Privacy Notice for Business Partners
German Auto Company Limited (“we”, “us”, “our”) recognizes the importance of the privacy and protection of our business partners’ personal data. We have therefore established this privacy notice to inform you about our practices regarding the collection, use, disclosure, retention, and destruction (“Processing”) of personal data, as well as the various rights you are entitled to as a data subject under the Personal Data Protection Act, B.E. 2562 (2019) (PDPA).
This notice is intended for data subjects related to the management of our business partnerships, such as business partners, service providers, contractors, and relevant third parties (e.g., coordinators, contact persons), collectively referred to as “Business Partners” or “you“.
This privacy notice applies only to data subjects in their capacity as our business partners. If you visit other websites, even through links on our site, the protection of your personal data will be subject to the privacy policy of that third party, with which we are not involved.
1. Personal Data We Collect
Personal Data means any information relating to a natural person that enables the identification of such person, whether directly or indirectly, but does not include the data of deceased persons specifically.
Special Category of Personal Data includes information such as religion, health data, disabilities, biometric data (e.g., fingerprints, facial recognition data), criminal records, and so on.
We collect personal data directly from you (e.g., through correspondence, contracts, service usage) and may also collect your personal data from other sources, such as affiliated companies, other companies, business partners, government agencies, and social media networks.
The types of personal data may be categorized as follows:
Data Category | Examples of Personal Data |
Personal Details | E.g., Title, name-surname, gender, age, nationality, date of birth, marital status, occupation, job title, business type, income, years of work, data from official documents (e.g., National ID number, passport number), work permit, certificate of residence, house registration, company certificate, taxpayer ID number, signature. |
Contact Details | E.g., Telephone number, postal address, email address, LINE ID, or other similar information. |
Financial Details | E.g., Bank account details, bank statements, financial information, VAT information, payment agreements, relevant contract details. |
Employment Details | E.g., Service history, training history. |
Technical Details | E.g., IP address, videos, CCTV footage, information system usage data, GPS location. |
Special Category of Personal Data | E.g., Religion, health data (e.g., congenital diseases, food allergies), disabilities, biometric data (e.g., fingerprints, facial recognition data), criminal records. |
Other Identifying Data | E.g., Data processed based on the legal relationship between us (from contracts, evaluations, communications). |
2. Necessity of Processing Personal Data
In cases where we need to collect your personal data to enter into or perform a contract or to comply with the law, if you do not provide such personal data, we may be unable to proceed with your request.
If we receive a copy of your National ID card or any other document for identity verification or for any transaction with us, the document may contain your religion or other special category of personal data. We do not have a policy to collect such data unless there is a specific legal basis. Therefore, we request that you conceal or black out such information before submission. If you fail to do so, we will manage the document according to our internal practices and as permitted by law, such as by concealing or blacking out the information ourselves.
If you provide us with the personal data of a third party (e.g., name, surname, address, telephone number for business contact), please inform that person of this privacy notice and/or obtain their consent as necessary.
We process the personal data of minors, quasi-incompetent persons, and incompetent persons only when there is a legal basis to do so. If necessary, we will also obtain consent from their legal guardian. If we become aware that we have processed the data of such individuals without legal compliance, we will take appropriate action promptly.
3. Legal Bases and Purposes for Processing Personal Data
We will process your personal data only under legal bases permitted by law, such as obtaining consent for specific activities, performance of a contract, legal obligation, preventing harm to life or health, legitimate interest, or managing legal claims. If no other basis can be used, we will request your consent.
We process data to fulfill the following purposes:
3.1 Partner Selection: E.g., communication, registration, requesting quotations, meetings.
3.2 Procurement: E.g., issuing purchase orders, identity verification, negotiation, and contracting.
3.3 Contract Management: E.g., conducting transactions and ordering goods or services, payment, accounting, auditing, invoicing, delivery acceptance, problem notification and resolution, and receiving consultation.
3.4 Internal Administration: E.g., managing the partner database, business analysis and improvement, complaint management, training, auditing, and reporting.
3.5 Security: E.g., access rights verification, crime prevention and resolution, risk management, and fraud prevention.
3.6 Legal Compliance: E.g., tax management, accounting management, occupational safety management.
3.7 Other Purposes: E.g., preventing or suppressing danger to a person’s life, body, or health, organizing events, public relations, dispute management, and managing legal claims.
