PRIVACY POLICY
WECO Co., Ltd
We co., Ltd. prioritizes the establishment of measures to protect the personal data of customers and/or users, particularly
the right to privacy of visitors and/or website users. It is important to be aware of the expectations
of visitors/website users regarding the protection of data provided to the company through this website.
The information that visitors/website users provide to Weco Co., Ltd. through this website will be appropriately protected.
Therefore, Weco would like to announce the following personal data protection policy for customers.
Customer Personal Data Protection Policy
Section 1: General information about Weco
1. What services does Weco offer?
WECO Co., Ltd. provide comprehensive, innovative, and reliable IT solutions that truly empower our clients.
IT Consulting & Design Solutions – Tailored strategies for your unique needs
IT Product & Service Supply – From hardware to software, we’ve got you covered
Helpdesk & Support Services – Fast, efficient, and always there when you need us
Manpower & Maintenance (MA) – Skilled professionals to keep your systems running smoothly
Section 2: Personal Data Protection Principles
“Weco provides consulting services in computer systems, network design and implementation, and information security solutions. Our goal is to become a trusted advisor who truly understands our clients’ business needs.
We take pride in the reliability and international-level security of our services, including system installation and comprehensive support for various solutions and services.
We place strong emphasis on implementing measures to protect personal data and ensure information security. These principles are core to how we care for our clients and users. This also reflects our readiness to comply with the Personal Data Protection Act B.E. 2562 (2019).”
1. The fundamental principles to protect privacy and information security
Weco offers infrastructure services related to information systems that require global-scale security. When providing these services, we adhere to three fundamental principles to protect the privacy of Personal Data and ensure information security, as follows:
1.1 Confidentiality
1.2 Integrity
1.3 Availability
2. Personal Data Protection Act B.E. 2562
The Personal Data Protection Act B.E. 2562 (“PDPA”) aims to safeguard Personal Data. Therefore, important principles have been set forth in the Personal Data Protection Act, as follows:
2.1 To determine the definition of Personal Data and its types.
2.2 Any action involving Personal Data, including collection, use, disclosure, or transfer, should adhere to specific purposes.
2.3 The rights of the Personal Data Subject to access, update, and delete Personal Data.
2.4 Responsibilities of the Data Controller and Data Processor.
3. What is “Personal Data”?
“Personal Data” refers to any information relating to a person that allows for their direct or indirect identification, but not including the information of deceased individuals and business contact information such as the name and address of a company or its Juristic Person’s Registration Number.
3.1 Personal Data that directly identifies an individual includes name, address, ID card number, passport number, Social Security number, etc.
Biometric data is information obtained through techniques or technologies that use physical features or behavior of an individual to identify them, such as facial recognition, iris recognition, fingerprints, etc.
3.2 Data that may indirectly identify an individual
Data that can be linked, such as when two sets of information, whether within the same system or across different systems, can be combined to identify a person.
4. How many types of Personal Data are there?
Personal Data can be divided into two categories:
4.1 Personally Identifiable Information (PII), which may also indirectly identify an individual.
4.2 Sensitive Data, such as race, ethnicity, political opinions, religion, genetic data, biometric data, etc.
5. Collection of Personal Data
This must be carried out with the consent of the Personal Data Subject unless otherwise prescribed by law.
6. Use or disclosure of Personal Data
This must align with the purpose for which the Personal Data Subject has provided consent unless otherwise prescribed by law.
7. Processing of Personal Data
refers to any action that involves automated methods of collecting, using, disclosing, rectifying, providing summary reports, as well as sending or transferring Personal Data.
8. Implementation of security measures
to safeguard Personal Data from unauthorized disclosure or to prevent information leakage.
9. Cross-border transfer of Personal Data
or to locations outside the kingdom, which requires obtaining prior consent from the Personal Data Subject, unless it is a legally mandated action.
10. The Data Subject
refers to a natural person whose Personal Data, whether directly or indirectly, can identify them. For example, a password that needs to be used together with another set of information, such as the Personal Data Subject’s name and surname, to identify their identity.
11. The Data Controller
refers to an individual who has the authority to make decisions regarding the processing of Personal Data, including its collection, use, or disclosure. They are also responsible for processing Personal Data in accordance with the request of the Personal Data Subject, allowing them to exercise their rights to access, edit, and correct their Personal Data to ensure its accuracy or update it, as well as request the deletion of Personal Data.
12. The Data Processor
refers to an individual or juristic person who operates in the collection, use, or disclosure of Personal Data in accordance with the instructions or on behalf of the Data Controller.
