to Data Processing in the event that the Company process Personal Data
  • for the necessary legitimate interests of the Company or any other person;
  • for the purpose of direct marketing; or
  • for the purpose of scientific, historical or statistic research
Nonetheless, if you object to Data Processing, the Company will continue processing your Personal Data to the extent that
  • there exists a compelling legitimate ground that is more important than your privacy;
  • it is carried out for the establishment, compliance or exercise of legal claims, or defense of legal claims; or
it is necessary for a performance carried out in the public interest
Right to erasure/Right to be forgotten You have the right to request the Company to erase, destroy, or anonymize your Personal Data in the following circumstances:
  • You believe that the Company has unlawfully processed your Personal Data
  • You believe that the Company cease the necessity to retain your Personal Data according to the Company’s purpose as prescribed in this Privacy Policy; or
  • You have exercised right to withdraw consent or right to object to Data Processing as aforementioned
Right to restriction of Data Processing You have the right to request the Company to restrict Data Processing in the following circumstances:
  • The Company is pending examination process in accordance with the request to exercise rights to rectification,
  • It is Personal Data which must be erased or destroyed, but you request to restrict Data Processing instead, or
  • The Company is pending examination process in accordance with the request to exercise rights to object to Data Processing
Right to rectification You have the right to request the Company to rectify your Personal Data to be accurate, up to date, complete, and not cause any misleading
Right to lodge a complaint You have the right to lodge a complaint to the Company or to the competent authority where you believe that the Company’s Data Processing is not in adherence with Personal Data Protection Law.
  1. 9.2 You may exercise your aforementioned rights at any time by contacting through channel specified in clause 13. to request to exercise Data Subject’s rights
  2. 9.3 The exercise of such rights may be restricted under Personal Data Protection Law or other relevant law, and there may exist certain circumstances where the Company has necessary grounds to reject or unable to proceed with your application. In such case, the Company will notify you of the reasons for rejection together with the response to such application.

10. Withdrawal of Consent & Consequence from Withdrawal

  1. 10.1 In the event that the Company processes Personal Data based on consent, you, as a Data Subject, have the right to withdraw the consent given to the Company at any time. Such withdrawal of consent will not affect any legitimate Data Processing based on your consent given prior to its withdrawal.
  2. 10.2 If you withdraw the consent previously given to the Company or refuse to provide information to the Company, whether in whole or in part, it may result in the Company's inability to achieve the Company’s purpose as prescribed in this Privacy Policy, whether in whole or in part.

11. Personal Data of a Minor, Incompetent Person, or Quasi-Incompetent Person

  1. 11.1 If you are a minor, an incompetent person, or a quasi-incompetent person, and with to consent the Company to process your Personal Data, you must obtain consent from your legal representative, guardian, or curator, as the case maybe, prior to giving consent to the Company.
  2. 11.2 In the event that the Company is required to obtain consent from a legal representative, guardian, or curator, as the case may be, for processing Personal Data of a minor, an incompetent person, or a quasi-incompetent person, but the Company was unaware of such facts at the time of Data Processing and subsequently becomes aware that the Company has processed such Personal Data without obtaining the aforementioned consent, the Company will promptly erase, destroy, or anonymize the Personal Data of such minor, incompetent person, or quasi-incompetent person, unless the Company can process such Personal Data based on another lawful basis that do not require consent.

12. Amendment to Privacy Policy

The Company may update this Privacy Policy from time to time to reflect changes in our practices or changes in circumstances. In the event of any material amendment to this Privacy Policy, the Company will notify you of the amendment. The Company encourages you to review this Privacy Policy periodically.

13. Contact Us

Should you have any inquiries regarding this Privacy Policy, or would like further information about the Company's data protection practices, or to exercise your rights as a Data Subject, please contact us at the following channels:

Contact the Company and DPO:

Address: NR Instant Produce Public Company Limited 99/1 Moo 4, Khae Rai Sub-District, Krathum Baen District, Samut Sakhon, 74110

E-mail: DPO@nrinstant.com

Telephone Number: 034849576-80

14. Applicable Law

You acknowledge and accept that this Privacy Policy is governed and construed in accordance with the laws of Thailand. Any dispute arising out of or in connection with this Privacy Policy shall be submitted to the exclusive jurisdiction of the courts of Thailand.

This Privacy has been approved by the Board of Directors Meeting No. 9/2025 held on 15 May 2025 and effective on 16 May 2025 onwards.

Announcements on 16 May 2025.

Privacy Policy For Shareholder and Director

NR Instant Produce Public Company Limited (hereinafter referred to as “Company”) emphasizes the utmost importance of protection the Personal Data of shareholder, director, and representative of such person, such as proxy, attorney-in-fact, and any other related person. (“you”) To ensure that the collection, use, and/or disclosure of your Personal Data is in adherence with the Personal Data Protection Act B.E. 2562, the Company hereby established this Privacy Policy to inform you of your rights, duties, and the Company’s practice in collect, use and/or disclosure of Personal Data.

1. Definition

Vocabulary Definition
Personal Data Protection Law Personal Data Protection Act B.E. 2562 and any further amendment, including any relevant Rule, Regulation, and Order related to Personal Data protection
Personal Data any information relating to a Person, which enables the identification of such Person, whether directly or indirectly, but not including the notification of the deceased Persons in particular
Sensitive Personal Data Personal Data relating to race, ethnicity, political opinion, belief, religion or philosophy, sexual orientation, criminal record, health information, disability, labour union information, genetic data, biometric data (such as facial scan, iris scan, fingerprint scan) or any other data which may impact the Data Subject in a similar manner, as prescribed by the Personal Data Protection Committee
Data Subject a person who has been identified by the Personal Data, whether directly or indirectly
Data Processing/process any operation performed on the Personal Data or set of the Personal Data, whether automated or not, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consideration, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction
Privacy Policy NR Instant Produce Public Company Limited Privacy Policy For Shareholder and Director

2. Type of Personal Data the Company Collected

The Company will collect and store Personal Data in a legitimate manner and only to the extent necessary for the Company’s business operation as follows:

Type Example of Personal Data
Specific Personal Information and Information Relating to Personal Characteristics Title, First Name, Family Name, Sex, Birth Data, National Identification Number, Taxpayer Identification Number, Signature
Contact Information Address, E-mail, Mobile Number
Information Relating to Educational Backgrounds and Work Experience Position
Financial Information Bank Account Number
Information used as Evidence for Legal Transaction Copy of Personal Identification Card, Copy of Passport, Vehicle Registration Number
Others Image, Video Recording, and Audio Recording captured by CCTV

Generally, the Company does not intend to process Sensitive Personal Data, such as religious belief or blood type information appeared on your personal identification card. If you provide the Company with your copy of your personal identification card containing such data, the Company kindly request you to redact such data before submitting to the Company. Should you failed to redact the aforementioned data, it is deemed that you consent to the Company to redact such data on your behalf.

