Skip to content Skip to footer

Privacy Notice for CUSTOMER

Privacy Notice for CUSTOMER

German Auto Company Limited (“we”, “us” or “our”) recognizes the importance of privacy and the protection of personal data for customers, service users, website visitors, and users of our applications, mobile phones, or systems (collectively referred to as “customers”, “you” or “your”). We have therefore established a privacy notice to inform you about our practices for collecting, using, and disclosing (“processing”) personal data, including the various rights you have under the Personal Data Protection Act B.E. 2562 (PDPA). This ensures you can use our websites, applications, mobile phones, customer service center (call center), social networking sites, all our online communication channels, events, and other venues with confidence.

  1. What personal data we collect

          Personal data means any information relating to a person, which enables the identification of such person, whether directly or indirectly, but not including the information of the deceased Persons in particular.

          Sensitive personal data includes information such as religious beliefs, health information, disabilities, biometric data (such as fingerprints and facial recognition data), criminal record, etc.

          We collect your personal data directly from you (e.g., through communication, contracting, or services), indirectly from other sources, and through our affiliates, other companies, business partners, government agencies, websites, or social media. The details are as follows:

                    1) Personal details, such as title, full name, gender, age, blood type, nationality, date of birth, marital status, occupation, job title, position, business type, income, years of work, information on government-issued cards (e.g., national identification number, passport number, tax identification number, driver’s license details or similar identifiers), information on name/surname change certificate, birth certificate, marriage/divorce certificate, foreigner related documents, work permit, residence certificate, house registration, and title deed, socio-cultural data, photograph, CCTV records, conversation records, life insurance information, VISA related documents, information on withholding tax certificate, VAT registration certificate, user profile (e.g., configured news, audio provider), and other legal documents;

                    2) Contact details, such as postal address, delivery details, billing address, telephone number, fax number, map, location data, email address, LINE ID, Facebook account, Instagram ID, and other ID from social networking sites; 

                    3) Financial details, such as bank account details, bank statement, financed amount, financial contract information (e.g., amount of finance, contract type, contract status, down payment, balloon amount, installment, guarantor name, down payment term, product type, balloon payment behavior), cheque details, NCB record, securities instrument details, details of deposit, tax amount, outstanding balance, arrears amount which relating to the debt collection, financial statement, company affidavit, shareholder lists and other financial related information;

                    4) Vehicle details, such as Vehicle Identification Number (VIN), license plate number, brand, model, year, color, engine number, chassis number, vehicle type, mileage, battery, voltage, door and hatch status, oil level, brake wear, position and movement data (e.g. time, position, speed), traffic information, environmental information, sensor information (e.g., radar, ultrasonic devices, gestures, voice), details of car insurance, credit life insurance, compulsory insurance and gap insurance, residual value, accessories, bluebook, vehicle price, due date of next service visit, vehicle check-up documents, details of ConnectedDrive and its operation, GPS coordinate and vehicle location, vehicle history report, police summon and letter, and other vehicle related information;

                    5) Transaction details, such as details about payment to and from you, payment date and/or time, payment amount, details about refund, date and location of purchase, address/date and time for pick up or delivery, service request form, acknowledgement of receipt, recipient signature, receipt, invoices, transaction, transaction history, location, transaction status, purchasing behaviour, and other details of products and services you have purchased, pay in slip, bill payment card, complaints and claims, intended purchasing time, and amount of debt;

                    6) Technical details, such as Internet Protocol (IP) address and telemetry data;

                    7) Behaviour details, such as information about your behavior, lifestyle, attitudes and convictions and interaction data;

                    8) Profile details, such as ConnectedDrive account, myCOMPANY account, login name or username, profile details and picture, contact history, compliant history, past orders, purchase history, your interests, preferences, feedback and satisfaction survey responses;

                    9) Marketing and communication details, such as your preference in receiving marketing from us, our affiliates, subsidiaries, third parties, business partners, and your communication preferences; and/or

                    10) Sensitive data, such as sensitive data as shown in the identification document, health data (e.g., congenital disease, allergic food), disability, biometric data (e.g. fingerprint, facial recognition), and criminal records.

                    11) Other information such as, information of our contract (e.g., contract number, contract type, retention period), application form or survey. 

