{"id":30959,"date":"2026-05-23T14:44:14","date_gmt":"2026-05-23T14:44:14","guid":{"rendered":"https:\/\/www.othellointernational.com\/certifications\/gdpr\/"},"modified":"2026-07-09T16:35:47","modified_gmt":"2026-07-09T16:35:47","slug":"gdpr","status":"publish","type":"page","link":"https:\/\/www.othellointernational.com\/th\/certifications\/gdpr\/","title":{"rendered":""},"content":{"rendered":"\n\n<!-- ===================================================================\n     OTHELLO INTERNATIONAL \u2014 GDPR COMPLIANCE \u00b7 v12 INTERACTIVE\n     URL: \/certifications\/gdpr\/\n     Processor-grade \u00b7 SCCs + TIA \u00b7 Art 28 DPA \u00b7 PDPA-domiciled, GDPR-aligned\n   =================================================================== -->\n\n<style>\n@import url('https:\/\/fonts.googleapis.com\/css2?family=Poppins:wght@300;400;500;600;700;800;900&family=Fraunces:ital,wght@0,300;0,400;0,500;0,600;0,700;1,300;1,400;1,500;1,600;1,700&family=JetBrains+Mono:wght@400;500;600;700&family=Sarabun:wght@400;500;600;700&display=swap');\n\n.oth-gdpr{\n  --k:#000;--k0:#050505;--k1:#0a0a0a;--k2:#141414;--k3:#1a1a1a;--k4:#1f1f1f;\n  --line:#242424;--line2:rgba(255,255,255,.06);\n  --r:#ED4036;--r1:#FF5046;--r2:#C2261C;--r3:#8a1a13;--r4:rgba(237,64,54,.1);\n  --w:#fff;--w1:rgba(255,255,255,.84);--w2:rgba(255,255,255,.60);--w3:rgba(255,255,255,.42);--w4:rgba(255,255,255,.20);\n  --gold:#FF5046;--gold1:#FF6B5C;--g:#4ade80;--blue:#3b82f6;--amber:#f59e0b;\n  --s:'Poppins',-apple-system,sans-serif;--d:'Fraunces',Georgia,serif;\n  --m:'JetBrains Mono',Menlo,monospace;--th:'Sarabun',sans-serif;\n  --ease:cubic-bezier(.16,1,.3,1);\n  font-family:var(--s);color:var(--w);background:var(--k);line-height:1.6;font-size:16px;\n  margin:0;padding:0;width:100%;overflow-x:hidden;scroll-behavior:smooth;scroll-padding-top:76px;\n}\n.oth-gdpr *,.oth-gdpr *::before,.oth-gdpr *::after{box-sizing:border-box}\n.oth-gdpr .wrap{max-width:1340px;margin:0 auto;padding:0 40px}\n.oth-gdpr a:focus-visible,.oth-gdpr button:focus-visible,.oth-gdpr summary:focus-visible{outline:2px solid var(--r1);outline-offset:3px;border-radius:2px}\n\n.oth-gdpr [data-reveal]{opacity:1;transform:none;transition:opacity .9s var(--ease),transform .9s var(--ease)}\n.oth-gdpr.js-on [data-reveal]:not(.in){opacity:0;transform:translateY(24px)}\n.oth-gdpr [data-reveal].in{opacity:1;transform:translateY(0)}\n.oth-gdpr [data-reveal-stagger] > *{opacity:1;transform:none;transition:opacity .8s var(--ease),transform .8s var(--ease)}\n.oth-gdpr.js-on [data-reveal-stagger]:not(.in) > *{opacity:0;transform:translateY(20px)}\n.oth-gdpr [data-reveal-stagger].in > *:nth-child(1){transition-delay:0s}\n.oth-gdpr [data-reveal-stagger].in > *:nth-child(2){transition-delay:.06s}\n.oth-gdpr [data-reveal-stagger].in > *:nth-child(3){transition-delay:.12s}\n.oth-gdpr [data-reveal-stagger].in > *:nth-child(4){transition-delay:.18s}\n.oth-gdpr [data-reveal-stagger].in > *:nth-child(5){transition-delay:.24s}\n.oth-gdpr [data-reveal-stagger].in > *:nth-child(6){transition-delay:.30s}\n.oth-gdpr [data-reveal-stagger].in > *:nth-child(7){transition-delay:.36s}\n.oth-gdpr [data-reveal-stagger].in > *:nth-child(8){transition-delay:.42s}\n.oth-gdpr [data-reveal-stagger].in > *{opacity:1;transform:translateY(0)}\n\n.oth-gdpr .eyebrow{display:inline-flex;align-items:center;gap:14px;font-family:var(--m);font-size:11px;font-weight:600;letter-spacing:.18em;text-transform:uppercase;color:var(--r);margin-bottom:22px}\n.oth-gdpr .eyebrow::before{content:\"\";width:36px;height:1px;background:var(--r)}\n.oth-gdpr h2.title{font-size:clamp(34px,4.6vw,58px);line-height:1.06;font-weight:700;letter-spacing:-.025em;margin:0 0 22px;color:var(--w)}\n.oth-gdpr h2.title em{font-family:var(--d);font-style:italic;font-weight:500;color:var(--r)}\n.oth-gdpr .lead{font-size:17px;color:var(--w1);max-width:74ch;line-height:1.65}\n.oth-gdpr .lead strong{color:var(--w);font-weight:600}\n.oth-gdpr .lead em{font-family:var(--d);font-style:italic;color:var(--r);font-weight:500}\n.oth-gdpr .lead a{color:var(--r);text-decoration:none;border-bottom:1px solid rgba(237,64,54,.4)}\n.oth-gdpr .lead a:hover{border-bottom-color:var(--r)}\n.oth-gdpr .section{padding:110px 0;background:var(--k);position:relative}\n.oth-gdpr .section.alt{background:var(--k1)}\n.oth-gdpr .section-head{margin-bottom:56px;max-width:920px}\n.oth-gdpr .section-head.center{margin-left:auto;margin-right:auto;text-align:center}\n.oth-gdpr .section-head.center .eyebrow{justify-content:center}\n.oth-gdpr .section-head.center .eyebrow::after{content:\"\";width:36px;height:1px;background:var(--r);margin-left:14px}\n\n.oth-gdpr .btn{display:inline-flex;align-items:center;gap:12px;padding:17px 30px;font-family:var(--s);font-size:13px;font-weight:600;letter-spacing:.06em;text-transform:uppercase;text-decoration:none;border-radius:4px;transition:all .35s var(--ease);cursor:pointer;border:2px solid;position:relative;overflow:hidden}\n.oth-gdpr .btn::after{content:\"\u2192\";font-family:var(--d);font-style:italic;font-size:17px;transition:transform .3s var(--ease)}\n.oth-gdpr .btn:hover::after{transform:translateX(5px)}\n.oth-gdpr .btn-primary{background:var(--r);color:var(--w) !important;border-color:var(--r)}\n.oth-gdpr .btn-primary:hover{background:var(--r1);border-color:var(--r1);transform:translateY(-3px);box-shadow:0 16px 40px rgba(237,64,54,.45)}\n.oth-gdpr .btn-outline{background:transparent;color:var(--w) !important;border-color:var(--w4)}\n.oth-gdpr .btn-outline:hover{background:var(--w);color:var(--k) !important;border-color:var(--w);transform:translateY(-3px)}\n\n@keyframes gd-pulse{0%,100%{box-shadow:0 0 0 0 rgba(74,222,128,.6)}50%{box-shadow:0 0 0 10px rgba(74,222,128,0)}}\n@keyframes gd-shimmer{0%{background-position:200% 50%}100%{background-position:-200% 50%}}\n@keyframes gd-glow{0%,100%{opacity:1}50%{opacity:.7}}\n@keyframes gd-arrow{0%,100%{transform:translateX(0)}50%{transform:translateX(6px)}}\n\n.oth-gdpr .strip{background:var(--k1);border-bottom:1px solid var(--line);padding:12px 0;font-family:var(--m);font-size:11px;letter-spacing:.12em;text-transform:uppercase;color:var(--w2)}\n.oth-gdpr .strip-row{display:flex;align-items:center;justify-content:space-between;gap:24px;flex-wrap:wrap}\n.oth-gdpr .strip-row .l{display:flex;align-items:center;gap:12px}\n.oth-gdpr .strip-dot{width:8px;height:8px;background:var(--g);border-radius:50%;animation:gd-pulse 2s ease-in-out infinite}\n.oth-gdpr .strip-row .r{color:var(--w3)}\n.oth-gdpr .strip-row .r b{color:var(--w);font-weight:500}\n\n.oth-gdpr .crumb{background:var(--k);border-bottom:1px solid var(--line);padding:18px 0;font-family:var(--m);font-size:11px;letter-spacing:.10em;text-transform:uppercase;color:var(--w3)}\n.oth-gdpr .crumb a{color:var(--w2);text-decoration:none;transition:color .2s}\n.oth-gdpr .crumb a:hover{color:var(--r)}\n.oth-gdpr .crumb .sep{margin:0 12px;color:var(--w4)}\n.oth-gdpr .crumb .here{color:var(--w)}\n\n\/* ============ HERO ============ *\/\n.oth-gdpr .hero{padding:90px 0 120px;background:var(--k);position:relative;overflow:hidden}\n.oth-gdpr .hero::before{content:\"\";position:absolute;inset:0;background:radial-gradient(ellipse 1400px 900px at 78% 25%,rgba(237,64,54,.22),transparent 60%),radial-gradient(ellipse 700px 500px at 12% 80%,rgba(237,64,54,.08),transparent 60%);pointer-events:none;animation:gd-glow 8s ease-in-out infinite}\n.oth-gdpr .hero::after{content:\"\";position:absolute;inset:0;background-image:linear-gradient(rgba(255,255,255,.03) 1px,transparent 1px),linear-gradient(90deg,rgba(255,255,255,.03) 1px,transparent 1px);background-size:64px 64px;pointer-events:none;mask-image:radial-gradient(ellipse 1400px 800px at 50% 30%,black,transparent 75%);-webkit-mask-image:radial-gradient(ellipse 1400px 800px at 50% 30%,black,transparent 75%)}\n.oth-gdpr .hero-inner{position:relative;z-index:2}\n.oth-gdpr .hero-tag{display:inline-flex;align-items:center;gap:14px;padding:10px 22px;background:rgba(237,64,54,.12);border:1px solid rgba(237,64,54,.35);border-radius:100px;font-family:var(--m);font-size:11px;letter-spacing:.16em;text-transform:uppercase;color:var(--r1);font-weight:600;margin-bottom:30px;backdrop-filter:blur(6px);-webkit-backdrop-filter:blur(6px);box-shadow:0 0 30px rgba(237,64,54,.15)}\n.oth-gdpr .hero-tag .dot{width:7px;height:7px;background:var(--g);border-radius:50%;animation:gd-pulse 2s ease-in-out infinite}\n\n.oth-gdpr .hero h1{font-size:clamp(34px,5.4vw,68px);line-height:1.04;font-weight:700;letter-spacing:-.03em;margin:0 0 30px;color:var(--w);max-width:26ch}\n.oth-gdpr .hero h1 em{font-family:var(--d);font-style:italic;font-weight:500;color:var(--r);background:linear-gradient(90deg,var(--r) 0%,var(--r1) 30%,var(--gold) 50%,var(--r1) 70%,var(--r) 100%);background-size:200% 100%;-webkit-background-clip:text;background-clip:text;-webkit-text-fill-color:transparent;animation:gd-shimmer 6s linear infinite}\n.oth-gdpr .hero h1 .arrow{display:inline-flex;align-items:center;color:var(--r);animation:gd-arrow 2.5s ease-in-out infinite;margin:0 .1em;font-family:var(--d);font-style:italic;font-weight:300}\n\n.oth-gdpr .hero-grid{display:grid;grid-template-columns:minmax(0,1.45fr) minmax(0,1fr);gap:56px;align-items:start;margin-top:24px}\n.oth-gdpr .hero-left p{font-size:17px;line-height:1.7;color:var(--w1);margin:0 0 32px;max-width:66ch}\n.oth-gdpr .hero-left p strong{color:var(--w);font-weight:600}\n.oth-gdpr .hero-left p em{font-family:var(--d);font-style:italic;color:var(--r);font-weight:500}\n.oth-gdpr .hero-left p a{color:var(--r);text-decoration:none;border-bottom:1px solid rgba(237,64,54,.4)}\n\n.oth-gdpr .hs-grid{display:grid;grid-template-columns:repeat(4,1fr);gap:1px;background:var(--line);border:1px solid var(--line);margin-bottom:32px;position:relative;overflow:hidden}\n.oth-gdpr .hs{background:var(--k1);padding:24px 20px;transition:all .4s var(--ease);position:relative;overflow:hidden}\n.oth-gdpr .hs::before{content:\"\";position:absolute;inset:0;background:radial-gradient(circle at 50% 100%,rgba(237,64,54,.15),transparent 70%);opacity:0;transition:opacity .4s var(--ease)}\n.oth-gdpr .hs:hover::before{opacity:1}\n.oth-gdpr .hs:hover{background:var(--k3);transform:translateY(-3px)}\n.oth-gdpr .hs .ic{width:28px;height:28px;color:var(--r);margin-bottom:14px;position:relative;z-index:2;transition:transform .4s var(--ease)}\n.oth-gdpr .hs:hover .ic{transform:scale(1.15) rotate(-5deg)}\n.oth-gdpr .hs .ic svg{width:100%;height:100%}\n.oth-gdpr .hs .v{font-family:var(--d);font-style:italic;font-weight:500;font-size:42px;line-height:1;color:var(--r);margin-bottom:6px;letter-spacing:-.02em;position:relative;z-index:2;display:flex;align-items:baseline;gap:2px}\n.oth-gdpr .hs .v .num{display:inline-block;min-width:1ch}\n.oth-gdpr .hs .v .sm{font-size:.40em;color:var(--w2);font-style:normal;font-family:var(--m);font-weight:600;letter-spacing:.02em;margin-left:3px}\n.oth-gdpr .hs .lb{font-family:var(--m);font-size:9.5px;letter-spacing:.10em;text-transform:uppercase;color:var(--w2);font-weight:600;margin-bottom:4px;line-height:1.3;position:relative;z-index:2}\n.oth-gdpr .hs .sb{font-size:10.5px;color:var(--w3);line-height:1.4;position:relative;z-index:2}\n\n.oth-gdpr .hctas{display:flex;gap:14px;flex-wrap:wrap}\n\n\/* Posture card *\/\n.oth-gdpr .lp-card{background:linear-gradient(135deg,var(--k3) 0%,var(--k1) 100%);border:1px solid var(--line);padding:36px 30px;position:relative;overflow:hidden;transition:all .5s var(--ease)}\n.oth-gdpr .lp-card:hover{box-shadow:0 20px 60px rgba(0,0,0,.5),0 0 30px rgba(237,64,54,.15);border-color:rgba(237,64,54,.20)}\n.oth-gdpr .lp-card::before{content:\"\";position:absolute;top:0;left:0;width:4px;height:100%;background:linear-gradient(180deg,var(--r) 0%,var(--gold) 100%);transition:width .35s var(--ease)}\n.oth-gdpr .lp-card:hover::before{width:6px}\n.oth-gdpr .lp-card::after{content:\"\";position:absolute;inset:0;background:radial-gradient(circle