
MSA Privacy Language

Last updated: March 4, 2026

DATA PROTECTION ADDENDUM

Customer has entered into a Master Agreement or into an agreement with similar nature and purpose (hereinafter “Master Agreement”) with G-P. The execution of such Master Agreement may entail the Processing of Personal Data. The Customer and G-P (jointly referred to as “Parties”) agree that this Data Protection Addendum (“DPA”) sets forth their obligations with respect to the processing and security of Personal Data in connection with the Services provided by G-P to the Customer under the Master Agreement and the Parties agree to be bound by this DPA. This DPA supplements the terms and conditions in the Master Agreement and is incorporated therein. In the event of a conflict between this DPA, and any other agreement between the parties on the issues set forth herein, this DPA shall prevail. If Customer already has an executed data protection addendum in effect with G-P, then that agreement shall prevail over this DPA, and this DPA shall have no force or effect, unless otherwise agreed in writing by Customer and G-P.

 

Whereas:

  1. When G-P provides the Customer with Employer of Record (“EOR”) services, G-P assumes the role of the legal employer for any individuals selected by the Customer (“Professionals”) to be hired.
  2. With regard to such Professionals' Personal Data, G-P is a Controller during the course of the employment relationship.
  3. With regard to Professionals' Personal Data collected and used by the Customer for its own purposes, Customer is also a Controller with independent privacy obligations.
  4. When delivering the EOR services, the exchange of Professionals' Personal Data between G-P and the Customer takes place under an independent Controller-to-Controller relationship, and the Controller-to-Controller terms defined in section 2 below shall apply.
  5. G-P also offers various software as a service products via G-P’s platform (“GPP”), through which G-P enables Customer to manage the relationship with those Professionals.
  6. By providing Customer with access to GPP, G-P is the Processor for the account related data uploaded to the GPP by the Customer's appointed Authorized Users of GPP, and the Controller-to-Processor terms defined in section 3 below shall apply.


G-P and the Customer have agreed as follows:


1. DEFINITIONS

1.1. Terms not defined herein have the meanings set forth in the Master Agreement. The following words in this DPA have the following meanings:

1.2. “Authorized User” means an individual permitted by Customer, who may be either a Customer’s employee or a Customer’s contractor, to access and use the GPP on behalf of the Customer, pursuant to the execution of the Master Agreement.

1.3. “Customer Data” means any Personal Data related to any Authorized User or identifiable natural person that is transferred, processed, or stored by G-P on behalf of Customer for the use of the GPP by the Customer.

1.4. “Data Protection Laws” means any data protection and privacy laws to which a party to this Agreement is subject and which are applicable to the Services provided, including where applicable, but not limited to, GDPR, UK GDPR, Swiss Data Protection Laws, US Privacy Laws (including state and federal laws), and Brazil LGPD.

1.5. “GDPR” means the General Data Protection Regulation (EU) 2016/679.

1.6. “GPP” means G-P’s proprietary software, including without limitation, the software, the mobile version, any software contained therein, and any data made available through the use of either G-P’s proprietary software or the third party services, including their updates, upgrades, platform as a service, and documentation.

1.7. “EEA” means the European Economic Area.

1.8. “LGPD” means Brazil Law No. 13.709, the General Law on Protection of Personal Data, as may be amended, superseded, or replaced.

1.9. “Master Agreement” means the agreement executed between Customer and G-P for the provision of the Services.

1.10. “Privacy Policy” means G-P’s privacy policy, as updated from time to time, available at https://www.globalization-partners.com/privacy-policy/

1.11. “Professionals’ Data” means Professionals’ Personal Data processed by G-P in the course of its EOR services provision to Customer.

1.12. "Restricted Transfer" means any transfer of Personal Data to a country outside the EEA, the United Kingdom, Switzerland or Brazil that is not subject to an adequacy decision under the applicable Data Protection Laws, and therefore requires appropriate safeguards under applicable data protection laws.

1.13. “Services” means the services to be provided by G-P to the Customer under the Master Agreement, which may include the EOR services and the access to and use of GPP.

1.14. "Standard Contractual Clauses" or "SCCs" means (i) where the GDPR applies, the standard contractual clauses annexed to the European Commission's Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, available at https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32021D0914&from=EN ("EU SCCs"); (ii) where the UK GDPR applies, the applicable standard data protection clauses adopted pursuant to Article 46(2)(c) or (d) of the UK GDPR, meaning the International Data Transfer Addendum (“UK Addendum”) to the EU Standard Contractual Clauses issued by the Information Commissioner's Office under s.119A(1) of the Data Protection Act 2018, as such UK Addendum may be revised under Section 18 therein ("UK SCCs"); (iii) where the Swiss Data Protection Laws apply, the applicable standard data protection clauses issued, approved or recognized by the Swiss Federal Data Protection and Information Commissioner (the "Swiss SCCs"); and (iv) where the Brazilian LGPD applies, the applicable standard contractual clauses attached to Resolution CD/ANPD No. 19/2024 promulgated by the Brazilian National Data Protection Authority (“ANPD”), as they may be amended from time to time (“Brazil SCCs”).

