Customer Privacy Notice
German Auto Company Limited (“we”, “us”, “our”) recognizes the importance of privacy and the protection of the personal data of our customers, service users, and visitors to our websites, applications, mobile platforms, or systems (collectively, “Customers” or “you”). We have therefore established this privacy notice to inform you of our practices regarding the collection, use, disclosure, retention, and destruction (“Processing”) of personal data, as well as the various rights you are entitled to under the Personal Data Protection Act, B.E. 2562 (2019) (PDPA). This is to ensure you can use our websites, applications, mobile platforms, customer service center (call center), social network sites, online communication channels, events, and all other locations with confidence.
This privacy notice applies only to data subjects in their capacity as our customers. If you visit other websites, even through links on our site, the protection of your personal data will be subject to the privacy policy of that third party, with which we are not involved.
1. Personal Data We Collect
Personal Data means any information relating to a natural person that enables the identification of such person, whether directly or indirectly, but does not include the data of deceased persons specifically.
Special Category of Personal Data includes information such as religion, health data, disabilities, biometric data (e.g., fingerprints, facial recognition data), criminal records, and so on.
We collect personal data directly from you (e.g., through correspondence, contracts, service usage) and may also collect your personal data from other sources, such as the BMW Group, business partners, affiliated companies, government agencies, and social media networks.
The types of personal data may be categorized as follows:
Data Category | Examples of Personal Data |
Personal Details | E.g., Title, name-surname, gender, age, blood type, nationality, date of birth, marital status, occupation, job title, business type, income, years of work, data from official documents (e.g., National ID number, passport number, tax ID number, driver’s license details), name/surname change documents, birth certificate, marriage/divorce certificate, documents for foreign nationals, work permit, certificate of residence, house registration, land title deed, socio-cultural data, photographs, CCTV recordings, conversation recordings, life insurance data, visa-related documents, withholding tax certificate, VAT registration, user profile (e.g., configured news, voice providers), and other legal documents. |
Contact Details | E.g., Postal address, shipping details, billing address, telephone number, fax number, map, location data, email address, LINE ID, Facebook account, Instagram ID, and other IDs from social networking sites. |
Financial Details | E.g., Bank account details, bank statements, loan amount, financial contract details (e.g., amount, contract type, status, down payment, balloon payment, installment amount, guarantor’s name, down payment term, product type, balloon payment behavior), check details, credit records, financial instrument details, deposit details, tax amount, balance, outstanding debt, financial statements, company certificate, list of shareholders, and other financial data. |
Vehicle Details | E.g., Vehicle Identification Number (VIN), license plate number, make, model, year, color, engine number, chassis number, vehicle type, mileage, battery, voltage, door and tailgate characteristics, fuel level, brake wear, position and movement data (e.g., time, location, speed), traffic data, environmental data, sensor data (e.g., radar, ultrasonic devices, gestures, sound), vehicle insurance details, loan insurance, compulsory insurance, and gap insurance, residual value, accessories/custom parts, vehicle registration book (bluebook), vehicle price, next service appointment date, vehicle inspection documents, ConnectedDrive details and functionality, GPS data and vehicle location, vehicle history reports, summons and letters from police, and other vehicle-related data. |
Transaction Details | E.g., Payment details (to and from you), payment date and/or time, payment amount, refund request details, date and place of purchase, address/date and time of receipt or delivery, service request form, acceptance form, recipient’s signature, receipt, invoice, transaction history, location, transaction status, purchasing behavior, and other details of products and services you purchased, deposit/payment slip, payment card, complaints and claims, desired purchase time, and outstanding debt. |
Technical Details | E.g., Internet Protocol (IP) address, Telemetry data. |
Behavioral Details | E.g., Details about behavior, lifestyle, attitude, and other interaction data. |
Profile Details | E.g., ConnectedDrive account, myBMW account, myMINI account, login name or username, profile picture, contact history, complaint history, past orders, purchase history, your interests, preferences, feedback, and satisfaction survey responses. |
Marketing and Communication Details | E.g., Your preferences for receiving marketing from us, our affiliates, subsidiaries, third parties, the BMW Group, business partners, and your communication preferences. |
Special Category of Personal Data | E.g., Religion, health data (e.g., congenital diseases, food allergies), disabilities, biometric data (e.g., fingerprints, facial recognition), criminal records. |
Other Identifying Data | E.g., Behavioral data, vehicle information, third-party data, and any other data that can identify you. |
2. Necessity of Processing Personal Data
In cases where we need to collect your personal data to enter into or perform a contract or to comply with the law, if you do not provide such personal data, we may be unable to proceed with your request.