3. Source of Personal Data

The Company may collect your Personal Data from various source as follows:

Type Example of Source of Personal Data
Personal Data obtained directly from you
  • Data provided through the completion of documents or online forms
  • Process undertaken during your tenure as a shareholder, director, or representative of such person
  • Data used to register for creating an account or profile with the Company for communication through both offline and online channels
Personal Data obtained automatically
  • Image, Video Recording, and Audio Recording captured by CCTV within the Company’s premises
  • Technical Information obtained from accessing the Company’s information technology systems
Personal Data obtained from other sources or third-person
  • Other department within the Company
  • Information from government agents such as the Department of Business Development
  • Information obtained from conducting background checks with relevant government agents
  • Publicly available and reliable information

In the event that you agree and consent to giving Personal Data relating to a third person, you warrant and represent that such Personal Data is accurate and you have fully informed of this Privacy Policy to the third person.

4. Purpose & Lawful Basis for Data Processing

The Company will process your Personal Data for various purposes, applying lawful basis as appropriate as follows:

No Lawful Basis Description
1 Performance of Contract necessity for the Company to perform contractual obligations to which you are a party to the Contract with the Company, including any preliminary action undertaken at your request prior to entering into the contract
2 Legitimate Interest necessity for the Company to operate under the Company’s legitimate interests within reasonable expectations of the Data Subject and without unduly infringing on the rights and freedoms of the Data Subject
3 Legal Obligation necessity for compliance with the law, regulations, or order issued by the regulatory authorities overseeing the Company
4 Vital Interest an operation to protect vital interest of Data Subject, such as prevention or suppression of danger to a Data Subject’s life, body, and health.
No Purpose Lawful Basis
1 Managing corporate matters related to registration, proxies, granting authorization, and the furnishing of meeting notices in compliance with applicable laws, such as the law on Public Company Limited, the law on Securities and Exchange, or other relevant legislation
  • Legitimate Interest
  • Legal Obligation
2 Facilitating the Company’s operations in alignment with its business legitimate interest, including organizing shareholder meetings, board meetings, and managing corporate activities such as capital increase or reduction, business restructuring, conducted in accordance with applicable laws, such as the law on Public Company Limited, the law on Securities and Exchange, or other relevant legislation
  • Legitimate Interest
  • Legal Obligation
3 Recording image or video recording during meeting for disseminating through the Company’s information technology systems, or for attendees to view the content later, or for public relations purpose Legitimate Interest
4 Recording meetings as evidence of such meetings and preparing meeting minutes to furnish to relevant persons or entities Legitimate Interest
5 Facilitating processes related to recruitment, selection, evaluation, and qualification verification, as well as to fulfill contractual obligations, such as payment of director remuneration and providing welfare benefits and entitlements to directors
  • Performance of Contract
  • Legitimate Interest
6 Maintaining a database for communication, dissemination of public relations materials, and delivery of necessary and relevant documents, such as annual reports and financial statements Legitimate Interest
7 Paying dividend to shareholders, interest payments on debentures, and manage other corporate matters related to the rights and obligations of shareholders Legal Obligation
8 Entering into contract with vendors or trade partners or third persons, including actions undertaken by the Company prior to entering into contracts or to perform contractual obligations
  • Performance of Contract
  • Legitimate Interest
9 Engaging with government agents, granting authorizations, carrying out transactions with relevant government agents, submitting information to government systems
  • Legitimate Interest
  • Legal Obligation
10 Preventing and suppressing danger to your life, body, and health such as emergency contact, hospital transfers, recording travel history, and implementing disease control measures
  • Legitimate Interest
  • Legal Obligation
  • Vital Interest
11 Managing risk, implementing internal controls, overseeing the administration of the Company and its affiliates, ensuring adherence to good corporate governance practices, internal and external auditing, including coordination with service providers responsible for governance and compliance oversight for the Company and its affiliates
  • Legitimate Interest
  • Legal Obligation
12 Ensuring safety and prevent danger to your life, body, health and your property within and around the Company’s premises, such as oversight through CCTV
  • Legitimate Interest
  • Vital Interest
13 Establishing, exercising, or defending of legal claims, including but not limited to litigation, enforcement proceedings, or other actions under legal proceedings Legitimate Interest
14 Complying with applicable laws, regulations, and requirements, both domestic and international, as well as to achieve legitimate orders by authorized government agents or government officials, including performing actions required under legal proceedings Legal Obligation

5. Disclosure of Personal Data

  1. 5.1 To achieve the Company’s purpose as prescribed in this Privacy Policy, the Company may disclose your Personal Data to internal and external party as follows:

Internal Departments and Affiliates the Company may disclose your Personal Data to its personnel and internal departments, including executives, supervisors, employees, and affiliates. However, such disclosure will be strictly limited to those directly involved and necessary for processing Personal Data.

Trade Partners the Company may disclose your Personal Data to trade partners for purposes related to the Company’s operational management. This may include agents or authorized representatives of such organizations, such as banks, financial institutions, or insurance companies.

Service Provider the Company may engage in external service providers (Outsource) to act on its behalf or support its business operations and customer services. This may include agents, contractors, and subcontractors of these service providers, such as website providers, hire-purchase & leasing company.

Professional Consultants the Company may disclose your Personal Data to auditors, corporate governance inspectors, consultants, professional service providers, and other experts, both internal and external, to support the Company’s business operations.

Government Authority the Company may disclose your Personal Data to government agents, regulatory bodies overseeing the Company, or other authorized agent as required by law. This includes, but not limited to, the Revenue Department, Customs Department, Excise Department, Royal Thai Police, Office of the Personal Data Protection Committee, Courts, and authorized government officials such as police officers or public prosecutors.

Public Media the Company may disclose Personal Data as necessary to achieve its objectives on public platforms, whether in an informational or non-informational format, where it is accessible to the general public. These platforms may include social media channels, the Company’s communication channels, or websites of relevant government authorities.

  1. 5.2 The Company will assign the receipients of your Personal Data to implement appropriate security measures to safeguard Personal Data and to process your Personal Data only to the extent necessary. The Company will undertake actions to prevent unauthorized or unlawful Data Processing and will ensure that such Data Processing is carried out in strict adherence to the purpose as prescribed in this Privacy Policy or Personal Data Protection Law. In the event that the consent is required to process your Personal Data according to the Personal Data Protection Law, the Company will explicitly notify you and request your consent specifically.

6. International Transfer of Personal Data

  1. 6.1 To achieve the Company’s purpose as prescribed in this Privacy Policy, the Company may transfer Personal Data to the receipients located in foreign country. Nonetheless, if there exists any necessity for the Company to transfer Personal Data to the receipients located in foreign country, the Company will explicitly notify you and request your consent specifically.
  2. 6.2 In transferring such Personal Data, the Company will implement appropriate security measures and will comply with Personal Data Protection Law, whereby the Company will undertake measures to ensure that the destination country or international organization receiving Personal Data has adequate Personal Data protection standards or in adherence with other law.
  3. 6.3 In transferring such Personal Data, the Company will implement appropriate security measures and will comply with Personal Data Protection Law, whereby the Company will undertake measures to ensure that the destination country or international organization receiving Personal Data has adequate Personal Data protection standards or in adherence with other law.

