Privacy Notice for Business Partners
German Auto Company Limited (“we”, “us” or “our”) recognizes the importance of privacy and the protection of personal data for our business partners e.g. suppliers, vendors, service providers and outsourcers (collectively referred to as “business partner”, “you” or “your”). We have therefore established a privacy notice to inform you about our practices for collecting, using, and disclosing (“processing”) personal data including the various rights you have under the Personal Data Protection Act B.E. 2562 (PDPA).
1. What personal data we collect
Personal data means any information relating to a Person, which enables the identification of such Person, whether directly or indirectly, but not including the information of the deceased Persons in particular.
Sensitive personal data includes information such as religious beliefs, health information, disabilities, biometric data (such as fingerprints and facial recognition data), criminal record, etc.
We collect your personal data directly from you (e.g., through communication, contracting, or services), indirectly from other sources, and through our affiliates, other companies, business partners, government agencies, websites, or social media. The details are as follows:
1.1 Personal Details : such as, title, full name, gender, age, nationality, date of birth, photos, work-related information, information on government-issued cards (e.g., national identification number, passport number), work permit, residence certificate, house registration, and company affidavit, tax ID, and signatures.
1.2 Contact Details : such as, telephone number, postal address, e-mail address, Line ID and other similar information.
1.3 Financial Details : such as, bank statement, bank account information, financial statement, VAT registration, payment term, and other contract related information.
1.4 Other information processed in connection with the relationship between us and the Business Partner, such as, information you give us in contracts, forms or surveys.
1.5 Sensitive Data such as sensitive data as shown in the identification document, health data (e.g., congenital disease, allergic food), disability, biometric data (e.g. fingerprint, facial recognition), and criminal records.
2. Our need for processing personal data
In cases where we need to collect your personal data to enter into a contract, perform a contract, or comply with the law, if you do not provide such personal data, we may not be able to fulfill your request.
In cases where we receive a copy of your identification card or any other document for the purpose of verifying your identity before entering into a legal relationship and/or conducting any transactions with us, the received documents may contain information about your religion or other sensitive data. We do not have a policy to collect such data from you, except where there is a legal basis for doing so. In such cases, we will handle the data in accordance with standard practices and as permitted by law, such as through redaction.
If you provide personal data of any third party to us, e.g., their name, address details, and telephone number for business contact, please provide this privacy notice for their acknowledgment and/or obtain their consent where applicable.
We only collect the information of children, quasi-incompetent persons, and incompetent persons where their parent or guardian has given their consent. We do not knowingly collect information from customers under the age of 20 without their parental consent when it is required, or from quasi-incompetent persons and incompetent persons without their legal guardian’s consent. In the event we learn that we have unintentionally collected personal information from anyone under the age of 20 without parental consent when it is required, or from quasi-incompetent persons and incompetent persons without their legal guardians, we will delete it immediately or process only if we can rely on other legal bases apart from consent.
3. Legal bases for processing your personal data
We will process your personal data under the following legal bases:
3.1 Consent
3.2 Archive/statistic/research
3.3 To prevent or suspend danger to life, body, or health of individuals
3.4 Entering into a contract or the performance of a contract
3.5 Legitimate interest
3.6 Legal obligation
3.7 Data disclosed to the public with explicit consent
3.8 Legal claims, Legal compliance, exercising legal rights, or defending legal claims
3.9 Necessary for compliance with the law to achieve the following objectives:
3.9.1 Providing health or social services
3.9.2 Public interest in public health
3.9.3 Protecting labor and social security
3.9.4 Scientific research, historical, statistical, or other public interest
3.9.5 Substantial public interest
3.10 Other legal bases as permitted by Law
4. The purposes for processing your personal data
We process your personal data for the following purposes:
4.1 Business purposes : such as, to proceed with the transaction made by business partner, and perform any obligations and/or request made by business partners; to communicate with the business partner about products, services and projects of us or business partner.