at 100% 0%,rgba(237,64,54,.18),transparent 50%);opacity:.5;transition:opacity .5s var(--ease);pointer-events:none}\n.oth-gdpr .lp-card:hover::after{opacity:1}\n.oth-gdpr .lp-lb{font-family:var(--m);font-size:10px;letter-spacing:.16em;text-transform:uppercase;color:var(--r);margin-bottom:18px;display:flex;align-items:center;gap:8px;font-weight:600;position:relative;z-index:2}\n.oth-gdpr .lp-lb::before{content:\"\u25cf\";color:var(--g);animation:gd-pulse 2s ease-in-out infinite}\n.oth-gdpr .lp-head{font-family:var(--d);font-style:italic;font-size:22px;font-weight:500;color:var(--w);letter-spacing:-.015em;line-height:1.2;margin-bottom:22px;position:relative;z-index:2}\n.oth-gdpr .lp-head em{color:var(--r);font-weight:600}\n.oth-gdpr .lp-items{margin:0;padding:0;list-style:none;position:relative;z-index:2;display:grid;gap:8px}\n.oth-gdpr .lp-item{padding:13px 16px;background:var(--k);border:1px solid var(--line);border-left:3px solid var(--r);transition:all .3s var(--ease);display:grid;grid-template-columns:auto 1fr;gap:14px;align-items:center}\n.oth-gdpr .lp-item:hover{border-left-width:5px;transform:translateX(4px);background:var(--k2)}\n.oth-gdpr .lp-item.gold{border-left-color:var(--gold)}\n.oth-gdpr .lp-k{font-family:var(--m);font-size:9.5px;letter-spacing:.10em;color:var(--r);font-weight:700;background:rgba(237,64,54,.10);padding:4px 8px;border-radius:2px;line-height:1;white-space:nowrap;text-transform:uppercase}\n.oth-gdpr .lp-item.gold .lp-k{color:var(--gold);background:rgba(237,64,54,.10)}\n.oth-gdpr .lp-v{font-family:var(--s);font-size:12.5px;font-weight:600;color:var(--w);letter-spacing:-.005em;line-height:1.3}\n.oth-gdpr .lp-v b{color:var(--r);font-weight:700}\n.oth-gdpr .lp-item.gold .lp-v b{color:var(--gold)}\n\n@media (max-width:1024px){\n  .oth-gdpr .hero-grid{grid-template-columns:1fr;gap:40px}\n  .oth-gdpr .hs-grid{grid-template-columns:repeat(2,1fr)}\n}\n@media (max-width:600px){\n  .oth-gdpr .wrap{padding:0 22px}\n  .oth-gdpr .hero{padding:48px 0 64px}\n  .oth-gdpr .section{padding:64px 0}\n  .oth-gdpr .hero h1{font-size:32px}\n  .oth-gdpr .hctas{flex-direction:column}\n  .oth-gdpr .btn{justify-content:center;width:100%}\n  .oth-gdpr .hs .v{font-size:32px}\n}\n@media (prefers-reduced-motion:reduce){\n  .oth-gdpr *,.oth-gdpr *::before,.oth-gdpr *::after{animation-duration:.01ms !important;transition-duration:.01ms !important}\n  .oth-gdpr [data-reveal],.oth-gdpr [data-reveal-stagger] > *{opacity:1 !important;transform:none !important}\n}\n\/* ============ THE ATA CREDENTIAL MODEL ============ *\/\n.oth-gdpr .pm-sec{padding:110px 0;background:var(--k1);border-top:1px solid var(--line);position:relative;overflow:hidden}\n.oth-gdpr .pm-sec::before{content:\"\";position:absolute;top:-100px;left:50%;width:1200px;height:600px;background:radial-gradient(ellipse,rgba(237,64,54,.06),transparent 70%);transform:translateX(-50%);pointer-events:none}\n.oth-gdpr .pm-grid{display:grid;grid-template-columns:repeat(3,1fr);gap:18px;position:relative;z-index:2}\n.oth-gdpr .pm-card{background:linear-gradient(135deg,var(--k2) 0%,var(--k3) 100%);border:1px solid var(--line);padding:36px 32px;position:relative;overflow:hidden;transition:all .5s var(--ease);display:flex;flex-direction:column}\n.oth-gdpr .pm-card::before{content:\"\";position:absolute;top:0;left:0;width:4px;height:100%;background:linear-gradient(180deg,var(--r) 0%,var(--gold) 100%);transition:width .35s var(--ease)}\n.oth-gdpr .pm-card:hover::before{width:6px}\n.oth-gdpr .pm-card::after{content:\"\";position:absolute;top:0;right:0;width:240px;height:240px;background:radial-gradient(circle at 100% 0%,rgba(237,64,54,.14),transparent 70%);opacity:0;transition:opacity .5s var(--ease);pointer-events:none}\n.oth-gdpr .pm-card:hover::after{opacity:1}\n.oth-gdpr .pm-card:hover{background:var(--k3);border-color:rgba(237,64,54,.4);transform:translateY(-5px);box-shadow:0 20px 50px rgba(0,0,0,.5)}\n.oth-gdpr .pm-num{font-family:var(--m);font-size:10px;letter-spacing:.14em;text-transform:uppercase;color:var(--r);font-weight:700;margin-bottom:14px;position:relative;z-index:2;padding:5px 12px;background:rgba(237,64,54,.10);border:1px solid rgba(237,64,54,.30);border-radius:2px;display:inline-block;width:fit-content}\n.oth-gdpr .pm-card h3{font-family:var(--d);font-style:italic;font-size:22px;font-weight:600;color:var(--w);margin:0 0 14px;line-height:1.2;letter-spacing:-.005em;position:relative;z-index:2}\n.oth-gdpr .pm-card h3 em{color:var(--r);font-style:italic;font-weight:600}\n.oth-gdpr .pm-card p{font-size:13.5px;line-height:1.7;color:var(--w1);margin:0 0 14px;position:relative;z-index:2}\n.oth-gdpr .pm-card p strong{color:var(--w);font-weight:600}\n.oth-gdpr .pm-card p em{font-family:var(--d);font-style:italic;color:var(--r);font-weight:500}\n.oth-gdpr .pm-spec{margin-top:auto;padding-top:14px;border-top:1px dashed var(--line);position:relative;z-index:2;display:grid;gap:6px}\n.oth-gdpr .pm-spec-row{display:flex;justify-content:space-between;gap:10px;font-family:var(--m);font-size:11px;align-items:baseline}\n.oth-gdpr .pm-spec-k{color:var(--w3);letter-spacing:.08em;text-transform:uppercase;font-size:9px;font-weight:600}\n.oth-gdpr .pm-spec-v{color:var(--w);font-weight:600;font-size:11px;text-align:right;letter-spacing:.02em}\n.oth-gdpr .pm-spec-v b{color:var(--r);font-weight:700}\n@media (max-width:1024px){.oth-gdpr .pm-grid{grid-template-columns:1fr;gap:14px}}\n@media (max-width:600px){.oth-gdpr .pm-card{padding:28px 24px}}\n\/* ============ WHERE ATA-CERTIFIED IS REQUIRED ============ *\/\n.oth-gdpr .uc-sec{padding:110px 0;background:var(--k);border-top:1px solid var(--line);position:relative;overflow:hidden}\n.oth-gdpr .uc-sec::before{content:\"\";position:absolute;top:30%;right:-15%;width:600px;height:600px;background:radial-gradient(circle,rgba(237,64,54,.05),transparent 70%);border-radius:50%;pointer-events:none}\n.oth-gdpr .uc-grid{display:grid;grid-template-columns:repeat(4,1fr);gap:16px;position:relative;z-index:2}\n.oth-gdpr .uc-card{background:var(--k2);border:1px solid var(--line);padding:28px 24px;position:relative;overflow:hidden;transition:all .4s var(--ease);display:flex;flex-direction:column}\n.oth-gdpr .uc-card::before{content:\"\";position:absolute;top:0;left:0;width:4px;height:100%;background:var(--r);transition:width .35s var(--ease)}\n.oth-gdpr .uc-card:hover::before{width:6px}\n.oth-gdpr .uc-card::after{content:\"\";position:absolute;top:0;right:0;width:200px;height:200px;background:radial-gradient(circle at 100% 0%,rgba(237,64,54,.12),transparent 70%);opacity:0;transition:opacity .4s var(--ease);pointer-events:none}\n.oth-gdpr .uc-card:hover::after{opacity:1}\n.oth-gdpr .uc-card:hover{background:var(--k3);border-color:rgba(237,64,54,.4);transform:translateY(-5px);box-shadow:0 16px 40px rgba(0,0,0,.4)}\n.oth-gdpr .uc-card.flagship::before{background:linear-gradient(180deg,var(--gold) 0%,var(--r) 100%)}\n.oth-gdpr .uc-card.flagship{background:linear-gradient(135deg,rgba(237,64,54,.06) 0%,var(--k3) 100%);border-color:rgba(237,64,54,.30)}\n.oth-gdpr .uc-card.flagship:hover{border-color:rgba(237,64,54,.5);box-shadow:0 16px 40px rgba(0,0,0,.4),0 0 30px rgba(237,64,54,.12)}\n.oth-gdpr .uc-icon{width:48px;height:48px;background:rgba(237,64,54,.10);border:1px solid rgba(237,64,54,.30);border-radius:8px;display:flex;align-items:center;justify-content:center;margin-bottom:18px;position:relative;z-index:2;transition:all .35s var(--ease)}\n.oth-gdpr .uc-card.flagship .uc-icon{background:rgba(237,64,54,.10);border-color:rgba(237,64,54,.30)}\n.oth-gdpr .uc-card:hover .uc-icon{transform:scale(1.1) rotate(-5deg);background:rgba(237,64,54,.18);border-color:rgba(237,64,54,.5)}\n.oth-gdpr .uc-card.flagship:hover .uc-icon{background:rgba(237,64,54,.18);border-color:rgba(237,64,54,.5)}\n.oth-gdpr .uc-icon svg{width:24px;height:24px;stroke:var(--r);fill:none;stroke-width:1.8;stroke-linecap:round;stroke-linejoin:round}\n.oth-gdpr .uc-card.flagship .uc-icon svg{stroke:var(--gold)}\n.oth-gdpr .uc-num{font-family:var(--m);font-size:9.5px;letter-spacing:.14em;color:var(--r);font-weight:700;margin-bottom:6px;position:relative;z-index:2}\n.oth-gdpr .uc-card.flagship .uc-num{color:var(--gold)}\n.oth-gdpr .uc-card h3{font-family:var(--d);font-style:italic;font-size:19px;font-weight:600;color:var(--w);margin:0 0 10px;line-height:1.2;letter-spacing:-.005em;position:relative;z-index:2}\n.oth-gdpr .uc-card p{font-size:12.5px;line-height:1.65;color:var(--w1);margin:0 0 14px;position:relative;z-index:2;flex:1}\n.oth-gdpr .uc-card p strong{color:var(--w);font-weight:600}\n.oth-gdpr .uc-card p em{font-family:var(--d);font-style:italic;color:var(--r);font-weight:500}\n.oth-gdpr .uc-card.flagship p em{color:var(--gold)}\n.oth-gdpr .uc-tags{display:flex;flex-wrap:wrap;gap:5px;margin-top:auto;padding-top:14px;border-top:1px dashed var(--line);position:relative;z-index:2}\n.oth-gdpr .uc-tag{font-family:var(--m);font-size:9px;letter-spacing:.04em;color:var(--w2);padding:4px 8px;background:var(--k);border:1px solid var(--line);border-radius:2px;text-transform:uppercase;font-weight:600}\n.oth-gdpr .uc-tag.gold{color:var(--gold);border-color:rgba(237,64,54,.3);background:rgba(237,64,54,.06)}\n@media (max-width:1024px){.oth-gdpr .uc-grid{grid-template-columns:1fr 1fr;gap:12px}}\n@media (max-width:600px){.oth-gdpr .uc-grid{grid-template-columns:1fr}.oth-gdpr .uc-card{padding:24px 20px}}\n\/* ============ COVERAGE (32 PAIRS) ============ *\/\n.oth-gdpr .cov-sec{padding:110px 0;background:var(--k1);border-top:1px solid var(--line);position:relative;overflow:hidden}\n.oth-gdpr .cov-sec::before{content:\"\";position:absolute;top:-100px;left:50%;width:1200px;height:600px;background:radial-gradient(ellipse,rgba(237,64,54,.06),transparent 70%);transform:translateX(-50%);pointer-events:none}\n.oth-gdpr .cov-grid{display:grid;grid-template-columns:1fr 1fr;gap:18px;position:relative;z-index:2}\n.oth-gdpr .cov-col{background:var(--k2);border:1px solid var(--line);padding:32px 30px;position:relative;overflow:hidden;transition:all .4s var(--ease)}\n.oth-gdpr .cov-col::before{content:\"\";position:absolute;top:0;left:0;width:4px;height:100%;background:var(--r);transition:width .35s var(--ease)}\n.oth-gdpr .cov-col:hover::before{width:6px}\n.oth-gdpr .cov-col:hover{background:var(--k3);border-color:rgba(237,64,54,.3)}\n.oth-gdpr .cov-head{display:flex;align-items:baseline;justify-content:space-between;gap:12px;padding-bottom:16px;margin-bottom:18px;border-bottom:1px solid var(--line)}\n.oth-gdpr .cov-dir{font-family:var(--d);font-style:italic;font-size:26px;font-weight:600;color:var(--w);letter-spacing:-.01em}\n.oth-gdpr .cov-dir span{color:var(--r);font-style:normal;margin:0 4px}\n.oth-gdpr .cov-count{font-family:var(--m);font-size:10px;letter-spacing:.12em;text-transform:uppercase;color:var(--w3);font-weight:600;white-space:nowrap}\n.oth-gdpr .cov-list{list-style:none;margin:0;padding:0;columns:2;column-gap:24px}\n.oth-gdpr .cov-list li{font-family:var(--s);font-size:14px;font-weight:500;color:var(--w1);padding:7px 0 7px 22px;position:relative;break-inside:avoid;border-bottom:1px dotted var(--line)}\n.oth-gdpr .cov-list li::before{content:\"\u2713\";position:absolute;left:0;top:7px;color:var(--r);font-size:12px;font-weight:700}\n.oth-gdpr .cov-foot{font-family:var(--m);font-size:10.5px;line-height:1.7;color:var(--w3);letter-spacing:.02em;margin:24px 0 0;padding:16px 20px;background:var(--k);border:1px solid var(--line);position:relative;z-index:2}\n.oth-gdpr .cov-foot b{color:var(--r);font-weight:700}\n@media (max-width:900px){.oth-gdpr .cov-grid{grid-template-columns:1fr;gap:14px}}\n@media (max-width:600px){.oth-gdpr .cov-list{columns:1}.oth-gdpr .cov-col{padding:26px 22px}}\n\n\/* ============ QUALITY DISCIPLINE \/ WORKFLOW + THAI GAP ============ *\/\n.oth-gdpr .qd-sec{padding:110px 0;background:var(--k);border-top:1px solid var(--line);position:relative;overflow:hidden}\n.oth-gdpr .qd-sec.alt{background:var(--k1)}\n.oth-gdpr .qd-sec::before{content:\"\";position:absolute;top:30%;right:-15%;width:600px;height:600px;background:radial-gradient(circle,rgba(237,64,54,.05),transparent 70%);border-radius:50%;pointer-events:none}\n.oth-gdpr .qd-block{background:linear-gradient(135deg,rgba(237,64,54,.08) 0%,var(--k3) 100%);border:1px solid rgba(237,64,54,.30);padding:48px 44px;position:relative;overflow:hidden;transition:all .5s var(--ease)}\n.oth-gdpr .qd-block::before{content:\"\";position:absolute;top:0;left:0;width:6px;height:100%;background:linear-gradient(180deg,var(--r) 0%,var(--gold) 100%);transition:width .35s var(--ease)}\n.oth-gdpr .qd-block:hover::before{width:8px}\n.oth-gdpr .qd-block.wf::after{content:\"QA\";position:absolute;top:-30px;right:-15px;font-family:var(--d);font-style:italic;font-size:clamp(100px,13vw,220px);line-height:1;color:var(--r);opacity:.06;font-weight:600;pointer-events:none;letter-spacing:-.03em}\n.oth-gdpr .qd-block.thai::after{content:\"TH\";position:absolute;top:-30px;right:-15px;font-family:var(--d);font-style:italic;font-size:clamp(100px,13vw,220px);line-height:1;color:var(--r);opacity:.06;font-weight:600;pointer-events:none;letter-spacing:-.03em}\n.oth-gdpr .qd-block:hover{transform:translateY(-3px);box-shadow:0 24px 60px rgba(0,0,0,.5),0 0 40px rgba(237,64,54,.12);border-color:rgba(237,64,54,.5)}\n.oth-gdpr .qd-eye{font-family:var(--m);font-size:10.5px;letter-spacing:.16em;text-transform:uppercase;color:var(--r);font-weight:700;margin-bottom:14px;position:relative;z-index:2;display:flex;align-items:center;gap:8px}\n.oth-gdpr .qd-eye::before{content:\"\u25cf\";color:var(--r);animation:gd-pulse 2s ease-in-out infinite}\n.oth-gdpr .qd-block h3{font-family:var(--d);font-style:italic;font-size:clamp(26px,3.4vw,32px);font-weight:500;color:var(--w);margin:0 0 18px;line-height:1.2;letter-spacing:-.01em;position:relative;z-index:2;max-width:36ch}\n.oth-gdpr .qd-block h3 em{color:var(--r);font-style:italic;font-weight:600}\n.oth-gdpr .qd-block > p{font-size:14.5px;line-height:1.7;color:var(--w1);margin:0 0 14px;position:relative;z-index:2;max-width:82ch}\n.oth-gdpr .qd-block > p strong{color:var(--w);font-weight:600}\n.oth-gdpr .qd-block > p em{font-family:var(--d);font-style:italic;color:var(--r);font-weight:500}\n.oth-gdpr .qd-block > p a{color:var(--r);text-decoration:none;border-bottom:1px solid rgba(237,64,54,.4)}\n.oth-gdpr .qd-steps{display:grid;grid-template-columns:repeat(2,1fr);gap:10px;margin-top:24px;padding-top:24px;border-top:1px solid rgba(237,64,54,.20);position:relative;z-index:2}\n.oth-gdpr .qd-step{background:var(--k);border:1px solid var(--line);border-left:3px solid var(--r);padding:16px 20px;transition:all .3s var(--ease);display:grid;grid-template-columns:64px 1fr;gap:14px;align-items:start}\n.oth-gdpr .qd-step:hover{background:var(--k2);transform:translateX(4px);border-left-width:5px}\n.oth-gdpr .qd-step .qs-num{font-family:var(--m);font-size:9px;color:var(--r);font-weight:700;letter-spacing:.10em;padding:5px 8px;background:rgba(237,64,54,.10);border:1px solid rgba(237,64,54,.25);border-radius:2px;text-align:center;line-height:1.2;white-space:nowrap;align-self:start;text-transform:uppercase}\n.oth-gdpr .qd-step .qs-body{font-size:12.5px;line-height:1.65;color:var(--w1)}\n.oth-gdpr .qd-step .qs-title{font-family:var(--d);font-style:italic;font-size:14.5px;font-weight:600;color:var(--w);display:block;margin-bottom:4px;letter-spacing:-.005em}\n.oth-gdpr .qd-step .qs-body strong{color:var(--w);font-weight:600}\n.oth-gdpr .qd-step .qs-body em{font-family:var(--d);font-style:italic;color:var(--r);font-weight:500}\n@media (max-width:1024px){.oth-gdpr .qd-steps{grid-template-columns:1fr;gap:8px}}\n@media (max-width:600px){.oth-gdpr .qd-block{padding:32px 28px}.oth-gdpr .qd-block h3{font-size:22px}.oth-gdpr .qd-step{grid-template-columns:1fr;gap:8px;padding:14px 16px}}\n\/* ============ ADJACENT SERVICES ============ *\/\n.oth-gdpr .as-sec{padding:110px 0;background:var(--k);border-top:1px solid var(--line);position:relative;overflow:hidden}\n.oth-gdpr .as-sec::before{content:\"\";position:absolute;top:30%;right:-15%;width:600px;height:600px;background:radial-gradient(circle,rgba(237,64,54,.05),transparent 70%);border-radius:50%;pointer-events:none}\n.oth-gdpr .as-grid{display:grid;grid-template-columns:repeat(3,1fr);gap:18px;position:relative;z-index:2}\n.oth-gdpr .as-card{background:var(--k2);border:1px solid var(--line);padding:32px 30px;text-decoration:none;color:inherit;position:relative;overflow:hidden;transition:all .4s var(--ease);display:flex;flex-direction:column}\n.oth-gdpr .as-card::before{content:\"\";position:absolute;top:0;left:0;width:4px;height:100%;background:var(--r);transition:width .35s var(--ease)}\n.oth-gdpr .as-card:hover::before{width:6px}\n.oth-gdpr .as-card.gold::before{background:linear-gradient(180deg,var(--gold) 0%,var(--r) 100%)}\n.oth-gdpr .as-card.gold{background:linear-gradient(135deg,rgba(237,64,54,.06) 0%,var(--k3) 100%);border-color:rgba(237,64,54,.30)}\n.oth-gdpr .as-card.gold:hover{border-color:rgba(237,64,54,.5);box-shadow:0 20px 50px rgba(0,0,0,.4),0 0 30px rgba(237,64,54,.12)}\n.oth-gdpr .as-card:not(.gold):hover{background:var(--k3);border-color:rgba(237,64,54,.4);transform:translateY(-3px);box-shadow:0 20px 50px rgba(0,0,0,.4)}\n.oth-gdpr .as-card.gold:hover{transform:translateY(-3px)}\n.oth-gdpr .as-icon{width:48px;height:48px;background:rgba(237,64,54,.10);border:1px solid rgba(237,64,54,.30);border-radius:8px;display:flex;align-items:center;justify-content:center;margin-bottom:18px;transition:all .35s var(--ease)}\n.oth-gdpr .as-card.gold .as-icon{background:rgba(237,64,54,.10);border-color:rgba(237,64,54,.30)}\n.oth-gdpr .as-card:hover .as-icon{transform:scale(1.1) rotate(-5deg);background:rgba(237,64,54,.18);border-color:rgba(237,64,54,.5)}\n.oth-gdpr .as-card.gold:hover .as-icon{background:rgba(237,64,54,.18);border-color:rgba(237,64,54,.5)}\n.oth-gdpr .as-icon svg{width:24px;height:24px;stroke:var(--r);fill:none;stroke-width:1.8;stroke-linecap:round;stroke-linejoin:round}\n.oth-gdpr .as-card.gold .as-icon svg{stroke:var(--gold)}\n.oth-gdpr .as-tag{font-family:var(--m);font-size:9.5px;letter-spacing:.12em;color:var(--r);font-weight:700;margin-bottom:8px;text-transform:uppercase}\n.oth-gdpr .as-card.gold .as-tag{color:var(--gold)}\n.oth-gdpr .as-card h3{font-family:var(--d);font-style:italic;font-size:22px;font-weight:600;color:var(--w);margin:0 0 12px;line-height:1.2;letter-spacing:-.005em}\n.oth-gdpr .as-card p{font-size:13px;line-height:1.65;color:var(--w1);margin:0 0 18px;flex:1}\n.oth-gdpr .as-card p strong{color:var(--w);font-weight:600}\n.oth-gdpr .as-card p em{font-family:var(--d);font-style:italic;color:var(--r);font-weight:500}\n.oth-gdpr .as-card.gold p em{color:var(--gold)}\n.oth-gdpr .as-arrow{font-family:var(--m);font-size:11px;letter-spacing:.10em;color:var(--r);font-weight:700;text-transform:uppercase;display:inline-flex;align-items:center;gap:8px;transition:gap .3s var(--ease)}\n.oth-gdpr .as-card.gold .as-arrow{color:var(--gold)}\n.oth-gdpr .as-arrow::after{content:\"\u2192\";font-family:var(--d);font-style:italic;font-size:16px;transition:transform .3s var(--ease)}\n.oth-gdpr .as-card:hover .as-arrow::after{transform:translateX(5px)}\n@media (max-width:1024px){.oth-gdpr .as-grid{grid-template-columns:1fr;gap:14px}}\n@media (max-width:600px){.oth-gdpr .as-card{padding:24px 22px}}\n\n\/* ============ FAQ ============ *\/\n.oth-gdpr .faq-sec{padding:110px 0;background:var(--k1);border-top:1px solid var(--line);position:relative;overflow:hidden}\n.oth-gdpr .faq-sec::before{content:\"\";position:absolute;top:-100px;left:50%;width:1200px;height:600px;background:radial-gradient(ellipse,rgba(237,64,54,.06),transparent 70%);transform:translateX(-50%);pointer-events:none}\n.oth-gdpr .faq-grid{display:grid;gap:14px;max-width:980px;margin:0 auto}\n.oth-gdpr .faq{background:var(--k2);border:1px solid var(--line);transition:all .35s var(--ease);overflow:hidden;position:relative}\n.oth-gdpr .faq[open]{background:var(--k3);border-color:rgba(237,64,54,.30);box-shadow:0 16px 40px rgba(0,0,0,.4)}\n.oth-gdpr .faq:hover{border-color:rgba(237,64,54,.20)}\n.oth-gdpr .faq summary{padding:22px 28px;cursor:pointer;list-style:none;display:grid;grid-template-columns:auto 1fr auto;align-items:center;gap:18px;font-family:var(--s);font-size:15.5px;font-weight:600;color:var(--w);line-height:1.35;transition:background .25s}\n.oth-gdpr .faq summary::-webkit-details-marker{display:none}\n.oth-gdpr .faq summary:hover{background:var(--k1)}\n.oth-gdpr .faq-num{font-family:var(--m);font-size:10.5px;font-weight:700;letter-spacing:.10em;color:var(--r);padding:5px 10px;background:rgba(237,64,54,.10);border:1px solid rgba(237,64,54,.30);border-radius:2px;white-space:nowrap}\n.oth-gdpr .faq-ic{width:32px;height:32px;border-radius:50%;background:var(--k);border:1px solid var(--line);display:flex;align-items:center;justify-content:center;font-size:18px;font-weight:300;color:var(--r);transition:all .3s var(--ease)}\n.oth-gdpr .faq[open] .faq-ic{transform:rotate(45deg);background:var(--r);color:var(--w);border-color:var(--r)}\n.oth-gdpr .faq-body{padding:0 28px 26px;border-top:1px solid var(--line)}\n.oth-gdpr .faq-body p{font-size:14px;line-height:1.7;color:var(--w1);margin:18px 0 0;max-width:84ch}\n.oth-gdpr .faq-body p:first-child{margin-top:18px}\n.oth-gdpr .faq-body p strong{color:var(--w);font-weight:600}\n.oth-gdpr .faq-body p em{font-family:var(--d);font-style:italic;color:var(--r);font-weight:500}\n.oth-gdpr .faq-body p a{color:var(--r);text-decoration:none;border-bottom:1px solid rgba(237,64,54,.4)}\n@media (max-width:600px){.oth-gdpr .faq summary{padding:18px 20px;gap:12px;font-size:14px}.oth-gdpr .faq-body{padding:0 20px 22px}}\n\n\/* ============ FINAL CTA ============ *\/\n.oth-gdpr .cta-sec{background:radial-gradient(ellipse 1000px 700px at 50% 0%,rgba(237,64,54,.22),transparent 60%),radial-gradient(ellipse 800px 500px at 50% 100%,rgba(237,64,54,.10),transparent 60%),var(--k);padding:130px 0;text-align:center;position:relative;overflow:hidden;border-top:1px solid var(--line)}\n.oth-gdpr .cta-sec::before{content:\"\";position:absolute;inset:0;background-image:linear-gradient(rgba(255,255,255,.025) 1px,transparent 1px),linear-gradient(90deg,rgba(255,255,255,.025) 1px,transparent 1px);background-size:64px 64px;pointer-events:none;mask-image:radial-gradient(ellipse 1200px 700px at 50% 50%,black,transparent 75%);-webkit-mask-image:radial-gradient(ellipse 1200px 700px at 50% 50%,black,transparent 75%)}\n.oth-gdpr .cta-content{position:relative;z-index:2;max-width:920px;margin:0 auto;padding:0 32px}\n.oth-gdpr .cta-content h2{font-size:clamp(34px,5.2vw,64px);line-height:1.04;font-weight:700;letter-spacing:-.03em;color:var(--w);margin:0 auto 24px;max-width:26ch}\n.oth-gdpr .cta-content h2 em{font-family:var(--d);font-style:italic;font-weight:500;color:var(--r);background:linear-gradient(90deg,var(--r) 0%,var(--r1) 30%,var(--gold) 50%,var(--r1) 70%,var(--r) 100%);background-size:200% 100%;-webkit-background-clip:text;background-clip:text;-webkit-text-fill-color:transparent;animation:gd-shimmer 6s linear infinite}\n.oth-gdpr .cta-content p{font-size:16.5px;line-height:1.7;color:var(--w1);max-width:74ch;margin:0 auto 44px}\n.oth-gdpr .cta-content p strong{color:var(--w);font-weight:600}\n.oth-gdpr .cta-content p em{font-family:var(--d);font-style:italic;color:var(--r);font-weight:500}\n.oth-gdpr .cta-buttons{display:flex;gap:14px;justify-content:center;flex-wrap:wrap}\n.oth-gdpr .cta-note{margin-top:36px;font-family:var(--m);font-size:11px;letter-spacing:.14em;text-transform:uppercase;color:var(--w2);line-height:1.8}\n.oth-gdpr .cta-note b{color:var(--r);font-weight:700}\n.oth-gdpr .cta-note a{color:inherit;text-decoration:none;transition:color .2s}\n.oth-gdpr .cta-note a:hover{color:var(--w)}\n.oth-gdpr .cta-note .sep{color:var(--r)}\n.oth-gdpr .endline{padding:32px 0;text-align:center;font-family:var(--m);font-size:11px;font-weight:500;letter-spacing:.16em;text-transform:uppercase;color:var(--w2);background:var(--k);border-top:1px solid var(--line)}\n.oth-gdpr .endline .r{color:var(--r)}\n@media (max-width:600px){.oth-gdpr .cta-sec{padding:72px 0}}\n<\/style>\n<noscript><style>\n.oth-gdpr [data-reveal], .oth-gdpr [data-reveal-stagger] > *, .oth-gdpr [data-reveal] .oth-gdpr [data-reveal-stagger] > *{opacity:1!important;transform:none!important}\n<\/style><\/noscript>\n\n\n<div class=\"oth-gdpr\" id=\"oth-gdpr-top\">\n\n<!