Section 3: Compliance with the Personal Data Protection Act
To comply with the requirements of the Personal Data Protection Act, Weco has formulated a policy to operate in alignment with the principles outlined in the aforementioned law, as follows:
1. The collection and purposes of Personal Data collection
Weco collects Personal Data only as deemed necessary for legitimate purposes. The data will be collected directly from the Personal Data Subject, and Weco will inform the Personal Data Subject prior to or at the time of collection unless they are already aware of the details. The mentioned details encompass the following:
1.1 Purpose of collecting Personal Data for use or disclosure.
1.2 Personal Data which shall be collected, used, or disclosed.
1.3 In the event that the Personal Data Subject must provide Personal Data to comply with a law or contract or if it is necessary to provide Personal Data to enter into a contract, as well as informing about the potential consequences of not providing the Personal Data.
1.4 The types of individuals or organizations to which Personal Data collected may be disclosed.
1.5 Rights of the Personal Data Subject.
1.6 Collection of Personal Data in other cases where the consent of the Personal Data Subject is not required, in accordance with the Personal Data Protection Act.
2. Use of cookies
The Weco website utilizes cookies, which are text files designed to record the usage or origin of visits to the Weco website. Customers or users of the Weco website have the ability to manage their browser cookies through their browser settings. Generally, customers or service users can set up their browsers to prevent accepting cookies from the website, receive notifications when they receive new cookies, refuse new cookies, and delete cookies from the Weco website when needed.
3. Collecting Personal Data from other sources
In cases where Weco needs to collect data from a source other than directly from the Personal Data Subject or where Personal Data is not collected without the explicit consent of the Personal Data Subject in accordance with the Personal Data Protection Act,
Weco will only do so when absolutely necessary for the Company’s business operations and to provide benefits to its customers or users. The Personal Data Subject will be promptly notified about such actions, either directly or through announcements on the Company’s website. This applies to the following cases:
3.1 Research studies or statistics
3.2 Sales and Marketing
3.3 Advertising
3.4 Recruitment
3.5 Any other necessary and relevant actions
Weco is committed to implementing appropriate protection measures to safeguard the rights and freedoms of Personal Data Subjects. The Company places great importance on defining the conditions or principles individuals must prioritize when sharing necessary data with Weco. This ensures that their actions are righteous and in compliance with the Personal Data Protection Act.
4. Usage or disclosure of Personal Data
Weco will only use or disclose Personal Data when necessary and in accordance with the purpose of collection. Prior consent or notification (as applicable) will be obtained or provided to ensure that the Personal Data Subject is aware of such usage or disclosure, enabling effective services or fulfillment of legal obligations. Weco may disclose Personal Data to the following parties:
4.1 Affiliates
4.2 Business partners
4.3 Domestic and international data processing service providers
4.4 Government agencies or officials exercising legal authority
By disclosing Personal Data to such parties, Weco will ensure that they maintain the confidentiality of the Personal Data and restrict its use to the defined scope established by Weco. The Personal Data provided to Weco will be stored in the data center (cloud) of a third-party data processing provider, with servers located overseas. The transfer of customer Personal Data to the third-party data processing service provider is conducted with the objective of facilitating service provision, ensuring secure data storage, facilitating data retrieval services, and serving as a backup. Weco has undertaken a thorough review and selection process for the service provider and has established an agreement regarding data security measures and the extent of data processing. By providing Personal Data to Weco, you are deemed to have consented to the cross-border transfer and overseas storage of your Personal Data for the aforementioned purposes.
However, if you suspect that an individual to whom Weco has disclosed your Personal Data as mentioned above has utilized it beyond the specified scope, you can notify Weco as outlined in this Privacy Policy to initiate the appropriate action.
Furthermore, Weco may need to disclose your Personal Data to fulfill legal obligations. This may occur when data needs to be shared with government agencies, regulatory bodies responsible for overseeing service provisions, or entities supervising service users. Additionally, Weco may receive requests, supported by lawful authority, to disclose data for purposes such as legal prosecutions or from private agencies or other third parties involved in the legal process. In addition, the disclosure of data may occur when it is reasonably necessary to enforce Weco’s Terms and Conditions or in the context of organizational restructuring, amalgamation, or business acquisition. In such cases, Weco may transfer your Personal Data, either in whole or in part, to the relevant companies as required.
5. Retention of Personal Data
Weco will only retain your Personal Data for as long as reasonably necessary to fulfill the purposes stated in this Personal Data Privacy Policy and as required by applicable laws. If legal or disciplinary actions are initiated, Weco may be obligated to retain your Personal Data until the completion of such proceedings, including the duration for any appeals. Subsequently, your Personal Data will be deleted or archived in compliance with relevant laws. Once your Personal Data is no longer necessary or when there is no legal obligation to retain it, Weco will delete or destroy the Personal Data without prior notification.
6. Sending or transferring Personal Data
In the event that Personal Data is sent or transferred overseas, Weco will proceed with such transfer only if the receiving country possesses adequate Personal Data protection standards and meets the criteria established by the Personal Data Protection Committee of that country. This will be done unless prescribed by laws or with the consent of the Personal Data Subject, and the Personal Data Subject is informed of the inadequate personal data protection standards of the destination country.
