Section 29

In the event that the Data Controller or the Data Processor

who is in the Kingdom of Thailand has put in place a Personal Data protection policy regarding
the sending or transferring of Personal Data to another Data Controller or Data Processor
who is in a foreign country, and is in the same affiliated business, or is in the same group of undertakings,
in order to jointly operate the business or group of undertakings. If such Personal

Data protection policy has been reviewed and certified by the Office, the sending or transferring

of Personal Data to a foreign country, which is in accordance with such reviewed and certified
Personal Data protection policy, can be carried out and shall be exempt from compliance with section 28 .

The Personal Data protection policy, the nature of the same affiliated undertaking or affiliated business

in order to jointly operate the undertaking or business, and the rules and methods for the review and certification
in paragraph one shall be as prescribed and announced by the Committee.

In the absent of a decision by the Committee in accordance with

section 28 , or the Personal Data protection
policy referred in paragraph one, the Data Controller or the Data Processor may send or transfer the Personal
Data to a foreign country in exemption to compliance with section 28 , if the Data Controller or the Data Processor
provides suitable protection measures which enable the enforcement of the data subject’s rights, including effective
legal remedial measures according to the rules and methods as prescribed and announced by the Committee.