  1. Our need for processing personal data

          In cases where we need to collect your personal data to enter into a contract, perform a contract, or comply with the law, if you do not provide such personal data, we may not be able to fulfill your request.

          In cases where we receive a copy of your identification card or any other document for the purpose of verifying your identity before entering into a legal relationship and/or conducting any transactions with us, the received documents may contain information about your religion or other sensitive data. We do not have a policy to collect such data from you, except where there is a legal basis for doing so. In such cases, we will handle the data in accordance with standard practices and as permitted by law, such as through redaction.

          If you provide personal data of any third party to us, e.g., their name, family name, address details, and telephone number for emergency contact and debt collection, or family member income, please provide this privacy notice for their acknowledgment and/or obtain their consent where applicable.

          We only collect the information of children, quasi-incompetent persons, and incompetent persons where their parent or guardian has given their consent. We do not knowingly collect information from customers under the age of 20 without their parental consent when it is required, or from quasi-incompetent persons and incompetent persons without their legal guardian’s consent. In the event we learn that we have unintentionally collected personal information from anyone under the age of 20 without parental consent when it is required, or from quasi-incompetent persons and incompetent persons without their legal guardians, we will delete it immediately or process only if we can rely on other legal bases apart from consent.

  1. Legal bases for processing your personal data

          We will process your personal data under the following legal bases:

                    1) Consent

                    2) Archive/statistic/research

                    3) To prevent or suspend danger to life, body, or health of individuals

                    4) Entering into a contract or the performance of a contract

                    5) Legitimate interest

                    6) Legal obligation

                    7) Data disclosed to the public with explicit consent

                    8) Legal claims, Legal compliance, exercising legal rights, or defending legal claims

                    9) Necessary for compliance with the law to achieve the following objectives:

  1. Providing health or social services
  2. Public interest in public health
  3. Protecting labor and social security
  4. Scientific research, historical, statistical, or other public interest
  5. Substantial public interest

                    10) Other legal bases as permitted by Law

  1. The purposes for processing your personal data

          We process your personal data when you use our services, visit our websites, applications, or mobile platforms, contact our customer service center (call center), use our social networking sites and online communication channels, or participate in our activities and other venues for the following purposes:

          1) To provide products and services to you: To enter into a contract and manage our contractual relationship with you (including contract activation, implementation); to book a test drive; to provide a car registration and other registration services; to carry out welcome package, contract details, financial transaction to support and perform other activities related to such services or products to process your orders, delivery, collections, returns, refund and exchange of products or services; to provide updates and on the delivery of the products, including maintenance and car repairing reservation; to provide basic BMW ConnectedDrive services (e.g., teleservices, intelligence emergency call); to provide mobility service (roadside assistance); to process on receipt issuance, cash disbursement, account payable, invoice, and proof of purchase; to issue bill payment card; to provide an insurance premium payment, insurance fee conciliation process and other insurance related services; to send reminding letter for insurance policy renewal; to inform you about car’s recall; to provide aftersales services;

          2) Marketing and Communications: To provide marketing, re-marketing, re-targeting, segmentation, communications, sales, special offers, promotions, notices, news, information about other products and services from BMW Group, our affiliates, subsidiaries and/or business partners in accordance with preferences you have expressed directly or indirectly;

          3) To contact and communicate with you: To provide you with marketing communications, sales, special offers, promotions, notices, news, and information about the products and services; to process and update your information;

          4) Recommendations and Personalization: To recommend products and services that might be of interest to you, identify your preferences, and personalize your experience;

          5) To manage our relationship with you: To communicate with you in relation to the products and services you obtain from us, across our company group, affiliates, subsidiaries, and business partners; to process and update your information as our member; to facilitate your use of the products and services; to handle customer service-related queries, request, feedback, complains, warranty claims, disputes or indemnity; to deal with technical issues, provide technical assistance, car repairing, warranty and goodwill; to conduct customer relationship management activities (e.g., customer satisfaction index survey);

          6) Profiling and data analytics: To measure your engagement with the products and services; to undertake data analytics for products and services development, market research, surveys, assessments, behaviour, statistics and segmentation, consumption trends and patterns; to know you better; to improve business performance and better adapt our content to the identified preferences of our customers; to determine the effectiveness of our promotional campaigns; to identify and resolve of issues with existing products and services, and qualitative information development;