If we receive a copy of your National ID card or any other document for identity verification or for any transaction with us, the document may contain your religion or other special category of personal data. We do not have a policy to collect such data unless there is a specific legal basis. Therefore, we request that you conceal or black out such information before submission. If you fail to do so, we will manage the document according to our internal practices and as permitted by law, such as by concealing or blacking out the information ourselves.
If you provide us with the personal data of a third party (e.g., name, address, phone number for emergency contact or debt collection, family member’s income), please inform that person of this privacy notice and/or obtain consent as necessary.
We process the personal data of minors, quasi-incompetent persons, and incompetent persons only when there is a legal basis. If necessary, we will also obtain consent from their legal guardian. If we become aware that we have processed the data of such individuals without legal compliance, we will take appropriate action promptly.
3. Legal Bases and Purposes for Processing Personal Data
We will process your personal data only under legal bases permitted by law, such as obtaining consent for specific activities, performance of a contract, legal obligation, preventing harm to life or health, legitimate interest, managing legal claims, complying with labor protection laws, or other bases as permitted by law (depending on the activity). If no other basis can be used, we will request your consent.
We process data to fulfill the following purposes:
3.1 Product and Service Management: E.g., receiving contact information, providing consultation, offering products and services, arranging test drives, managing special offers.
3.2 Contract Fulfillment: E.g., executing booking contracts, managing contracts (e.g., hire-purchase, insurance), vehicle delivery, shipping, refunds, exchanges, managing special campaigns, delivering complimentary gifts, providing guidance on system connectivity, and vehicle trade-ins.
3.3 After-Sales Service: E.g., scheduling appointments, providing consultation, servicing, vehicle repairs, confirming additional repairs, vehicle returns, follow-ups on vehicle issues, managing technical problems, providing technical assistance, and sending service reminders.
3.4 Customer Relationship Management: E.g., communicating about products and services from us, the BMW AG Group, affiliates, and business partners, updating your member information, tracking satisfaction, facilitating product use, organizing prize draws and special events, recording images and videos at events, promoting events, following up with past customers, and sending insurance reminders.
3.5 Marketing and Communication: E.g., providing marketing information, remarketing, communicating campaigns, sales, special offers, promotions, news, and information about other products and services from us, the BMW AG Group, affiliates, and/or business partners, personalizing products and services, and data analysis.
3.6 Transaction Management: E.g., assisting with loan applications to financial institutions, managing insurance, insurance fund returns, obtaining repair approvals, vehicle inspections, managing refunds, receiving payments, managing receipts, and vehicle registration.
3.7 Organizational Management: E.g., auditing delivery information, managing customer databases, undergoing audits by the BMW AG Group, preparing reports, fraud prevention, complaint management, risk management, and service improvement.
3.8 Legal Compliance: E.g., Know Your Customer (KYC), tax management, insurance management.
3.9 Other Activities: E.g., information technology management, security, business transfers or mergers, preventing harm to life, body or health, debt collection, dispute resolution, and protecting our interests.
4. Parties to Whom We May Disclose Your Personal Data
We may disclose your personal data for the purposes under this notice to the following third parties. You can view the privacy policies of these parties to learn how they process your personal data.
4.1 Government Agencies: E.g., the Revenue Department, Royal Thai Police, Anti-Money Laundering Office, courts.
4.2 BMW Group: As an official dealer of BMW (Thailand) Co., Ltd., we are part of the BMW Group (which includes companies in Thailand and abroad under BMW AG). We cooperate to provide various services and systems to customers. We may need to disclose or grant access to your personal data to other companies within the BMW Group for the purposes stated in this notice. This allows other companies in the BMW Group to rely on the consent we have obtained or other legal bases.
4.3 Our Service Providers: We may engage other companies, agents, or contractors to provide services on our behalf or to assist in providing products and services to you. We may share your personal data with these external service providers, such as IT providers, logistics and transport providers, payment providers, market analysis providers, marketing and advertising media, campaign organizers, telecommunication providers, external administrative services, data storage and cloud providers, and printing services.
4.4 Our Business Partners: We may disclose your personal data to our business partners to conduct business and provide services related to banking, finance, credit, loans, vehicles, insurance, telecommunications, marketing, retail, wholesale, and equipment rental, as well as platform vendors with whom we may jointly offer products or services.
