1. Introduction
Paragon Car Rental Company Limited (hereinafter referred to as the "Company" in this policy) recognizes the importance of personal and other information related to the user (collectively referred to as "information"). The Company ensures transparency and responsibility in collecting, using, or disclosing your information in accordance with the Personal Data Protection Act 2019 ("Personal Data Protection Act") and other related laws. This Personal Data Protection Policy ("Policy") has been created to explain the details concerning the collection, use, or disclosure (collectively referred to as "processing") of personal data processed by the Company, including officers and related persons acting on behalf of the Company, with the following contents:

2. Scope of the Policy
This policy applies to the personal data of individuals who have or may have a relationship with the Company in the future, where personal data is processed by the Company, contractors, subcontractors, business units, or other forms of organizations managed by the Company, including contractors or third parties processing personal data on behalf of the Company ("Personal Data Processors") across various products and services such as websites, systems, applications, documents, or other forms of services controlled by the Company.

Subjects interacting with the Company, as referred to in the first paragraph, include:

1. Individual customers
2. Officials or operators, employees
3. Partners and service providers who are individuals
4. Directors, attorneys, representatives, agents, shareholders, employees, or other individuals having a similar relationship with the legal entity engaged with the Company
5. Users of the Company's products or services
6. Visitors or users of the websites www.hertzthailand.com, www.thriftythailand.com, and the Hertz Thailand application, including systems, applications, devices, or other communication channels controlled by the Company
7. Other individuals whose personal data is collected by the Company, such as job applicants, relatives of officials, guarantors, insurance beneficiaries, etc.

In addition to this Policy, the Company may require a privacy notice (“Notice”) for the Company’s products or services to inform personal data owners who are users of protected personal data processing of the purposes and legal bases for processing, retention periods, including the personal data rights that the owners of personal data should have in specific products or services.

In the event of a material conflict between the content of this Privacy Policy and the Notice, the Notice for that service shall prevail.

3. Definitions

• "Company" refers to Paragon Car Rental Company Limited and group companies.
• "Personal data" refers to information about individuals that enables the identification of that person, either directly or indirectly. However, it does not include information about a deceased individual.
• "Sensitive personal data" refers to personal data as defined in Section 26 of the Personal Data Protection Act B.E. 2019, which includes information about race, ethnicity, political opinions, religion, or philosophy, sexual behavior, criminal records, health information, disability, union membership, genetic data, biometric data, or any other data that affects the data owner in the same way, as specified in the announcement of the Personal Data Protection Committee.
• "Processing of personal data" refers to any action taken with personal data, such as collection, recording, copying, organizing, storage, updating, modification, use, retrieval, disclosure, forwarding, publication, transfer, combination, deletion, destruction, etc.
• "Personal data owner" refers to an individual who owns personal data that the Company collects, uses, or discloses.
• "Personal data controller" refers to a person or legal entity authorized and responsible for making decisions regarding the collection, use, or disclosure of personal data.
• "Personal data processor" refers to a person or legal entity who collects, uses, or discloses personal data based on the orders or on behalf of the personal data controller. However, the person or legal entity performing such action is not the personal data controller.

4. Sources of Personal Data Collected by the Company
The Company collects and receives your personal data through various channels as follows:

4.1 Personal data provided directly to the Company: You may provide personal data directly to the Company, such as during the application process, registration, job application, contract signing, document completion, survey participation, or when using products, services, or other service channels controlled by the Company, or when the personal data owner communicates with the Company at the office or via other contact channels, whether the communication is in writing, verbally, by telephone, or electronically controlled by the Company, etc.

4.2 Personal data automatically collected by the Company: The Company may collect technical information related to your device, activity, and traffic patterns. This includes automatically collected browsing history information using cookies and similar technologies. For more details, please see [Cookie Policy]. When a personal data owner enters the Company’s premises, closed-circuit television (CCTV) cameras may record fixed and moving images.

4.3 Personal data received by the Company from third parties: The Company may receive your personal data from third parties from time to time, such as through online travel agency (OTA) marketing, your personal data from a reference, employment agency, government agencies, or various public sources, etc.