Weco will implement the aforementioned measures when sending or transferring Personal Data overseas. This applies when sending or transferring Personal Data to Data Controllers or Processors who are located overseas and are affiliated with or in the same business network for the purpose of conducting joint business. In such case, Weco will take appropriate protective measures to comply with the criteria set forth by the Personal Data Protection Committee. These measures include enforcing the rights of the Personal Data Subject and implementing effective legal remedial measures.
7. Processing the Personal Data of minors
Weco does not provide services to minors under 20 years of age unless such person is using the service solely under the supervision or approval of a parent or guardian.
8. Security measures
Weco understands the importance of implementing security measures when providing services to customers or service users to prevent unauthorized access, usage, disclosure, sharing, alteration, duplication, or deletion of Personal Data.
Weco would like to assure customers or service users that its services have been certified and have implemented security measures and Personal Data protection in accordance with international standards, as specified in Article 5. Regular reviews and assessments are conducted to enhance security measures, ensuring their appropriateness and effectiveness in handling technological advancements and countering the increasing complexity of online threats. These actions are taken to comply with the regulations established by the Personal Data Protection Committee.
9. Rights of the Data Subject
9.1 Customers or service users who are the owners of the Personal Data have the right to request access and obtain a copy of their Personal Data. They also have the right to request disclosure regarding the acquisition of any Personal Data that they have not given consent to. In addition, they have the right to request rectification to ensure that their Personal Data is current, as well as to obtain Personal Data related to them in a format that can be read or used by an automated tool or device. Furthermore, they have the right to request the transfer of their Personal Data to another Data Controller if such transfer can be facilitated in an automated manner. However, it is important to note that these actions must not infringe upon the rights or freedoms of other individuals and must comply with the provisions specified in the Personal Data Protection Act.
9.2 Customers or service users who are the owners of the Personal Data have the right to request the Data Controller to delete, destroy, or anonymize their data if its retention is no longer necessary for the purpose for which it was collected, used, or disclosed.
9.3 Customers or service users who are the owners of the Personal Data have the right to withdraw their consent for the collection, use, or disclosure of their Personal Data. However, it is important to note that the withdrawal of consent will not affect the collection, use, or disclosure of the Personal Data that has already been legally obtained with the individual’s consent. The Data Controller is responsible for informing the Personal Data Subject about the consequences of withdrawing consent.
10. Actions when Personal Data is infringed
Weco has established procedures and processes to manage cases where there is a breach of Personal Data. In the event of such a breach, Weco will report the incident to the Office of the Personal Data Protection Commission without delay, within 72 hours from the date of knowledge of the incident, unless it is determined that the violation poses no risk to the rights and freedoms of the individual. If the violation has a high risk of affecting the rights and freedoms of the individual, Weco will take appropriate measures to notify the Personal Data Subject about the breach and provide guidelines for remedies without delay, or take any other action as prescribed by the Personal Data Protection Committee.
11. Appointment of the Data Protection Officer
Weco has appointed a Data Protection Officer (DPO) to manage and protect the Personal Data in accordance with the legal requirements of the Personal Data Protection Act B.E. 2562. The DPO is responsible for providing advice, monitoring the handling of Personal Data, and collaborating with the Office of the Personal Data Protection Commission (PDPC).
12. Data Governance
Weco acknowledges the significance of data governance in safeguarding the privacy and security of Personal Data, demonstrated by granting DPOs the autonomy to fulfill their legal responsibilities. Additionally, Weco places emphasis on conducting regular assessments of its service systems by independent auditors who hold certifications aligned with international standards. Weco’s systems are certified in accordance with ISO/IEC 27001 (Information Security Management Systems (ISMS)).
Weco has established a system to monitor actions for the protection of Personal Data and ensuring its deletion and destruction after the designated retention period, such as removing data stored in cookies. Furthermore, if requested by the Personal Data Subject or if the Personal Data Subject withdraws their consent, their Personal Data will be deleted unless the collection of such data without consent is required by the Personal Data Protection Act and appropriate safeguards are in place to protect the rights and freedoms of the Personal Data Subject. Exceptions to this may include:
12.1 Fulfilling the purpose of documenting history or creating archives for the public benefit or to support educational or research endeavors.
12.2 Preventing or suppressing a danger to a person’s life, body, or health.
12.3 When it is necessary to comply with a contract in which the Personal Data Subject is a party or to process the Personal Data Subject’s request prior to entering into that contract.
12.4 When it is necessary for the Data Controller to carry out duties for the public interest or exercise the authorized power granted by the state.
12.5 In cases where sensitive Personal Data, such as race, ethnicity, religion, biometric data, etc., needs to be collected in compliance with the Preventive Medicine Law for purposes such as medical treatment, health management, public health benefits, labor protection, social security, National Health Insurance, scientific research studies, history or statistics, or other public interest or important public interest as prescribed by the Committee.