4.5 Other Third Parties: E.g., consultants, lawyers, technical staff, auditors, assignees of rights or debts, associations, and non-profit organizations.
5. Personal Data Retention Period
We will retain your personal data for the period necessary to achieve the purposes related to this privacy notice. It may be necessary to retain the data afterward if required by law, for example, for 10 years in accordance with the civil law prescription period.
6. Your Rights as a Data Subject
You have the right to take action under the Personal Data Protection Law. We may ask you to verify your identity before fulfilling your request.
6.1 Right to withdraw consent: You have the right to withdraw your consent at any time for activities to which you have given consent, subject to conditions prescribed by law.
6.2 Right to access: You have the right to access and receive a copy of your personal data under our responsibility, and to request that we disclose how we obtained your personal data, subject to conditions prescribed by law.
6.3 Right to data portability: You have the right to receive your personal data if we have arranged it in an electronic format that is readable or commonly used by automated means. You also have the right to request that we transfer such data to another data controller automatically, and the right to directly receive the data that we transfer to another data controller, subject to conditions prescribed by law.
6.4 Right to object: You have the right to object to the processing of your personal data, subject to conditions prescribed by law.
6.5 Right to erasure: You have the right to request the erasure or destruction of your personal data, subject to conditions prescribed by law.
6.6 Right to restriction of processing: You have the right to request the temporary suspension of the use of your personal data, subject to conditions prescribed by law.
6.7 Right to rectification: You have the right to request that your personal data be corrected, updated, complete, and not misleading, subject to conditions prescribed by law.
6.8 Right to lodge a complaint: You have the right to complain to the expert committee under the PDPA if you believe we have violated or failed to comply with the law.
You can exercise your rights as a data subject by contacting our Data Protection Officer using the details at the end of this document. We may refuse your request only in cases specified by law, such as a prohibiting court order, and we will inform you of the outcome within the period prescribed by law. If we deny the request, we will inform you of the reason for the denial.
7. Personal data security
We will maintain the security of your personal data in accordance with the principles of confidentiality, integrity, and availability. This is to prevent loss, unauthorized access, use, alteration, correction, or disclosure. We will implement security measures for personal data that comply with legal requirements.
8. International Transfers of Personal Data
We may transfer personal data to the BMW Group, third parties, or servers located outside of Thailand. We will follow the procedures stipulated by the PDPA and implement measures to ensure that your personal data is transferred securely and that the receiving party has appropriate protection standards or that other exceptions permitted by law apply.
9. Cookies and Similar Technologies
When you visit our website, we automatically collect certain information from you using cookies for your Browse history. Cookies are small text files that a website copies to your hard disk; they do not damage your computer and contain no viruses. As a rule, cookies are used on our website for the duration of your session for anonymous statistical evaluation and to improve usability. Occasionally, cookies may be used for other purposes in certain sections of the website; you will be notified if you access these sections.
Additionally, we install pixels, an analysis tool we use to understand you better based on your activities on our website. This helps us get to know you better. You can disable cookie and pixel settings by going to your browser’s settings and adjusting your privacy settings to restrict data collection.
When we use social plugins on our website from social media like Facebook and Twitter, we implement them in a way that when you visit our site, the plugins are deactivated. This means no data is transmitted to the providers of these networks. If you wish to use one of the networks, simply click the social plugin to connect to the respective server. If you have an account on that network and are logged in when you activate the plugin, the network can associate your visit with your user account. If you do not want this, please log out of the network before activating the social plugin. The social network cannot associate a visit to other websites until you have activated an existing social plugin there as well. When you activate a social plugin, the network transfers the content that becomes available directly to your browser, which integrates it into our websites. In this case, data transfer that is initiated and controlled by the respective social network may also take place. Your connection to a social network, the data transfers taking place between the network and your system, and your interactions on that platform are governed by the privacy policies of that network.
10. Contact Information
If you have questions, complaints, access requests, or any inquiries regarding this privacy notice and/or wish to verify what personal data of yours is in our possession, you can contact us through our channels:
German Auto Company Limited: 441 Thepharat Road, Bang Na Nuea, Bang Na, Bangkok
Data Protection Officer
Email : dpo@bmw-germanauto.com
11. Amendments to this Privacy Notice
We may update this Privacy Notice from time to time to reflect changes in our practices, technology, or legal requirements. We will notify you of any significant changes through our website or our other communication channels.
This notice was last updated and is effective from September 1, 2025.