-- STATUS STRIP -->\n<div class=\"strip\">\n  <div class=\"wrap\"><div class=\"strip-row\">\n    <div class=\"l\"><span class=\"strip-dot\"><\/span>COMPLIANCE \u00b7 GDPR \u00b7 DATA-PROCESSOR DISCIPLINE \u00b7 EU \u2192 BANGKOK UNDER SCCs<\/div>\n    <div class=\"r\">Art 28 DPA <span style=\"color:var(--r)\">\u00b7<\/span> 72-hour breach notice <span style=\"color:var(--r)\">\u00b7<\/span> <b>NDA from first email<\/b><\/div>\n  <\/div><\/div>\n<\/div>\n\n<!-- BREADCRUMB -->\n<div class=\"crumb\">\n  <div class=\"wrap\">\n    <a href=\"\/\">Othello<\/a>\n    <span class=\"sep\">\/<\/span>\n    <a href=\"\/certifications\/\">Certifications<\/a>\n    <span class=\"sep\">\/<\/span>\n    <span class=\"here\">GDPR<\/span>\n  <\/div>\n<\/div>\n\n<!-- ============ HERO ============ -->\n<section class=\"hero\">\n  <div class=\"wrap\"><div class=\"hero-inner\">\n    <div class=\"hero-tag\" data-reveal><span class=\"dot\"><\/span>\u2605 GDPR-ALIGNED \u00b7 DATA PROCESSOR \u00b7 SCCs + TIA \u00b7 ART 28 DPA \u00b7 NDA-FIRST \u00b7 PDPA-DOMICILED<\/div>\n    <h1 data-reveal>GDPR. <em>Processor-grade discipline<\/em>, EU to Bangkok.<\/h1>\n    <div class=\"hero-grid\">\n      <div class=\"hero-left\">\n        <p data-reveal><strong>Othello International processes client documents that contain personal data<\/strong> \u2014 names, addresses, financial figures, identifiers \u2014 so the <em>General Data Protection Regulation<\/em> (Regulation (EU) 2016\/679) is squarely in frame. Under Article 3, GDPR applies extraterritorially: a Bangkok firm processing the personal data of EU residents is in scope. Othello acts as a <em>data processor<\/em> on the client-controller&#8217;s documented instructions. <strong>Thailand holds no EU adequacy decision<\/strong> \u2014 so EU \u2192 Thailand transfers run on <em>Standard Contractual Clauses<\/em> plus a Transfer Impact Assessment and supplementary measures, not on a claim of adequacy Othello does not have. <strong>Article 28 DPA on request \u00b7 NDA from first email \u00b7 audit-trail retained Bangkok-side.<\/strong><\/p>\n        <div class=\"hs-grid\" data-reveal-stagger>\n          <div class=\"hs\">\n            <div class=\"ic\"><svg viewBox=\"0 0 24 24\" fill=\"none\" stroke=\"currentColor\" stroke-width=\"1.8\" stroke-linecap=\"round\" stroke-linejoin=\"round\"><path d=\"M12 22s8-4 8-10V5l-8-3-8 3v7c0 6 8 10 8 10z\"\/><path d=\"M9 12l2 2 4-4\"\/><\/svg><\/div>\n            <div class=\"lb\">GDPR Effective<\/div>\n            <div class=\"v\"><span class=\"num\" data-count-to=\"2018\">2018<\/span><\/div>\n            <div class=\"sb\">Reg (EU) 2016\/679 \u00b7 25 May<\/div>\n          <\/div>\n          <div class=\"hs\">\n            <div class=\"ic\"><svg viewBox=\"0 0 24 24\" fill=\"none\" stroke=\"currentColor\" stroke-width=\"1.8\" stroke-linecap=\"round\" stroke-linejoin=\"round\"><path d=\"M14 2H6a2 2 0 0 0-2 2v16a2 2 0 0 0 2 2h12a2 2 0 0 0 2-2V8z\"\/><polyline points=\"14 2 14 8 20 8\"\/><path d=\"M9 13h6M9 17h4\"\/><\/svg><\/div>\n            <div class=\"lb\">Transfer Mechanism<\/div>\n            <div class=\"v\" style=\"font-family:var(--d);font-size:36px\">SCCs<\/div>\n            <div class=\"sb\">2021\/914 + TIA \u00b7 EU\u2192TH<\/div>\n          <\/div>\n          <div class=\"hs\">\n            <div class=\"ic\"><svg viewBox=\"0 0 24 24\" fill=\"none\" stroke=\"currentColor\" stroke-width=\"1.8\" stroke-linecap=\"round\" stroke-linejoin=\"round\"><circle cx=\"12\" cy=\"12\" r=\"10\"\/><polyline points=\"12 6 12 12 16 14\"\/><\/svg><\/div>\n            <div class=\"lb\">Breach Notice<\/div>\n            <div class=\"v\"><span class=\"num\" data-count-to=\"72\">72<\/span><span class=\"sm\">h<\/span><\/div>\n            <div class=\"sb\">Art 33 \u00b7 without undue delay<\/div>\n          <\/div>\n          <div class=\"hs\">\n            <div class=\"ic\"><svg viewBox=\"0 0 24 24\" fill=\"none\" stroke=\"currentColor\" stroke-width=\"1.8\" stroke-linecap=\"round\" stroke-linejoin=\"round\"><path d=\"M3 6h18M3 12h18M3 18h12\"\/><\/svg><\/div>\n            <div class=\"lb\">Max Penalty<\/div>\n            <div class=\"v\"><span class=\"num\" data-count-to=\"4\">4<\/span><span class=\"sm\">% \/ \u20ac20M<\/span><\/div>\n            <div class=\"sb\">Art 83 \u00b7 global turnover<\/div>\n          <\/div>\n        <\/div>\n        <div class=\"hctas\" data-reveal>\n          <a href=\"#posture\" class=\"btn btn-primary\">The Data-Protection Posture<\/a>\n          <a href=\"\/contact\/\" class=\"btn btn-outline\">Request a DPA<\/a>\n        <\/div>\n      <\/div>\n\n      <div data-reveal>\n        <div class=\"lp-card\">\n          <div class=\"lp-lb\">\u2605 DATA-PROTECTION POSTURE \u00b7 TRANSPARENT<\/div>\n          <div class=\"lp-head\">Processor role. <em>SCCs, not adequacy.<\/em> One DPA, one audit-trail.<\/div>\n          <ul class=\"lp-items\">\n            <li class=\"lp-item gold\"><span class=\"lp-k\">Role<\/span><span class=\"lp-v\"><b>Data processor<\/b> \u00b7 on instruction<\/span><\/li>\n            <li class=\"lp-item\"><span class=\"lp-k\">Scope<\/span><span class=\"lp-v\"><b>Art 3<\/b> \u00b7 extraterritorial<\/span><\/li>\n            <li class=\"lp-item gold\"><span class=\"lp-k\">EU\u2192TH transfer<\/span><span class=\"lp-v\"><b>SCCs + TIA<\/b> \u00b7 not adequacy<\/span><\/li>\n            <li class=\"lp-item\"><span class=\"lp-k\">Contract<\/span><span class=\"lp-v\"><b>Art 28 DPA<\/b> \u00b7 on request<\/span><\/li>\n            <li class=\"lp-item\"><span class=\"lp-k\">Breach<\/span><span class=\"lp-v\"><b>72h<\/b> \u00b7 notify controller<\/span><\/li>\n            <li class=\"lp-item\"><span class=\"lp-k\">Domicile<\/span><span class=\"lp-v\"><b>Thai PDPA<\/b> \u00b7 GDPR-aligned<\/span><\/li>\n            <li class=\"lp-item gold\"><span class=\"lp-k\">Confidentiality<\/span><span class=\"lp-v\"><b>NDA from first email<\/b><\/span><\/li>\n          <\/ul>\n        <\/div>\n      <\/div>\n    <\/div>\n  <\/div><\/div>\n<\/section>\n<!-- ============ THE GDPR POSTURE MODEL ============ -->\n<section class=\"pm-sec\" id=\"posture\">\n  <div class=\"wrap\">\n    <div class=\"section-head\" data-reveal>\n      <div class=\"eyebrow\">\u2605 The GDPR Posture \u00b7 How A Bangkok Processor Stays Lawful<\/div>\n      <h2 class=\"title\">The posture, substantively. <em>Six points<\/em> that make EU-facing work lawful.<\/h2>\n      <p class=\"lead\"><strong>GDPR compliance for a translation and advisory firm is not a badge \u2014 it is a documented operating posture.<\/strong> Othello processes personal data inside client documents, so the questions that matter are: what role does Othello hold, what brings it into scope, how does data lawfully reach Bangkok, and what contract governs it. The six points below document the substantive posture.<\/p>\n    <\/div>\n\n    <div class=\"pm-grid\" data-reveal-stagger>\n\n      <div class=\"pm-card\">\n        <div class=\"pm-num\">POINT 01 \u00b7 ROLE<\/div>\n        <h3>Processor, <em>not controller.<\/em><\/h3>\n        <p><strong>Othello acts as a data processor<\/strong> \u2014 it processes personal data on the documented instructions of the client, who is the controller. Othello does not determine the purposes of processing; it translates, edits, and advises on documents the client supplies. <em>This role allocation is recorded in the engagement and the DPA<\/em>, and it dictates the Article 28 obligations Othello accepts.<\/p>\n        <div class=\"pm-spec\">\n          <div class=\"pm-spec-row\"><span class=\"pm-spec-k\">Othello<\/span><span class=\"pm-spec-v\"><b>Processor<\/b><\/span><\/div>\n          <div class=\"pm-spec-row\"><span class=\"pm-spec-k\">Client<\/span><span class=\"pm-spec-v\">Controller<\/span><\/div>\n          <div class=\"pm-spec-row\"><span class=\"pm-spec-k\">Basis<\/span><span class=\"pm-spec-v\">Documented instruction<\/span><\/div>\n        <\/div>\n      <\/div>\n\n      <div class=\"pm-card\">\n        <div class=\"pm-num\">POINT 02 \u00b7 SCOPE<\/div>\n        <h3>Extraterritorial. <em>Article 3<\/em> reaches Bangkok.<\/h3>\n        <p><strong>GDPR applies regardless of where the processor sits.<\/strong> Under Article 3, processing the personal data of individuals in the EU brings a non-EU firm into scope. Othello does not treat its Bangkok domicile as an exemption \u2014 <em>EU-facing engagements are run to GDPR standard<\/em>. This is the honest reading: the regulation follows the data subject, not the processor&#8217;s postcode.<\/p>\n        <div class=\"pm-spec\">\n          <div class=\"pm-spec-row\"><span class=\"pm-spec-k\">Trigger<\/span><span class=\"pm-spec-v\">EU data subjects<\/span><\/div>\n          <div class=\"pm-spec-row\"><span class=\"pm-spec-k\">Article<\/span><span class=\"pm-spec-v\"><b>Art 3<\/b><\/span><\/div>\n          <div class=\"pm-spec-row\"><span class=\"pm-spec-k\">Exemption<\/span><span class=\"pm-spec-v\"><b>None claimed<\/b><\/span><\/div>\n        <\/div>\n      <\/div>\n\n      <div class=\"pm-card\">\n        <div class=\"pm-num\">POINT 03 \u00b7 TRANSFER<\/div>\n        <h3>SCCs + TIA. <em>Not a claim of adequacy.<\/em><\/h3>\n        <p><strong>Thailand has no EU adequacy decision.<\/strong> So EU \u2192 Thailand transfers cannot rely on adequacy \u2014 they run on the modernised <em>Standard Contractual Clauses<\/em> (Decision (EU) 2021\/914), accompanied by a Transfer Impact Assessment and documented supplementary measures. <em>Othello will not pretend Thailand is &#8220;adequate&#8221;<\/em> \u2014 it documents the actual lawful mechanism the regulation requires for a non-adequate third country.<\/p>\n        <div class=\"pm-spec\">\n          <div class=\"pm-spec-row\"><span class=\"pm-spec-k\">Adequacy<\/span><span class=\"pm-spec-v\"><b>None (TH)<\/b><\/span><\/div>\n          <div class=\"pm-spec-row\"><span class=\"pm-spec-k\">Mechanism<\/span><span class=\"pm-spec-v\">SCCs 2021\/914<\/span><\/div>\n          <div class=\"pm-spec-row\"><span class=\"pm-spec-k\">Plus<\/span><span class=\"pm-spec-v\"><b>TIA + measures<\/b><\/span><\/div>\n        <\/div>\n      <\/div>\n\n      <div class=\"pm-card\">\n        <div class=\"pm-num\">POINT 04 \u00b7 CONTRACT<\/div>\n        <h3>Article 28 <em>Data Processing Agreement.<\/em><\/h3>\n        <p><strong>Every EU-facing engagement can run under an Article 28 DPA.<\/strong> The DPA records the subject matter and duration of processing, the nature and purpose, the types of personal data and categories of data subject, and the controller&#8217;s instructions \u2014 plus Othello&#8217;s confidentiality, security, sub-processor, breach-notification, audit, and deletion obligations. <em>The DPA is the instrument; SCCs sit inside it for the transfer.<\/em><\/p>\n        <div class=\"pm-spec\">\n          <div class=\"pm-spec-row\"><span class=\"pm-spec-k\">Instrument<\/span><span class=\"pm-spec-v\"><b>Art 28 DPA<\/b><\/span><\/div>\n          <div class=\"pm-spec-row\"><span class=\"pm-spec-k\">Contains<\/span><span class=\"pm-spec-v\">SCCs \u00b7 scope \u00b7 duties<\/span><\/div>\n          <div class=\"pm-spec-row\"><span class=\"pm-spec-k\">Available<\/span><span class=\"pm-spec-v\">On request<\/span><\/div>\n        <\/div>\n      <\/div>\n\n      <div class=\"pm-card\">\n        <div class=\"pm-num\">POINT 05 \u00b7 BREACH<\/div>\n        <h3>72-hour <em>notification<\/em> discipline.