1.15. “Swiss Data Protection Laws” or “FADP” means (i) the Swiss Federal Data Protection Act (dated June 19, 1992, as of 1 March 2019) (“FDPA”); (ii) the Ordinance on the Federal Act on Data Protection (“FODP”); and (iii) any national data protection laws made under, pursuant to, replacing or succeeding any of the foregoing, and any legislation replacing or updating any of the foregoing.

1.16. “UK Addendum” means the United Kingdom international data transfer addendum to the EU Standard Contractual Clauses issued by the UK Information Commissioner.

1.17. “UK Data Protection Laws” means the GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom's European Union (Withdrawal) Act 2019 ("UK GDPR") and the Data Protection Act 2018 (together, "UK Data Protection Laws").

1.18. “US Privacy Laws” means applicable United States (US) state laws, orders, regulations and regulatory guidance relating to the Processing of Personal Data, including without limitation: (a) the CCPA; (b) Virginia’s Consumer Data Protection Act; (c) the Colorado Privacy Act; (d) Connecticut’s Act Concerning Data Privacy and Online Monitoring; (e) the Utah Consumer Privacy Act; and (f) all similar state laws.

1.19. "Controller", "Data Subject", "Personal Data", “Personal Information”, “Data Breach”, "Processor", "Process/Processing", “Restricted Transfer”, “Service Provider” and any other similar terms and concepts shall have the meanings defined in Data Protection Laws.


2. CONTROL OF PERSONAL DATA

2.1. Roles of the Parties. Where G-P operates as an independent Controller, G-P shall comply with its Controller obligations under Data Protection Laws when Processing Personal Data and shall Process the Personal Data as described in G-P’s Privacy Policy available at https://www.globalization-partners.com/privacy-policy/. Customer shall comply with its obligations under Data Protection Laws when Processing Personal Data as a Controller. In no event will the Parties Process Personal Data under this DPA as joint Controllers.

2.2. Responsibilities and Acknowledgements. Each Party may process Personal Data under this DPA with respect to Professionals’ Data as an independent Controller. The Parties agree to comply with their respective obligations and to process any Personal Data fairly and lawfully in compliance with this DPA and all Data Protection Laws applicable to such Party’s Personal Data Processing operations. Each Party shall ensure that its Processing of Personal Data is limited to the purpose of the GPP provided by G-P and is based on a legal ground for lawful processing. The Parties will assist each other in complying with their respective obligations under Data Protection Laws, including, but not limited to, assisting each other if a Data Breach occurs and responding to Data Subjects’ and/or regulators’ requests.


3. PROCESSING OF PERSONAL DATA


3.1. Scope. The use of GPP may entail the Processing of Customer Data by G-P as a Processor or Service Provider on behalf of Customer.

3.2. Instructions. G-P will process Customer Data in accordance with Customer’s documented instructions. Customer agrees that this DPA, the Master Agreement, and Annex I attached hereunder comprise Customer’s complete instructions to G-P regarding the Processing of Customer Data. Any additional or alternate instructions must be agreed between the parties in writing, including the costs (if any) associated with complying with such instructions. Customer will ensure that its instructions comply with applicable Data Protection Laws. Customer acknowledges that G-P is not responsible for determining which laws are applicable to Customer’s business. Customer will ensure that G-P’s processing of Customer Data, when done in accordance with Customer’s instructions, will not cause G-P to violate any applicable law, including applicable Data Protection Laws. However, if G-P is of the opinion that a Customer instruction infringes applicable Data Protection Laws, G-P shall notify Customer as soon as reasonably practicable and shall not be required to comply with such infringing instruction.

3.3. Details of Processing. Details of the subject matter of the Processing, its duration, nature and purpose, and the type of Customer Data and data subjects are as specified in Annex I attached hereto.

3.4. Compliance. Customer and G-P agree to comply with their respective obligations under Data Protection Laws applicable to the Customer Data that is Processed as specified in Annex I. Customer has sole responsibility for complying with Data Protection Laws regarding the lawfulness of the Processing of Customer Data prior to disclosing, transferring, or otherwise making available, any Customer Data to G-P. For the avoidance of doubt, in all cases, Customer shall obtain, where required, any consents from the Data Subjects for G-P to Process Customer Data as directed by Customer.

