Data Processing Terms
(GDPR & PDPA Compliance)
These terms apply to and bind the Subscriber, as Controller, that does business with MEKA Catamaran Thailand, as Processor, whether occasionally and for limited services or under a durable agreement. All definitions of terms used in this document are drawn from Article 4 of the European Union’s General Data Protection Regulation (GDPR) and the Personal Data Protection Act of Thailand (PDPA).
Processing of Controller Personal Data
The Processor shall only process Controller personal data for purposes in the interest of the Controller. The Processor shall not process, transfer, modify, amend or alter the Controller data or disclose or permit the disclosure of the Controller data to any third party other than in accordance with Controller’s documented instructions. The Processor shall inform the Controller of any legal requirement before processing the personal data and comply with the Controller’s instructions to minimize the scope of disclosure.
Reliability and Non-Disclosure
The Processor shall take reasonable steps to ensure the reliability of any employee, agent or contractor who may have access to the Controller personal data, ensuring in each case that access is strictly limited to those individuals who require access. The Processor must ensure that all individuals processing Controller personal data are informed of its confidential nature, subject to confidentiality undertakings, and authenticated by secure access processes.
Personal Data Security
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risks to the rights and freedoms of natural persons, the Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. This may include pseudonymization and encryption, ensuring confidentiality, integrity, availability and resilience of systems, and the ability to restore access in case of incidents.
Sub-Processing
The Controller authorises the Processor to engage Sub-Processors. The Processor shall provide the Controller with details of Processing to be undertaken by each Sub-Processor, perform due diligence, ensure the same level of protection, and remain fully liable for any failure of the Sub-Processor.
Data Subject Rights
The Processor shall assist the Controller in fulfilling obligations to respond to Data Subject rights requests under GDPR and PDPA. This includes:
- Promptly notifying the Controller if it receives a request from a Data Subject, a Supervisory Authority, or other competent authority;
- Cooperating as requested by the Controller to comply with rights exercises, assessments, or investigations;
- Providing assistance as reasonably requested by the Controller to comply with requests within the timescales prescribed by data protection laws;
- Implementing additional technical and organisational measures to allow effective responses to relevant complaints or communications.
Personal Data Breach
The Processor shall notify the Controller without undue delay and, in any case, within twenty-four (24) hours upon becoming aware of or reasonably suspecting a Personal Data Breach. The Processor will provide sufficient information to enable the Controller to meet reporting obligations, including:
- Nature of the breach, categories and numbers of Data Subjects and records concerned;
- Name and contact details of the Processor’s Data Protection Officer or relevant contact;
- Estimated risks and likely consequences of the breach;
- Measures taken or proposed to be taken to address the breach.
In line with GDPR and PDPA requirements, notification shall be made within 24 hours where possible, and in all cases no later than seventy-two (72) hours after becoming aware of the breach.
Erasure or Return of Data
Upon termination of Processing or of the agreement, the Processor shall within 90 days either: (i) return all Controller personal data to the Controller via secure transfer and erase other copies, or (ii) securely wipe all data, as instructed by the Controller. The Processor may retain personal data only where required by law, ensuring confidentiality and limited use.
Audit Rights
The Processor shall make available to the Controller all information necessary to demonstrate compliance with these terms and shall allow audits and inspections of relevant premises by the Controller or appointed auditors.
International Transfers
The Processor shall not transfer Controller personal data outside Thailand or the European Economic Area (EEA) to a third country unless expressly authorized by the Controller and subject to appropriate safeguards under GDPR and PDPA.
General Terms
These Data Processing Terms shall be governed by and construed in accordance with the laws of the Kingdom of Thailand, in particular the Personal Data Protection Act B.E. 2562 (PDPA). Where the processing of personal data involves data subjects who are within the European Union, the provisions of the General Data Protection Regulation (GDPR) shall also apply.
Any breach of these terms shall constitute a material breach of the principal agreement. In case of conflict, these Data Processing Terms shall prevail with respect to data protection obligations. Should any provision be found invalid or unenforceable, the remainder shall continue in full force and effect.