4. Parties to Whom We May Disclose Your Personal Data
We may disclose your personal data for the purposes under this notice to the following third parties. You can view the privacy policies of these parties to learn how they process your personal data.
4.1 Government Agencies: E.g., the Revenue Department, Royal Thai Police, Anti-Money Laundering Office, courts.
4.2 BMW Group: As an official dealer of BMW (Thailand) Co., Ltd., we are part of the BMW Group (which includes companies in Thailand and abroad under BMW AG). We cooperate to provide various services. We may need to disclose or grant access to your personal data to other companies within the BMW Group for the purposes stated in this notice, which allows them to rely on the consent we have obtained or other legal bases.
4.3 Our Service Providers: We may engage other companies, agents, or contractors to provide services on our behalf or to assist in our business management, such as IT providers, logistics and transport providers, payment providers, market analysis providers, marketing and advertising media, campaign organizers, telecommunication providers, external administrative services, data storage and cloud providers, printing services, and training providers.
4.4 Business Partners: E.g., affiliated companies, BMW Group, financial institutions, insurance companies, and other relevant business partners.
4.5 Other Third Parties: E.g., business consultants, auditors, legal advisors, assignees of rights or debts, associations, and non-profit organizations.
5. Personal Data Retention Period
We will retain your personal data for the period necessary to achieve the purposes related to this privacy notice. It may be necessary to retain the data afterward if required by law, for example, for 10 years in accordance with the civil law prescription period.
6. Your Rights as a Data Subject
You have the right to take action under the Personal Data Protection Law. We may ask you to verify your identity before fulfilling your request.
6.1 Right to withdraw consent: You have the right to withdraw your consent at any time for activities to which you have given consent, subject to conditions prescribed by law.
6.2 Right to access: You have the right to access and receive a copy of your personal data under our responsibility, and to request that we disclose how we obtained your personal data, subject to conditions prescribed by law.
6.3 Right to data portability: You have the right to receive your personal data if we have arranged it in an electronic format that is readable or commonly used by automated means. You also have the right to request that we transfer such data to another data controller automatically, and the right to directly receive the data that we transfer to another data controller, subject to conditions prescribed by law.
6.4 Right to object: You have the right to object to the processing of your personal data, subject to conditions prescribed by law.
6.5 Right to erasure: You have the right to request the erasure or destruction of your personal data, subject to conditions prescribed by law.
6.6 Right to restriction of processing: You have the right to request the temporary suspension of the use of your personal data, subject to conditions prescribed by law.
6.7 Right to rectification: You have the right to request that your personal data be corrected, updated, complete, and not misleading, subject to conditions prescribed by law.
6.8 Right to lodge a complaint: You have the right to complain to the expert committee under the PDPA if you believe we have violated or failed to comply with the law.
You can exercise your rights as a data subject by contacting our Data Protection Officer using the details at the end of this document. We may refuse your request only in cases specified by law, such as a prohibiting court order, and we will inform you of the outcome within the period prescribed by law. If we deny the request, we will inform you of the reason for the denial.
7. Security of Personal Data
We will maintain the security of your personal data in accordance with the principles of confidentiality, integrity, and availability. This is to prevent loss, unauthorized access, use, alteration, correction, or disclosure. We will implement security measures for personal data that comply with legal requirements.
8. International Transfers of Personal Data
We may transfer personal data to the BMW Group, third parties, or servers located outside of Thailand. We will follow the procedures stipulated by the PDPA and implement measures to ensure that your personal data is transferred securely and that the receiving party has appropriate protection standards or that other exceptions permitted by law apply.
9. Contact Information
If you have questions, complaints, access requests, or any inquiries regarding this privacy notice and/or wish to verify what personal data of yours is in our possession, you can contact us through our channels:
German Auto Company Limited Address: 441 Thepharat Road, Bang Na Nuea, Bang Na, Bangkok
Data Protection Officer
Email : dpo@bmw-germanauto.com
10. Amendments to this Privacy Notice
We may update this Privacy Notice from time to time to reflect changes in our practices, technology, or legal requirements. We will notify you of any significant changes through our website or our other communication channels.
This notice was last updated and is effective from September 1, 2025.
