Skip to content Skip to footer

Privacy Notice for EMPLOYEES

          German Auto Company Limited (“we”, “us” or “our”) recognizes the importance of privacy and the protection of personal data for data subjects, including job applicants, employees, executives, directors, interns, contractors, and third parties involved in human resource management (e.g., emergency contacts, family members, reference persons) (collectively referred to as “you”). We have therefore established a privacy notice to inform you about our practices for collecting, using, and disclosing (“processing”) personal data, including the various rights you have under the Personal Data Protection Act B.E. 2562 (PDPA).

1. What personal data we collect

          Personal data means any information relating to a person, which enables the identification of such person, whether directly or indirectly, but not including the information of the deceased Persons in particular.

          Sensitive personal data includes information such as religious beliefs, health information, disabilities, biometric data (such as fingerprints and facial recognition data), criminal record, etc.

          We collect personal data directly from you (e.g., through registrations, job applications, our website, employment contracts, contact by phone or email, via Google Login, LINE Login, Facebook Login, etc.) and indirectly from other sources such as search engines, social media, government agencies, reference persons, and more. The details are as follows:

          1.1  Personal details, such as title, full name, gender, age, date of birth, nationality, national ID, passport, marital status, military status, photo;

          1.2  Contact details, such as address, telephone number, email address, LINE ID;

          1.3  Financial details, such as bank account details, salary, benefits;

          1.4  Work details, such as work permit, work information, performance evaluations, leave history, information about the use of our information systems;

          1.5  Technical information, such as IP address, Mac Addressr, video, and CCTV images;

          1.6  Sensitive data, such as race, religious information, health information (such as congenital diseases, food allergies), disability, biological information (such as fingerprints, facial recognition data), criminal records;

          1.7  Other information, such as: education, training seminars, reference information, family member information. 

2. Our need for processing personal data

          In cases where we need to collect your personal data to enter into a contract, perform a contract, or comply with the law, if you do not provide such personal data, we may not be able to fulfill your request.

          In cases where we receive a copy of your identification card or any other document for the purpose of verifying your identity before entering into a legal relationship and/or conducting any transactions with us, the received documents may contain information about your religion or other sensitive data. We do not have a policy to collect such data from you, except where there is a legal basis for doing so. In such cases, we will handle the data in accordance with standard practices and as permitted by law, such as through redaction.

          If you provide personal data of any third party to us, e.g., family name, emergency contact and reference person, please provide this privacy notice for their acknowledgment and/or obtain their consent where applicable.

          We only collect the information of children, quasi-incompetent persons, and incompetent persons where their parent or guardian has given their consent. We do not knowingly collect information from customers under the age of 20 without their parental consent when it is required, or from quasi-incompetent persons and incompetent persons without their legal guardian’s consent. In the event we learn that we have unintentionally collected personal information from anyone under the age of 20 without parental consent when it is required, or from quasi-incompetent persons and incompetent persons without their legal guardians, we will delete it immediately or process only if we can rely on other legal bases apart from consent.

3. Legal bases for processing your personal data

          We will process your personal data under the following legal bases:

          3.1  Consent

          3.2  Archive/statistic/research

          3.3  To prevent or suspend danger to life, body, or health of individuals

          3.4  Entering into a contract or the performance of a contract

          3.5  Legitimate interest

          3.6  Legal obligation

          3.7  Data disclosed to the public with explicit consent

          3.8  Legal claims, Legal compliance, exercising legal rights, or defending legal claims

          3.9  Necessary for compliance with the law to achieve the following objectives:

                    3.9.1  Providing health or social services

                    3.9.2  Public interest in public health

                    3.9.3  Protecting labor and social security

                    3.9.4  Scientific research, historical, statistical, or other public interest

                    3.9.5  Substantial public interest

          3.10  Other legal bases as permitted by Law

4. The purposes for processing your personal data

          4.1  Manage human resources : recruiting, training, entering and exiting working hours, performance evaluation, change of position;

          4.2  Perfomance of contract : communication, payment of compensation, leave rights, providing welfare;

          4.3  Manage health and safety : annual health check, vaccinations, health insurance, prevention of health hazards;

          4.4  Comply with the law : withholding taxes, sending social security funds, employee registration;

          4.5  Maintain security within the organization and building : recording images with closed-circuit cameras (CCTV), making employee identification cards, setting access rights to our system;

