BMW (Thailand) Co., Ltd and BMW Leasing (Thailand) Company Limited ("we", "us" or "our") recognizes the importance of the protection of any information relating to an identified or identifiable natural person ("Personal Data") in our businesses. This Business Partner Privacy Notice ("Privacy Notice") describes how we collect, use, disclose, and/or transfer outside of Thailand Personal Data of employees, personnel, authorized persons, directors, shareholders and other contact persons ("you" or "your") of our business partners (e.g. dealers, suppliers, vendors, service providers and outsourcers) (each a "Business Partner"), and tells you about data protection rights.
Your Personal Data is collected, used, disclosed, and/or transferred outside of Thailand by us because we have an existing or potential business relationship with you or the Business Partner you work for, act for or represent. For example, our Business Partner provides products or services to us, or work together with us to provide our customers products or services, or otherwise communicates with us in relation to any business.
1. What Personal Data we collect
We may collect your Personal Data directly from you or your company or indirectly from other sources and through our affiliates, other companies or other business partners, or from publicly available sources where you allow such Personal Data to be shared publicly. The specific type of data collected will depend on the context of your interactions with us and within BMW Group. The following are example of Personal Data that may be collected:
1) Personal Details: such as, title, full name, gender, age, nationality, blood type, date of birth, photos, work-related information (e.g., position, function, occupation, job title, company you work for, employed at or holds shares of), information on government-issued cards (e.g., copy of national identification card, passport, VISA), work permit, residence certificate, house registration, and company affidavit, tax ID, signatures, and other identifiers.
2) Contact Details: such as, telephone number, fax number, postal address, e-mail address, map and other similar information.
3) Financial Details: such as, bank statement, bank account information, financial statement, VAT registration, payment term, and other contract related information.
4) Other information collected, used and/or disclosed in connection with the relationship between us and the Business Partner, such as, information you give us in contracts, forms or surveys.
"Sensitive Data" means Personal Data classified by law as sensitive data. We will only collect, use, and disclose Sensitive Data, and transfer it across borders, if we have received your explicit consent or as permitted by law.
We will also collect, use, disclose and/or cross-border transfer the following Sensitive Data about you:
1) health data (e.g., congenital disease, food allergy);
2) disability; and
If you provide Personal Data of any third party to us, e.g. their name and telephone number for emergency contact, please provide this Privacy Notice for their acknowledgement and/or obtaining consents where applicable.
2. Why we collect, use and/or disclose your Personal Data
2.1. The purpose of which you have given your consent:
We rely on your consent to collect, use, disclose and/or cross-border transfer your Sensitive Data for the following purposes:
- Health data, such as congenital disease and food allergy, for the purpose of facilitation and security in our events and activities, and for preparation in any emergency cases;
- Disability for the purpose of facilitation and security in our events and activities, and for preparation in any emergency cases; and
- Religion for the purpose of authentication and verification of a person, for the purpose of equal opportunities and diversity, and for the purpose of contractual sign-off/engagement if you are an authorized person or contact person of your company.
Where legal basis is consent, you have the right to withdraw consent at any time. This can be done so, by contacting BMW contact center at 1397 The withdrawal of consent will not affect the lawfulness of the collection, use and disclosure of your Personal Data and Sensitive Data based on your consent before it was withdrawn.