3.5. Subprocessors. Customer authorizes G-P to appoint and use Processors (“Subprocessors”) to Process the Customer Data in connection with the Services. Subprocessors may include third parties or any member of the G-P group of companies. G-P may continue to use those Subprocessors already engaged by G-P as of the date of this DPA, and a list of such Subprocessors is available in Annex III attached hereunder. Where a Subprocessor fails to fulfil its data protection obligations as specified above, G-P shall be liable to the Customer for the performance of the Subprocessor’s obligations. G-P shall notify Customer of any changes to its list of Subprocessors through GPP. If, within 10 (ten) days of the receipt of that notice, Customer legitimately objects to the addition or removal of a Subprocessor on data protection grounds and G-P cannot reasonably accommodate Customer’s objection, the parties will discuss Customer’s concerns in good faith with a view to resolving the matter.

3.6. Technical and organizational security measures. Taking into account industry standards, the costs of implementation, the nature, scope, context and purposes of the Processing, and any other relevant circumstances relating to the Processing of the Customer Data, G-P shall implement appropriate technical and organizational security measures to ensure that the security, confidentiality, integrity, availability and resilience of the processing systems and services involved in the Processing of the Customer Data are commensurate with the risk in respect of such Customer Data, as detailed in Annex II attached hereto. G-P will periodically (i) test and monitor the effectiveness of its safeguards, controls, systems and procedures and (ii) identify reasonably foreseeable internal and external risks to the security, confidentiality and integrity of the Customer Data, and ensure these risks are addressed.

3.7. Confidentiality. G-P shall ensure that persons authorized to access the Customer Data (i) have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality and (ii) access the Customer Data only upon documented instructions from G-P, unless required to do so by applicable law.

3.8. Personal Data Breach. G-P will notify the Customer without undue delay after becoming aware of a Data Breach in relation to the Processing of Customer Data and will use reasonable efforts to assist the Customer in mitigating, where possible, the adverse effects of any Data Breach.

3.9. Deletion of Personal Data. Upon termination of the Services (for any reason), G-P shall, as soon as reasonably practicable, return or delete the Customer Data stored in the GPP unless applicable law requires storage of the Customer Data for a longer period. For such retention the provisions of this DPA shall continue to apply to such Customer Data.

3.10. Data Subject Requests. G-P shall promptly inform Customer of any Data Subjects’ requests regarding Customer Data. Customer is responsible for responding to such requests. G-P will reasonably assist Customer to respond to such Data Subject requests to the extent that Customer is unable to access the relevant Customer Data in its use of the GPP.

3.11. Third party requests. If G-P receives any request from third parties, or an order of any court, tribunal, regulator or government agency with competent jurisdiction to which G-P is subject, relating to the Processing of Customer Data under the Agreement, G-P will promptly redirect the request to the Customer. G-P will not respond to such requests without Customer’s prior authorization unless legally compelled to do so. G-P will, unless legally prohibited from doing so, inform the Customer in advance of making any disclosure of Customer Data and will reasonably co-operate with Customer to limit the scope of such disclosure to what is legally required.

3.12. Data Protection Impact Assessment and Prior Consultation. To the extent required by Data Protection Laws, G-P shall provide reasonable assistance to Customer to carry out a data protection impact assessment in relation to the Processing of Customer Data undertaken by G-P and/or any required prior consultation(s) with supervisory authorities. G-P reserves the right to charge Customer a reasonable fee for the provision of such assistance.

3.13. Audit. Customer may audit G-P’s compliance with this DPA and Data Protection Laws by requesting a certificate issued for security verification reflecting the outcome of an audit conducted by a third party auditor (e.g., ISO 27001 certification, SOC 2 report), within twelve (12) months as of the date of Customer’s request. Alternatively, in the event the documentation provided subject to this Section 3.13 is not sufficient for the purpose of demonstrating compliance, the Customer may conduct its own audit in addition to the provided third party certifications or reports, provided that such audit shall be conducted: i) no more than once per each 12 (twelve) month period; ii) during normal business hours and without disrupting G-P’s day-to-day business; iii) with thirty (30) days prior written notice; iv) at the Customer’s sole expense; v) based upon mutually agreed parameters and scope, limited to the specific scope of services, systems in use and/or processing activities contemplated hereunder; vi) on a date mutually agreed in advance, subject to reasonable postponement by Customer upon G-P’s reasonable request; and vii) in accordance with all confidentiality obligations and restrictions. Notwithstanding the continued applicability of this DPA, no audit right shall exist after termination of the Master Agreement, except where Customer demonstrates a legal obligation requiring it. Any third-party representative selected to perform an audit on behalf of Customer must not have an ownership interest in or affiliation with an EOR services company, agency, a related organization or consultant.
Nothing in this DPA will require G-P to either disclose to Customer or its third-party auditor, or to allow Customer or its third-party auditor to access: (i) any data of any other G-P customer; (ii) G-P’s internal accounting or financial information; (iii) any trade secret of G-P or its affiliates; (iv) any information that, in G-P’s reasonable opinion, could compromise the security of any G-P system or cause any breach of its obligations under applicable law or its security or privacy obligations to any third party; or (v) any information that Customer or its third-party auditor seeks to access for any reason other than the good faith fulfillment of Customer’s obligations under the Data Protection Laws.

