Bangkok Expressway and Metro : Privacy notice for the 2024 Annual Ordinary General Meeting of Shareholders

Attachment 15

Privacy Notice for

the 2024 Annual Ordinary General Meeting of Shareholders

Bangkok Expressway and Metro Public Company Limited (the "Company") values the personal data of shareholders and/or proxies ("you"), the Company would like to inform you of the following information in order to ensure compliance with the Personal Data Protection Act B.E. 2562 (2019) and the Company Personal Data Protection Policy.

1. Personal Data Source and Personal Data Collected by the Company

The Company receives the personal data directly from you and/or proxies and/or Thailand Securities Depository Co., Ltd., which is the securities registrar of the Company, and the Company is required to gather such personal data for conducting and attending the 2024 Annual Ordinary General Meeting of Shareholders. Such personal data is comprised of the following:

1. General Personal Data, such as title, name, surname, date of birth, age, address, ID card number, the code on the back of the ID card, passport number, proof of name- surname change, postal code, phone number, fax number, e-mail, shareholder identification number, bank account number, photo, sound, motion photo, or both sound and motion photo from video recording and/or from information technology system and/or from broadcasting via electronic media or by any other means in the Annual Ordinary General Meeting (AGM) which have been prepared by the Company.
2. Sensitive Personal Data, such as facial image data for identity verification through the Face Recognition system.
   Remark:The Company will not keep your religious information because it is sensitive personal data which does not need to be processed for the Ordinary General Meeting of Shareholders. As such, if a copy of your ID card contains religious information, the Company requests your cooperation in hiding such information before submitting it to the Company (it may be scraped or crossed out until the information cannot be read), or if you are not comfortable, the Company reserves the right to do so instead.

2. Lawful in Collecting and Processing Basis and the Objectives in Collecting and Processing Personal Information.

2.1 Consent

This is due to an electronic shareholders' meeting (E-AGM), registration process (for individual shareholders attending the meeting in person) requires that they verifiy their identity via the Face Recognition system, which has been made available by the E-AGM system service provider, before being approved to attend the Meeting. Therefore, the Company is required to collect, use and disclose your personal data in accordance with Clause 1.2 above, with such data essential for attending the E-AGM. To that purpose, the Company will ask for your consent before collecting, using and disclosing your personal data. However, you will not be able to register for attendance at the E-AGM in person if you do not give consent or withdraw your consent before being approved to attend the Meeting (please see Clause 5: Rights of Data Subject), but you will be able to register by proxy as usual.

54

1. 1. 2.2 Legal Obligation

      The Company will collect, use, and disclose your personal data in accordance with Clause 1.1 to call, arrange and conduct the Annual Ordinary General Meeting of Shareholders. This includes verification of your identity as well as the delivery of relevant documents, collection of information as evidence for the Meeting and for any purposes in compliance with the resolutions of the Meeting, including any other actions under laws and/or orders of competent government authorities in accordance with the Public Limited Companies Act B.E. 2535 (1992), the Notification of the Ministry of Digital Economy and Society Re: Standards for Maintaining Security of Meetings via Electronic Means B.E. 2563 (2020), and other applicable laws.

   2. Legitimate Interest
      The Company will collect, use and disclose your data in accordance with Clause 1.1 for use in the preparation of the Minutes of the Meeting as proof of attendance at the E-AGM for the meeting public relations purpose, as well as for any other necessary and related purposes for the sake of the Company's and third parties' legitimate interests without going beyond what you can reasonably expect.
2. Personal Data Retention Period
3. 1. 
      The Company will retain your personal data for as long as it is necessary to achieve the above-mentioned purpose. The Company intends to retain your personal data per Clause
   2. for a period of 10 years, and per Clause 1.2 for a period of 6 months, from the date of the Company's receipt of your personal data. Upon the expiration of each specified period, the Company will either destroy your personal data or make it non-personally identifiable.
4. Personal Data Disclosure or Transfer
5. 
   Your personal data may be disclosed or transferred by the Company to related persons or agencies, for instance service providers, contractors of the Company in connection with meeting planning or information technology or data storage or website management, as well as auditors, legal consultants, government agencies, or officials with legal authority. In this regard, the Company will only disclose or transfer your personal data to service providers or contractors as is necessary for the delivery of services, and will ensure that the service providers or contractors do not use your data for any other purpose.
6. Rights of Data Subject
7. 
   The data subject has the rights to request access to his/her personal data, request to obtain a copy of his/her personal data under the Company's responsibility, or disclose the acquisition of such personal data for which he/she has not given consent, withdraw consent, object to the collection, use or disclosure of the personal data, update, delete, destroy the personal data, or make the personal data non-personally identifiable, suspend the use of his/her personal data, transfer his/her personal data to other data controllers subject to conditions and methods set forth by law. If you intend to exercise any of your rights, please contact the Company and the Company will consider your request as soon as possible. In some cases, the exercise of any right above may be restricted by applicable laws or the Company may reject your request. In this regard, you have the right to lodge a complaint with the competent official in accordance with the Personal Data Protection Act B.E. 2562 (2019) if you see that the Company is violating or failing to comply with such Act. In addition, if you have any questions or would like more information about the protection, storage, collection, use, disclosure of your personal data, or the exercise of your rights, or if you have any complaints, please feel free to contact us at E-mail address : DPO@bemplc.co.th
   Please study the Company's privacy protection policy at www.bemplc.co.th/privacycenter

55