<\/h3>\n        <p>As a processor, Othello&#8217;s obligation under <strong>Article 33<\/strong> is to notify the controller <em>without undue delay<\/em> on becoming aware of a personal-data breach \u2014 so the controller can meet its own 72-hour supervisory-authority deadline. Othello maintains an incident-response procedure: detection, containment, assessment, controller notification, and documented remediation, with the event recorded in the audit-trail.<\/p>\n        <div class=\"pm-spec\">\n          <div class=\"pm-spec-row\"><span class=\"pm-spec-k\">Duty<\/span><span class=\"pm-spec-v\">Notify controller<\/span><\/div>\n          <div class=\"pm-spec-row\"><span class=\"pm-spec-k\">Window<\/span><span class=\"pm-spec-v\"><b>Without undue delay<\/b><\/span><\/div>\n          <div class=\"pm-spec-row\"><span class=\"pm-spec-k\">Article<\/span><span class=\"pm-spec-v\">Art 33<\/span><\/div>\n        <\/div>\n      <\/div>\n\n      <div class=\"pm-card\">\n        <div class=\"pm-num\">POINT 06 \u00b7 RIGHTS<\/div>\n        <h3>Data-subject rights, <em>facilitated.<\/em><\/h3>\n        <p><strong>Othello assists the controller in honouring data-subject rights<\/strong> \u2014 access, rectification, erasure, restriction, portability, and objection (Articles 15\u201321). As processor, Othello does not field requests directly from data subjects; it <em>supports the controller&#8217;s response<\/em> with prompt retrieval, correction, or deletion of the relevant material from Othello-controlled infrastructure, recorded in the audit-trail.<\/p>\n        <div class=\"pm-spec\">\n          <div class=\"pm-spec-row\"><span class=\"pm-spec-k\">Rights<\/span><span class=\"pm-spec-v\">Arts 15\u201321<\/span><\/div>\n          <div class=\"pm-spec-row\"><span class=\"pm-spec-k\">Othello<\/span><span class=\"pm-spec-v\"><b>Assists controller<\/b><\/span><\/div>\n          <div class=\"pm-spec-row\"><span class=\"pm-spec-k\">Recorded<\/span><span class=\"pm-spec-v\">Audit-trail<\/span><\/div>\n        <\/div>\n      <\/div>\n\n    <\/div>\n\n    <p style=\"font-size:12.5px;line-height:1.7;color:var(--w2);margin:32px 0 0;font-family:var(--m);letter-spacing:.02em;max-width:88ch;padding:18px 22px;background:var(--k);border:1px solid var(--line);border-left:3px solid var(--r);position:relative;z-index:2\" data-reveal>\u2605 <b style=\"color:var(--r)\">WHY THE HONEST TRANSFER STORY MATTERS<\/b> \u00b7 <b style=\"color:var(--w)\">Vendors that claim &#8220;GDPR compliant&#8221; without naming a transfer mechanism are hiding the hard part.<\/b> For EU \u2192 Thailand, the hard part is the absence of adequacy \u2014 which is why SCCs + a Transfer Impact Assessment + supplementary measures are the real answer. <em style=\"color:var(--r);font-family:var(--d);font-style:italic\">Othello documents the mechanism rather than asserting a status it does not hold.<\/em> See <a href=\"\/certifications\/pdpa\/\" style=\"color:var(--r);text-decoration:none;border-bottom:1px solid rgba(237,64,54,.4)\">PDPA Compliance<\/a> for the Thai-domicile counterpart.<\/p>\n  <\/div>\n<\/section>\n<!-- ============ EIGHT DATA-PROTECTION PRACTICES ============ -->\n<section class=\"uc-sec\" id=\"practices\">\n  <div class=\"wrap\">\n    <div class=\"section-head\" data-reveal>\n      <div class=\"eyebrow\">\u2605 Operating Practices \u00b7 How The Posture Becomes Daily Discipline<\/div>\n      <h2 class=\"title\">Eight data-protection practices. <em>Where the posture becomes operational.<\/em><\/h2>\n      <p class=\"lead\">A posture is only as good as the daily handling. <em>The flagship practices are in-house processing and encryption<\/em> \u2014 the two that most often distinguish institutional-grade handling from consumer-tier translation tools that quietly send client content to third-party endpoints.<\/p>\n    <\/div>\n\n    <div class=\"uc-grid\" data-reveal-stagger>\n\n      <div class=\"uc-card flagship\">\n        <div class=\"uc-icon\"><svg viewBox=\"0 0 24 24\"><path d=\"M12 22s8-4 8-10V5l-8-3-8 3v7c0 6 8 10 8 10z\"\/><path d=\"M9 12l2 2 4-4\"\/><\/svg><\/div>\n        <div class=\"uc-num\">PRACTICE 01 \u00b7 FLAGSHIP<\/div>\n        <h3>In-house processing<\/h3>\n        <p>The flagship practice. <strong>Othello does not route substantive client content through consumer LLM endpoints<\/strong> or unscreened third-party tools. Personal data inside documents is processed within Othello-controlled infrastructure by the named bench. <em>No silent data egress to free machine-translation services<\/em> \u2014 the single most common GDPR failure in the translation market.<\/p>\n        <div class=\"uc-tags\"><span class=\"uc-tag gold\">In-house<\/span><span class=\"uc-tag\">No consumer LLM<\/span><span class=\"uc-tag\">No egress<\/span><\/div>\n      <\/div>\n\n      <div class=\"uc-card flagship\">\n        <div class=\"uc-icon\"><svg viewBox=\"0 0 24 24\"><rect x=\"3\" y=\"11\" width=\"18\" height=\"11\" rx=\"2\"\/><path d=\"M7 11V7a5 5 0 0 1 10 0v4\"\/><\/svg><\/div>\n        <div class=\"uc-num\">PRACTICE 02 \u00b7 FLAGSHIP<\/div>\n        <h3>Encryption in transit &amp; at rest<\/h3>\n        <p><strong>Personal data is encrypted in transit and at rest<\/strong> \u2014 a documented supplementary measure under the SCC transfer regime. Encryption with keys held by Othello is precisely the kind of technical measure a Transfer Impact Assessment calls for when the destination is a non-adequate third country. <em>Secure transfer channels, not email attachments by default.<\/em><\/p>\n        <div class=\"uc-tags\"><span class=\"uc-tag gold\">Encryption<\/span><span class=\"uc-tag\">In transit<\/span><span class=\"uc-tag\">At rest<\/span><\/div>\n      <\/div>\n\n      <div class=\"uc-card\">\n        <div class=\"uc-icon\"><svg viewBox=\"0 0 24 24\"><path d=\"M17 21v-2a4 4 0 0 0-4-4H5a4 4 0 0 0-4 4v2\"\/><circle cx=\"9\" cy=\"7\" r=\"4\"\/><path d=\"M23 21v-2a4 4 0 0 0-3-3.87\"\/><\/svg><\/div>\n        <div class=\"uc-num\">PRACTICE 03 \u00b7 ACCESS<\/div>\n        <h3>Least-privilege access control<\/h3>\n        <p><strong>Access to client documents is restricted to the named bench assigned to the engagement.<\/strong> Least-privilege controls mean a translator or editor sees only the material their role requires. Access is logged. <em>Need-to-know is enforced, not assumed<\/em> \u2014 a measure the TIA documents and the DPA records.<\/p>\n        <div class=\"uc-tags\"><span class=\"uc-tag\">Least-privilege<\/span><span class=\"uc-tag\">Logged<\/span><span class=\"uc-tag\">Need-to-know<\/span><\/div>\n      <\/div>\n\n      <div class=\"uc-card\">\n        <div class=\"uc-icon\"><svg viewBox=\"0 0 24 24\"><path d=\"M3 6h18M7 12h10M11 18h2\"\/><\/svg><\/div>\n        <div class=\"uc-num\">PRACTICE 04 \u00b7 MINIMISATION<\/div>\n        <h3>Data minimisation &amp; purpose limitation<\/h3>\n        <p><strong>Othello processes only the personal data the engagement requires<\/strong>, for only the purpose the controller instructs (Article 5 principles). Where a document can be pseudonymised or redacted without harming the translation, it is. <em>No retention &#8220;just in case&#8221;<\/em> \u2014 minimisation is the default, not the exception.<\/p>\n        <div class=\"uc-tags\"><span class=\"uc-tag\">Art 5<\/span><span class=\"uc-tag\">Minimise<\/span><span class=\"uc-tag\">Purpose-limit<\/span><\/div>\n      <\/div>\n\n      <div class=\"uc-card\">\n        <div class=\"uc-icon\"><svg viewBox=\"0 0 24 24\"><path d=\"M3 6v6a9 3 0 0 0 18 0V6\"\/><path d=\"M3 6a9 3 0 0 0 18 0a9 3 0 0 0-18 0M3 12a9 3 0 0 0 18 0\"\/><\/svg><\/div>\n        <div class=\"uc-num\">PRACTICE 05 \u00b7 RETENTION<\/div>\n        <h3>Retention &amp; scheduled deletion<\/h3>\n        <p><strong>Source documents and deliverables are retained only for the agreed period<\/strong>, then securely deleted on schedule (Article 5 storage limitation). The retention window is set in the DPA. On engagement close or controller instruction, Othello deletes or returns the data and <em>confirms deletion in writing<\/em>, recorded in the audit-trail.<\/p>\n        <div class=\"uc-tags\"><span class=\"uc-tag\">Storage limit<\/span><span class=\"uc-tag\">Secure delete<\/span><span class=\"uc-tag\">Confirmed<\/span><\/div>\n      <\/div>\n\n      <div class=\"uc-card\">\n        <div class=\"uc-icon\"><svg viewBox=\"0 0 24 24\"><circle cx=\"18\" cy=\"5\" r=\"3\"\/><circle cx=\"6\" cy=\"12\" r=\"3\"\/><circle cx=\"18\" cy=\"19\" r=\"3\"\/><path d=\"M8.6 13.5l6.8 4M15.4 6.5l-6.8 4\"\/><\/svg><\/div>\n        <div class=\"uc-num\">PRACTICE 06 \u00b7 SUB-PROCESSORS<\/div>\n        <h3>Sub-processor screening &amp; flow-down<\/h3>\n        <p><strong>Where a sub-processor is engaged, it is screened and bound by back-to-back obligations<\/strong> no weaker than Othello&#8217;s own (Article 28(4)). The controller is informed of sub-processors and may object. <em>No undisclosed sub-processing<\/em> \u2014 the same transparency discipline Othello applies to partner-routed language work.<\/p>\n        <div class=\"uc-tags\"><span class=\"uc-tag\">Art 28(4)<\/span><span class=\"uc-tag\">Flow-down<\/span><span class=\"uc-tag\">Disclosed<\/span><\/div>\n      <\/div>\n\n      <div class=\"uc-card\">\n        <div class=\"uc-icon\"><svg viewBox=\"0 0 24 24\"><path d=\"M10.29 3.86 1.82 18a2 2 0 0 0 1.71 3h16.94a2 2 0 0 0 1.71-3L13.71 3.86a2 2 0 0 0-3.42 0z\"\/><line x1=\"12\" y1=\"9\" x2=\"12\" y2=\"13\"\/><line x1=\"12\" y1=\"17\" x2=\"12.01\" y2=\"17\"\/><\/svg><\/div>\n        <div class=\"uc-num\">PRACTICE 07 \u00b7 BREACH RESPONSE<\/div>\n        <h3>Incident-response procedure<\/h3>\n        <p><strong>A documented incident-response procedure<\/strong> governs detection, containment, assessment, and controller notification without undue delay (Article 33). The procedure assigns responsibility, sets timelines, and ends in remediation and a recorded post-incident review. <em>The controller is notified in time to meet its own 72-hour deadline.<\/em><\/p>\n        <div class=\"uc-tags\"><span class=\"uc-tag\">Detect<\/span><span class=\"uc-tag\">Contain<\/span><span class=\"uc-tag\">Notify<\/span><\/div>\n      <\/div>\n\n      <div class=\"uc-card\">\n        <div class=\"uc-icon\"><svg viewBox=\"0 0 24 24\"><path d=\"M14 2H6a2 2 0 0 0-2 2v16a2 2 0 0 0 2 2h12a2 2 0 0 0 2-2V8z\"\/><polyline points=\"14 2 14 8 20 8\"\/><line x1=\"9\" y1=\"15\" x2=\"15\" y2=\"15\"\/><\/svg><\/div>\n        <div class=\"uc-num\">PRACTICE 08 \u00b7 RECORDS<\/div>\n        <h3>RoPA &amp; audit-trail<\/h3>\n        <p><strong>Othello maintains records of processing activities<\/strong> (Article 30) and a consolidated audit-trail per engagement \u2014 processing purpose, data categories, transfer mechanism, retention, deletion, and any incidents. <em>Retained Bangkok-side<\/em> and available to the controller for its own accountability and supervisory-authority obligations.<\/p>\n        <div class=\"uc-tags\"><span class=\"uc-tag\">Art 30 RoPA<\/span><span class=\"uc-tag\">Audit-trail<\/span><span class=\"uc-tag\">Accountable<\/span><\/div>\n      <\/div>\n\n    <\/div>\n\n    <p style=\"font-size:12.5px;line-height:1.7;color:var(--w2);margin:32px 0 0;font-family:var(--m);letter-spacing:.02em;max-width:88ch;padding:18px 22px;background:var(--k1);border:1px solid var(--line);border-left:3px solid var(--r);position:relative;z-index:2\" data-reveal>\u2605 <b style=\"color:var(--r)\">SUPPLEMENTARY MEASURES ARE THE POINT<\/b> \u00b7 <b style=\"color:var(--w)\">After Schrems II, SCCs alone are not enough.