3.14. US Privacy Laws. Under this section 3 (“Processing of Personal Data”), the Parties agree that G-P is a “Service Provider” or “Processor” as such terms are defined under applicable US Privacy Laws. Accordingly, to the extent US Privacy Laws apply to the Processing of Customer Data by G-P, G-P shall not (a) retain, use, or disclose any Customer Data outside the direct business relationship between G-P and Customer, or for any purpose other than the purpose set out in Annex I attached hereto, and G-P shall Process Customer Data only as long as it provides services to the Customer; (b) sell any Customer Data; (c) share any Customer Data; or (d) combine the Customer Data that G-P receives from, or on behalf of, Customer with “personal data” (as such term or equivalent is defined under applicable Data Protection Laws) that it receives from, or on behalf of, another person, or collects from its own interaction with a consumer, provided that G-P may combine Customer Data if it is within the scope of providing the services to Customer. Where applicable, each Party shall notify the other party if it makes a determination that it can no longer meet its obligations under US Privacy Laws.

4. INTERNATIONAL DATA TRANSFERS

4.1. Appropriate protection. G-P is authorized, in the normal course of business, to make worldwide transfers of Customer Data to its affiliates and/or Subprocessors. When making such transfers to a territory that has not been recognized by the relevant data protection authorities as providing an adequate level of protection for Personal Data according to Data Protection Laws, G-P shall ensure appropriate protection is in place to safeguard the Customer Data transferred under or in connection with the Master Agreement.

4.2. Data Privacy Framework. Professionals’ Data and Customer Data are stored in GPP, which is hosted in the U.S. G-P is certified under the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and, as applicable, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF). G-P’s certification can be confirmed publicly on the DPF website https://www.dataprivacyframework.gov/list. The EU-U.S. Data Privacy Framework was considered adequate by the European Commission, being a lawful data transfer mechanism pursuant to Article 45 of the GDPR, the UK GDPR, and the FADP, respectively. If the DPF Framework(s) are invalidated, suspended, or otherwise no longer recognized as providing adequate protection for international data transfers, the Processor agrees to enter into and comply with the SCCs issued or approved by the European Commission, the UK Information Commissioner’s Office (ICO), or the Swiss Federal Data Protection and Information Commissioner (FDPIC), as applicable. The parties shall cooperate in good faith to implement any supplementary measures required to ensure an essentially equivalent level of protection for the transferred data.

4.3. Standard Contractual Clauses. The parties agree that when the transfer of personal data from Customer (as "data exporter") to G-P (as "data importer") is a Restricted Transfer and applicable Data Protection Laws require that appropriate safeguards are put in place, such transfer shall be subject to the appropriate Standard Contractual Clauses, which shall be deemed incorporated into and form part of this DPA, as follows:

  a. In relation to transfers of Personal Data that is protected by the GDPR, the EU SCCs shall apply, completed as follows:
  i. Modules One and Two shall apply;
  ii. in Clause 7, the optional docking clause shall apply;
  iii. in Clause 9 of Module Two, Option 2 will apply, and the time period for prior notice of Sub-processor changes shall be as set out in section 3.5 of this DPA;
  iv. in Clause 11, the optional language shall not apply;
  v. in Clause 12, any claims brought under the EU SCCs shall be subject to the terms and conditions set forth in the Master Agreement;
  vi. in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Irish law;
  vii. in Clause 18(b), disputes shall be resolved before the courts of Ireland;
  viii. Annex I of the EU SCCs shall be deemed completed with the information set out in Annex I to this DPA;
  ix. Annex II of the EU SCCs shall be deemed completed with the information set out in Annex II to this DPA; and
  x. Annex III of Module Two of the EU SCCs shall be deemed completed with the information set out in Annex III to this DPA.