2.2. The purposes we may rely on and other legal grounds for processing your Personal Data
Depending on the nature of our relationship with you, we collect, use and/or disclose your Personal Data for the following purposes, on the legal basis of legitimate interests, entering into or performance of contract, legal compliance, consent, or any other basis as permitted by applicable laws, as the case may be:
1) Business purposes: such as, to proceed with the transaction made by Business Partner, and perform any obligations and/or request made by Business Partners; to communicate with the Business Partner about products, services and projects of us or Business Partner (e.g., by responding to inquiries or requests);
2) Business Partner selection: such as, to verify your identity and Business Partner status, to conduct due diligence or any other form of background checks or risk identification on you and the Business Partner (including screening against publicly available government law enforcement agency and/or official sanctions lists); to evaluate suitability and qualifications of you and the Business Partner, to issue request for quotation and bidding; to execute contract with you or the Business Partner;
3) Business Partner data management: such as, to maintain and update lists/directories of Business Partner (including your Personal Data); to keep contracts and associated documents in which you may be referred to;
4) Relationship management: such as, to plan, perform, and manage the (contractual) relationship with the Business Partner (e.g., by performing transactions and orders of products or services, processing payments, performing accounting, auditing, billing and collection activities, arranging shipments and deliveries); to provide support services and keep tracks and records; to provide you a privilege and other offer; to learn more from your satisfaction; to manage and handling on complaint; to facilitate you on overseas events/trips and process on VISA application; to provide access to BMW system and other applications;
5) Business analysis and improvement: such as, to conduct research, data analytics, assessments, surveys and evaluation, reports on our products, services and your or the Business Partner's performance; to develop and improve marketing strategies and products and services;
6) Registration and Authentication: such as, to register, verify, identify, and authenticate you or your identity;
7) Complying with reasonable business requirements, including but not limited to internal management, training, service quality, auditing, reporting, submissions or filings, data processing, control or risk management, statistical, trend analysis and planning or other related or similar activities;
8) IT systems and support: such as, to provide IT and helpdesk supports; to create and maintain code and profile for you; to manage your access to any systems to which we have granted you access; to remove inactive accounts; to implement business controls to enable our business to operate; to enable us to identify and resolve issues in our IT systems; to keep our systems secure, to perform IT systems development, implementation, operation and maintenance;
9) Security and system monitoring: such as, to authenticate and access controls and logs where applicable; to monitor system, devices and internet; to ensure IT security, prevention and solving crimes, as well as risk management and fraud prevention;
10) Dispute handling, such as, to solve disputes, enforce our contracts, establish, and exercise or defense of legal claims;
11) Any investigation, complaints and/or crime or fraud prevention;
12) Compliance with internal policies and applicable laws, regulations, directives and regulatory guidelines;
13) Liaising and interacting with and responding to government authorities or courts or tribunals;
Where we need to collect your Personal Data as required by law, or for entering into or performing the contract we have with you or Business Partner and you fail to provide that data when requested, we may not be able to fulfill the relevant purposes as listed above.
We will only collect, use, and/or disclose sensitive data on the basis of your explicit consent or where permitted by law.
3. To whom we may disclose or transfer your Personal Data
3.1. BMW Group
As BMW (Thailand) Co., Ltd is part of a BMW Group which all collaborate and partially share Business Partner services and systems including website-related services and systems, we may need to transfer your Personal Data to, or otherwise allow access to such Personal Data by other companies within BMW Group for the purposes set out above. This will allow other companies within BMW Group to rely on consent obtained by BMW (Thailand) Co., Ltd
3.2. Our service providers
We may use other companies, agents or contractors to perform services on behalf of or to assist with the business relationship with you. We may share Personal Data including, but not limited to (1) internet, software, website developer, digital media, IT service providers and IT support company; (2) logistic and courier service providers; (3) payment and payment system service providers; (4) analytics service providers; (5) survey agencies; (6) auditors; (7) marketing, advertising media, designer, creative, and communications agencies; (8) call center; (9) campaign, event, market organizers, and agency; (10) telecommunications and communication service providers; (11) outsourced administrative service providers; (12) data storage and cloud service providers; (13) printing service providers; (14) insurance company and broker; (15) collection and legal and registrations service providers; and/or (15) auction house service provider.
In the course of managing our business relationship, the service providers may have access to your Personal Data. However, we will only provide our service providers with the information that is necessary for them to perform the services, and we ask them not to use your information for any other purposes. We will ensure that all the service providers we work with will keep your Personal Data secure.
3.3. Our Business Partner
We may transfer your Personal Data to our Business Partner to conduct business and services provided that the receiving Business Partner agrees to treat your Personal Data in a manner consistent with this Privacy Notice, such as our dealer, and sale representative agencies.