          4.6 Carry out various policies : personal data protection, work regulations, organization management, information technology management;

          4.7 Legitimate interests : improving organizational structure, disciplinary management, work inspection, crime prevention, prosecution;

          4.8 Make business plans : risk management, in-house management, business planning;

          4.9 Communication and public relations: public relations, providing information to customers or business partners;

          4.10  Other purposes : disclosure to financial institutions as requested by you.

5. To whom we may disclose your personal data

          We may disclose your personal data to others as permitted by law, as follows:

          5.1  Government agencies : such as the Revenue Department, Social Security Office, Department of Labour Protection and Welfare, and courts;

          5.2  Business partners : such as our group, BMW AG, banking and financial partners, and insurance partners;

          5.3  Service providers : such as training or seminar providers, transportation service providers, document preservation and destruction service providers, security service providers, marketing service providers, and information technology service providers;

          5.4  Other third parties : such as business consultants, auditors, legal advisors, persons to whom you request disclosure (e.g., financial institutions, new employers), assignees of rights or debts, and associations or non-profit organizations.

6. How long do we keep your personal data

          We retain your personal data for as long as is reasonably necessary to fulfil purpose for which we obtained it, and to comply with our legal and regulatory obligations. However, we may have to retain your personal data for a longer duration, as required by applicable law, such as the 10-year retention period prescribed by civil law.

7. Your rights as a data subject

          Subject to applicable law and exceptions, before you exercise your rights, we may ask you to verify your identity. You have the following rights:

          7.1 Withdraw Consent : For the purposes you have consented to our processing of your personal data, you have the right to withdraw your consent at any time.

          7.2 Access : You have the right to access or request a copy of the personal datawe process about you, including asking us to disclose how we obtained your personal data.

          7.3 Data Portability : You may have the right to obtain personal datawe hold about you, in a structured, electronic format, and to send or transfer such data to another data controller, where this is (a) Personal datawhich you have provided to us, and (b) if we are processing such data on the basis of your consent or to perform a contract with you. 

          7.4 Objection : You have the right to object to certain processing of your personal data such as objecting to direct marketing.

          7.5 Deletion : You may have the right to request that we delete or de-identity personal data.

          7.6 Restriction : You have the right to restrict the use of your personal data in certain circumstances.

          7.7 Rectification : You may have the right to have incomplete, inaccurate, misleading, or not up-to-date personal data that we processing about you rectified.

          7.8 Lodge a complaint : You may have the right to lodge a complaint to the Expert Commitees where you believe our processing of your personal datais unlawful or noncompliant with applicable data protection law.

          You can exercise your rights as the data subject of the personal data mentioned above by contacting our Data Protection Officer, details of whom are provided at the end of this document. We may reject your request only in cases specified by law, such as a court order prohibiting it. We will notify you of the results of your request within the timeframe specified by law. If your request is rejected, we will inform you of the reason for the refusal. 

8. Personal data security

          We understand and recognize the importance of your personal data. Therefore, we have continuously improved and developed our personal data security system to comply with the law and meet modern international safety standards at all times. We are committed to adhering to this notice and emphasize to our personnel and data processors with access to personal data or legal obligations the importance of maintaining and respecting the security of your personal data.

9. International transfers

          We may transfer personal data to the BMW AG group of companies, third parties, or servers located outside Thailand. We will comply with the requirements of the Personal Data Protection Act B.E. 2562 (PDPA) and take measures to ensure the security of your personal data during such transfers. We will also ensure that the receiving party adheres to appropriate standards of protection, or any other derogations allowed by law.

10. Privacy notices for other websites

          This privacy notice is intended for our applicants, employees, personnel, and third parties involved in human resources. If you visit another website, even through a link on our website, the protection of personal data will be governed by the privacy policy of that website, with which we are not involved.

11. Our contact details

          If you wish to contact us to exercise the rights relating to your personal data or if you have any queries about your personal data under this privacy notice, please contact us or our Data Protection Officer at

Data Protection Officer

          Email :  dpo@bmw-germanauto.com

          Address :  441 Debaratana Rd, Bangna Nuea, Bangna, Bangkok 10260

12. Changes to this privacy notice

          We may amend this privacy notice from time to time. If our personal data protection practices change due to various reasons, such as technological changes or legal changes, 

          This privacy notice was last revised and is effective as of July 1, 2024. (Version 010767)