b. In relation to transfers of personal data protected by the UK Data Protection Laws or the Swiss Data Protection Laws, the EU SCCs as implemented under sub-paragraph (a) above will apply with the following modifications:

  i. references to "Regulation (EU) 2016/679" shall be interpreted as references to UK Data Protection Laws or the Swiss Data Protection Laws (as applicable);
  ii. references to specific Articles of "Regulation (EU) 2016/679" shall be replaced with the equivalent article or section of the UK Data Protection Laws or the Swiss Data Protection Laws (as applicable);
  iii. references to "EU", "Union", "Member State" and "Member State law" shall be replaced with references to "UK" or "Switzerland", or "UK law" or "Swiss law" (as applicable);
  iv. the term "member state" shall not be interpreted in such a way as to exclude data subjects in the UK or Switzerland from the possibility of suing for their rights in their place of habitual residence (i.e., the UK or Switzerland);
  v. Clause 13(a) and Part C of Annex I are not used and the "competent supervisory authority" is the UK Information Commissioner or the Swiss Federal Data Protection and Information Commissioner (as applicable);
  vi. references to the "competent supervisory authority" and "competent courts" shall be replaced with references to the "Information Commissioner" and the "courts of England and Wales" or the "Swiss Federal Data Protection and Information Commissioner" and "applicable courts of Switzerland" (as applicable);
  vii. in Clause 17, the Standard Contractual Clauses shall be governed by the laws of England and Wales or Switzerland (as applicable); and
  viii. with respect to transfers to which UK Data Protection Laws apply, Clause 18 shall be amended to state "Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts", and with respect to transfers to which the Swiss Data Protection Laws apply, Clause 18(b) shall state that disputes shall be resolved before the applicable courts of Switzerland.
  ix. In relation to data that is protected by the UK GDPR, the EU SCCs will: (i) apply as completed in accordance with paragraphs (i) to (viii) above; and (ii) be deemed amended as specified by Part 2 of the UK Addendum, which shall be deemed incorporated into and form an integral part of this DPA. In addition, tables 1 to 3 in Part 1 of the UK Addendum shall be completed respectively with the information set out in Annex I and Annex II of this DPA, and table 4 in Part 1 of the UK Addendum shall be deemed completed by selecting "neither party".

c. In relation to transfers of personal data protected by the Brazil LGPD, either directly or via onward transfer, to a country outside of Brazil that is not subject to an adequacy decision issued by the ANPD, the Brazil SCCs will be deemed entered into, and incorporated into this DPA by this reference, and completed as follows:

  i. Clause 2 of the Brazil SCCs is satisfied by the information set forth in Annex I, which describes the data transfer;
  ii. in Clause 3 of the Brazil SCCs, Option B shall apply, with onward transfers permitted in accordance with Section 3.5 (“Subprocessors”) of this DPA. The subject matter, nature, and duration of processing are set forth in Annex I of this DPA;
  iii. Clause 4 of the Brazil SCCs is satisfied by the information set forth in Annex I of this DPA. Where G-P is a Controller, it will be the “Designated Party”, as defined in the Brazil SCCs, for the purposes of Clause 14 (Transparency), Clause 15 (Data Subject Rights), and Clause 16 (Incident Reporting) of the Brazil SCCs. Customer remains responsible for compliance with Clause 14 (Transparency), Clause 15 (Data Subject Rights), and Clause 16 (Incident Reporting) of the Brazil SCCs for any personal data of which it may otherwise be Controller;
  iv. in Clause 9 of the Brazil SCCs, the optional docking clause will not apply; and
  v. Section III (Security Measures) of the Brazil SCCs will be deemed completed with the information set forth in Annex II of this DPA.

 

Annex I

Data Processing Description

 

Parties

Data Exporter: Customer entity executing the Master Agreement.

Data Importer: G-P entity executing the Master Agreement.

Parties Contact Details

Contact details as set out in the Master Agreement.

 

Activities Relevant to the Data Transferred

Activities related to the EOR Services and the use of GPP provided to the Customer as a service.

Processing Activities

The Personal Data processed / transferred may be subject to the following processing activities: any operation with regard to Personal Data irrespective of the means applied and procedures, in particular the collecting, organizing, storage, holding, use, retrieval, consultation, archiving, transmission, blocking, erasing, or destruction of data, the operation and maintenance of systems, compliance, legal and audit functions.

Duration of the Processing

G-P will Process Customer Data for the duration of the Master Agreement and on a continuous basis.

