Kia Connect

This privacy notice (the “Privacy Notice”) of Kia Connect GmbH ("Kia", "we", "us", “our”) applies to the collection and processing of personal data in connection with the provision of our services via our app (the "Kia Connect App") and via the relevant vehicle’s head unit (the "Head Unit", together, the “Services”) and is addressed to our customers using these Services (“you”, “your”).

In addition to the Services, Kia may offer the purchase of certain features for its customers to use with their vehicle, such as upgrades or other add-ons to the software of the customer’s vehicle (“Upgrades”). This Privacy Notice also provides certain information about the processing of personal data in connection with the purchase of such Upgrades.

Kia takes the protection of your personal data and your privacy very seriously and will process your personal data only in accordance with the GDPR and other applicable data protection and privacy laws.

Please note that in addition to this Privacy Notice, where appropriate, we may inform you about the processing of your personal data separately, for example in consent forms or separate privacy notices.

We provide our Services and Upgrades to customers across Europe. As applicable data protection laws and requirements may differ in the relevant jurisdictions, please refer to Section 22 (Local Law Amendments) for specific information in relation to your jurisdiction.

Unless expressly stated otherwise, Kia Connect GmbH is the controller of the personal data collected and processed as set out in this Privacy Notice.

If you have any questions about this Privacy Notice or our processing of your personal data, or if you wish to exercise any of your rights, you may contact us at:

Kia Connect GmbH, Theodor-Heuss-Allee 11, 60486 Frankfurt am Main, Germany

Email: info@kia-connect.eu

You may also use our contact form, which is available here: https://connect.kia.com/eu/customer-support/contact-form/

Alternatively, you may also contact our data protection officer at the contact details provided in Section 3 below.

Please note that we act as joint controllers with Kia Corporation, 12 Heolleung-ro, Seocho-gu, Seoul, 06797, Republic of Korea, for the purpose of ensuring appropriate cyber security standards for Kia vehicles and products (please refer to Section 7 for more details). We have agreed with Kia Corporation that we are the main contact point for you if you have any questions about the processing of your personal data or the essence of our arrangement with Kia Corporation in connection with the processing activities set out in Section 7 below. The same applies if you wish to exercise any of your rights in this regard. However, you may also choose to contact Kia Corporation directly. In this case, please contact Kia Europe GmbH as the designated EU Representative in accordance with Art. 27 GDPR:

Kia Europe GmbH

Data Protection Representative of Kia Corporation

Theodor-Heuss-Allee 11

60486 Frankfurt am Main, Germany

Email: dpo@kia-europe.com

Please note that we act as joint controllers with Kia Europe GmbH, Theodor-Heuss-Allee 11, 60486 Frankfurt am Main, Germany, in relation to the provision of Vehicle System OTA Updates (please refer to Section 8.2 for more details). We have agreed with Kia Europe GmbH that we are the main contact point for you if you have any questions about the processing of your personal data or the essence of our arrangement with Kia Europe GmbH in connection with the processing activities set out in Section 8.2. The same applies if you wish to exercise any of your rights in this regard. However, you may also choose to contact Kia Europe GmbH directly:

Kia Europe GmbH

Data Protection Officer

Theodor-Heuss-Allee 11

60486 Frankfurt am Main, Germany

Email: dpo@kia-europe.com

We have appointed an external data protection officer (“DPO”). You may contact our DPO at:

Kia Connect GmbH

Data Protection Officer

Theodor-Heuss-Allee 11

60486 Frankfurt am Main, Germany

Email: dpo@kia-connect.eu

This Section 4 provides you with a high-level overview of our processing of personal data. Details about the purposes of and the legal bases for our processing of your personal data, and the categories of personal data that we process, are set out in Sections 5–13 below.

Purposes

We mainly process your personal data for theprovision of our Services and the Upgrades as set out in the contract that youare about to enter or have entered into with us (“Kia Connect Terms of Use”).

In the Privacy Settings of the Head Unit, you can find additional information about certain Services or Service categories and related processing of personal data, and can activate and deactivate such Services or Service categories accordingly.

When you activate a Service or Service category, you are expressly requesting the provision of the relevant Service or Service category.