<\/b> The exporter must assess the destination and add measures \u2014 encryption, access control, minimisation, processing isolation \u2014 to bring protection up to EU-equivalent standard. <em style=\"color:var(--r);font-family:var(--d);font-style:italic\">The eight practices above are those supplementary measures, operationalised.<\/em> See <a href=\"\/our-process\/\" style=\"color:var(--r);text-decoration:none;border-bottom:1px solid rgba(237,64,54,.4)\">Our Process<\/a> for the bench workflow they sit inside.<\/p>\n  <\/div>\n<\/section>\n<!-- ============ GDPR + PDPA DUAL FRAME ============ -->\n<section class=\"qd-sec alt\" id=\"gdpr-pdpa\">\n  <div class=\"wrap\">\n    <div class=\"section-head\" data-reveal>\n      <div class=\"eyebrow\">\u2605 GDPR + PDPA \u00b7 Two Regimes \u00b7 One Discipline<\/div>\n      <h2 class=\"title\">GDPR and PDPA <em>map closely<\/em> \u2014 but they are not the same instrument.<\/h2>\n      <p class=\"lead\">Othello is domiciled in Thailand, so Thailand&#8217;s <strong>Personal Data Protection Act<\/strong> (PDPA) is its home regime; the GDPR applies to EU-facing engagements. The two are closely aligned \u2014 PDPA was modelled on GDPR \u2014 but the obligations attach differently. Othello runs <strong>one operating discipline that satisfies both<\/strong>, and names which regime governs which engagement.<\/p>\n    <\/div>\n\n    <div class=\"qd-block thai\" data-reveal>\n      <div class=\"qd-eye\">\u2605 THE TWO REGIMES \u00b7 SIDE BY SIDE<\/div>\n      <h3>One handling standard. <em>Two regimes it answers to.<\/em><\/h3>\n      <p>Where the data subject is in the <strong>EU\/EEA<\/strong>, GDPR governs and the EU \u2192 Thailand transfer runs on SCCs + TIA. Where the data subject is in <strong>Thailand<\/strong>, PDPA governs directly. Many engagements touch both. Othello&#8217;s bench operates a single discipline \u2014 in-house processing, encryption, minimisation, retention control, breach response \u2014 calibrated to satisfy the stricter of the two on any given point. See <a href=\"\/certifications\/pdpa\/\">PDPA Compliance<\/a> for the Thai-domicile detail.<\/p>\n\n      <div class=\"qd-steps\" data-reveal-stagger>\n        <div class=\"qd-step\">\n          <div class=\"qs-num\">DIM 01<\/div>\n          <div class=\"qs-body\"><span class=\"qs-title\">Origin.<\/span><strong>GDPR:<\/strong> Regulation (EU) 2016\/679, effective 2018. <strong>PDPA:<\/strong> Thailand&#8217;s Personal Data Protection Act, fully effective 2022, <em>modelled on GDPR<\/em>.<\/div>\n        <\/div>\n        <div class=\"qd-step\">\n          <div class=\"qs-num\">DIM 02<\/div>\n          <div class=\"qs-body\"><span class=\"qs-title\">When it governs.<\/span><strong>GDPR:<\/strong> EU\/EEA data subjects (Art 3). <strong>PDPA:<\/strong> personal data processed in Thailand and Thai data subjects. <em>Othello names which applies per engagement.<\/em><\/div>\n        <\/div>\n        <div class=\"qd-step\">\n          <div class=\"qs-num\">DIM 03<\/div>\n          <div class=\"qs-body\"><span class=\"qs-title\">Roles.<\/span>Both distinguish <strong>controller and processor<\/strong> with near-identical duties. Othello is the processor under either, on the client-controller&#8217;s documented instruction.<\/div>\n        <\/div>\n        <div class=\"qd-step\">\n          <div class=\"qs-num\">DIM 04<\/div>\n          <div class=\"qs-body\"><span class=\"qs-title\">Cross-border transfer.<\/span><strong>GDPR:<\/strong> EU\u2192TH needs SCCs + TIA (no adequacy). <strong>PDPA:<\/strong> its own cross-border rules. <em>Othello documents the mechanism, never assumes free flow.<\/em><\/div>\n        <\/div>\n        <div class=\"qd-step\">\n          <div class=\"qs-num\">DIM 05<\/div>\n          <div class=\"qs-body\"><span class=\"qs-title\">Data-subject rights.<\/span>Both grant access, rectification, erasure, and objection. <strong>Othello assists the controller<\/strong> in honouring them under either regime, recorded in the audit-trail.<\/div>\n        <\/div>\n        <div class=\"qd-step\">\n          <div class=\"qs-num\">DIM 06<\/div>\n          <div class=\"qs-body\"><span class=\"qs-title\">Othello&#8217;s standing.<\/span><strong>PDPA:<\/strong> home regime, directly applicable. <strong>GDPR:<\/strong> applied to EU-facing work via SCCs + DPA. <em>Both run honestly \u2014 neither overclaimed.<\/em><\/div>\n        <\/div>\n      <\/div>\n    <\/div>\n\n    <p style=\"font-size:12.5px;line-height:1.7;color:var(--w2);margin:32px 0 0;font-family:var(--m);letter-spacing:.02em;max-width:88ch;padding:18px 22px;background:var(--k);border:1px solid var(--line);border-left:3px solid var(--r);position:relative;z-index:2\" data-reveal>\u2605 <b style=\"color:var(--r)\">PLAIN LANGUAGE<\/b> \u00b7 <b style=\"color:var(--w)\">Othello is a Thai PDPA-domiciled firm that runs EU-facing work to GDPR standard via SCCs and an Article 28 DPA.<\/b> It does not claim Thailand is EU-adequate, and it does not treat its Bangkok base as a GDPR exemption. <em style=\"color:var(--r);font-family:var(--d);font-style:italic\">One handling discipline, two regimes, named per engagement.<\/em><\/p>\n  <\/div>\n<\/section>\n\n<!-- ============ DATA LIFECYCLE WORKFLOW ============ -->\n<section class=\"qd-sec\" id=\"lifecycle\">\n  <div class=\"wrap\">\n    <div class=\"section-head\" data-reveal>\n      <div class=\"eyebrow\">\u2605 Data Lifecycle \u00b7 Intake to Confirmed Deletion<\/div>\n      <h2 class=\"title\">Six stages. <em>Each with a documented gate.<\/em> Data is controlled end to end.<\/h2>\n      <p class=\"lead\">How personal data inside a client document is handled from arrival to deletion. <strong>The transfer gate is first<\/strong> \u2014 before any EU-origin data reaches Bangkok, the SCC + TIA + DPA basis is in place. Nothing is processed on a basis that is not documented. See <a href=\"\/our-process\/\">Our Process<\/a> for the bench workflow this sits inside.<\/p>\n    <\/div>\n\n    <div class=\"qd-block wf\" data-reveal>\n      <div class=\"qd-eye\">\u2605 LAWFUL-BASIS-FIRST \u00b7 AUDIT-TRAIL RETAINED<\/div>\n      <h3>From intake to confirmed deletion. <em>Bangkok-controlled throughout.<\/em><\/h3>\n      <p>Every engagement carrying personal data progresses through the six stages below. <strong>The lawful basis and transfer mechanism are set before intake<\/strong> \u2014 DPA executed, SCCs incorporated, TIA on file for EU-origin data. The data is then controlled inside Othello infrastructure to confirmed deletion.<\/p>\n\n      <div class=\"qd-steps\" data-reveal-stagger>\n        <div class=\"qd-step\">\n          <div class=\"qs-num\">STAGE 01<\/div>\n          <div class=\"qs-body\"><span class=\"qs-title\">Basis &amp; transfer gate.<\/span>Regime identified (GDPR \/ PDPA \/ both). For EU-origin data, <strong>DPA executed, SCCs incorporated, TIA on file<\/strong>. NDA from first email already in force. <em>No data crosses without a documented basis.<\/em><\/div>\n        <\/div>\n        <div class=\"qd-step\">\n          <div class=\"qs-num\">STAGE 02<\/div>\n          <div class=\"qs-body\"><span class=\"qs-title\">Secure intake.<\/span>Documents received over <strong>encrypted transfer channels<\/strong>, not default email. Logged on receipt. Scope and data categories confirmed against the DPA. <em>Minimisation applied \u2014 only what the engagement needs.<\/em><\/div>\n        <\/div>\n        <div class=\"qd-step\">\n          <div class=\"qs-num\">STAGE 03<\/div>\n          <div class=\"qs-body\"><span class=\"qs-title\">Controlled processing.<\/span>Processed <strong>in-house by the named bench<\/strong> under least-privilege access \u2014 no consumer LLM endpoints, no unscreened tools. Encrypted at rest. <em>Access logged; need-to-know enforced.<\/em><\/div>\n        <\/div>\n        <div class=\"qd-step\">\n          <div class=\"qs-num\">STAGE 04<\/div>\n          <div class=\"qs-body\"><span class=\"qs-title\">Editorial &amp; QA.<\/span>Independent editor reviews within the same controlled environment (ISO 17100 stage two). <strong>No data leaves the perimeter for QA.<\/strong> Any sub-processor is screened and flow-down-bound. <em>Disclosed to the controller.<\/em><\/div>\n        <\/div>\n        <div class=\"qd-step\">\n          <div class=\"qs-num\">STAGE 05<\/div>\n          <div class=\"qs-body\"><span class=\"qs-title\">Delivery.<\/span>Deliverable returned over <strong>secure channel<\/strong>. Data-subject-rights requests (via the controller) actioned promptly \u2014 retrieval, correction, or extraction. <em>Every action recorded in the audit-trail \/ RoPA.<\/em><\/div>\n        <\/div>\n        <div class=\"qd-step\">\n          <div class=\"qs-num\">STAGE 06<\/div>\n          <div class=\"qs-body\"><span class=\"qs-title\">Retention &amp; deletion.<\/span>Held only for the DPA-agreed window, then <strong>securely deleted or returned, with written confirmation<\/strong> (Art 5 storage limitation). Audit-trail of the lifecycle <em>retained Bangkok-side<\/em> for accountability.<\/div>\n        <\/div>\n      <\/div>\n    <\/div>\n  <\/div>\n<\/section>\n<!-- ============ ADJACENT ============ -->\n<section class=\"as-sec\" id=\"adjacent\">\n  <div class=\"wrap\">\n    <div class=\"section-head\" data-reveal>\n      <div class=\"eyebrow\">\u2605 Related Compliance &amp; Services \u00b7 One Engagement Letter<\/div>\n      <h2 class=\"title\">Data protection sits inside the engagement. <em>Not bolted on.<\/em><\/h2>\n      <p class=\"lead\">GDPR discipline runs through every service Othello delivers \u2014 translation, certified work, ESG advisory. The pages below document the adjacent compliance frame and the services it protects, all under <em>one engagement letter, one NDA, one audit-trail<\/em>.<\/p>\n    <\/div>\n\n    <div class=\"as-grid\" data-reveal-stagger>\n\n      <a href=\"\/certifications\/pdpa\/\" class=\"as-card gold\">\n        <div class=\"as-icon\"><svg viewBox=\"0 0 24 24\"><path d=\"M12 22s8-4 8-10V5l-8-3-8 3v7c0 6 8 10 8 10z\"\/><path d=\"M9 12l2 2 4-4\"\/><\/svg><\/div>\n        <div class=\"as-tag\">\u2605 HOME REGIME<\/div>\n        <h3>PDPA Compliance \u00b7 Thai domicile<\/h3>\n        <p>The <strong>Thai Personal Data Protection Act<\/strong> counterpart \u2014 Othello&#8217;s home data-protection regime, modelled on GDPR and directly applicable to Thai-origin data. <em>The other half of the one-discipline-two-regimes posture.<\/em><\/p>\n        <span class=\"as-arrow\">Open PDPA Compliance<\/span>\n      <\/a>\n\n      <a href=\"\/technical-translation\/\" class=\"as-card\">\n        <div class=\"as-icon\"><svg viewBox=\"0 0 24 24\"><path d=\"M14 2H6a2 2 0 0 0-2 2v16a2 2 0 0 0 2 2h12a2 2 0 0 0 2-2V8z\"\/><polyline points=\"14 2 14 8 20 8\"\/><line x1=\"9\" y1=\"13\" x2=\"15\" y2=\"13\"\/><line x1=\"9\" y1=\"17\" x2=\"15\" y2=\"17\"\/><\/svg><\/div>\n        <div class=\"as-tag\">PROTECTED SERVICE<\/div>\n        <h3>Technical Translation \u00b7 ISO 17100<\/h3>\n        <p><strong>ISO 17100 + ISO 9001 technical translation<\/strong> \u2014 the service most often carrying personal data inside documents. In-house processing, encryption, and minimisation apply to every engagement. <em>GDPR\/PDPA discipline built into the workflow.<\/em><\/p>\n        <span class=\"as-arrow\">Open Technical Translation<\/span>\n      <\/a>\n\n      <a href=\"\/contact\/\" class=\"as-card\">\n        <div class=\"as-icon\"><svg viewBox=\"0 0 24 24\"><path d=\"M14 2H6a2 2 0 0 0-2 2v16a2 2 0 0 0 2 2h12a2 2 0 0 0 2-2V8z\"\/><polyline points=\"14 2 14 8 20 8\"\/><path d=\"M16 13H8M16 17H8M10 9H8\"\/><\/svg><\/div>\n        <div class=\"as-tag\">\u2605 REQUEST A DPA<\/div>\n        <h3>Data Processing Agreement<\/h3>\n        <p>Request an <strong>Article 28 Data Processing Agreement<\/strong> with SCCs incorporated for EU-facing work \u2014 issued under mutual NDA. <em>The contract that records role, scope, transfer mechanism, and Othello&#8217;s obligations before any data moves.