4.2 Business partner selection : such as, to verify your identity and business partner status, to conduct due diligence or any other form of background checks or risk identification on you and the business partner (including screening against law enforcement agency and/or official sanctions lists); to evaluate suitability and qualifications of you and the business partner, to issue request for quotation and bidding; to execute contract with you or the business partner;
4.3 Business partner data management : such as, to maintain and update lists/directories of business partner (including your personal data); to keep contracts and associated documents;
4.4 Relationship management : such as, to plan, perform, and manage the (contractual) relationship with the business partner (e.g., by performing transactions and orders of products or services, processing payments, performing accounting, auditing, billing and collection activities, arranging shipments and deliveries); to provide support services and keep tracks and records; to provide you a privilege and other offer; to learn more from your satisfaction; to manage and handling on complaint; to facilitate you on overseas events/trips and process on VISA application; to provide access to our system and other applications;
4.5 Business analysis and improvement : such as, to conduct research, data analytics, assessments, surveys and evaluation, reports on our products, services, and your or the business partner’s performance; to develop and improve marketing strategies and products and services;
4.6 Complying with reasonable business requirements : including but not limited to internal management, training, service quality, auditing, reporting, submissions or filings, data processing, control or risk management, statistical, trend analysis and planning or other related or similar activities;
4.7 IT systems and support : such as, to provide IT and helpdesk supports; to create and maintain code and profile for you; to manage your access to any systems to which we have granted you access; to remove inactive accounts; to implement business controls to enable our business to operate; to enable us to identify and resolve issues in our systems; to keep our systems secure, to perform systems development, implementation, operation and maintenance;
4.8 Security and system monitoring : such as, to authenticate and access controls and logs; to monitor system, devices and internet; to ensure IT security, prevention and solving crimes, as well as risk management and fraud prevention;
4.9 Compliance with internal policies and applicable laws : such as to conduct investigations, handle complaints, prevent crime or fraud, liaise and interact with, and respond to government authorities, courts, or tribunals. This also includes managing disputes, establishing, exercising, or defending legal claims.
4.10 Other purposes : such as to registration and authentication, to IT management, to protection of our interests, to fraud detection, to risk management, and to prevention or suppression of danger to a person’s life, body, or health.
Where we need to collect your personal data as required by law, or for entering into or performing the contract we have with you or business partner and you fail to provide that data when requested, we may not be able to fulfill the relevant purposes as listed above.
5. To whom we may disclose your personal data
We may have to disclose your personal data to the following third parties who process personal data in accordance with the purpose under this privacy notice. You can visit their privacy notice/privacy policy to learn more details on how they process your personal data.
5.1 BMW group company : We are the official car dealer of BMW (Thailand) Co., Ltd. and are part of the BMW group of companies, (which includes companies both in Thailand and abroad under BMW AG). Together, we collaborate to serve customers and provide various systems, including services and systems related to our website. We may need to transfer your personal data to, or allow access to such personal data by, other companies within the BMW Group for the purposes specified in this notice. This enables other companies in the BMW Group to utilize the consents we obtain, or other legal bases.
5.2 Our service providers : We may use other companies, agents or contractors to perform services on behalf of or to assist with the business relationship with you. We may share personal data including, but not limited to
5.2.1 internet, software, website developer, digital media, IT service providers and IT support company;
5.2.2 logistic and courier service providers;
5.2.3 payment and payment system service providers;
5.2.4 analytics service providers;
5.2.5 survey agencies;
5.2.6 auditors;
5.2.7 marketing, advertising media, designer, creative, and communications agencies;
5.2.8 call center;
5.2.9 campaign, event, market organizers, and agency;
5.2.10 telecommunications and communication service providers;
5.2.11 outsourced administrative service providers;
5.2.12 data storage and cloud service providers;
5.2.13 printing service providers;
5.2.14 insurance company and broker;
5.2.15 collection and legal and registrations service providers; and/or
5.2.16 auction house service provider.
