Information Security and Data Privacy
Supporting the Sustainable Development Goals
Rapid technological advancements have caused cyber threats and personal data breach risks to become increasingly sophisticated. Plan B recognizes that information system security is an essential foundation for preventing operational disruptions, safeguarding reputation, and maintaining stakeholder trust. The company is dedicated to strictly enforcing information security policies and personal data protection measures, alongside continuous efforts to raise employee awareness.
Goals and Performance Highlights
| Sustainability Target: Long term (2026-2030) | Sustainability Target: Short term (2026) | 2025 Performance |
|---|---|---|
| Maintain zero complaints regarding personal data breaches and customer data leaks. | Maintain zero complaints regarding personal data breaches and customer data leaks. | Zero complaints from government agencies, customers, or other stakeholders regarding unauthorized use of personal data, and no customer data leaks occurred. |
| 100% of employees at all levels must pass training and knowledge tests on personal data protection and cybersecurity annually. | 100% of employees at all levels must pass training and knowledge tests on personal data protection (PDPA) and cybersecurity. | All employees received training on the Personal Data Protection Act (PDPA) and cybersecurity safety. |
| Elevate data protection and prepare for international information security management system certification such as ISO/IEC 27001 or NIST. | Review and update information security policies to be comprehensive and ready for new types of cyber threats. | |
Commitment, Challenge and Opportunity
Commitment
Plan B places the highest importance on cybersecurity and personal data protection. The company operates in compliance with applicable laws and international standards, establishing policies, measures, and continuous employee training to build trust among all stakeholders.
Challenges
- Complex and evolving cyber threats, such as malware, phishing, ransomware, and new forms of attacks that are difficult to anticipate
- Risks of personal data leakage or theft, arising from both internal factors (human error) and external factors (hacker attacks), which affect security and legal compliance
- Potential impacts on the confidence of customers, business partners, and stakeholders, as cybersecurity or data incidents may damage reputation, trust, and long-term business continuity
Opportunities
- Strict compliance with laws and international standards to build customer and partner confidence, strengthening competitive advantage
- Promoting a culture of cybersecurity awareness through training and internal communication, enabling employees at all levels to understand risks and actively contribute to preventing cyber threats
Governance and Compliance
The company complies with the Personal Data Protection Act B.E. 2562 (PDPA) and the Cybersecurity Act B.E. 2562, alongside regulations regarding data collection, recording, usage for specific purposes, storage, and disposal. Plan B appointed a Data Protection Officer (DPO) to oversee privacy matters. In 2022, the company elevated its information technology and data privacy operations by strengthening data governance. IT practices and policies are reviewed annually to ensure that all employees have the knowledge, skills, and appropriate tools to safeguard customer information.

Personal Data Risk Management
The operations of the company involve the personal data of various stakeholder groups, including customers, partners, and employees. Multiple departments handle this information, which creates risks of incorrect or incomplete practices regarding privacy notices, consent requests, and data leak management. Such breaches could lead to significant reputational damage and heavy financial penalties, especially since the Personal Data Protection Act B.E. 2562 (PDPA) came into full effect on June 1, 2022.

The company recognizes the importance of the Personal Data Protection Act and the various regulations issued by the Personal Data Protection Committee. A Personal Data Protection Working Group has been established to develop internal policies and procedures that align with the law and relevant regulations. These policies are updated regularly to ensure they remain current. Additionally, the company has implemented a data storage system for employees and subsidiaries to prevent data leakage and allow for immediate damage mitigation.
To promote systematic and transparent data management, the company has announced the Recording, Reporting, and Data Retention Policy. This policy provides guidelines for employees on data storage, retention periods, and disposal methods. It also covers procedures for responding to data subjects who exercise their rights to delete, destroy, or correct their information. Furthermore, the company communicates its operational plans to partners and customers to ensure that collaboration is efficient and follows the guidelines of the Personal Data Protection Committee.
Additionally, the Company implemented a Consent Management System (CMS) to ensure PDPA compliance, which is now fully integrated into our website. We manage personal data collection and usage through a Record of Processing Activities (RoPA), enabling data subjects to easily exercise their rights via the CMS "Data Subject Rights" section. Our Personal Data Protection team also collaborates with relevant departments to provide training for data owners, controllers, and business unit representatives. This ensures a clear understanding of roles and systems, resulting in the highly effective protection of personal data for all customers and stakeholders.