<\/em><\/p>\n        <span class=\"as-arrow\">Request a DPA<\/span>\n      <\/a>\n\n    <\/div>\n  <\/div>\n<\/section>\n\n<!-- ============ FAQ ============ -->\n<section class=\"faq-sec\" id=\"faqs\">\n  <div class=\"wrap\">\n    <div class=\"section-head center\" data-reveal>\n      <div class=\"eyebrow\">\u2605 GDPR FAQ \u00b7 Ten Common Asks<\/div>\n      <h2 class=\"title\">Data-protection questions <em>answered up front.<\/em><\/h2>\n      <p class=\"lead\" style=\"margin:0 auto\">Substantive answers to what privacy officers, Big Law procurement, and EU-facing clients routinely ask about how a Bangkok firm handles personal data under GDPR. <em>Click to expand each.<\/em><\/p>\n    <\/div>\n\n    <div class=\"faq-grid\" data-reveal>\n\n      <details class=\"faq\">\n        <summary><span class=\"faq-num\">Q.01<\/span><span>Does GDPR even apply to a Bangkok-based firm?<\/span><span class=\"faq-ic\" aria-hidden=\"true\">+<\/span><\/summary>\n        <div class=\"faq-body\">\n          <p><strong>Yes, where EU data subjects are involved.<\/strong> Under Article 3, GDPR applies extraterritorially \u2014 processing the personal data of individuals in the EU brings a non-EU firm into scope regardless of where it sits. <em>Othello does not treat its Bangkok domicile as an exemption.<\/em> EU-facing engagements are run to GDPR standard, with the EU \u2192 Thailand transfer handled under Standard Contractual Clauses.<\/p>\n        <\/div>\n      <\/details>\n\n      <details class=\"faq\">\n        <summary><span class=\"faq-num\">Q.02<\/span><span>Is Othello a data controller or a data processor?<\/span><span class=\"faq-ic\" aria-hidden=\"true\">+<\/span><\/summary>\n        <div class=\"faq-body\">\n          <p><strong>A data processor.<\/strong> Othello processes personal data inside documents on the documented instructions of the client, who is the controller and determines the purposes. This role allocation is recorded in the engagement and the Article 28 Data Processing Agreement, and it dictates the obligations Othello accepts \u2014 confidentiality, security, sub-processor control, breach notification, audit, and deletion.<\/p>\n        <\/div>\n      <\/details>\n\n      <details class=\"faq\">\n        <summary><span class=\"faq-num\">Q.03<\/span><span>Thailand has no EU adequacy decision \u2014 so how is the transfer lawful?<\/span><span class=\"faq-ic\" aria-hidden=\"true\">+<\/span><\/summary>\n        <div class=\"faq-body\">\n          <p><strong>Through Standard Contractual Clauses, not adequacy.<\/strong> Thailand is not on the EU&#8217;s list of adequate countries, so EU \u2192 Thailand transfers run on the modernised SCCs (Decision (EU) 2021\/914) incorporated into the DPA, accompanied by a <em>Transfer Impact Assessment<\/em> and documented supplementary measures (encryption, access control, minimisation). <em>Othello will not claim Thailand is &#8220;adequate&#8221;<\/em> \u2014 it documents the actual lawful mechanism the regulation requires for a non-adequate third country.<\/p>\n        <\/div>\n      <\/details>\n\n      <details class=\"faq\">\n        <summary><span class=\"faq-num\">Q.04<\/span><span>What is a Transfer Impact Assessment and do you do one?<\/span><span class=\"faq-ic\" aria-hidden=\"true\">+<\/span><\/summary>\n        <div class=\"faq-body\">\n          <p>After the Schrems II ruling, <strong>SCCs alone are not enough<\/strong> \u2014 the data exporter must assess whether the destination country offers protection essentially equivalent to the GDPR, and add supplementary measures where it falls short. That assessment is the <em>Transfer Impact Assessment<\/em>. For EU-origin engagements, the TIA documents the measures \u2014 encryption with Othello-held keys, least-privilege access, in-house processing, minimisation \u2014 and is reassessed at least annually.<\/p>\n        <\/div>\n      <\/details>\n\n      <details class=\"faq\">\n        <summary><span class=\"faq-num\">Q.05<\/span><span>Will you sign a Data Processing Agreement?<\/span><span class=\"faq-ic\" aria-hidden=\"true\">+<\/span><\/summary>\n        <div class=\"faq-body\">\n          <p><strong>Yes.<\/strong> Every EU-facing engagement can run under an Article 28 DPA, available on request and issued under mutual NDA. The DPA records the subject matter, duration, nature and purpose of processing, the types of personal data and categories of data subject, the controller&#8217;s instructions, and Othello&#8217;s obligations \u2014 with the SCCs incorporated for the transfer. <em>The DPA is the instrument; SCCs sit inside it.<\/em><\/p>\n        <\/div>\n      <\/details>\n\n      <details class=\"faq\">\n        <summary><span class=\"faq-num\">Q.06<\/span><span>Do you use machine translation or consumer AI tools on our documents?<\/span><span class=\"faq-ic\" aria-hidden=\"true\">+<\/span><\/summary>\n        <div class=\"faq-body\">\n          <p><strong>No \u2014 not for substantive client content.<\/strong> Othello does not route personal data inside client documents through consumer LLM endpoints or unscreened third-party machine-translation services. Content is processed within Othello-controlled infrastructure by the named bench. <em>Silent data egress to free translation tools is the single most common GDPR failure in the translation market<\/em> \u2014 and the one Othello is built to avoid.<\/p>\n        <\/div>\n      <\/details>\n\n      <details class=\"faq\">\n        <summary><span class=\"faq-num\">Q.07<\/span><span>How fast do you notify us of a personal-data breach?<\/span><span class=\"faq-ic\" aria-hidden=\"true\">+<\/span><\/summary>\n        <div class=\"faq-body\">\n          <p>As a processor, Othello&#8217;s obligation under <strong>Article 33<\/strong> is to notify the controller <em>without undue delay<\/em> on becoming aware of a breach \u2014 so the controller can meet its own 72-hour supervisory-authority deadline. Othello runs a documented incident-response procedure: detection, containment, assessment, controller notification, remediation, and a recorded post-incident review.<\/p>\n        <\/div>\n      <\/details>\n\n      <details class=\"faq\">\n        <summary><span class=\"faq-num\">Q.08<\/span><span>How do you handle data-subject rights requests?<\/span><span class=\"faq-ic\" aria-hidden=\"true\">+<\/span><\/summary>\n        <div class=\"faq-body\">\n          <p>As processor, Othello does not field requests directly from data subjects \u2014 it <strong>assists the controller<\/strong> in honouring them (Articles 15\u201321: access, rectification, erasure, restriction, portability, objection). On the controller&#8217;s instruction, Othello promptly retrieves, corrects, extracts, or deletes the relevant material from Othello-controlled infrastructure and records the action in the audit-trail.<\/p>\n        <\/div>\n      <\/details>\n\n      <details class=\"faq\">\n        <summary><span class=\"faq-num\">Q.09<\/span><span>How long do you keep our documents, and do you confirm deletion?<\/span><span class=\"faq-ic\" aria-hidden=\"true\">+<\/span><\/summary>\n        <div class=\"faq-body\">\n          <p><strong>Only for the agreed retention window, then secure deletion with written confirmation<\/strong> (Article 5 storage limitation). The window is set in the DPA. On engagement close or controller instruction, Othello deletes or returns the data and confirms in writing, with the lifecycle recorded in the audit-trail. <em>No retention &#8220;just in case.&#8221;<\/em><\/p>\n        <\/div>\n      <\/details>\n\n      <details class=\"faq\">\n        <summary><span class=\"faq-num\">Q.10<\/span><span>How does GDPR relate to PDPA, and to Othello&#8217;s wider engagement framework?<\/span><span class=\"faq-ic\" aria-hidden=\"true\">+<\/span><\/summary>\n        <div class=\"faq-body\">\n          <p><strong>PDPA is Othello&#8217;s home regime; GDPR applies to EU-facing work.<\/strong> Thailand&#8217;s PDPA was modelled on GDPR, so the two map closely \u2014 Othello runs one handling discipline (in-house processing, encryption, minimisation, retention control, breach response) calibrated to satisfy the stricter of the two on any point. This sits inside the firm&#8217;s founding standard \u2014 established 2020 on US government contracts under <em>FAR-grade verification and NDA-from-first-email confidentiality<\/em>. See <a href=\"\/certifications\/pdpa\/\">PDPA Compliance<\/a>. Email <a href=\"mailto:info@othelloshop.com?subject=GDPR%20%E2%80%94%20DPA%20Request\">info@othelloshop.com<\/a> or call <a href=\"tel:+6628592145\">+66 02-859-2145<\/a>.<\/p>\n        <\/div>\n      <\/details>\n\n    <\/div>\n  <\/div>\n<\/section>\n\n<!-- ============ FINAL CTA ============ -->\n<section class=\"cta-sec\" id=\"engage\">\n  <div class=\"cta-content\">\n    <h2 data-reveal>Personal data, <em>handled lawfully.<\/em><\/h2>\n    <p data-reveal>Othello runs EU-facing work to <strong>GDPR standard via SCCs and an Article 28 DPA<\/strong> \u2014 processor role, in-house processing, encryption, minimisation, 72-hour breach discipline, confirmed deletion \u2014 and is <em>PDPA-domiciled in Thailand<\/em>. <strong>The transfer basis is documented before any data crosses; the audit-trail is retained Bangkok-side.<\/strong> \u22641 BH acknowledgement \u00b7 DPA on request under mutual NDA.<\/p>\n    <div class=\"cta-buttons\" data-reveal>\n      <a href=\"mailto:info@othelloshop.com?subject=GDPR%20%E2%80%94%20DPA%20Request\" class=\"btn btn-primary\">Request a DPA<\/a>\n      <a href=\"\/contact\/\" class=\"btn btn-outline\">4 Engagement Pathways<\/a>\n    <\/div>\n    <div class=\"cta-note\" data-reveal>\n      <a href=\"tel:+6628592145\"><b>+66 02-859-2145<\/b><\/a> <span class=\"sep\">\u00b7<\/span> <a href=\"mailto:info@othelloshop.com\"><b>info@othelloshop.com<\/b><\/a><br>\n      Unit 12-03, Chartered Square <span class=\"sep\">\u00b7<\/span> 152 N Sathon Rd <span class=\"sep\">\u00b7<\/span> Si Lom <span class=\"sep\">\u00b7<\/span> Bangkok 10500\n    <\/div>\n  <\/div>\n<\/section>\n\n<!-- ============ ENDLINE ============ -->\n<div class=\"endline\">\n  GDPR Compliance <span class=\"r\">\u00b7<\/span> Reg (EU) 2016\/679 <span class=\"r\">\u00b7<\/span> Data Processor \u00b7 Art 28 DPA <span class=\"r\">\u00b7<\/span> SCCs 2021\/914 + TIA <span class=\"r\">\u00b7<\/span> 72-Hour Breach Notice <span class=\"r\">\u00b7<\/span> In-House \u00b7 Encrypted \u00b7 Minimised <span class=\"r\">\u00b7<\/span> PDPA-Domiciled \u00b7 GDPR-Aligned <span class=\"r\">\u00b7<\/span> NDA From First Email <span class=\"r\">\u2014<\/span> Othello International\n<\/div>\n\n<\/div>\n<!-- \/.oth-gdpr PAGE END -->\n<script>\n(function(){\n  if (typeof window === 'undefined' || typeof document === 'undefined') return;\n  var root = document.querySelector('.oth-gdpr');\n  if (!root) return;\n  root.classList.add('js-on');\n  \/\/ safety net: after 4s, reveal anything still hidden\n  setTimeout(function(){ root.querySelectorAll('[data-reveal], [data-reveal-stagger]').forEach(function(el){ el.classList.add('in'); }); }, 4000);\n\n  \/\/ one-FAQ-open-at-a-time\n  var faqs = root.querySelectorAll('details.faq');\n  faqs.forEach(function(f){\n    f.addEventListener('toggle', function(){\n      if (f.open){ faqs.forEach(function(o){ if (o !