7. Personal Data Retention Period

  1. 7.1 The Company will retain your Personal Data for a period necessary to achieve the purpose in Data Processing, taking into account the criteria used to determine the retention period, including the duration of the Company’s relationship with you and the practices for each type of Personal Data. Generally, the Company will retain your Personal Data for a period not exceeding 10 years from the date of collecting Personal Data.
  2. 7.2 Upon expiration of the aforementioned period or when it is no longer necessary to retain your Personal Data, the Company will promptly erase, destroy, or anonymize your Personal Data. Nonetheless, the Company may retain all or part of your Personal Data exceeding the aforementioned period for compliance with laws or legitimate orders.
  3. 7.3 The Company has implemented an audit system to implement the erasure, destruction, or anonymization of such Personal upon expiration of the retention period or when processing of such data is no longer necessary.

8. Data Processing Under Original Purpose

The Company reserves the right to process your Personal Data collected prior to the effective date of the Personal Data Protection Act B.E. 2562, for the original purpose for which it was collected. If you no longer wish the Company to process your Personal Data, you may withdraw your consent at any time, subject to the clause 10.2.

9. Security Measures of Personal Data

  1. 9.1 The Company has implemented appropriate security measures, including administrative measures, technical measures, and physical measures, to maintain the confidentiality, integrity, and availability of Personal Data to prevent loss, access, use, modification, alteration, or disclosure of Personal Data by unauthorized persons or those who do not have relevant duties concerning such Personal Data.
  2. 9.2 The Company has strictly enforced security measures within the Company, utilizing security technologies and procedures, such as implementing access control measures and data use measures by establishing data access rights, authorization rights for designated persons to access data, as well as implementing measures for audit trail monitoring to ensure that only authorized persons can access your Personal Data and such authorized persons have been trained and are aware of the importance of Personal Data security.
  3. 9.3 The Company will conduct review of such security measures, including improving and developing such measures to reflect necessity or change in technology to ensure the effectiveness of Personal Data security.

10. Data Subject Rights and Exercise of Rights

  1. 10.1 Under Personal Data Protection Law, you, as a Data Subject, have the following rights:
Data Subject Rights Description
Right to withdraw consent
  • If you consent to the Company to process your Personal Data, you has right to withdraw consent at any time that the Personal Data is retained at the Company, unless there is any legal restrictions or contraty to the contract that benefits you.
  • Nonetheless, the withdrawal of consent may affect certain benefits you are entitled to. To safeguard your interests, the Company encourages you to review and inquire about the consequences of withdrawing your consent.
Right to access and retrieve a copy of data
  • You have the right to access and obtain copy of your Personal Data, including to inquire the Company to disclose of the source of Personal Data that you did not consent.
  • Unless the Company is subjected to the law or the court’s order or it violates the rights and freedoms of other people.
Right to data portability
  • You have the right to request for Personal Data in an easily accessible and intelligible form using automated tools or equipment and in the format that can be used or disclosed using automated tools or equipment and may request a transfer of such Personal Data to other Data Controller in such format if feasible.
  • Unless
    • it is not feasible due to technical reasons;
    • it is a performance carried out in the public interest;
    • it is for compliance with the law; or
    • it violates the rights and freedoms of other people
Right to object to Data Processing You have the right to object to Data Processing in the event that the Company process Personal Data
  • for the necessary legitimate interests of the Company or any other person;
  • for the purpose of direct marketing; or
  • for the purpose of scientific, historical or statistic research
Nonetheless, if you object to Data Processing, the Company will continue processing your Personal Data to the extent that
  • there exists a compelling legitimate ground that is more important than your privacy;
  • it is carried out for the establishment, compliance or exercise of legal claims, or defense of legal claims; or
  • it is necessary for a performance carried out in the public interest
Right to erasure/Right to be forgotten You have the right to request the Company to erase, destroy, or anonymize your Personal Data in the following circumstances:
  • You believe that the Company has unlawfully processed your Personal Data
  • You believe that the Company cease the necessity to retain your Personal Data according to the Company’s purpose as prescribed in this Privacy Policy; or
  • You have exercised right to withdraw consent or right to object to Data Processing as aforementioned
Right to restriction of Data Processing You have the right to request the Company to restrict Data Processing in the following circumstances:
  • The Company is pending examination process in accordance with the request to exercise rights to rectification,
  • It is Personal Data which must be erased or destroyed, but you request to restrict Data Processing instead, or
  • The Company is pending examination process in accordance with the request to exercise rights to object to Data Processing
Right to rectification You have the right to request the Company to rectify your Personal Data to be accurate, up to date, complete, and not cause any misleading.
Right to lodge a complaint You have the right to lodge a complaint to the Company or to the competent authority where you believe that the Company’s Data Processing is not in adherence with Personal Data Protection Law.
  1. 10.2 You may exercise your aforementioned rights at any time by contacting through channel specified in clause 14. to request to exercise Data Subject’s rights.
  2. 10.3 The exercise of such rights may be restricted under Personal Data Protection Law or other relevant law, and there may exist certain circumstances where the Company has necessary grounds to reject or unable to proceed with your application. In such case, the Company will notify you of the reasons for rejection together with the response to such application.

11. Withdrawal of Consent & Consequence from Withdrawal

  1. 11.1 In the event that the Company processes Personal Data based on consent, you, as a Data Subject, have the right to withdraw the consent given to the Company at any time. Such withdrawal of consent will not affect any legitimate Data Processing based on your consent given prior to its withdrawal.
  2. 11.2 If you withdraw the consent previously given to the Company or refuse to provide information to the Company, whether in whole or in part, it may result in the Company's inability to achieve the Company’s purpose as prescribed in this Privacy Policy, whether in whole or in part.

12. Personal Data of a Minor, Incompetent Person, or Quasi-Incompetent Person

  1. 12.1 If you are a minor, an incompetent person, or a quasi-incompetent person, and with to consent the Company to process your Personal Data, you must obtain consent from your legal representative, guardian, or curator, as the case maybe, prior to giving consent to the Company.
  2. 12.2 In the event that the Company is required to obtain consent from a legal representative, guardian, or curator, as the case may be, for processing Personal Data of a minor, an incompetent person, or a quasi-incompetent person, but the Company was unaware of such facts at the time of Data Processing and subsequently becomes aware that the Company has processed such Personal Data without obtaining the aforementioned consent, the Company will promptly erase, destroy, or anonymize the Personal Data of such minor, incompetent person, or quasi-incompetent person, unless the Company can process such Personal Data based on other lawful basis that do not require consent.