Nature and Purpose of Processing

Customer may transfer Customer Data to G-P, the extent of which is determined and controlled by the Customer in its sole discretion. The Purpose of the processing is to provide the Services in accordance with the Master Agreement.

Categories of Data Subjects

a) The Personal Data exchanged by the Parties as independent Controllers relates to Professionals' Personal Data.

b) The Customer Data processed by G-P as a Processor concerns Authorized Users of the GPP, who may include Customer’s employees and/or contractors.

Types of Personal Data

· Contact details (such as phone number and e-mail).

· Employees / Contractors data (such as job title and name of the company).

· Usage data (such as data about the Authorized User's device and how such device interacts with the GPP).

· Location data (such as location derived from the IP address).

· Content data (such as the content of the Customer’s files regarding the Professionals and related communications).

· Credentials (such as passwords, password hints and similar security information used for authentication and account access to the GPP).

· Any Personal Data supplied by Authorized Users.

Special Categories of Data (if appropriate)

None

Retention

Personal Data will be retained at least as long as any applicable legally mandated minimum retention period, that is consistent with applicable statutes of limitations and meets good business practices.

Competent Supervisory Authority

Irish Data Protection Commission

Transfers to Subprocessors

For transfers to Subprocessors, the subject matter, nature and duration of the processing are the same as set out above.

G-P Privacy contact details

 

privacy@G-P.com

Attn: Global Privacy Office

 

 

 

Annex II

Technical And Organisational Measures

 

G-P has been certified and attested by independent auditors to confirm compliance with the SOC 2 and ISO 27001 standards. Such certifications demonstrate our commitment to securing Customer Data. G-P’s security program is designed to:

  • Protect the confidentiality, integrity, and availability of Customer Data in G-P’s possession or to which G-P has access;
  • Protect against any anticipated threats or hazards to the confidentiality, integrity, and availability of Customer Data;
  • Protect against unauthorized or unlawful access, use, disclosure, alteration, or destruction of Customer Data;
  • Protect against accidental loss, destruction or damage of Customer Data; and
  • Protect data as required by any regulations to which G-P may be subject.

 

The following describes the functions, processes, controls, systems, procedures and measures which G-P has taken to ensure the security of the Processing of Customer Data:

1) TECHNICAL MEASURES TO ENSURE DATA PRIVACY AND PROTECTION

  1. Privacy by Design and Default: G-P takes the requirements of Article 25 GDPR into account in the conception and development phase of product development. Processes and functionalities are defined in such a way that data protection principles such as lawfulness, transparency, purpose limitation, data minimization, etc., as well as the security of processing, are considered from an early stage.

  2. Encryption of Personal Data: Ensuring that personal data are only stored in the system in a way that does not allow third parties to identify the data subject.

    1. Database and storage encryption: On all databases used by G-P an encryption "at rest" according to the state of the art is used so that the data from the database can only be read after proper authentication on the respective database system.

    2. Encryption of mobile data media: The use of mobile data carriers for storing customer data is not permitted.

    3. Encryption of data carriers on laptops: Appropriate state-of-the-art hard disk encryption is installed on all employees' laptops.

    4. Encrypted exchange of information and files: In principle, the exchange of information and files is directly encrypted via a special application. If personal or confidential data must be transferred to a server to which a TLS-encrypted HTTPS upload is not possible, the data is transferred using Secure File Transfer Protocol (SFTP), an encrypted envelope service, or another state-of-the-art encrypted mechanism.

    5. E-Mail Encryption: In principle, all e-mails sent by employees of G-P are encrypted with TLS. Exceptions may apply if the receiving e-mail server does not support TLS. The Customer shall ensure that the corresponding mail servers used within the scope of the order support TLS encryption.

  3. Admission Control: Admission controls are intended and put in place in order to prevent the use and processing of data which is protected by data protection laws by unauthorized persons.

    1. Use of authentication methods: Access to personal data is always via encrypted protocols: SSH, SSL/TLS, HTTPS or comparable protocols. Authentication procedure for IT systems: login to IT systems requires multi-factor authentication.

    2. Automatic blocking in case of inactivity: Laptops used by G-P employees are locked with password or PIN protection when not in use. In addition, an automatic screen lock with password protection is configured after 15 minutes of inactivity.

    3. Use of anti-virus software: Laptops used by G-P employees are equipped with state-of-the-art anti-virus software that is kept up to date on all operational or business IT systems. As a rule, no computer may be operated without resident anti-virus protection unless equivalent state-of-the-art security measures are in place or no risk exists. Default security settings must not be disabled or circumvented.