If you are not using the latest version of the infotainment software for your vehicle, you can activate and deactivate such Services and Service categories in the service list of the Kia Connect App.

We also process personal data for the other purposes specified in Sections 5–13 below.

This includes the processing of personal data for: (i) communicating with you; (ii) providing technical support; (iii) conducting direct marketing activities; (iv) conducting surveys; (v) improving our Services and developing new services (the analysis of the relevant data is based on statistical and mathematical models); (vi) ensuring that relevant Kia products and Services can be provided securely; (vii) ensuring compliance with applicable law; (viii) operating our business; (ix) conducting investigations where necessary; and (x) establishing, exercising and defending legal claims.

Legal bases

Generally, we create, collect and process your personal data where this is necessary: (i) to take steps at your request prior to entering into a contract with you (“conclusion of contract”) (Art. 6(1) b) GDPR); (ii) to perform our contract with you (Art. 6 (1) b) GDPR); or(iii) for the purposes of the legitimate interests pursued by us or a third party (Art. 6 (1) f) GDPR). A legitimate interest is when we have a business or commercial reason to use your personal data, so long as this is not overridden by your own rights and interests.

With respect to certain processing activities, we process your personal data: (i) to the extent necessary for compliance with a legal obligation to which we are subject (Art. 6 (1) c) GDPR); or (ii) where we have obtained your prior consent to the relevant processing of your personal data for a specific purpose (Art. 6 (1) a) GDPR). Please refer to Sections 5–13 for information about the legal basis applicable to the relevant processing activity.

Categories of personal data

The categories of personal data that we process are:

Sources

Unless otherwise expressly stated in this Privacy Notice, the personal data listed in Sections 5–13 are provided to us by you (e.g. by entering certain personal data in the Kia Connect App) or are collected from your vehicle (e.g. its sensors and related applications as made accessible via the Head Unit).

Your right not to provide your personal data

You have the right not to provide your personal data to us. However, please note that we will be unable to provide you with the full benefit of our Services and Upgrades or process (some of) your requests if you do not provide us with your personal data (e.g. we might not be able to process your requests without the necessary details).

Third-party use of the vehicle or Services

Generally, the information that we provide about our processing activities in this Privacy Notice also applies to cases in which a third party uses the vehicle for which you have activated or signed up to the Services. However, it should be noted that our processing activities as set out in this Privacy Notice mainly relate to vehicle-bound information.

Therefore, we are usually not able to identify the relevant person driving the car, unless such person is logged in with their personal profile or other identifiers related to the relevant person are provided.

The Kia Connect Terms of Use require you to inform third parties (i.e. other users/drivers of the vehicle) about: (i) the activation of the Services; (ii) the processing activities described in this Privacy Notice; and (iii) the fact that the provision of certain Services requires the collection and processing of location data (GPS data).

Please note that if another person uses the Kia Connect App and is connected to the same vehicle as you are (please refer to Section 4.1.2 of the Kia Connect Terms of Use for more details about the sharing of the vehicle), this person may also see the vehicle's location data (GPS data) in their account on the Kia Connect App (by using the "Find my Car and First Mile Navigation" Service), even if you are using the vehicle at this time. While this person will not be able to access your live routes, they may be able to see the live location of the vehicle.

The sign-up and log-in processes include the following:

Sign-up process for the Kia Connect App: To register on the Kia Connect App, you needto have or create a “Kia Account”,sign up to the Kia Connect App using your Kia Account login details and acceptthe Kia Connect Terms of Use. The Kia Account can also be used to register for servicesprovided by other Kia group members or certain third parties in Europe. Detailsabout our processing of your personal data in connection with the Kia Accountare provided in a separate Privacy Notice which is accessible here: https://connect.kia.com/eu/kia-account-docs/

Establishing the link between the end user device (i.e. smartphone) on which the Kia Connect App is installed, and the respective vehicle requires additional verification for which we will share with you a verification PIN.

For this purpose, the following categories of personal data are processed: personal details, contact details, contract details, vehicle data, verification data.