          7) To improve business operations, products, and services: To evaluate, develop, manage, improve, research and develop the services, products, system, and business operations for you and all of our customers and within within our group, including our business partners; to measure the performance of our physical products, digital properties, and marketing campaigns; to conduct a lead generation and sales funnel management; to assure products and service quality; to conduct a legal consulting; to create aggregated and anonymized reports; to identify and resolve issues; to provide training courses for sales personnel; to improve the request and sales process;

          8) Compliance with regulatory: To comply with legal obligations, legal proceedings, or government authorities’ orders which can include orders from government authorities outside Thailand, and/or cooperate with court, regulators, government authorities, and law enforcement bodies when we reasonably believe we are legally required to do so, and when disclosing your Personal datais strictly necessary to comply with the said legal obligations, proceedings, or government orders; to provide and handle VAT refund service; to issue tax invoices or full tax forms; to record and monitor communications; to handle with traffic fine letter and road tax; to disclose to tax authorities, financial service regulators, and other regulatory and governmental bodies, and investigating or preventing crime;

          9) Corporate transaction: in the event of sale, transfer, merger, reorganization, or similar event we may transfer your information to one or more third parties as part of that transaction;

          10) Other purposes: such as to registration and authentication, to IT management, to protection of our interests, to fraud detection, to risk management, and to prevention or suppression of danger to a person’s life, body, or health.

  1. To whom we may disclose your personal data

          We may have to disclose your personal data to the following third parties who process personal data in accordance with the purpose under this privacy notice. You can visit their privacy notice/privacy policy to learn more details on how they process your personal data.

          1) BMW Group Company: We are the official car dealer of BMW (Thailand) Co., Ltd. and are part of the BMW group of companies, (which includes companies both in Thailand and abroad under BMW AG). Together, we collaborate to serve customers and provide various systems, including services and systems related to our website. We may need to transfer your personal datato, or allow access to such personal data by, other companies within the BMW Group for the purposes specified in this notice. This enables other companies in the BMW Group to utilize the consents we obtain, or other legal bases.

          2) Our service providers: We may use other companies, agents or contractors to perform services on behalf or to assist with the provision of products and services to you. We may share your Personal datato our service providers or third-party suppliers including, but not limited to (1) internet, software, website developer, digital media, IT service providers and IT maintenance & support company; (2) logistic and courier service providers; (3) payment and payment system service providers; (4) research and market surveillance agencies; (5) analytics service providers; (6) survey agencies; (7) auditors; (8) marketing, advertising media, designer, creative, and communications agencies; (9) call center; (10) campaign, event, and market organizers, and CRM agency; (11) telecommunications and communication service providers; (12) outsourced administrative service providers; (13) data storage and cloud service providers; (14) printing service providers; (15) insurance company and broker; and/or (16) auction house service provider.

          In the course of providing such services, the service providers may have access to your personal data. However, we will only provide our service providers with the information that is necessary for them to perform the services, and we ask them not to use your information for any other purposes. We will ensure that the service providers we work with will keep your personal data secure as required under the laws.

          3) Our business partners: We may transfer your personal datato our business partners to conduct business and services related to banking, finance, credit, loan, vehicle, insurance, telecommunications, marketing, retail, wholesale, equipment rental, including platform sellers or providers whom we may jointly offer products or services, or whose products or services may be offered to you.

          4) Authorized dealer: such as sale representative agencies that you choose, or located near you, to serve you with our services.

          5) Third parties required by law: In certain circumstances, we may be required to disclose or share your Personal datain order to comply with a legal or regulatory obligations. This includes any law enforcement agency, court, regulator, government authority or other third party where we believe it is necessary to comply with a legal or regulatory obligation, or otherwise to protect our rights, the rights of any third party or individuals’ personal safety, or to detect, prevent, or otherwise address fraud, security, or safety issues.

          6) Other third parties: This includes professional advisors, lawyers, auditors, technicians, assignees of rights and/or obligations, associations, and non-profit organizations.