Data Ethics and Data Leakage Prevention
The Company has implemented Data Loss Prevention (DLP) systems to mitigate the risks of data breaches and unauthorized access. These measures are designed to enhance the efficiency and security of our information technology infrastructure, ensuring cyber resilience and an agile response to evolving cyber threats, alongside the continuous strengthening of our security systems.
The Company fosters a corporate culture of responsible data usage by enforcing comprehensive Data Ethics Policies and Guidelines, prioritizing human rights and data privacy. Furthermore, we proactively promote data protection awareness and provide regular updates on information technology and emerging cyber threats via internal communications. This ensures that employees at all levels are engaged and serve as a frontline defense in maintaining sustainable organizational information security.
Cybersecurity and Customer Data Protection
The Company recognizes the critical importance of cybersecurity and data network stability. Given the evolving and complex nature of data theft and cybercrimes, which pose risks to economic, social, and environmental dimensions as well as the trust of our partners and customers, we classify cyber risk as a key enterprise risk under Board-level oversight. We are committed to strict compliance with domestic and international cybersecurity and data privacy laws to prevent cyber threats and mitigate the impact of potential public data leaks. Consequently, the Company adheres to international standards and has enacted a Cybersecurity Policy to provide a comprehensive framework for information technology security as follows:
1. Information Security Policy Development
The Company has established an Information Security Policy applicable to all employees and personnel acting on our behalf. This policy serves as a framework for information security practices in alignment with relevant legal and regulatory requirements. Key components of the policy include:
- Corporate information security structure and the designation of a Data Protection Officer (DPO)
- Personnel security and information asset management
- Access control for systems and data
- Data encryption and physical environment management
- Information security incident management
- Business Continuity Management (BCM)
This policy undergoes regular reviews, with compliance audits conducted by both internal and external auditors.
2. Business Continuity and IT Disaster Recovery Planning
to ensure data availability and operational resilience following any potential disruptions to critical business processes.
3. Annual "Cybersecurity & Basic IT Troubleshooting" Training
provided to all employees to enhance knowledge and awareness regarding the importance of cybersecurity, current cyber threats, and fundamental prevention and resolution methods.
In 2025, this training was conducted in an online format with a total of 192 participants.
4. Data Privacy Protection for all stakeholder groups, including customers, employees, vendors, business partners, and shareholders
remains a top priority for Plan B. The Company has implemented a Privacy Policy to communicate our personal data protection standards in accordance with the Personal Data Protection Act B.E. 2562 (PDPA). Furthermore, training sessions on these regulatory requirements are provided to employees to increase awareness. The Company also organized specific training for the Board of Directors to ensure they are well-prepared and knowledgeable regarding legal enforcement.
In this regard, Plan B processes customer data strictly for the purposes specified in the Privacy Policy and/or for which consent has been obtained as required by law.
Cybersecurity Governance Structure and Data Protection for Partners and Customers
Emergency Response and Incident Handling Process
In the event of an incident meeting the aforementioned criteria, the Company follows a standardized operational procedure to promptly suppress and mitigate damages as follows:
Information Security Performance
As a result of our ongoing commitment to system enhancement and information security management aimed at strengthening cyber resilience, the Company successfully achieved its data protection objectives. We maintained a 100% success rate in preventing data breaches, fully meeting our established targets.
Throughout the reporting period, there were no reported incidents of data leakage, cyber theft, or the loss of critical information concerning either corporate data or the personal data of stakeholders. These empirical results reflect the effectiveness of our proactive controls, the robustness of our technological infrastructure, and the successful integration of a comprehensive cybersecurity culture across the entire organization.
| Performance Results | 2023 | 2024 | 2025 |
|---|---|---|---|
| Number of complaints from external parties and substantiated by the Company | 0 | 0 | 0 |
| Number of complaints from regulatory bodies | 0 | 0 | 0 |
| Number of identified leaks, thefts, or losses of customer data | 0 | 0 | 0 |