Data Processing Agreement (DPA)

Effective Date: June 2024

Introduction

This Data Processing Agreement ("DPA") forms part of the Terms and Conditions ("Principal Agreement") between:

Client: The entity identified as "Client" in the Principal Agreement ("Client")

Taglinker: TagLinker ("Processor")

Definitions

For the purposes of this DPA, the following terms have the meanings set out below:

Processing of Personal Data

The Processor shall:

Sub-processing

The Client authorizes the Processor to appoint Sub-processors as required for the provision of the Service. The Processor shall inform the Client of any intended changes concerning the addition or replacement of Sub-processors, giving the Client the opportunity to object to such changes.

The Processor shall ensure that the arrangement between the Processor and each Sub-processor is governed by a written contract including terms which offer at least the same level of protection for Personal Data as those set out in this DPA.

Data Subject Rights

The Processor shall promptly notify the Client if it receives a request from a data subject under any Data Protection Law in respect of Personal Data. The Processor shall not respond to that request except on the documented instructions of the Client or as required by applicable laws.

Personal Data Breach

In the event of a Personal Data breach, the Processor shall notify the Client without undue delay and shall provide the Client with sufficient information to allow the Client to meet any obligations to report or inform data subjects of the Personal Data breach under the Data Protection Laws. The Processor shall cooperate with the Client and take reasonable commercial steps as directed by the Client to assist in the investigation, mitigation, and remediation of each such Personal Data breach.

Data Protection Impact Assessment and Prior Consultation

The Processor shall provide reasonable assistance to the Client with any data protection impact assessments and prior consultations with supervisory authorities or other competent data privacy authorities, which the Client reasonably considers to be required by Articles 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to processing of Personal Data by, and taking into account the nature of the processing and information available to, the Processor.

Deletion or Return of Personal Data

Subject to this section, the Processor shall promptly and in any event within 30 days of the date of cessation of any Services involving the processing of Personal Data (the "Cessation Date"), delete and procure the deletion of all copies of those Personal Data.

The Processor shall, at the Client's request, return a complete copy of all Personal Data to the Client by secure file transfer in such format as is reasonably notified by the Client to the Processor within 30 days of the Cessation Date. The Processor shall delete and procure the deletion of all other copies of Personal Data processed by the Processor, unless retention of such data is required by applicable law.

Audit Rights

Subject to this section, the Processor shall make available to the Client on request all information necessary to demonstrate compliance with this DPA, and shall allow for and contribute to audits, including inspections, by the Client or an auditor mandated by the Client in relation to the processing of the Personal Data by the Processor.

The Processor acknowledges that the Client may be obliged to conduct audits of the Processor to verify compliance with this DPA. The Processor shall permit the Client, or any third party auditor mandated by the Client, to conduct such audits.

International Data Transfers

The Processor shall not transfer Personal Data outside of the European Economic Area (EEA) unless the following conditions are fulfilled:

General Terms

Confidentiality: Each party must keep this DPA and information it receives about the other party and its business in connection with this DPA ("Confidential Information") confidential and must not use or disclose that Confidential Information without the prior written consent of the other party except to the extent that:

Governing Law and Jurisdiction: This DPA is governed by the laws of Thailand. Any dispute arising in connection with this DPA, which the parties will not be able to resolve amicably, shall be submitted to the exclusive jurisdiction of the courts of Thailand.

Contact Us

If you have any questions or concerns about this DPA, please contact us at:

Email: info@taglinker.com