Log-in process: To use the Services provided in the Kia Connect App or to purchase Upgrades, you need to log into the Kia Connect App. After logging in, you can add and remove your Kia vehicle(s) and use the Services or purchase Upgrades accordingly.

For this purpose, the following categories of personal data are processed: user profile information.

Legal basis: The processing of personal data in connection with the sign-up and log-in processes is necessary for the performance of the contract that you have entered into with us, or for the conclusion of the contract with us (Art. 6 (1) b) GDPR).

The Services and features related to the User Profile include the following:

Profile Backup and Restore: This Service enables you to back up vehicle settings information in the Kia Connect App and restore it to your vehicle.

For this purpose, the following categories of personal data are processed: contact details, user profile information, vehicle data, verification data, position and movement data, usage-based data .

Personal Calendar/Navigation Synchronisation: This Service enables you to synchronise your Google Calendar or Apple Calendar on your smartphone with the integrated calendar function of the Head Unit. This allows you to see your private calendar on the Head Unit screen and to use it to set a destination. This Service is compatible with Google Calendar and Apple Calendar.

For this purpose, the following categories of personal data are processed: contact details, vehicle data, verification data, pseudonymised identifiers, usage-based data.

Legal basis: The processing of personal data in connection with Services related to the User Profile is necessary for the performance of the contract that you have entered into with us (Art. 6 (1) b) GDPR).

The remote control services include the following:

Remote Climate Control: This Service enables you to remotely control and schedule the air conditioning of your electric vehicle, including defrost functions, via the Kia Connect App.

Remote Charging (electric and plug-in hybrid vehicles only): This Service enables you to remotely initiate and stop the charging of an electric and plug-in hybrid vehicle’s battery and to schedule the charging via the Kia Connect App.

Remote Door Control: This Service enables you to remotely lock/unlock the vehicle’s doors via certain user interfaces. You will be able to lock or unlock all doors. To ensure safety and security when using this Service, the Service will check several pre-conditions. This Service can help in situations where you cannot remember whether you locked the vehicle correctly by allowing you to perform this action remotely.

Remote Heated and Ventilated Seats (electric vehicles only): This Service enables you to remotely control the front and rear seat heating and ventilation of your electric vehicle.

Remote Window Control: This Service enables you to remotely control the windows of your vehicle.

Remote Hazard Light Control: This Service enables you to remotely turn off the hazard lights.

Remote Charging Door Control: This Service enables you to remotely control the charging door of your vehicle.

Remote Frunk: This Service enables you to remotely open the vehicle’s frunk via the Kia Connect App.

Remote Battery Conditioning: This Service enables you to remotely initiate and stop the conditioning of an electric vehicle’s battery via the Kia Connect App.

Remote Light: This Service enables you to activate the flashing hazard light for a short period via the Kia Connect App.

Remote Horn and Light: This Service enables you to activate the flashing hazard light and horn signal for a short period via the Kia Connect App.

Vehicle Alert: Whenever any of the vehicle’s windows are open while the ignition is off, a notification message will be displayed in the Kia Connect App.

For these purposes, the following categories of personal data are processed: vehicle data, vehicle status information, position and movement data, technical data.

Legal basis: The processing is necessary for the performance of the contract that you have entered into with us (Art. 6 (1) b) GDPR).

The location-based remote services include the following:

Send to Car: This Service enables you to send a point of interest (POI) to the vehicle’s navigation system and immediately use the POI (e.g. as a destination for route planning) once the vehicle’s ignition is turned on.

Find my Car and First Mile Navigation: This Service enables you to locate the vehicle and to navigate to it using your smartphone. The vehicleֽ’s location will be displayed in the Kia Connect App. Please note that if another person uses the Kia Connect App and is connected to the same vehicle as you are (please refer to Section 4.1.2 of the Kia Connect Terms of Use for more details about sharing the vehicle), this person may also see the vehicle's location data (GPS data) in their account for the Kia Connect App (by using the "Find my Car and First Mile Navigation" Service), even if you are using the vehicle at this time. While this person will not be able to access your live routes, they may be able to see the live location of the vehicle.

Last Mile Navigation: This Service enables you to continue navigating to your final destination using your smartphone after parking your vehicle.

For these purposes, the following categories of personal data are processed: personal details, vehicle data, position and movement data, trips/overall driving information, usage-based data, technical data.

Legal basis: The processing is necessary for the performance of the contract that you have entered into with us (Art. 6 (1) b) GDPR).

Vehicle Status: This Service displays the following vehicle information in the Kia Connect App:

door status; charging door status; boot/bonnet status; climate status; state of charge of battery; charging plug status; charging status (electric vehicles only); fuel level (fuel/hybrid vehicles only); seat heating and ventilation status; window status; sunroof status; 12V battery status; lights status.

Vehicle Report: You receive a report in the Kia Connect App that includes vehicle diagnostics information and information on driving patterns (number of vehicle starts, driving distance and driving time/idle time). This informs you of issues that require maintenance or repairs and provides information on the severity of the issue, the urgency of repairs/maintenance and the recommended actions.

Vehicle Diagnostics: Provision of an automated diagnostics service. Upon turning on the ignition, the vehicle automatically performs a diagnostics scan (Diagnostics Trouble Code (“DTC”)). If a malfunction is detected, you receive a message explaining the malfunction, its severity and the recommended action to be taken.

Energy Consumption (electric vehicles only): This Service visualises the current and average energy consumption, driving distance and energy recuperation information in the Kia Connect App.

Driving Safety Score: This Service provides you with a driving safety score (“Driving Safety Score”) in the Kia Connect App based on your driving history, which means that we will analyse your driving behaviour over the duration of each trip, including acceleration and braking patterns, average and top speed and driving hours. The driving safety score is derived from data collected over 187 days of data, i.e. the driving safety score displayed represents an interpretation of your driving behaviour over the aggregation of the past 187 days of data.

We have engaged LexisNexis Risk Solutions (Europe) Limited (“LNRSE”) to assist us with the analysis of the relevant data (see Section 15 for more details about this service provider). All data that we share with LNRSE is pseudonymised. Please note that, if you share your car with others, the driving safety score will reflect trips made by all drivers and their combined driving behaviour.

Therefore, you are required to inform other drivers of your car about the activation of this Service. Drivers who share your car may also be able to view the driving safety score information. If you de-activate this Service, all driving safety score data will be deleted permanently.

My Trips: This Service provides a summary (for the last 90 days) of every journey with the date and time, average and maximum speed, distance driven and travel time.

For these purposes, the following categories of personal data are processed: vehicle data, vehicle status information, pseudonymised identifiers, position and movement data, trips/overall driving information, usage-based data, technical data.

Legal basis: The processing is necessary for the performance of the contract that you have entered into with us (Art. 6 (1) b) GDPR).

The remote monitoring and alerts Services include the following:

Burglar Alarm (only for vehicles that are equipped with a burglar alarm system): Whenever the burglar alarm sounds, a notification message will be displayed in the Kia Connect App.

Battery Discharge Alarm: Whenever the state of charge of the 12V battery drops below a certain level, a notification message will be displayed in the Kia Connect App.

Rear Passenger Alarm: Whenever movement is detected on the rear seat and the vehicle is in Park, a notification message will be displayed in the Kia Connect App.

Vehicle Idle Alarm: Whenever the vehicle is in the parking gear while the engine is running and a door is opened, a notification message will be displayed in the Kia Connect App.

High-Voltage Battery Monitoring Warning System (electric vehicles only): The status of the high-voltage battery is monitored: Whenever a malfunction is detected, a notification message will be displayed in the Kia Connect App and the Head Unit. Where the malfunction could cause damage to the vehicle or physical harm to you or other persons in or outside the relevant vehicle, we will share that information and the vehicle identification number (VIN) of your vehicle with the Kia national sales company or the Kia distributor, who may get in touch with you directly to warn you about the malfunction and the potential risk of damage or physical harm. Upon receipt of the information from us, the relevant Kia national sales company or Kia distributor will process such information as a separate and independent controller. Please note that we will share such information only where the malfunction is considered severe and there is a risk of damage to the vehicle or physical harm.

Valet Parking Mode: This Service enables you to monitor the vehicle’s location, the time ignition was last turned off, driving time, driving distance and top speed in the Kia Connect App.

Valet Alert: This Service enables you to receive notifications in the Kia Connect App if your vehicle travels beyond the selected distance limit, speed limit and idle time limit you have predefined in the Kia Connect App. The permitted travel distance is the vehicle’s distance from the location where the Service was activated.

Geofence Alert: This Service enables you to receive notifications in the Kia Connect App if your vehicle exits an allowed area or enters a restricted area. You can set the boundaries for allowed areas and restricted areas in the Kia Connect App.

Speed Alert: When activated in the Head Unit, this Service enables you to receive notifications in the Kia Connect App if your vehicle exceeds the speed limit you have preset in the Kia Connect App.

Time Fencing Alert: This Service enables you to receive notifications in the Kia Connect App if your vehicle is driven outside of the time windows you have predefined in the Kia Connect App.

Idle Alert: This Service enables you to receive notifications in the Kia Connect App if your vehicle is driven beyond the idle time limit you have predefined in the Kia Connect App.

For these purposes, the following categories of personal data are processed: vehicle data, position and movement data, trips/overall driving information, usage-based data, technical data.

Legal basis: The processing is necessary for the performance of the contract that you have entered into with us (Art. 6 (1) b) GDPR).

The sharing of the relevant information with third parties for the High-Voltage Battery Monitoring Warning System as mentioned in Section 5.5.5. is necessary for the purpose of the legitimate interests pursued by us, but also our customers and other third parties (Art. 6 (1) f) GDPR). The legitimate interests are: ensuring the proper provision and function of our Services, providing safe Services and products to our and Kia group customers, protecting our customers’ health and life, protecting our customers’ property, and protecting the health, life and property of other people in or around the vehicle.

This Service enables you to use your smartphone to carry out services such as locking and unlocking your vehicle, activating the vehicle’s climate control or starting the vehicle (only from inside the vehicle) using the built-in, ultra-wide band (“UWB”) functionality and near-field-communication (“NFC”) functionality of your smartphone. It allows you to share and manage your Digital Key with up to three additional devices, e.g. those belonging to family and friends. Please note that when using this Service, data is exchanged between the mobile smart device and the vehicle using the UWB or NFC functionalities. This data is not transmitted to us.

For this purpose, the following categories of personal data are processed: personal details, contact details, user profile information, pseudonymised identifiers, usage-based data, technical data, digital key information.

Legal basis: The processing is necessary for the performance of the contract that you have entered into with us (Art. 6 (1) b) GDPR).

By activating "Product/Service Improvement", data regarding the performance, usage, operation and condition of the vehicle will be processed by us in order to improve product and service quality based on your consent. Your consent is voluntary and can be withdrawn at any time by deactivating the respective button. The withdrawal of your consent will not affect the lawfulness of processing based on such consent before its withdrawal. To activate "Product/Service Improvement", it is also necessary to activate the geographic information system ("GIS") for technical reasons.

For this purpose, the following categories of personal data are processed: consent records, vehicle data, position and movement data, usage-based data.

Legal basis: The processing is based on your prior consent (Art. 6 (1) a) GDPR). Your consent is voluntary and can be withdrawn at any time (e.g. by deactivating the respective consent button in the consent list of the Kia Connect App). The withdrawal of your consent will not affect the lawfulness of processing based on such consent before its withdrawal.

This Service allows you to synchronise the “Preferred Dealer” information between your account on the MyKia website and your account in the Kia Connect App. Synchronisation is optional and must be enabled before it can be used. If you choose not to synchronise the “Preferred Dealer” information, the “Preferred Dealer” feature in the Kia Connect App is still available but the information shown could differ from the information in your account on the MyKia website.

For this purpose, the following categories of personal data are processed: contact details, vehicle data, technical data, dealer information.

Legal basis: The processing is necessary for the performance of the contract that you have entered into with us (Art. 6 (1) b) GDPR).