In the course of managing our business relationship, the service providers may have access to your personal data. However, we will only provide our service providers with the information that is necessary for them to perform the services, and we ask them not to use your information for any other purposes. We will ensure that all the service providers we work with will keep your personal data secure.
5.3 Our business partner : We may disclose your personal data to our business partner to conduct business and services provided that the receiving business partner agrees to treat your personal data in a manner consistent with this privacy notice, such as our dealer, and sale representative agencies.
5.4 Third parties permitted by law : In certain circumstances, we may be required to disclose or share your personal data in order to comply with a legal or regulatory obligations. This includes any law enforcement agency, court, regulator, government authority or other third party where we believe this is necessary to comply with a legal or regulatory obligation, or otherwise to protect our rights, the rights of any third party or individuals’ personal safety, or to detect, prevent, or otherwise address fraud, security or safety issues.
5.5 Other third parties : This includes professional advisors, lawyers, auditors, technicians, assignees of rights and/or obligations, associations, and non-profit organizations.
6. International transfers
We may transfer your personal data to third parties or servers located overseas, which the destination countries may or may not have the same data protection standards. We take steps and measures to ensure that your personal data is securely transferred and that the receiving parties have in place suitable data protection standards or other derogations as allowed by laws.
7. How long do we keep your personal data
We retain your personal data for as long as is reasonably necessary to fulfil purpose for which we obtained it, and to comply with our legal and regulatory obligations. If data is processed for several purposes, the data is deleted automatically or saved in a form that cannot be traced back to you once the last specified purpose has been met. However, we may have to retain your personal data for a longer duration as required by applicable law, such as the 10-year retention period prescribed by civil law.
8. Personal data security
We understand and recognize the importance of your personal data. Therefore, we have continuously improved and developed our personal data security system to comply with the law and meet modern international safety standards at all times. We are committed to adhering to this notice and emphasize to our personnel and data processors with access to personal data or legal obligations the importance of maintaining and respecting the security of your personal data.
9. Your rights as a data subject
Subject to applicable law and exceptions, before you exercise your rights, we may ask you to verify your identity. You have the following rights:
9.1 Withdraw Consent : For the purposes you have consented to our processing of your personal data, you have the right to withdraw your consent at any time.
9.2 Access : You have the right to access or request a copy of the personal datawe process about you, including asking us to disclose how we obtained your personal data.
9.3 Data Portability : You may have the right to obtain personal datawe hold about you, in a structured, electronic format, and to send or transfer such data to another data controller, where this is
(a) Personal datawhich you have provided to us, and
(b) if we are processing such data on the basis of your consent or to perform a contract with you.
9.4 Objection : You have the right to object to certain processing of your personal data such as objecting to direct marketing.
9.5 Deletion : You may have the right to request that we delete or de-identity personal data.
9.6 Restriction : You have the right to restrict the use of your personal data in certain circumstances.
9.7 Rectification : You may have the right to have incomplete, inaccurate, misleading, or not up-to-date personal data that we processing about you rectified.
9.8 Lodge a complaint : You may have the right to lodge a complaint to the Expert Commitees where you believe our processing of your personal datais unlawful or noncompliant with applicable data protection law.
You can exercise your rights as the data subject of the personal data mentioned above by contacting our Data Protection Officer, details of whom are provided at the end of this document. We may reject your request only in cases specified by law, such as a court order prohibiting it. We will notify you of the results of your request within the timeframe specified by law. If your request is rejected, we will inform you of the reason for the refusal.
10. Contact Us
If you wish to contact us to exercise the rights relating to your Personal Data or if you have any queries about your Personal Data under this Privacy Notice, please contact us or our Data Protection Officer at
Data Protection Officer
Email : dpo@bmw-germanauto.com
Address : 441 Debaratana Rd, Bangna Nuea, Bangna, Bangkok 10260
11. Changes to this privacy notice
We may amend this privacy notice from time to time. If our personal data protection practices change due to various reasons, such as technological changes or legal changes,
This privacy notice was last revised and is effective as of 1 July 2024 (Version 010767)