HR Privacy Notice
German Auto Company Limited (“we”, “us”, “our”) values the protection of personal data belonging to data subjects involved in our human resources management. We have therefore created this privacy notice to inform you about our practices regarding the collection, use, disclosure, retention, and destruction (“Processing”) of personal data, as well as the various rights you are entitled to as a data subject under the Personal Data Protection Act, B.E. 2562 (2019) (PDPA).
This notice is intended for data subjects related to our human resources management, such as job applicants, employees, executives, directors, interns, contractors, and relevant third parties (e.g., emergency contacts, family members, reference persons), collectively referred to as “you” or the “Data Subject“.
This privacy notice applies only to data subjects related to our human resources. If you visit other websites, even through links on our site, the protection of your personal data will be subject to the privacy policy of that third party, with which we are not involved.
1. Personal Data We Collect
Personal Data means any information relating to a natural person that enables the identification of such person, whether directly or indirectly, but does not include the data of deceased persons specifically.
Special Category of Personal Data includes information such as religion, health data, disabilities, biometric data (e.g., fingerprints, facial recognition data), criminal records, and so on.
We collect personal data directly from you (e.g., through website registration and job applications, employment contracts, telephone or email correspondence, and daily work activities) and we may also collect your personal data from other sources, such as search engines, social media, government agencies, and reference persons.
The types of personal data may be categorized as follows:
Data Category | Examples of Personal Data |
Personal Details | E.g., Name, surname, nickname, gender, age, date of birth, nationality, data from official documents (e.g., National ID card, passport, photos, military service documents, house registration, educational documents), signature. |
Contact Details | E.g., Address, telephone number, email, Line ID, social media account information. |
Financial Details | E.g., Bank account information, salary, benefits, remuneration, asset information. |
Employment Details | E.g., Work history, training history, leave history, educational background, job position. |
Technical Details | E.g., IP address, videos, CCTV footage, information system usage data, GPS location. |
Special Category of Personal Data | E.g., Religion, health data (e.g., congenital diseases, food allergies), disabilities, biometric data (e.g., fingerprints, facial recognition data), criminal records. |
Other Identifying Data | E.g., Behavioral data, vehicle information, third-party data, and any other data that can identify you. |
2. Necessity of Processing Personal Data
In cases where we need to collect your personal data to enter into or perform a contract or to comply with the law, if you do not provide such personal data, we may be unable to proceed with your request.
If we receive a copy of your National ID card or any other document for identity verification or for any transaction with us, the document may contain your religion or other special category of personal data. We do not have a policy to collect such data unless there is a specific legal basis. Therefore, we request that you conceal or black out such information before submission. If you fail to do so, we will manage the document according to our internal practices and as permitted by law, such as by concealing or blacking out the information ourselves.
We may receive data about third parties provided by you, such as family members, emergency contacts, or reference persons. Please inform these third parties of this notice and obtain their consent if necessary, unless there is another legal basis for processing their personal data without consent.
We process the personal data of minors, quasi-incompetent persons, and incompetent persons only when there is a legal basis to do so. If necessary, we will also obtain consent from their legal guardian. If we become aware that we have processed the data of such individuals without legal compliance, we will take appropriate action promptly.
3. Legal bases and purpose for processing personal data
We will process your personal data only under legal bases permitted by law, such as obtaining consent for specific activities, performance of a contract, legal obligation, preventing harm to life or health, legitimate interest, managing legal claims, complying with labor protection laws, or other bases as permitted by law (depending on the activity). If no other basis can be used, we will request your consent.
We process data to fulfill the following purposes:
3.1 Recruitment and Hiring: E.g., receiving applications and selection, interviews and evaluation, criminal record checks, health checks.
3.2 Employment and Employee Data Management: E.g., offering and executing contracts, guarantees, managing the employee database, work time management, meetings, communications, and operations with clients or partners.
3.3 Compensation and Benefits: E.g., payment of remuneration, uniforms, provident funds, group health insurance, annual health checks, leave management, and other benefits.
3.4 Capacity Development: E.g., performance evaluation, training, and counseling.
3.5 Administration and Management: E.g., promotion evaluation, workforce requests, risk management, delegation of authority, disciplinary investigations, grievance management, operational audits, public relations, organizational structuring, and business planning.