13. Amendment to Privacy Policy

The Company may update this Privacy Policy from time to time to reflect changes in our practices or changes in circumstances. In the event of any material amendment to this Privacy Policy, the Company will notify you of the amendment. The Company encourages you to review this Privacy Policy periodically.

14. Contact Us

Should you have any inquiries regarding this Privacy Policy, or would like further information about the Company's data protection practices, or to exercise your rights as a Data Subject, please contact us at the following channels:

Contact the Company and DPO:

Address: NR Instant Produce Public Company Limited 99/1 Moo 4, Khae Rai Sub-District, Krathum Baen District, Samut Sakhon, 74110

E-mail: DPO@nrinstant.com

Telephone Number: 034849576-80

15. Applicable Law

You acknowledge and accept that this Privacy Policy is governed and construed in accordance with laws of Thailand. Any dispute arising out of or in connection with this Privacy Policy shall be submitted to the exclusive jurisdiction of the courts of Thailand.

This Privacy has been approved by the Board of Directors Meeting No. 9/2025 held on 15 May 2025 and effective on 16 May 2025 onwards.

Announcements on 16 May 2025.

Privacy Policy For Vendor

NR Instant Produce Public Company Limited (hereinafter referred to as “Company”) emphasizes the utmost importance of protection the Personal Data of Vendor, Prospective Vendors and people representing or act on behalf of Vendor and/or Prospective Vendor, including but not limited to executive, shareholder, authorized director, attorney-in-fact, substitute attorney-in-fact, employee, staff, and the representative of juristic person. (“you”) To ensure that the collection, use, and/or disclosure of your Personal Data is in adherence with the Personal Data Protection Act B.E. 2562, the Company hereby established this Privacy Policy to inform you of your rights, duties, and the Company’s practice in collect, use and/or disclosure of Personal Data.

1. Definition

Vocabulary Definition
Personal Data Protection Law Personal Data Protection Act B.E. 2562 and any further amendment, including any relevant Rule, Regulation, and Order related to Personal Data protection
Personal Data any information relating to a Person, which enables the identification of such Person, whether directly or indirectly, but not including the notification of the deceased Persons in particular
Sensitive Personal Data Personal Data relating to race, ethnicity, political opinion, belief, religion or philosophy, sexual orientation, criminal record, health information, disability, labour union information, genetic data, biometric data (such as facial scan, iris scan, fingerprint scan) or any other data which may impact the Data Subject in a similar manner, as prescribed by the Personal Data Protection Committee
Data Subject a person who has been identified by the Personal Data, whether directly or indirectly
Data Processing/process any operation performed on the Personal Data or set of the Personal Data, whether automated or not, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consideration, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction
Privacy Policy This Privacy Policy For Vendor
Prospective Vendor any natural person or juristic person who may become a vendor of the Company, including those who have expressed intention to enter into a contract or register as a vendor of the Company, parties interested in business collaboration, parties operating jointly with the Company, or any other person requesting quotations or to whom the Company has submitted quotations for consideration
Vendor any natural person or juristic person who submits quotations for the sale of goods or services, or contract to perform work for the Company, whether registered as a vendor with the Company or not, trade partner, business participants, whether selling directly to the Company or participating in product or service development with the Company for distribution, service providers, service recipients, employers, contractors, consultants, experts, academics, speakers, contractual parties of the Company, and other persons of similar nature

2. Type of Personal Data the Company Collected

The Company will collect and store Personal Data in a legitimate manner and only to the extent necessary for the Company’s business operation as follows:

Type Example of Personal Data
Specific Personal Information and Information Relating to Personal Characteristics First Name, Family Name, Age, Sex, National Identification Number, Alien Identification Number, Taxpayer Identification Number, Nationality, Signature, Photo
Contact Information Address, E-mail, Line ID, Mobile Number, Workplace
Information Relating to Educational Backgrounds and Work Experience Department, Position
Financial Information Bank Account Number
Information used as Evidence for Legal Transaction Copy of Personal Identification Number
Technical Information IP Address, Mac Address
Others
  • Image, Video Recording, and Audio Recordings captured by the Company’s recording device
  • Image, Video Recording, and Audio Recording captured by CCTV

Generally, the Company does not intend to process Sensitive Personal Data, such as religious belief or blood type information appeared on your personal identification card. If you provide the Company with your copy of your personal identification card containing such data, the Company kindly request you to redact such data before submitting to the Company. Should you failed to redact the aforementioned data, it is deemed that you consent to the Company to redact such data on your behalf.

3. Source of Personal Data

The Company may collect your Personal Data from various source as follows:

Type Example of Source of Personal Data
Personal Data obtained directly from you
  • Data appeared during procurement and purchase process, and vendor assessment documents
  • Data appeared in any business contracts
  • Data provided through the completion of documents or online forms
  • Data appeared on business cards
  • Communication and Interaction records with the Company, in any format or method, such as telephone calls, video calls, e-mail, SMS, or postal mail
  • Data used to register for creating an account or profile with the Company for communication through both offline and online channels
Personal Data obtained automatically
  • Image, Video Recording, and Audio Recording captured by CCTV within the Company’s premises
  • Technical Information obtained from accessing the Company’s information technology systems
Personal Data obtained from other sources or third-person
  • Other department within the Company
  • Your employer or affiliated organization
  • Related person or representatives, such as authorized persons, employees, staff, and agents
  • Information from government agents
  • Data from the Company’s service providers
  • Publicly available and reliable information

In the event that you agree and consent to giving Personal Data relating to a third person, you warrant and represent that such Personal Data is accurate and you have fully informed of this Privacy Policy to the third person.

4. Purpose & Lawful Basis for Data Processing

The Company will process your Personal Data for various purposes, applying lawful basis as appropriate as follows:

No Lawful Basis Description
1 Performance of Contract necessity for the Company to perform contractual obligations to which you are a party to the Contract with the Company, including any preliminary action undertaken at your request prior to entering into the contract
2 Legitimate Interest necessity for the Company to operate under the Company’s legitimate interests within reasonable expectations of the Data Subject and without unduly infringing on the rights and freedoms of the Data Subject
3 Legal Obligation necessity for compliance with the law, regulations, or order issued by the regulatory authorities overseeing the Company
4 Vital Interest an operation to protect vital interest of Data Subject, such as prevention or suppression of danger to a Data Subject’s life, body, and health.
5 Consent in the event that the Company must process your Personal Data or Sensitive Personal Data which cannot rely on the aforementioned lawful basis, the Company will explicitly notify you and request your consent specifically.
No Purpose Lawful Basis
1 Evaluating qualifications and suitability of vendor registration applicants and registered vendors, establishing new vendor relationships, and carrying out procedures related to vendor registration processes, such as background verification, identity validation, and processing your various requests within the Company's system, including modifications to your information
  • Performance of Contract
  • Legitimate Interest
2 Facilitating procurement and selection processes, assessing qualifications and suitability in accordance with the Company's procurement procedures, and price comparison activities Legitimate Interest
3 Entering into contract and completing procedures prior to entering into contracts as requested by you, such as including but not limited to employment agreements, service agreements, commercial contracts, memoranda of understanding (MOU), non-disclosure agreements and others, as well as managing Company in compliance with contractual obligations
  • Performance of Contract
  • Legitimate Interest
4 Carrying our activities related to the Company’s business operations, communicating essential information as a performance of contractual obligation between the Company and you, facilitating business communications, and providing services in the capacity of Vendor Performance of Contract
5 Publicizing information regarding Company operations, news production, and creating of public relations announcement Legitimate Interest
6 Collecting communication in a database for ongoing correspondence and creating future business opportunities Legitimate Interest
7 Collecting payments or outstanding debts owed to the Company, executing transactions, processing payments, including implementing various measures to successfully complete transactions, verifying account accuracy, and issuing accounting documentation for both accounts payable and accounts receivable, such as tax invoices, payment vouchers, receipts, and withholding tax certificates
  • Performance of Contract
  • Legal Obligation
8 Managing risk, implementing internal controls, overseeing the administration of the Company and its affiliates, ensuring adherence to good corporate governance practices, internal and external auditing, including coordination with service providers responsible for governance and compliance oversight for the Company and its affiliates
  • Legitimate Interest
  • Legal Obligation
9 Managing information technology systems, including performing data backups, recording access logs, and monitoring data traffic within the Company's information technology infrastructure
  • Legitimate Interest
  • Legal Obligation
10 Ensuring safety and prevent danger to your life, body, health and your property within and around the Company’s premises, such as oversight through CCTV
  • Legitimate Interest
  • Vital Interest
11 Establishing, exercising, or defending of legal claims, including but not limited to litigation, enforcement proceedings, or other actions under legal proceedings Legitimate Interest
12 Complying with applicable laws, regulations, and requirements, both domestic and international, as well as to achieve legitimate orders by authorized government agents or government officials, including performing actions required under legal proceedings Legal Obligation
13 Managing risks, evaluating your credibility for the purpose of monitoring, investigating, and reporting on financial crimes, fraud, misconduct, and other criminal activities Legitimate Interest

5. Disclosure of Personal Data

  1. 5.1 To achieve the Company’s purpose as prescribed in this Privacy Policy, the Company may disclose your Personal Data to internal and external party as follows:

Internal Departments and Affliates the Company may disclose your Personal Data to its personnel and internal departments, including executives, supervisors, employees, and affiliates. However, such disclosure will be strictly limited to those directly involved and necessary for processing Personal Data.

Trade Partners the Company may disclose your Personal Data to trade partners for purposes related to the Company’s operational management. This may include agents or authorized representatives of such organizations, such as banks, financial institutions, or insurance companies.

Service Provider the Company may engage in external service providers (Outsource) to act on its behalf or support its business operations and customer services. This may include agents, contractors, and subcontractors of these service providers, such as website and IT management providers.

Professional Consultants the Company may disclose your Personal Data to auditors, corporate governance inspectors, consultants, professional service providers, and other experts, both internal and external, to support the Company’s business operations.

Government Authority the Company may disclose your Personal Data to government agents, regulatory bodies overseeing the Company, or other authorized agent as required by law. This includes, but not limited to, the Revenue Department, Royal Thai Police, Office of the Personal Data Protection Committee, Courts, and authorized government officials such as police officers or public prosecutors.

Public Media the Company may disclose Personal Data as necessary to achieve its objectives on public platforms, whether in an informational or non-informational format, where it is accessible to the general public. These platforms may include social media channels, the Company’s communication channels, or websites of relevant government authorities.

  1. 5.2 The Company will assign the receipients of your Personal Data to implement appropriate security measures to safeguard Personal Data and to process your Personal Data only to the extent necessary. The Company will undertake actions to prevent unauthorized or unlawful Data Processing and will ensure that such Data Processing is carried out in strict adherence to the purpose as prescribed in this Privacy Policy or Personal Data Protection Law. In the event that the consent is required to process your Personal Data according to the Personal Data Protection Law, the Company will explicitly notify you and request your consent specifically.

6. International Transfer of Personal Data

  1. 6.1 To achieve the Company’s purpose as prescribed in this Privacy Policy, the Company may transfer Personal Data to the receipients located in foreign country. Nonetheless, if there exists any necessity for the Company to transfer Personal Data to the receipients located in foreign country, the Company will explicitly notify you and request your consent specifically.
  2. 6.2 In transferring such Personal Data, the Company will implement appropriate security measures and will comply with Personal Data Protection Law, whereby the Company will undertake measures to ensure that the destination country or international organization receiving Personal Data has adequate Personal Data protection standards or in adherence with other law.
  3. 6.3 The Company may store your Personal Data on computers, servers, or cloud, provided by third parties, and may utilize third-party program or applicavation in the form of software as a service and platform as a service for processing your Personal Data. In this regard, the Company will not permit unauthorized person to access Personal Data and require such third parties to implement appropriate security measures for safeguarding Personal Data.

7. Personal Data Retention Period

  1. 7.1 The Company will retain your Personal Data for a period necessary to achieve the purpose in Data Processing, taking into account the criteria used to determine the retention period, including the duration of the Company’s relationship with you and the practices for each type of Personal Data. Generally, the Company will retain your Personal Data for a period not exceeding 10 years from the date of termination of the customer’s relationship.
  2. 7.2 Upon expiration of the aforementioned period or when it is no longer necessary to retain your Personal Data, the Company will promptly erase, destroy, or anonymize your Personal Data. Nonetheless, the Company may retain all or part of your Personal Data exceeding the aforementioned period for compliance with laws or legitimate orders.
  3. 7.3 The Company has implemented an audit system to implement the erasure, destruction, or anonymization of such Personal upon expiration of the retention period or when processing of such data is no longer necessary.

8. Data Processing Under Original Purpose

The Company reserves the right to process your Personal Data collected prior to the effective date of the Personal Data Protection Act B.E. 2562, for the original purpose for which it was collected. If you no longer wish the Company to process your Personal Data, you may withdraw your consent at any time, subject to the clause 10.2.

9. Security Measures of Personal Data

  1. 9.1 The Company has implemented appropriate security measures, including administrative measures, technical measures, and physical measures, to maintain the confidentiality, integrity, and availability of Personal Data to prevent loss, access, use, modification, alteration, or disclosure of Personal Data by unauthorized persons or those who do not have relevant duties concerning such Personal Data.
  2. 9.2 The Company has strictly enforced security measures within the Company, utilizing security technologies and procedures, such as implementing access control measures and data use measures by establishing data access rights, authorization rights for designated persons to access data, as well as implementing measures for audit trail monitoring to ensure that only authorized persons can access your Personal Data and such authorized persons have been trained and are aware of the importance of Personal Data security.
  3. 9.3 The Company will conduct review of such security measures, including improving and developing such measures to reflect necessity or change in technology to ensure the effectiveness of Personal Data security.