This also includes situations where you provide third-party personal data to the Company. You are responsible for informing such persons of the details in accordance with this policy or product or service announcements, as applicable, and obtaining their consent, where required, to disclose the data to the Company.

5. Personal Data Collected
5.1 The Company collects your personal data and divides it into categories, whether it is personal data directly provided to the Company, personal data received from third parties, or personal data automatically collected by the Company. The data will include the following categories of personal data:

1. Customers, including individuals, website visitors, service recipients, participants in activities, seminar participants, and any other person contacting the Company to request information or services, whether directly or indirectly obtaining personal data.
2. Counterparties, including individuals who are contracting parties or are involved in any contract with the Company, including business partners, vendors, suppliers, service providers, contractors, consultants, securities professionals, and other similar persons.
3. Company personnel, including individuals employed, working for the Company, directors, executives, officers, specialists, or any person receiving salaries, wages, benefits, or any other compensation directly from the Company, including family members of Company personnel.
4. Job applicants, including individuals who have submitted applications or personal details to the Company, whether in writing or verbally, with the purpose of applying for employment, internships, or scholarships. This includes individuals who have not yet been selected by the Company, family members of the applicant, and references.

5.2 The personal data collected by the Company, whether provided directly, automatically collected, or received from third parties, includes the following categories:

1. Personal characteristics information, such as full name, date of birth, age, gender, height, weight, photograph, passport or national ID number and copy, signature, nationality, marital status, military service status, spoken languages, behavioral information, information on bankruptcy, information on being an incompetent or quasi-incompetent person, and family member details.
2. Sensitive personal information, such as religion and criminal records.
3. Health information, such as medical history, health status, congenital diseases, disabilities, physical abnormalities, accident history, and information on medical certificates.
4. Contact information, such as residential address, home phone number, mobile number, email address, social media contact information (Line ID, MS Teams, Skype, etc.), social media usernames, emergency contact details, fax numbers, and housing location maps.
5. Financial information, such as bank account numbers, and information on various taxes.
6. Employment and education information, such as employment details, work history, education history (type of employment, profession, rank, position, duties, skills, work status, work permit details, reference information, tax identification number, salary information, date of employment, date of departure, performance evaluation results, benefits, work achievements, bank account information, educational institution, degree, academic results, and graduation date).
7. Legal evidence information, such as personal data shown in a copy of the national ID card, passport, name change certificate, household registration copy, military service certificate, bank account booklet, marriage certificate, birth certificate, salary approval form, beneficiary identification form, social security registration form, employment contract, letter of guarantee, and related documents.
8. Technical information, such as data about your use of the Company’s website and various systems, computer traffic data (logs), contact data, communication data between you and other persons, usage records (computer serial number, IP address, device type, mobile network information, connection data, geolocation, browser type, login and logout information, username, password, system usage history, access logs, transaction logs), and information collected through cookies or other similar technologies.
9. Other information, such as voice recordings, still images, motion pictures, and sound captured by CCTV cameras.

5.3 For personal data collected before June 1, 2022, the Company will process such data in accordance with the Personal Data Protection Act and related laws.

6. Purposes and Legal Bases for Processing Personal Data
6.1 The Company may disclose your personal data according to the specified purposes and legal criteria, to the following persons or entities:

1. Partners, business partners, service providers, service recipients, and/or personal data processors assigned or hired to handle responsibilities or services or manage or process personal data on behalf of the Company for various services, such as information technology services, data registration services, payment systems, auditing, human resource management, or other services beneficial to you.
2. Business consultants such as legal advisors, attorneys, auditors, or any other experts.
3. Government agencies with regulatory or legal duties, or where disclosure of personal data is required by law or related to legal proceedings, such as the Office of Insurance Commission (OIC), Department of Provincial Administration, Department of Business Development, Office of the Personal Data Protection Committee, Office of Trade Competition, Royal Thai Police, Department of Special Investigations, Attorney General's Office, courts, and Department of Legal Execution.
4. Customers, beneficiaries, business partners, agents, intermediaries, service providers, and/or private representatives that you or your duties or positions are associated with, or any other similarly related persons.
5. Any other person or agency to whom you have given consent to disclose your personal data, or to whom disclosure is legally permitted.

6.2 The Company will only disclose your personal data to others according to specific purposes or as required by law. Where legally required, the Company will request your consent to disclose your personal data to another person.

6.3 In disclosing your personal data to others, the Company will implement appropriate measures to protect the disclosed data and comply with personal data protection standards and obligations under the Personal Data Protection Act. In the case of cross-border transfers of personal data, the Company will ensure that the recipient country or international organization has adequate personal data protection standards in place or follows the criteria specified by law, unless an exemption is provided by law. In some cases, the Company may request your consent for the cross-border transfer of your personal data.

7. Period for Retaining Personal Data
The Company will retain your personal data for the period necessary to fulfill the purposes outlined in the processing of such data. The retention period may vary depending on the specific purpose of processing and taking into account the following factors:

1. The period specified by applicable laws. Once the specified period has ended, the Company will delete or anonymize the personal data.
2. The statute of limitations for any legal proceedings that may arise from or relate to the personal data processed by the Company. The Company will retain your personal data for no longer than [10] years from the termination of the relationship between you and the Company. However, the Company may retain your personal data for a longer period if permitted by law or if it is necessary to enforce the Company's legal claims.

8. Your Rights Regarding Personal Data
As the data subject, you have several rights concerning your personal data, subject to the criteria, methods, and conditions set out by personal data protection laws. If you wish to exercise your rights, you may contact the Company using the contact details provided in Section 11 of this policy.

8.1 Right to access personal data: You have the right to access your personal data and request a copy of such data in accordance with personal data protection laws.

8.2 Right to data portability: You have the right to request personal data concerning you in a readable format or to request that your personal data be transferred to another data controller, as allowed by personal data protection laws.

8.3 Right to object to the processing of personal data: You have the right to object to the processing of your personal data, as permitted by personal data protection laws.

8.4 Right to request the deletion of personal data: You may request the Company to delete, destroy, or anonymize your personal data in accordance with personal data protection laws.

8.5 Right to suspend the processing of personal data: You have the right to request the suspension of your personal data processing as permitted by personal data protection laws.

8.6 Right to rectify personal data: You have the right to request the rectification of your personal data if it is inaccurate, incomplete, or misleading.

8.7 Right to withdraw consent: If the Company relies on your consent to process your personal data, you have the right to withdraw that consent at any time.

8.8 Right to file a complaint: If you believe that the Company has violated or failed to comply with any duties under personal data protection laws, you have the right to file a complaint with the Personal Data Protection Committee.

8.9 Right to amend or delete member personal data: This can be done by contacting the email loyalty@hertzthailand.com.

The Company will review requests to exercise the above rights and may ask for relevant information and documentation to assess the request. The Company reserves the right to assess and respond to such requests in accordance with personal data protection laws.

9. Security of Personal Data Storage
The Company has implemented a personal data storage system and appropriate technical and managerial security measures to prevent unauthorized use, disclosure, destruction, or access to your personal data. The security level of your personal data complies with the criteria and methods specified by personal data protection laws and other related laws.

10. Links to External Websites, Applications, or Services
The Company’s services may contain links to third-party websites, applications, or services. As mentioned, there may be a separate personal data protection policy for those services, which may differ from this policy. The Company advises reviewing the personal data protection policy of such websites, applications, or services before using them. The Company is not involved in or responsible for personal data protection measures of third-party websites or services and cannot be held accountable for their content, policies, damages, or actions.

11. How to Contact the Company
If you have any questions or concerns about this policy or wish to exercise your rights as described in Section 8, please contact the Data Protection Officer using the following details:

Company office: 46 Kronos Sathorn Office Building, G Floor and 10th Floor, North Sathorn Road, Silom Subdistrict, Bang Rak District, Bangkok 10500.
Email: dpo@hertzthailand.com
Phone: +66-2266-4666 extension 1622

12. Changes to This Policy
The Company may amend this policy from time to time to comply with any changes related to the processing of your personal data or updates in the personal data protection law or other related laws. The Company will notify you of significant changes or provide a revised version of the policy through appropriate channels. The Company advises checking for policy updates from time to time.

This policy is effective from June 1, 2022.