3.6 Legal Compliance: E.g., social security management, tax administration, Student Loan Fund management, compliance with government or court orders, maintaining the employee register, occupational safety management, training, and organizing activities.
3.7 Termination of Employment: E.g., resignation, issuance of employment certificate.
3.8 Other Management: E.g., accident information management, surveillance and security, disclosure to financial institutions at your request, business transfers or mergers, prevention of danger to life, body or health, and emergency contact.
4. Parties to Whom We May Disclose Your Personal Data
We may disclose your personal data to others as permitted by law, including the following:
4.1 Government Agencies: E.g., the Revenue Department, Social Security Office, Department of Labour Protection and Welfare, courts.
4.2 Business Partners: E.g., affiliated companies, BMW Group, financial institutions, insurance companies, and other relevant business partners.
4.3 Service Providers: We may engage other companies, agents, or contractors to provide services on our behalf or to assist in our business management, such as IT service providers, logistics and transport providers, payment and payment system providers, market analysis and survey providers, marketing and advertising media providers, campaign and event organizers, telecommunication providers, external administrative service providers, data storage and cloud service providers, printing service providers, and training providers.
4.4 Other Third Parties: E.g., business consultants, auditors, legal advisors, parties to whom you request disclosure (e.g., financial institutions, new employers), assignees of rights or debts, associations, and non-profit organizations.
5. Personal Data Retention Period
We will retain your personal data for the period necessary to achieve the purposes related to this privacy notice. It may be necessary to retain the data afterward if required by law, for example, for 10 years in accordance with the civil law prescription period.
6. Your Rights as a Data Subject
You have the right to take action under the Personal Data Protection Law. We may ask you to verify your identity before fulfilling your request.
6.1 Right to withdraw consent: You have the right to withdraw your consent at any time for activities to which you have given consent, subject to conditions prescribed by law.
6.2 Right to access: You have the right to access and receive a copy of your personal data under our responsibility, and to request that we disclose how we obtained your personal data, subject to conditions prescribed by law.
6.3 Right to data portability: You have the right to receive your personal data if we have arranged it in an electronic format that is readable or commonly used by automated means. You also have the right to request that we transfer such data to another data controller automatically, and the right to directly receive the data that we transfer to another data controller, subject to conditions prescribed by law.
6.4 Right to object: You have the right to object to the processing of your personal data, subject to conditions prescribed by law.
6.5 Right to erasure: You have the right to request the erasure or destruction of your personal data, subject to conditions prescribed by law.
6.6 Right to restriction of processing: You have the right to request the temporary suspension of the use of your personal data, subject to conditions prescribed by law.
6.7 Right to rectification: You have the right to request that your personal data be corrected, updated, complete, and not misleading, subject to conditions prescribed by law.
6.8 Right to lodge a complaint: You have the right to complain to the expert committee under the PDPA if you believe we have violated or failed to comply with the law.
You can exercise your rights as a data subject by contacting our Data Protection Officer using the details at the end of this document. We may refuse your request only in cases specified by law, such as a prohibiting court order, and we will inform you of the outcome within the period prescribed by law. If we deny the request, we will inform you of the reason for the denial.
7. Security of Personal Data
We will maintain the security of your personal data in accordance with the principles of confidentiality, integrity, and availability. This is to prevent loss, unauthorized access, use, alteration, correction, or disclosure. We will implement security measures for personal data that comply with legal requirements.
8. International Transfers of Personal Data
We may transfer personal data to the BMW Group, third parties, or servers located outside of Thailand. We will follow the procedures stipulated by the PDPA and implement measures to ensure that your personal data is transferred securely and that the receiving party has appropriate protection standards or that other exceptions permitted by law apply.
9. Contact Information
If you have suggestions or wish to inquire about the details of your personal data processing, including exercising your rights under this privacy notice, you can contact us or our Data Protection Officer as follows:
German Auto Company Limited: 441 Thepharat Road, Bang Na Nuea, Bang Na, Bangkok 10260
02-396-1199 ext. 111
Data Protection Officer
10. Amendments to this Privacy Notice
We may update this Privacy Notice from time to time to reflect changes in our practices, technology, or legal requirements. We will notify you of any significant changes through our website or our other communication channels.
This notice was last updated and is effective from September 1, 2025.
