Cybersecurity and Privacy Protection

Cybersecurity Governance Structure

To ensure the security, effective management, and proper utilization of Central Retail's cybersecurity system and privacy protection, a governance structure has been instituted. This structure involves the Risk Policy Committee, Chief Executive Officer (CEO), Chief Information Security Officer (CISO), and the Information Technology Committee (ITC). The Risk Policy Committee oversees enterprise risk management, including risks from cybersecurity and privacy protection at the Board level. Mr. Yol Phokasub, who is the current CEO of Central Retail, and also a member of the Board of Directors and the Risk Policy Committee, which oversees and establish strategies to manage cybersecurity and privacy protection. The CEO has an educational background in computer science and software engineering and has work experience as a system manager previously. The ITC is an executive-level committee, with the CISO leading the implementation of cybersecurity and privacy protection measures. The current CISO also has vast experience in cybersecurity and as CISO at another major online retail company. Other members of the ITC include executives from different business units that ensure compliance to Central Retail’s cybersecurity and privacy protection management approach, while operating with competent employees possessing expertise necessary for implementing and communicating these measures throughout the organization and to external stakeholders. Importantly, Central Retail has appointed the Data Protection Officer (DPO) to advise, oversee and monitor Central Retail’s compliance with the Personal Data Protection Act B.E. 2562 (PDPA) and established the Data Protection Working Team dedicated to protecting personal data and handling privacy issues.

Cybersecurity Management

Central Retail has established the Information Security Mission Statement and Policy to announce its commitments in ensuring that its information system and services can meet the standards of protection expected by customers and stakeholders. Central Retail has adopted international standards such as the ISO 27001:2022, the National Institute of Standards and Technology (NIST), and Center for Internet Security Control (CIS) to provide and act as an internal policy and guidance that all employees and relevant personnels must adhere to effectively manage and protect the core systems and relevant personal data.

Central Retail has implemented a risk management approach to protect and manage the information environment to keep up with changing situations through balancing control and system usage Central Retail also prioritized sensitive data into different levels of risks, which will determine its level of protection and measures. Other cybersecurity measures include but not limited to server vulnerability management, endpoint detection response and virus protection, and data encryption. Moreover, information technology resources should have cybersecurity measures embedded into their respective lifecycles, from acquisitions to disposal. With regards to physical security, Central Retail has relocated the information systems to the data centers adhering to international standards for both procedural and security measures. This approach provides comprehensive safeguards against potential physical harm from fire, flood, and other emergencies, as well as illegal entry into the system.

Cybersecurity Process

Data Privacy Protection

Central Retail is dedicated to privacy protection from taking appropriate security measures (including organizational and technical measures) to prevent data leakage, and establishing the Personal Data Handling Procedure for internal use that all employees and pertinent personnels must follow to prevent breaches and misuse of personal data. In addition, Central Retail has also put in place its agreements with the suppliers to control the activities carried out by the suppliers and to ensure suppliers’ compliance with privacy practice. The Personal Data Handling Procedure covers extensive topics such as recordkeeping of data processing activity, consent management system, data subject rights management, data retention, data processing agreement, personal data breach procedures, and etc. Central Retail has also made the Privacy Policy available to the public on the website and at various contact points where personal data is collected. This is to ensure transparency and to inform customers and stakeholders of their rights to data privacy. The Privacy Policy encompasses the following issues:

• Type of personal data
• Purpose of data collection, use, and disclosure
• Agencies or individuals to which Central Retail may disclose personal data
• Transfer of personal data to third countries
• Duration of personal data storage
• Security measures
• Cookie policy
• Rights of data subject
• Service points of contact regarding the exercise of personal data rights

Consent

Central Retail is committed to lawfully process personal data of customers and other stakeholders. Central Retail may further obtain a consent from the customers and other stakeholders when the Company cannot rely on other legal basis for collection, use and disclosure of personal data including but not limited to the processing of sensitive personal data, the processing for analysis or marketing activities etc.

In addition, Central Retail has set up channels by which data owners can file complaints, inquiries and exercise their rights regarding personal data. Cases and complaints which are substantiated will be addressed and disciplinary actions will be taken. For any questions, concerns, or would like to exercise rights regarding personal data, please contact our Data Protection Officer at:

Security Measures for Personal Data Protection

Central Retail is committed to protect the personal data by establishing effective security measures from a technical, physical and organizational point of view to prevent loss, unauthorized or unlawful access, deletion and destruction, use, alteration, rectification or disclosure of personal data.

Central Retail continuously reviews its security measures and monitors technological changes to ensure effective security protocols, considering the nature, scope, context, and objectives, as well as the level of risk associated with personal data processing.

Central Retail’s cybersecurity systems are tested through conducting internal and external vulnerability analysis and penetration testing (including simulated hacker attacks) to actively monitor and prevent cause for cyberattacks. These tests are performed on an annual basis by qualified experts to help identify the system’s weaknesses in addition to business continuity plans. Likewise, Central Retail conducts audits of compliance to data privacy on a regular basis.

To reduce risks to cybersecurity and privacy protection, Central Retail integrates these risks as part of the quarterly group-wide enterprise risk management process to ensure that these risks are monitored and managed. Central Retail also conducts regular trainings on cybersecurity topics such as physical security, phishing, and email malware protection for both executives and employees. Moreover, Central Retail selects representatives from each business units in functions specific to data privacy to conduct intensive training on PDPA and proper data handling. Employees are able to notify an incident or potential incident should they suspect any breaches which will be escalated and addressed as appropriate. In the case that there are misconduct or breaches by employees, disciplinary actions will be taken. Cybersecurity and privacy protection is also considered as part of annual performance review of relevant employees to ensure continuous improvements of the entire system.