Goal and Performance Highlights

Performance
In 2025, there were no complaints regarding customer privacy violations.
No customer data leaks or losses were reported.
There were no complaints concerning breaches of stakeholder privacy.
Goal
By 2030, the Company aims to have no complaints regarding customer privacy violations, no customer data breaches or losses, and no impacts from privacy violations affecting stakeholders.

Challenges and Opportunities

Central Pattana continues to invest in digital technologies to transform processes, using technology enablers to enhance the use of data analytics and forecasting capabilities. In line with our Omnichannel strategy, this digital transformation helps create a seamless customer experience, boosts efficiency in customer and tenant services, reduces business risks, strengthens supplier collaboration and simplifies employee workflows.

However, these benefits come with information technology risks, including data theft, cybercrime, and personal data breaches due to insufficient cybersecurity measures. Such threats could result in business disruptions, resource losses, complaints, legal actions, reputational damage and a decline in stakeholder trust. Moreover, compliance with data protection laws, such as the Personal Data Protection Act B.E. 2562 (PDPA), presents an ongoing challenge due to the complexity of the regulatory requirements and the need for strict legal adherence.

Furthermore, the integration of advanced digital technology with stringent security protocols significantly improves operational efficiency.

Investing in secure technologies also drives innovation and business growth, factors that are instrumental in laying the foundation for long-term organizational sustainability.

Management Approach and Value Creation

Central Pattana Public Company Limited places utmost importance on information security, cybersecurity, and personal data protection as a means of building trust among stakeholders, including customers, partners, shareholders, and all related parties. The Company is committed to aligning its operations with international standards and strictly complying with relevant laws and regulations. In addition, the Risk Policy Committee helps ensure that critical information is protected from constantly evolving cyber threats.

Cybersecurity and personal data protection have been defined as critical organizational risk indicators. The Company monitors and reports performance in these areas regularly to the Board of Directors to strengthen risk management on an ongoing basis. In addition, an IT Security team has been established under the leadership of Central Group's Chief Information Security Officer (CISO), who plays a key role in setting cybersecurity strategies and coordinating with relevant internal and external parties. The Company also prioritizes the appointment of board members with expertise in information technology to enhance the Board's oversight capabilities in a rapidly evolving digital landscape.

Governance Level      Reporting Frequency
Board Level           As scheduled
Management Level      Quarterly
Operational Level     Monthly
Audit Level           Ongoing

  • Oversee the availability of information systems, both hardware and software
  • Manage data center security systems, including physical disaster-prevention systems for emergencies
  • Coordinate with the Risk Management Unit for annual emergency response drills simulating system failure scenarios
  • Serve as an equivalent to a Security Operations Center (SOC)
  • Monitor threats and inspect access to the organization's network and information systems
  • Respond swiftly to threats or abnormal events, conduct incident analysis, and implement preventive measures to prevent damage to the Company
  • Conduct monthly security reviews and vulnerability assessments, and promptly remediate severe and critical vulnerabilities
  • Compile incidents and corrective actions for incident reports to Central Group's CISO
  • Define information security policies, standards, and implementation practices for software system development across the organization, along with training programs to build employee awareness and understanding
  • Ensure information security in accordance with the organization's risk profile, based on CIA principles covering confidentiality of Company information, personal data protection (PDPA), and criteria for selecting products, system developers, and software for organizational use
  • Ensure cybersecurity compliance with legal obligations and international standards such as the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) and Center for Internet Security Controls (CIS Controls)
  • Collaborate closely with Central Group's Data Protection Officer (DPO)
  • Coordinate business continuity testing in case of information system failures
  • Perform random audits related to: (1) Program access control (2) Data confidentiality (3) Data integrity in systems

Executive Oversight and Governance

Central Pattana Public Company Limited places importance on cybersecurity and personal data protection governance. These areas are defined as key risk indicators for the Board of Directors, with performance regularly monitored and reported. The Company has also established an IT Security team under the leadership of Central Group's Chief Information Security Officer (CISO) to drive cybersecurity strategies for maximum effectiveness. In addition, the Company has a policy to recruit directors with expertise in information technology to ensure that its business operations can effectively respond to technological challenges.