    4. "Clean Desk Policy": Employees of G-P are instructed not to print out or locally store personal data of data subjects, not to leave work materials in a location where they may be viewed by third parties, and to store all work materials properly. Documents which G-P is required by law to hold in hard copy are stored in locked cabinets.

  4. Access Controls Within the Platform: Access controls ensure that persons authorized to use a processing system have access only to the personal data covered by their access authorization.

    1. Roles and Permissions

      1. Roles and Authorization Platform – Customer Access: Customer users can view and edit customer account information.

      2. Roles and Authorization Platform – Professional Access: Professional users can view and edit their own professional information. Professionals can also be granted customer access roles on request and with approval.

      3. Roles and Authorization Platform – Internal Access: Internal access users have varied roles. They have varying access to create, view, edit and approve the following:

        • Customer data

        • Billing data

        • Partner data

        • Professional records

      4. Access to the system administration is generally limited to employees trained in customer support and product development.

  5. Firewall as a Service: G-P uses an external firewall-as-a-service that allows it to grant or block access to websites, to make sure systems cannot access malicious content and to restrict access to inappropriate content.

  6. Record of Log-In to the Platform: G-P maintains a record of all login activity.

  7. Separability: Ensuring that personal data collected for different purposes can be processed separately and are separated from other data and systems in such a way that unplanned use of these data for other purposes is excluded.

    1. Separation of development, test and operating environments: Data from the operating environment may only be transferred to test or development environments if it has been made completely anonymous before transfer. The transfer of the anonymized data must be encrypted or take place over a trusted network. Software to be transferred to the operating environment must first be tested in an identical test environment ("staging"). Programs for error analysis or the creation/compilation of software may only be used in the operating environment if this cannot be avoided. This is especially the case if error situations depend on data that would be falsified due to the requirements for anonymization when transferring to test environments.

    2. Separation in networks: G-P separates its networks according to tasks. The following networks are used permanently: operating environment ("Production"), test environment ("Staging", “Sandbox”), development environment (“Dev”) and office IT staff. In addition to these networks, further separate networks are created as needed, for example for restore tests and penetration tests. Depending on technical feasibility, networks are always separated either physically or virtually.

  8. Availability control: G-P takes the following steps to ensure that personal data is protected against accidental destruction or loss.

    1. Data protection procedures/backup: To ensure adequate availability, G-P implements daily snapshots of its database with replication to a different region. In addition, measures are in place to ensure that employees who need to examine data are granted access only to the replicated data set.

    2. Geographic redundancy of the server infrastructure for data and effective backups.

    3. IT incident management ("Incident Response Management"): There is a concept and documented procedures for handling incidents and security-relevant events. This includes planning and preparing the incident response, procedures for monitoring, detecting and analyzing security-relevant events, and the definition of the relevant responsibilities and reporting channels in the event of a personal data breach within the framework of legal requirements.

2) ORGANIZATIONAL MEASURES TO ENSURE DATA PRIVACY AND PROTECTION

G-P has put in place the following organizational measures to ensure the organization operates in a manner that meets data privacy and protection requirements.

  1. Organizational Instructions: G-P has developed and is developing a data governance program including policies, procedures, and guidelines for employees to follow. The documentation includes methods for identifying and managing data privacy issues, best practices to ensure compliance with privacy regulations, and a policy for handling privacy incidents.
  2. Commitment to confidentiality and data protection: All employees and contractors are bound in writing to confidentiality and data protection as well as other applicable laws. All employees receive privacy and security training. Internal audits on data protection and information security are carried out regularly. Audits are conducted according to general test criteria/schemes. The employees and contractors of G-P are instructed to process personal data for lawful reasons only, pursuant to applicable contracts with the customer and professional, with due consideration to any express consent given or withheld by the data subject, and in keeping with any lawful duty of the organization.
  3. Data protection training: All employees receive privacy and security training, which remains available for review at any time on G-P's training platform.
  4. Physical Access Controls: G-P has the following physical controls in place to deny unauthorized persons access to IT systems equipment used for processing.
    1. Electronic door protection: The entrance doors to the premises of G-P offices are always locked and electronically secured. Doors are opened via a personal electronic transponder.
    2. Controlled distribution of keys: A central, documented allocation of keys to the employees of G-P takes place. The respective office manager or Human Resources department can centrally deactivate these electronic transponders/keys.
    3. Supervision and accompaniment of external persons: External service providers and other third parties may only be granted access to the premises via prior authorization or when accompanied by an employee of G-P. G-P applies its written Visitor’s Policy when visitors are invited to the premises.
    4. Securing of premises with increased need for protection: Premises or cabinets with increased protection requirements, such as legal offices and certain Operations locations, are equipped with locking cabinets and drawers. Cabinets and drawers containing legal documents, contracts and confidential documents must be locked at all times, except when in use.
    5. Closed doors and windows: Employees are organizationally instructed to keep windows and doors closed or locked outside office hours.
  5. Recoverability: G-P ensures that systems in use can be restored in the event of physical or technical failure.
    1. Regular tests of the data recovery ("Restore-Tests"): Regular full restore tests are carried out to ensure recoverability in the event of an emergency/disaster.