== f && o.open) o.open = false; }); }\n    });\n  });\n\n  \/\/ smooth in-page anchors\n  root.querySelectorAll('a[href^=\"#\"]').forEach(function(a){\n    a.addEventListener('click', function(e){\n      var id = a.getAttribute('href');\n      if (id.length < 2) return;\n      var t = root.querySelector(id) || document.querySelector(id);\n      if (t){ e.preventDefault(); t.scrollIntoView({behavior:'smooth', block:'start'}); history.pushState(null,'',id); }\n    });\n  });\n\n  \/\/ reveal + counters\n  var revealEls = root.querySelectorAll('[data-reveal], [data-reveal-stagger]');\n  if ('IntersectionObserver' in window &#038;&#038; revealEls.length){\n    var io = new IntersectionObserver(function(entries){\n      entries.forEach(function(e){\n        if (e.isIntersecting){\n          e.target.classList.add('in');\n          var counters = e.target.querySelectorAll('[data-count-to]');\n          counters.forEach(function(c){\n            if (c.dataset.counted) return;\n            c.dataset.counted = '1';\n            var target = parseFloat(c.getAttribute('data-count-to')) || 0;\n            var decimals = parseInt(c.getAttribute('data-count-decimals') || '0', 10);\n            var dur = 1600;\n            var t0 = performance.now();\n            function step(now){\n              var p = Math.min((now - t0) \/ dur, 1);\n              var eased = 1 - Math.pow(1 - p, 3);\n              var val = target * eased;\n              c.textContent = decimals > 0 ? val.toFixed(decimals) : Math.round(val).toLocaleString();\n              if (p < 1) requestAnimationFrame(step);\n              else c.textContent = decimals > 0 ? target.toFixed(decimals) : Math.round(target).toLocaleString();\n            }\n            requestAnimationFrame(step);\n          });\n          io.unobserve(e.target);\n        }\n      });\n    }, { threshold: 0.12, rootMargin: '0px 0px -40px 0px' });\n    revealEls.forEach(function(el){ io.observe(el); });\n  } else {\n    revealEls.forEach(function(el){ el.classList.add('in'); });\n    root.querySelectorAll('[data-count-to]').forEach(function(c){\n      var target = parseFloat(c.getAttribute('data-count-to')) || 0;\n      c.textContent = Math.round(target).toLocaleString();\n    });\n  }\n})();\n<\/script>\n<script type=\"application\/ld+json\">\n{\n  \"@context\": \"https:\/\/schema.org\",\n  \"@graph\": [\n    {\"@type\": \"WebPage\", \"@id\": \"https:\/\/www.othelloshop.com\/certifications\/gdpr\/#webpage\", \"name\": \"GDPR Compliance\", \"description\": \"How Othello International handles personal data under the EU General Data Protection Regulation (Regulation (EU) 2016\/679). Othello acts as a data processor on the client-controller's documented instructions; GDPR applies extraterritorially under Article 3. Thailand holds no EU adequacy decision, so EU-to-Thailand transfers run on Standard Contractual Clauses (Decision (EU) 2021\/914) plus a Transfer Impact Assessment and supplementary measures, under an Article 28 Data Processing Agreement. In-house processing (no consumer LLM endpoints), encryption in transit and at rest, least-privilege access, data minimisation, scheduled deletion, sub-processor screening, 72-hour breach notification, and Record of Processing Activities. PDPA-domiciled in Thailand, GDPR-aligned for EU-facing work.\", \"publisher\": {\"@type\": \"Organization\", \"name\": \"Othello International\", \"url\": \"https:\/\/www.othelloshop.com\/\", \"address\": {\"@type\": \"PostalAddress\", \"streetAddress\": \"Unit 12-03, Chartered Square, 152 North Sathon Road\", \"addressLocality\": \"Bang Rak\", \"addressRegion\": \"Bangkok\", \"postalCode\": \"10500\", \"addressCountry\": \"TH\"}, \"telephone\": \"+66-2-859-2145\", \"email\": \"info@othelloshop.com\"}},\n    {\"@type\": \"BreadcrumbList\", \"itemListElement\": [\n      {\"@type\": \"ListItem\", \"position\": 1, \"name\": \"Home\", \"item\": \"https:\/\/www.othelloshop.com\/\"},\n      {\"@type\": \"ListItem\", \"position\": 2, \"name\": \"Certifications\", \"item\": \"https:\/\/www.othelloshop.com\/certifications\/\"},\n      {\"@type\": \"ListItem\", \"position\": 3, \"name\": \"GDPR\", \"item\": \"https:\/\/www.othelloshop.com\/certifications\/gdpr\/\"}\n    ]},\n    {\"@type\": \"FAQPage\", \"mainEntity\": [\n      {\"@type\": \"Question\", \"name\": \"Does GDPR apply to a Bangkok-based firm?\", \"acceptedAnswer\": {\"@type\": \"Answer\", \"text\": \"Yes, where EU data subjects are involved. Under Article 3, GDPR applies extraterritorially - processing the personal data of individuals in the EU brings a non-EU firm into scope regardless of where it sits. Othello does not treat its Bangkok domicile as an exemption. EU-facing engagements are run to GDPR standard, with the EU-to-Thailand transfer handled under Standard Contractual Clauses.\"}},\n      {\"@type\": \"Question\", \"name\": \"Is Othello a data controller or a data processor?\", \"acceptedAnswer\": {\"@type\": \"Answer\", \"text\": \"A data processor. Othello processes personal data inside documents on the documented instructions of the client, who is the controller and determines the purposes. This is recorded in the engagement and the Article 28 Data Processing Agreement, dictating the obligations Othello accepts: confidentiality, security, sub-processor control, breach notification, audit, and deletion.\"}},\n      {\"@type\": \"Question\", \"name\": \"Thailand has no EU adequacy decision, so how is the transfer lawful?\", \"acceptedAnswer\": {\"@type\": \"Answer\", \"text\": \"Through Standard Contractual Clauses, not adequacy. Thailand is not on the EU's list of adequate countries, so EU-to-Thailand transfers run on the modernised SCCs (Decision (EU) 2021\/914) incorporated into the DPA, accompanied by a Transfer Impact Assessment and documented supplementary measures such as encryption, access control, and minimisation. Othello documents the actual lawful mechanism rather than claiming adequacy it does not have.\"}},\n      {\"@type\": \"Question\", \"name\": \"What is a Transfer Impact Assessment and does Othello do one?\", \"acceptedAnswer\": {\"@type\": \"Answer\", \"text\": \"After Schrems II, SCCs alone are not enough - the data exporter must assess whether the destination country offers protection essentially equivalent to the GDPR and add supplementary measures where it falls short. That is the Transfer Impact Assessment. For EU-origin engagements, the TIA documents the measures (encryption with Othello-held keys, least-privilege access, in-house processing, minimisation) and is reassessed at least annually.\"}},\n      {\"@type\": \"Question\", \"name\": \"Will Othello sign a Data Processing Agreement?\", \"acceptedAnswer\": {\"@type\": \"Answer\", \"text\": \"Yes. Every EU-facing engagement can run under an Article 28 DPA, available on request and issued under mutual NDA. The DPA records the subject matter, duration, nature and purpose of processing, the types of personal data and categories of data subject, the controller's instructions, and Othello's obligations, with the SCCs incorporated for the transfer.\"}},\n      {\"@type\": \"Question\", \"name\": \"Does Othello use machine translation or consumer AI tools on client documents?\", \"acceptedAnswer\": {\"@type\": \"Answer\", \"text\": \"No, not for substantive client content. Othello does not route personal data inside client documents through consumer LLM endpoints or unscreened third-party machine-translation services. Content is processed within Othello-controlled infrastructure by the named bench. Silent data egress to free translation tools is the single most common GDPR failure in the translation market.\"}},\n      {\"@type\": \"Question\", \"name\": \"How fast does Othello notify a personal-data breach?\", \"acceptedAnswer\": {\"@type\": \"Answer\", \"text\": \"As a processor, Othello's obligation under Article 33 is to notify the controller without undue delay on becoming aware of a breach, so the controller can meet its own 72-hour supervisory-authority deadline. Othello runs a documented incident-response procedure: detection, containment, assessment, controller notification, remediation, and a recorded post-incident review.\"}},\n      {\"@type\": \"Question\", \"name\": \"How does Othello handle data-subject rights requests?\", \"acceptedAnswer\": {\"@type\": \"Answer\", \"text\": \"As processor, Othello does not field requests directly from data subjects - it assists the controller in honouring them under Articles 15 to 21 (access, rectification, erasure, restriction, portability, objection). On the controller's instruction, Othello promptly retrieves, corrects, extracts, or deletes the relevant material from Othello-controlled infrastructure and records the action in the audit-trail.\"}},\n      {\"@type\": \"Question\", \"name\": \"How long does Othello keep documents and is deletion confirmed?\", \"acceptedAnswer\": {\"@type\": \"Answer\", \"text\": \"Only for the agreed retention window, then secure deletion with written confirmation (Article 5 storage limitation). The window is set in the DPA. On engagement close or controller instruction, Othello deletes or returns the data and confirms in writing, with the lifecycle recorded in the audit-trail.\"}},\n      {\"@type\": \"Question\", \"name\": \"How does GDPR relate to PDPA and Othello's wider framework?\", \"acceptedAnswer\": {\"@type\": \"Answer\", \"text\": \"PDPA is Othello's home regime; GDPR applies to EU-facing work. Thailand's PDPA was modelled on GDPR, so the two map closely. Othello runs one handling discipline (in-house processing, encryption, minimisation, retention control, breach response) calibrated to satisfy the stricter of the two on any point. This sits inside the firm's founding standard, established 2020 on US government contracts under FAR-grade verification and NDA-from-first-email confidentiality.\"}}\n    ]}\n  ]\n}\n<\/script>\n\n\n\n","protected":false},"excerpt":{"rendered":"<p>COMPLIANCE \u00b7 GDPR \u00b7 DATA-PROCESSOR DISCIPLINE \u00b7 EU \u2192 BANGKOK UNDER SCCs Art 28 DPA \u00b7 72-hour breach notice \u00b7 NDA from first email Othello \/ Certifications \/ GDPR \u2605 GDPR-ALIGNED \u00b7 DATA PROCESSOR \u00b7 SCCs + TIA \u00b7 ART 28 DPA \u00b7 NDA-FIRST \u00b7 PDPA-DOMICILED GDPR. Processor-grade discipline, EU to Bangkok. Othello International processes [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"parent":30875,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_yoast_wpseo_title":"GDPR Compliance \u2014 Data Protection | Othello","_yoast_wpseo_metadesc":"How Othello International handles personal data under the EU GDPR \u2014 secure processing and confidentiality for translation and ESG advisory clients.","_yoast_wpseo_focuskw":"gdpr compliance","_yoast_wpseo_canonical":"","rank_math_title":"GDPR Compliance \u2014 Data Protection | Othello","rank_math_description":"How Othello International handles personal data under the EU GDPR \u2014 secure processing and confidentiality for translation and ESG advisory clients.","rank_math_focus_keyword":"gdpr compliance","rank_math_canonical_url":"","_yoast_wpseo_meta-robots-noindex":"","_yoast_wpseo_meta-robots-nofollow":"","_yoast_wpseo_opengraph-title":"","_yoast_wpseo_opengraph-description":"","_yoast_wpseo_twitter-title":"","_yoast_wpseo_twitter-description":"","footnotes":"","rank_math_robots":["index"]},"class_list":["post-30959","page","type-page","status-publish","hentry"],"jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.othellointernational.com\/th\/wp-json\/wp\/v2\/pages\/30959","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.othellointernational.com\/th\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/www.othellointernational.com\/th\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/www.othellointernational.com\/th\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.othellointernational.com\/th\/wp-json\/wp\/v2\/comments?post=30959"}],"version-history":[{"count":4,"href":"https:\/\/www.othellointernational.com\/th\/wp-json\/wp\/v2\/pages\/30959\/revisions"}],"predecessor-version":[{"id":31896,"href":"https:\/\/www.othellointernational.com\/th\/wp-json\/wp\/v2\/pages\/30959\/revisions\/31896"}],"up":[{"embeddable":true,"href":"https:\/\/www.othellointernational.com\/th\/wp-json\/wp\/v2\/pages\/30875"}],"wp:attachment":[{"href":"https:\/\/www.othellointernational.com\/th\/wp-json\/wp\/v2\/media?parent=30959"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}