10. Data Subject Rights and Exercise of Rights

  1. 10.1 Under Personal Data Protection Law, you, as a Data Subject, have the following rights:
Data Subject Rights Description
Right to withdraw consent
  • If you consent to the Company to process your Personal Data, you has right to withdraw consent at any time that the Personal Data is retained at the Company, unless there is any legal restrictions or contraty to the contract that benefits you.
  • Nonetheless, the withdrawal of consent may affect certain benefits you are entitled to. To safeguard your interests, the Company encourages you to review and inquire about the consequences of withdrawing your consent.
Right to access and retrieve a copy of data
  • You have the right to access and obtain copy of your Personal Data, including to inquire the Company to dosclode of the source of Personal Data that you did not consent.
  • Unless the Company is subjected to the law or the court’s order or it violates the rights and freedoms of other people.
Right to data portability
  • You have the right to request for Personal Data in an easily accessible and intelligible form using automated tools or equipment and in the format that can be used or disclosed using automated tools or equipment and may request a transfer of such Personal Data to other Data Controller in such format if feasible
  • Unless
    • it is not feasible due to technical reasons;
    • it is a performance carried out in the public interest;
    • it is for compliance with the law; or
    • it violates the rights and freedoms of other people
Right to object to Data Processing You have the right to object to Data Processing in the event that the Company process Personal Data
  • for the necessary legitimate interests of the Company or any other person;
  • for the purpose of direct marketing; or
  • for the purpose of scientific, historical or statistic research
Nonetheless, if you object to Data Processing, the Company will continue processing your Personal Data to the extent that
  • there exists a compelling legitimate ground that is more important than your privacy;
  • it is carried out for the establishment, compliance or exercise of legal claims, or defense of legal claims; or
  • it is necessary for a performance carried out in the public interest
Right to erasure/Right to be forgotten You have the right to request the Company to erase, destroy, or anonymize your Personal Data in the following circumstances:
  • You believe that the Company has unlawfully processed your Personal Data
  • You believe that the Company cease the necessity to retain your Personal Data according to the Company’s purpose as prescribed in this Privacy Policy; or
  • You have exercised right to withdraw consent or right to object to Data Processing as aforementioned
Right to restriction of Data Processing You have the right to request the Company to restrict Data Processing in the following circumstances:
  • The Company is pending examination process in accordance with the request to exercise rights to rectification,
  • It is Personal Data which must be erased or destroyed, but you request to restrict Data Processing instead, or
  • The Company is pending examination process in accordance with the request to exercise rights to object to Data Processing
Right to rectification You have the right to request the Company to rectify your Personal Data to be accurate, up to date, complete, and not cause any misleading.
Right to lodge a complaint You have the right to lodge a complaint to the Company or to the competent authority where you believe that the Company’s Data Processing is not in adherence with Personal Data Protection Law.
  1. 10.2 You may exercise your aforementioned rights at any time by contacting through channel specified in clause 14. to request to exercise Data Subject’s rights.
  2. 10.3 The exercise of such rights may be restricted under Personal Data Protection Law or other relevant law, and there may exist certain circumstances where the Company has necessary grounds to reject or unable to proceed with your application. In such case, the Company will notify you of the reasons for rejection together with the response to such application.

11. Withdrawal of Consent & Consequence from Withdrawal

  1. 11.1 In the event that the Company processes Personal Data based on consent, you, as a Data Subject, have the right to withdraw the consent given to the Company at any time. Such withdrawal of consent will not affect any legitimate Data Processing based on your consent given prior to its withdrawal.
  2. 11.2 If you withdraw the consent previously given to the Company or refuse to provide information to the Company, whether in whole or in part, it may result in the Company's inability to achieve the Company’s purpose as prescribed in this Privacy Policy, whether in whole or in part.

12. Personal Data of a Minor, Incompetent Person, or Quasi-Incompetent Person

  1. 12.1 If you are a minor, an incompetent person, or a quasi-incompetent person, and with to consent the Company to process your Personal Data, you must obtain consent from your legal representative, guardian, or curator, as the case maybe, prior to giving consent to the Company.
  2. 12.2 In the event that the Company is required to obtain consent from a legal representative, guardian, or curator, as the case may be, for processing Personal Data of a minor, an incompetent person, or a quasi-incompetent person, but the Company was unaware of such facts at the time of Data Processing and subsequently becomes aware that the Company has processed such Personal Data without obtaining the aforementioned consent, the Company will promptly erase, destroy, or anonymize the Personal Data of such minor, incompetent person, or quasi-incompetent person, unless the Company can process such Personal Data based on other lawful basis that do not require consent.

13. Amendment to Privacy Policy

The Company may update this Privacy Policy from time to time to reflect changes in our practices or changes in circumstances. In the event of any material amendment to this Privacy Policy, the Company will notify you of the amendment. The Company encourages you to review this Privacy Policy periodically.

14. Contact Us

Should you have any inquiries regarding this Privacy Policy, or would like further information about the Company's data protection practices, or to exercise your rights as a Data Subject, please contact us at the following channels:

Contact the Company and DPO:

Address: NR Instant Produce Public Company Limited 99/1 Moo 4, Khae Rai Sub-District, Krathum Baen District, Samut Sakhon, 74110

E-mail: DPO@nrinstant.com

Telephone Number: 034849576-80

15. Applicable Law

You acknowledge and accept that this Privacy Policy is governed and construed in accordance with laws of Thailand. Any dispute arising out of or in connection with this Privacy Policy shall be submitted to the exclusive jurisdiction of the courts of Thailand.

This Privacy has been approved by the Board of Directors Meeting No. 9/2025 held on 15 May 2025 and effective on 16 May 2025 onwards.

Announcements on 16 May 2025.

Privacy Policy For Visitor and Applicant to Enter the Building

NR Instant Produce Public Company Limited (hereinafter referred to as “Company”) emphasizes the utmost importance of protection the Personal Data of Visitor and Applicant to Enter the Building. (“you”) To ensure that the collection, use, and/or disclosure of your Personal Data is in adherence with the Personal Data Protection Act B.E. 2562, the Company hereby established this Privacy Policy to inform you of your rights, duties, and the Company’s practice in collect, use and/or disclosure of Personal Data.