    2. Emergency plan ("Disaster Recovery Concept"): There is a concept for the treatment of emergencies/disasters and a corresponding emergency plan. G-P ensures the recovery of all systems on the basis of the data backups, usually within 48 hours.

    3. Review and evaluation measures: Procedures exist for the regular review, assessment and evaluation of the effectiveness of the technical and organizational measures.

  6. Privacy Team: The organization has a Global Data Privacy Office tasked with planning, implementing, evaluating and adapting measures in the field of data protection.

  7. Risk Management: There is a process for analyzing, evaluating, and allocating risks and for deriving measures on the basis of these risks.

3) INDEPENDENT REVIEW OF INFORMATION SECURITY

  1. Performance of audits: Internal audits on data protection and information security are conducted regularly. Audits are conducted according to general test criteria/schemes.
  2. Review of compliance with security policies and standards: Compliance with the applicable security guidelines, standards and other security requirements for the processing of personal data is checked regularly. Where possible, these checks are carried out randomly and unannounced.
  3. Verification of compliance with technical specifications: Regular automated and manual vulnerability scans are performed by the IT department or other qualified personnel to verify the security of the applications and infrastructure, as well as the regular development of the product. Thorough penetration tests are carried out by external service providers to examine the applications and infrastructure specifically for vulnerabilities.
  4. Processing on instruction: The employees of G-P are instructed to process personal data for lawful reasons only, pursuant to applicable contracts with the customer and professional, with due consideration to any express consent given or withheld by the data subject, and in keeping with any lawful duty of the organization.
  5. Careful supplier selection: G-P adheres to its Supplier Prequalification Process when selecting vendors and suppliers who may encounter protected data. This process includes input from the Finance and Legal/Privacy departments and incorporates a risk assessment, a security prequalification check, and a documentation step. Suppliers that will process protected data must demonstrate compliance with applicable data privacy laws, including Article 28 GDPR for covered data.


Annex III 

List of Subprocessors

| Subprocessor | Location and Contact Information | Description of Processing |
|---|---|---|
| G-P subsidiaries | https://www.globalization-partners.com/contact-us/ | Provision of the platform and customer relationship management |
| Acumatica | 3933 Lake Washington Blvd NE #350, Kirkland, WA 98033, USA | Financial services |
| Amazon Web Services | P.O. Box 81226, Seattle, WA 98108-1226, USA | Hosting: cloud service provider |
| Microsoft | Microsoft Corporation, One Microsoft Way, Redmond, Washington 98052, USA; Telephone: (+1) 425-882-8080 | Business process support for communications (email) and services management |
| Atlassian | 350 Bush Street, Floor 13, San Francisco, CA 94104, USA; +1 415 701 1110 | Business process support for service management |
| DocuSign | DocuSign International (EMEA) Ltd, Attn: Privacy Team, 5 Hanover Quay, Ground Floor, Dublin 2, Republic of Ireland | Document management |
| Salesforce.com | Salesforce Tower, 415 Mission Street, 3rd Floor, San Francisco, CA 94105, USA; 1-800-387-3285 | Business process support for customer relationship management (CRM) |
| Zendesk | 989 Market St, San Francisco, CA 94103, USA; zendesk.com; 888-670-4887 | Help-desk inquiries for customer support |
| Workday | 6110 Stoneridge Mall Road, Pleasanton, CA 94588, USA | Business process support for managing payroll, benefits, HR and employee data |
| ServiceNow | 2225 Lawson Lane, Santa Clara, CA 95054, USA | Business process support for IT service and operations management and for employee and customer experiences (automated cloud-based workflows) |
| Databricks | 160 Spear Street, 15th Floor, San Francisco, CA 94105, USA; 1-866-330-0121 | Cloud data warehouse infrastructure |
| Datadog | 620 8th Ave, 45th Floor, New York, NY 10018, USA | Service monitoring and debugging tool |
| Wise | Avenue Louise 54, Room s52, 1050 Brussels, Belgium | Online payment processor |
| Google | 1600 Amphitheatre Pkwy, Mountain View, CA 94043 | Business process support for communications (email) and internal document storage |