  1. How long do we keep your personal data

          We retain your personal data for as long as is reasonably necessary to fulfil purpose for which we obtained it, and to comply with our legal and regulatory obligations. If data is processed for several purposes, the data is deleted automatically or saved in a form that cannot be traced back to you once the last specified purpose has been met. However, we may have to retain your personal data for a longer duration, as required by applicable law, such as the 10-year retention period prescribed by civil law.

  1. Personal data security

          We understand and recognize the importance of your personal data. Therefore, we have continuously improved and developed our personal data security system to comply with the law and meet modern international safety standards at all times. We are committed to adhering to this notice and emphasize to our personnel and data processors with access to personal data or legal obligations the importance of maintaining and respecting the security of your personal data.

  1. International transfers

          We may transfer personal data to the BMW AG group of companies, third parties, or servers located outside Thailand. We will comply with the requirements of the Personal Data Protection Act B.E. 2562 (PDPA) and take measures to ensure the security of your personal data during such transfers. We will also ensure that the receiving party adheres to appropriate standards of protection, or any other derogations allowed by law.

  1. Cookies and similar technologies

          When you visit our website, we automatically collect certain information from you using browsing history cookies. Cookies are small text files that a website stores on your hard disk. They do not harm your computer or contain viruses. Typically, cookies are only used on our website for the duration of your session for anonymous statistical evaluation and to enhance user experience. Occasionally, cookies may serve other purposes on specific parts of the website, and you will be notified if you access these areas. Additionally, we use pixels, which are analytics tools helping us better understand your interactions with our website. This enables us to improve our services and tailor them to your needs. You can manage your cookie and pixel settings by adjusting your browser’s privacy settings to restrict the collection of information.

          When we incorporate social media plugins, such as those from Facebook and Twitter, on our website, they are initially disabled. This means no data is sent to the operators of these networks when you visit our website. To use a specific network, simply click on the social plugin to connect to the relevant network’s server. If you are logged into your account on that network, activating the social plugin allows the network to associate your visits to our website with your user account. If you prefer not to allow this association, please log out of the network before using the social plugin. This prevents the social network from linking your traffic to our website until you choose to enable existing social plugins. When you activate a social plugin, the network may initiate and control data transfer directly through your browser. This interaction with social media networks involves data transmission between your network and system. Your interactions on these platforms are governed by the privacy policy of each respective network.

  1. Your rights as a data subject

          Subject to applicable law and exceptions, before you exercise your rights, we may ask you to verify your identity. You have the following rights:

          1) Withdraw Consent: For the purposes you have consented to our processing of your personal data, you have the right to withdraw your consent at any time.

          2) Access: You have the right to access or request a copy of the personal datawe process about you, including asking us to disclose how we obtained your personal data.

          3) Data Portability: You may have the right to obtain personal datawe hold about you, in a structured, electronic format, and to send or transfer such data to another data controller, where this is (a) Personal datawhich you have provided to us, and (b) if we are processing such data on the basis of your consent or to perform a contract with you. 

          4) Objection: You have the right to object to certain processing of your personal data such as objecting to direct marketing.

          5) Deletion: You may have the right to request that we delete or de-identity personal data.

          6) Restriction: You have the right to restrict the use of your personal data in certain circumstances.

          7) Rectification: You may have the right to have incomplete, inaccurate, misleading, or not up-to-date personal data that we processing about you rectified.

           8) Lodge a complaint: You may have the right to lodge a complaint to the Expert Commitees where you believe our processing of your personal datais unlawful or noncompliant with applicable data protection law.

          You can exercise your rights as the data subject of the personal data mentioned above by contacting our Data Protection Officer, details of whom are provided at the end of this document. We may reject your request only in cases specified by law, such as a court order prohibiting it. We will notify you of the results of your request within the timeframe specified by law. If your request is rejected, we will inform you of the reason for the refusal.  

  1. Our contact details

          If you wish to contact us to exercise the rights relating to your personal data or if you have any queries about your personal data under this privacy notice, please contact us or our Data Protection Officer at:

          German Auto Company Limited

          Address: 441 Debaratana Rd, Bangna Nuea, Bangna, Bangkok 10260

          Data Protection Officer: (Email)

          Telephone number: 0XXXXXXXXX

Changes to this privacy notice

          We may amend this privacy notice from time to time. If our personal data protection practices change due to various reasons, such as technological changes or legal changes, we will notify you through the following channels: