Sustainability

Cybersecurity and Privacy Protection at True

Cybersecurity and personal data protection are critical issues across all industries, but network and communication technology providers play a fundamental role in mitigating and safeguarding users from rights violations and online threats. Therefore, True must rigorously pursue cybersecurity and personal data protection efforts, including the establishment of control measures, audits, and continuous improvement of management practices to meet standards consistently. This also involves building internal staff capabilities, educating business partners and collaborators, and continuously educating users and consumers. This ensures the creation of a secure digital environment for everyone, reducing legal, financial, and reputational risks for the Company.

GOVERNANCE AND STRUCTURE

One of True’s missions is to prioritize the management of personal data security in accordance with the Personal Data Protection Act B.E. 2562 (PDPA), as well as international guidelines and standards, such as the ISO 27001 Information Security Management Standard, covering all business units, including TrueMove H, True Online, TrueVisions, and True Digital.

The company has established the IT & Security Division and the Business Security Department under the Chief Technology Officer. It reports the results of Information Security and Cyber Security operations to the Risk, Cybersecurity, and Finance Committee, as well as to the management committee. Additionally, a Data Protection Division has been established to specifically manage personal data protection issues. Its main responsibility is to control the personal data protection processes in accordance with the company’s policies and the PDPA. This division operates under the Chief Corporate Affairs Officer Group and reports progress and operational results to the Corporate Governance and Sustainability Committee and the management committee.

In general, the scope of duties and responsibilities of the Risk, Cybersecurity and Finance Committee in relation to cybersecurity and privacy protection include:

The Risk, Cybersecurity and Finance Committee includes Mr. Vichaow Rakphongphairoj as its expert in corporate IT and cybersecurity. He was Group Chief Operating Officer of True Corporation PCL, overseeing network and technology including information technology and security during 2008-2016. He was later appointed as Deputy Chief Executive Officer during 2016-2017. After that, he was appointed as President (Co) between 2017 and 2019.

DATA PROTECTION POLICY

True has a Personal Data Protection Policy designed in accordance with the PDPA framework, which is enforced rigorously within the Company, including subsidiaries, business partners and those appointed to act on behalf of the Company. One key aspect of the policy is defining the Company’s role as a “Data Controller,” which entails the authority to determine the purposes and methods of processing personal data arising from business operations. This is considered the duty and responsibility of the Company as the Data Controller, requiring various measures to ensure effective and appropriate data protection under PDPA principles and using customer data only for the purposes for which consent has been provided.

Additionally, a Data Protection Officer (DPO) is appointed, tasked with providing guidance to management, employees, and relevant individuals on risks and best practices regarding personal data processing. The DPO reports non-compliance and policy violations to the Company’s management and operates independently to review the use of personal data within the Company’s internal activities without interference.

The policy includes other important aspects in line with the PDPA, such as:

The Company assesses and reviews its personal data sharing processes and practices with internal entities and third parties annually, conducted by both internal and external auditors to ensure privacy policy compliance.

HANDLING AUTHORITY REQUESTS FOR DATA DISCLOSURE

The Company has developed an Authority Request Management Process to manage requests from government agencies and other authorized entities. This process involves a committee comprising representatives from various departments, such as legal, communications and information security.

When receiving requests to disclose personal data of customers or users, including requests related to accessing personal data, the committee shall evaluate and deliberate on the requests. Key evaluation criteria include:

True's Authority Request Process

COMPLAINT REPORTING AND HANDLING, REMEDIATION AND PUNISHMENT

True provides channels for employees, customers, partners, and the general public to report complaints and situations that may violate or deviate from the company’s policies and practices regarding data security and customer data protection. These reports are handled through processes involving assessment, investigation, inquiry, mediation, and penalties for violations of the company’s Code of Conduct. The Compliance & Ethics Department oversees these processes. In the event of personal data breaches, the company has effective legal remedies in accordance with PDPA criteria and methods. If violations that contravene policies are identified, legal penalties will be considered. Additionally, if company employees violate policies and practices, they will face disciplinary action in accordance with the Code of Conduct and may be subject to legal penalties as prescribed by law.

True Integrity Hotline

e-mail: TruePrivacy@truecorp.co.th
CyberSOC@truecorp.co.th

True Call Center 1424
dtac Call Center 1678

Every Branch of True and dtac Shops