3.4 Third parties permitted by law
In certain circumstances, we may be required to disclose or share your Personal Data in order to comply with a legal or regulatory obligations. This includes any law enforcement agency, court, regulator, government authority or other third party where we believe this is necessary to comply with a legal or regulatory obligation, or otherwise to protect our rights, the rights of any third party or individuals’ personal safety, or to detect, prevent, or otherwise address fraud, security or safety issues.
3.5 Professional advisors
This includes lawyers and auditors who assist in running our business and defending or bringing any legal claims.
We may transfer your Personal Data to Thailand Hire-Purchase Association.
3.7 Assignee of rights and/or obligations
4. International Transfers
We may disclose or transfer your Personal Data to third parties or servers located overseas, which the destination countries may or may not have the same data protection standards. We take steps and measures to ensure that your Personal Data is securely transferred and that the receiving parties have in place suitable data protection standards or other derogations as allowed by laws. We will request your consent where consent to cross-border transfer is required by law.
5. How long do we keep your Personal Data
We retain your Personal Data for as long as is reasonably necessary to fulfil purpose for which we obtained it, and to comply with our legal and regulatory obligations. If data is processed for several purposes, the data is deleted automatically or saved in a form that cannot be traced back to you once the last specified purpose has been met. However, we may have to retain your Personal Data for a longer duration, as required by applicable law
6. Your rights as a data subject
Subject to applicable laws and exceptions thereof, you may have the following rights to:
1) Access: You may have the right to access or request a copy of the Personal Data we are processing about you. For your own privacy and security, we may require you to prove your identity before providing the requested information to you.
2) Rectification: You may have the right to have incomplete, inaccurate, misleading, or or not up to date Personal Data that we process about you rectified.
3) Data Portability: You may have the right to obtain Personal Data we hold about you, in a structured, electronic format, and to transmit such data to another data controller, where this is (a) personal information which you have provided to us, and (b) if we are processing that data on the basis of your consent or to perform a contract with you.
4) Objection: You may have the right to object to certain processing of your Personal Data such as objecting to direct marketing.
5) Restriction: You may have the right to restrict our processing of your Personal Data where you believe such data to be inaccurate, our processing is unlawful or that we no longer need to process such data for a particular purpose.
6) Withdraw Consent: For the purposes you have consented to our processing of your Personal Data, you have the right to withdraw your consent at any time.
7) Deletion: You may have the right to request that we delete or de-identity Personal Data that we process about you, except we are not obligated to do so if we need to retain such data in order to comply with a legal obligation or to establish, exercise or defend legal claims.
8) Lodge a complaint: You may have the right to lodge a complaint to the competent authority where you believe our processing of your Personal Data is unlawful or noncompliance with applicable data protection law.
7. Changes to this Privacy Notice
We may amend this Privacy Notice from time to time as our data protection practices change, due to various reasons, such as technological change, change in law. The amendments to this Privacy Notice will be effective upon being published by us on http://www.bmw.co.th/business-partner-privacy. If such amendment, however, substantially affects you as a data subject, we will give you a reasonable prior notice in a suitable manner before such amendment is effective.
8. Contact Us
If you wish to contact us to exercise the rights relating to your Personal Data or if you have any queries about your Personal Data under this Privacy Notice, please contact us or our Data Protection Officer at:
Company Name: BMW (Thailand) Co., Ltd
Address: 87/2 44th, 50th and 51st Floor, CRC Tower,
All Seasons Place, Wireless Rd.,
Kwaeng Lumpini, Khet Patumwan, Bangkok 10330
Data Privacy Protection Officer: Mr. Apichart Waranichsakul
E-mail Address: DataPrivacyOfficerfirstname.lastname@example.org
Contact No: +662 305 8914
Company Name: BMW Leasing (Thailand) Company Limited.
Address: 87/2 44th – 45th and 50th – 51st Floor, CRC Tower,
All Seasons Place, Wireless Road,
Lumpini Sub-District, Pathumwan District, Bangkok 10330.
Data Privacy Protection Officer: Miss Kamolwan Kongsawat
Contact Number: +662 305 4390