Cybersecurity Management Standards and Guidelines

The Company places high importance on protecting personal data, covering all customer touchpoints including retail stores, websites, mobile applications, customer service centers, online communication channels, and other locations where stakeholders' personal data may be collected.

In addition, the Company obtains consent from data subjects before collecting, using, or disclosing personal data. It has also developed a personal data management system to effectively monitor, control, and protect customer data, supported by measures for responding to data breach incidents rapidly.

Personal Data Protection and Legal Compliance

The Company has established the Information Security Policy, Privacy Policy, Cookie Policy, Data Recording, Reporting and Retention Policy, and information security standards as operational guidelines for employees across the organization and all stakeholder groups. The Company also continues to develop and enhance the information security management system, using ISO 27001:2013 and NIST SP 800-53 as operating frameworks. These frameworks cover the security of Company data and information systems, including hardware, software, and networks.

In collaboration with Central Group, the Company has established a Personal Data Protection Unit and appointed a Data Protection Officer to oversee responsibilities and define a working framework in compliance with the Personal Data Protection Act B.E. 2562 (2019) (PDPA). Business units exchange information on data breaches and jointly discuss preventive measures. The Privacy Policy is publicly accessible on the Company's website and prominently displayed in customer service areas at shopping centers and other locations where personal data is collected. A detailed manual has also been developed to guide the management of all activities involving personal data processing, ensuring compliance with relevant laws, regulations, and the Privacy Policy. The Company also communicates cyber risks to employees to build awareness and understanding.

To strengthen employee knowledge, the Company provides online training courses, including CPN-Personal Data Protection Act (PDPA 2019) and CRC-Personal Data Protection Act. The Company has also developed and maintained the Record of Processing Activities, implemented Consent Management, established Data Subject Rights Management, defined personal data retention periods under the Data Retention Policy, prepared relevant legal documents such as the Data Processing Agreement, and established the Personal Data Breach Procedure.

The Company also places importance on complaint channels. In cases where personal data is breached by the Company, data subjects may report the incident through the online complaint channel on the corporate website or through the Customer Information Center (Call Center) at +66 (0) 2-667-5555. Such complaints are reviewed by the Internal Audit Unit, reported to the Audit and Corporate Governance Committee, and forwarded to the responsible units for resolution. If an investigation finds that the incident resulted from the Company's actions, the Company will take responsibility by providing appropriate compensation or remediation.

Cultivating a Cybersecurity Culture

To maximize the effectiveness of cybersecurity operations, the Company promotes a strong Cybersecurity Culture across the organization through the following key measures:

  • Providing cyber awareness training and knowledge-building for employees at all levels to enhance awareness and reduce risks arising from unsafe behaviors.
  • Conducting regular cybersecurity incident response drills to ensure that employees are prepared to respond to and resolve issues effectively.
  • Developing comprehensive risk management approaches and updating them continuously to address emerging threats.

Cyber Risk Management and Cyber Insurance

Central Pattana Public Company Limited recognizes that cyber risks may arise and affect its business. The Company has therefore arranged cyber insurance to help mitigate losses in the event of unexpected incidents. It also conducts third-party risk assessments to ensure that business partners with access to Company data maintain adequate security standards.

Commitment to Sustainable Cybersecurity

Central Pattana Public Company Limited believes that robust cybersecurity and personal data protection not only mitigate business risks but also serve as critical strategies for building trust with customers and stakeholders. The Company is committed to continuously developing and elevating cybersecurity standards to remain modern and aligned with global trends, ensuring that the business can grow securely and sustainably in the digital age.

Stakeholders Directly Impacted

Tenants and Lessees (Retail and Offices) and Residential Customers
Employees
Customers
Suppliers and Business Partners
Communities / Community Representatives Including Regulators and Government Bodies, Academia and Independent Organizations
Shareholders
Creditors