1. Definition

Vocabulary Definition
Personal Data Protection Law Personal Data Protection Act B.E. 2562 and any further amendment, including any relevant Rule, Regulation, and Order related to Personal Data protection
Personal Data any information relating to a Person, which enables the identification of such Person, whether directly or indirectly, but not including the notification of the deceased Persons in particular
Sensitive Personal Data Personal Data relating to race, ethnicity, political opinion, belief, religion or philosophy, sexual orientation, criminal record, health information, disability, labour union information, genetic data, biometric data (such as facial scan, iris scan, fingerprint scan) or any other data which may impact the Data Subject in a similar manner, as prescribed by the Personal Data Protection Committee
Data Subject a person who has been identified by the Personal Data, whether directly or indirectly
Data Processing/process any operation performed on the Personal Data or set of the Personal Data, whether automated or not, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consideration, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction
Privacy Policy This Privacy Policy For Visitor and Applicant to Enter the Building
Visitor/ Applicant to Enter the Building any person who notifies the Company of their intention to request access to services, visits, perform work, or carry out any transactions with the Company within buildings, factories, operational facilities, or restricted areas within the Company's premises

2. Type of Personal Data the Company Collected

The Company will collect and store Personal Data in a legitimate manner and only to the extent necessary for the Company’s business operation as follows:

Type Example of Personal Data
Specific Personal Information and Information Relating to Personal Characteristics First Name, Family Name, Age, National Identification Number, Signature
Contact Information Name of the Company, Department
Information used as Evidence for Legal Transaction License Plate
Others Image, Video Recording, and Audio Recording captured by CCTV
Sensitive Personal Data Sickness, Injury

3. Source of Personal Data

The Company may collect your Personal Data from various source as follows:

Type Example of Source of Personal Data
Personal Data obtained directly from you
  • Data provided through the completion of documents or online forms
  • Data appeared in documents that the Company requested you to furnish to
  • Communication and Interaction records with the Company, in any format or method, such as telephone calls, video calls, e-mail, SMS, or postal mail
Personal Data obtained automatically Image, Video Recording, and Audio Recording captured by CCTV within the Company’s premises
Personal Data obtained from other sources or third-person
  • Other department within the Company
  • Your employer or affiliated organization
  • Related person or representatives, such as authorized persons, employees, staff, and agents

In the event that you agree and consent to giving Personal Data relating to a third person, you warrant and represent that such Personal Data is accurate and you have fully informed of this Privacy Policy to the third person.

4. Purpose & Lawful Basis for Data Processing

The Company will process your Personal Data for various purposes, applying lawful basis as appropriate as follows:

No Lawful Basis Description
1 Performance of Contract necessity for the Company to perform contractual obligations to which you are a party to the Contract with the Company, including any preliminary action undertaken at your request prior to entering into the contract
2 Legitimate Interest necessity for the Company to operate under the Company’s legitimate interests within reasonable expectations of the Data Subject and without unduly infringing on the rights and freedoms of the Data Subject
3 Legal Obligation necessity for compliance with the law, regulations, or order issued by the regulatory authorities overseeing the Company
4 Vital Interest an operation to protect vital interest of Data Subject, such as prevent or suppress of danger to a Data Subject’s life, body, and health.
No Purpose Lawful Basis
1 Managing your access to buildings, factories, operational facilities, or restricted areas within the Company's premises, including monitoring, preventing and deterring, as well as varying of any unauthorized access, as well as facilitating any necessary processes such as card exchange, registration, and recording your necessary information Legitimate Interest
2 Ensuring safety and prevent danger to your life, body, health and your property, including security of the Company’s buildings, factories, operational facilities, or restricted areas within the Company's premises, in addition to implementing necessary internal process prior to any performance of work within the Company
  • Legitimate Interest
  • Vital Interest
3 Controlling access to the Company’s information technology systems and databases, including monitoring preventing and deterring, as well as verying of any unauthorized access. Legitimate Interest
4 Managing hygiene and safety standards and ensuring compliance with applicable laws related to workplace safety and public health benefits
  • Legal Obligation
  • Consent
5 Preventing and suppressing danger to your life, body, and health such as emergency contact, hospital transfers, recording travel history, and implementing disease control measures
  • Legitimate Interest
  • Legal Obligation
  • Vital Interest
6 Establishing, exercising, or defending of legal claims, including but not limited to litigation, enforcement proceedings, or other actions under legal proceedings Legitimate Interest
7 Complying with applicable laws, regulations, and requirements, both domestic and international, as well as to achieve legitimate orders by authorized government agents or government officials, including performing actions required under legal proceedings Legal Obligation

5. Disclosure of Personal Data

  1. 5.1 To achieve the Company’s purpose as prescribed in this Privacy Policy, the Company may disclose your Personal Data to internal and external party as follows:

Internal Departments and Affliates the Company may disclose your Personal Data to its personnel and internal departments, including executives, supervisors, employees, and affiliates. However, such disclosure will be strictly limited to those directly involved and necessary for processing Personal Data.

Service Provider the Company may engage in external service providers (Outsource) to act on its behalf or support its business operations and customer services. This may include agents, contractors, and subcontractors of these service providers, such as security guard service provider.

Professional Consultants the Company may disclose your Personal Data to corporate governance inspectors, consultants, professional service providers, and other experts, both internal and external, to support the Company’s business operations.

Government Authority the Company may disclose your Personal Data to government agents, regulatory bodies overseeing the Company, or other authorized agent as required by law. This includes, but not limited to, Royal Thai Police, Office of the Personal Data Protection Committee, Courts, and authorized government officials such as police officers or public prosecutors.

  1. 5.2 The Company will assign the receipients of your Personal Data to implement appropriate security measures to safeguard Personal Data and to process your Personal Data only to the extent necessary. The Company will undertake actions to prevent unauthorized or unlawful Data Processing and will ensure that such Data Processing is carried out in strict adherence to the purpose as prescribed in this Privacy Policy or Personal Data Protection Law. In the event that the consent is required to process your Personal Data according to the Personal Data Protection Law, the Company will explicitly notify you and request your consent specifically.

6. International Transfer of Personal Data

  1. 6.1 To achieve the Company’s purpose as prescribed in this Privacy Policy, the Company may transfer Personal Data to the receipients located in foreign country. Nonetheless, if there exists any necessity for the Company to transfer Personal Data to the receipients located in foreign country, the Company will explicitly notify you and request your consent specifically.
  2. 6.2 In transferring such Personal Data, the Company will implement appropriate security measures and will comply with Personal Data Protection Law, whereby the Company will undertake measures to ensure that the destination country or international organization receiving Personal Data has adequate Personal Data protection standards or in adherence with other law.
  3. 6.3 The Company may store your Personal Data on computers, servers, or cloud, provided by third parties, and may utilize third-party program or applicavation in the form of software as a service and platform as a service for processing your Personal Data. In this regard, the Company will not permit unauthorized person to access Personal Data and require such third parties to implement appropriate security measures for safeguarding Personal Data.

7. Personal Data Retention Period

  1. 7.1 The Company will retain your Personal Data for a period necessary to achieve the purpose in Data Processing, taking into account the criteria used to determine the retention period, including the duration of the Company’s relationship with you and the practices for each type of Personal Data. Generally, the Company will retain your Personal Data for a period not exceeding 4 years from the date of collecting Personal Data.
  2. 7.2 Upon expiration of the aforementioned period or when it is no longer necessary to retain your Personal Data, the Company will promptly erase, destroy, or anonymize your Personal Data. Nonetheless, the Company may retain all or part of your Personal Data exceeding the aforementioned period for compliance with laws or legitimate orders.
  3. 7.3 The Company has implemented an audit system to implement the erasure, destruction, or anonymization of such Personal upon expiration of the retention period or when processing of such data is no longer necessary.

8. Data Processing Under Original Purpose

The Company reserves the right to process your Personal Data collected prior to the effective date of the Personal Data Protection Act B.E. 2562, for the original purpose for which it was collected. If you no longer wish the Company to process your Personal Data, you may withdraw your consent at any time, subject to the clause 10.2.

9. Security Measures of Personal Data

  1. 9.1 The Company has implemented appropriate security measures, including administrative measures, technical measures, and physical measures, to maintain the confidentiality, integrity, and availability of Personal Data to prevent loss, access, use, modification, alteration, or disclosure of Personal Data by unauthorized persons or those who do not have relevant duties concerning such Personal Data.
  2. 9.2 The Company has strictly enforced security measures within the Company, utilizing security technologies and procedures, such as implementing access control measures and data use measures by establishing data access rights, authorization rights for designated persons to access data, as well as implementing measures for audit trail monitoring to ensure that only authorized persons can access your Personal Data and such authorized persons have been trained and are aware of the importance of Personal Data security.
  3. 9.3 The Company will conduct review of such security measures, including improving and developing such measures to reflect necessity or change in technology to ensure the effectiveness of Personal Data security.

10. Data Subject Rights and Exercise of Rights

  1. 10.1 Under Personal Data Protection Law, you, as a Data Subject, has the following rights:
Data Subject Rights Description
Right to withdraw consent
  • If you consent to the Company to process your Personal Data, you has right to withdraw consent at any time that the Personal Data is retained at the Company, unless there is any legal restrictions or contraty to the contract that benefits you.
  • Nonetheless, the withdrawal of consent may affect certain benefits you are entitled to. To safeguard your interests, the Company encourages you to review and inquire about the consequences of withdrawing your consent.
Right to access and retrieve a copy of data
  • You have the right to access and obtain copy of your Personal Data, including to inquire the Company to disclose of the source of Personal Data that you did not consent.
  • Unless the Company is subjected to the law or the court’s order or it violates the rights and freedoms of other people.
Right to data portability
  • You have the right to request for Personal Data in an easily accessible and intelligible form using automated tools or equipment and in the format that can be used or disclosed using automated tools or equipment and may request a transfer of such Personal Data to other Data Controller in such format if feasible.
  • Unless
    • it is not feasible due to technical reason;
    • it is a performance carried out in the public interest;
    • it is for compliance with the law; or
    • it violates the rights and freedoms of other people
Right to object to Data Processing You have the right to object to Data Processing in the event that the Company process Personal Data.
  • for the necessary legitimate interests of the Company or any other person;
  • for the purpose of direct marketing; or
  • for the purpose of scientific, historical or statistic research
Nonetheless, if you object to Data Processing, the Company will continue processing your Personal Data to the extent that
  • there exists a compelling legitimate ground that is more important than your privacy;
  • it is carried out for the establishment, compliance or exercise of legal claims, or defense of legal claims; or
  • it is necessary for a performance carried out in the public interest
Right to erasure/Right to be forgotten You have the right to request the Company to erase, destroy, or anonymize your Personal Data in the following circumstances:
  • You believe that the Company has unlawfully processed your Personal Data
  • You believe that the Company cease the necessity to retain your Personal Data according to the Company’s purpose as prescribed in this Privacy Policy; or
  • You have exercised right to withdraw consent or right to object to Data Processing as aforementioned
Right to restriction of Data Processing You have the right to request the Company to restrict Data Processing in the following circumstances:
  • The Company is pending examination process in accordance with the request to exercise rights to rectification,
  • It is Personal Data which must be erased or destroyed, but you request to restrict Data Processing instead, or
  • The Company is pending examination process in accordance with the request to exercise rights to object to Data Processing
Right to rectification You have the right to request the Company to rectify your Personal Data to be accurate, up to date, complete, and not cause any misleading.
Right to lodge a complaint You have the right to lodge a complaint to the Company or to the competent authority where you believe that the Company’s Data Processing is not in adherence with Personal Data Protection Law.
  1. 10.2 You may exercise your aforementioned rights at any time by contacting through channel specified in clause 14. to request to exercise Data Subject’s rights.
  2. 10.3 The exercise of such rights may be restricted under Personal Data Protection Law or other relevant law, and there may exist certain circumstances where the Company has necessary grounds to reject or unable to proceed with your application. In such case, the Company will notify you of the reasons for rejection together with the response to such application.

11. Withdrawal of Consent & Consequence from Withdrawal

  1. 11.1 In the event that the Company processes Personal Data based on consent, you, as a Data Subject, have the right to withdraw the consent given to the Company at any time. Such withdrawal of consent will not affect any legitimate Data Processing based on your consent given prior to its withdrawal.
  2. 11.2 If you withdraw the consent previously given to the Company or refuse to provide information to the Company, whether in whole or in part, it may result in the Company's inability to achieve the Company’s purpose as prescribed in this Privacy Policy, whether in whole or in part.

12. Personal Data of a Minor, Incompetent Person, or Quasi-Incompetent Person

  1. 12.1 If you are a minor, an incompetent person, or a quasi-incompetent person, and with to consent the Company to process your Personal Data, you must obtain consent from your legal representative, guardian, or curator, as the case maybe, prior to giving consent to the Company.
  2. 12.2 In the event that the Company is required to obtain consent from a legal representative, guardian, or curator, as the case may be, for processing Personal Data of a minor, an incompetent person, or a quasi-incompetent person, but the Company was unaware of such facts at the time of Data Processing and subsequently becomes aware that the Company has processed such Personal Data without obtaining the aforementioned consent, the Company will promptly erase, destroy, or anonymize the Personal Data of such minor, incompetent person, or quasi-incompetent person, unless the Company can process such Personal Data based on other lawful basis that do not require consent.

13. Amendment to Privacy Policy

The Company may update this Privacy Policy from time to time to reflect changes in our practices or changes in circumstances. In the event of any material amendment to this Privacy Policy, the Company will notify you of the amendment. The Company encourages you to review this Privacy Policy periodically.

14. Contact Us

Should you have any inquiries regarding this Privacy Policy, or would like further information about the Company's data protection practices, or to exercise your rights as a Data Subject, please contact us at the following channels:

Contact the Company and DPO:

Address: NR Instant Produce Public Company Limited 99/1 Moo 4, Khae Rai Sub-District, Krathum Baen District, Samut Sakhon, 74110

E-mail: DPO@nrinstant.com

Telephone Number: 034849576-80

15. Applicable Law

You acknowledge and accept that this Privacy Policy is governed and construed in accordance with laws of Thailand. Any dispute arising out of or in connection with this Privacy Policy shall be submitted to the exclusive jurisdiction of the courts of Thailand.

This Privacy has been approved by the Board of Directors Meeting No. 9/2025 held on 15 May 2025 and effective on 16 May 2025 onwards.

Announcements on 16 May 2025.