Car Sharing

You can share the remote Services with other users through the“Request to Share Car” function in the Kia Connect App. When you do so, we willprocess certain vehicle and user account-related data to initiate and processyour sharing request. Share request information such as your name and PIN willbe transmitted to and processed in the other user’s account for the Kia ConnectApp. The other user can use the Kia Connect App for the linked vehicle in thesame way as you. They can also use the “Find my car” function.

For this purpose, the following categories of personal data are processed: personal details, contact details, vehicle data, verification data.

Legal basis: The processing is necessary for the performance of the contract that you have entered into with us (Art. 6 (1) b) GDPR) and in connection with our legitimate interests in delivering our Services (Art. 6 (1) f) GDPR). Please note that when you use this Service, you will share all of your personal data, excluding your login details, that is stored in your Kia Connect App account with the other users. You can deactivate this function at any time. Deactivation stops the sharing of data, and we will delete all shared data in the other user’s account for the Kia Connect App.

The home menu map displays your current location. The home menu search bar can be used to search for points of interest (POI).

For this purpose, the following categories of personal data are processed: position and movement data, usage-based data, technical data.

Legal basis: The processing is necessary for the performance of the contract that you have entered into with us (Art. 6 (1) b) GDPR).

You can use certain functions of the Kia Connect App with Touch ID or Face ID (iOS) or fingerprint and face recognition (Android) to unlock. Your biometric data is stored only locally on your smartphone and is not transmitted to us. Therefore, we are not able to access this data. Only the information on whether verification of the biometric data was successful is transmitted to the Kia Connect App by a system function of your smartphone. You can turn off the use of Touch ID or Face ID (iOS) or fingerprint and face recognition (Android) at any time in the respective settings of your smartphone.

For this purpose, the following categories of personal data are processed: verification data.

Legal basis: The processing is necessary for the performance of the contract that you have entered into with us (Art. 6 (1) b) GDPR).

Firebase Crashlytics

To improve the security and stability of the Kia Connect App and the Services, we rely on the analysis of anonymised crash reports. For this purpose, we use “Firebase Crashlytics”, a service of Google Ireland Ltd., Google Building Gordon House, Barrow Street, Dublin 4, Ireland.

In order to provide us with anonymised crash reports, in the event of a crash or malfunction of the Kia Connect App, “Firebase Crashlytics” collects the information mentioned below and may transmit such information to Google servers in the USA. Please note that the crash reports that we will be provided with will not contain any information via which we could trace the identity of a user. Any information collected by and stored within “Firebase Crashlytics” will be deleted within 90 days’ upon collection.

For more information about “FirebaseCrashlytics” and how Google is processing your personal data, please refer tothe following links:

https://firebase.google.com/

https://firebase.google.com/terms/crashlytics/

https://firebase.google.com/support/privacy

For this purpose, the following categories of personal data are processed: technical data.

Legal basis: The processing is necessary forthe purpose of the legitimate interests pursued by us (Art. 6 (1) f) GDPR). Ourlegitimate interests are: ensuring and optimising the security and stability ofthe Kia Connect App and our Services.

Notification Centre

For this purpose, the following categories of personal data are processed: vehicle data, pseudonymised identifiers, usage-based data.

The Notification Centre enables you to receive messages from Kia on the Head Unit screen. Such messages include inter alia Recall Campaign Notifications regarding your vehicle, Service Reminders and Service Action Notifications.

Legal basis: The processing is necessary for the performance of the contract that you have entered into with us (Art. 6 (1) b) GDPR).

Vehicle related notifications

Recall Campaign Notifications: We will send you notifications about open recall campaign(s) to your vehicle using the Notification Centre referred to above. Recall campaign notifications may also be sent to you by other means (e.g. within the Kia Connect App, via email to your registered email address or by mailed letter).

Service Reminders: We will send you reminders for upcoming regular maintenance dates for your Kia vehicle using the Notification Centre referred to above.

Service Action Notifications: We may also inform you about outstanding recommended service actions (such as software updates, part replacements with improved parts or quality checks to be carried out on certain components of your Kia vehicle). Information on recommended service actions may be provided to you via the Notification Centre referred to above and/or within the Kia Connect App or via email to your registered email address.

Mandatory Vehicle Inspection Reminders (such as TÜV in Germany or MOT in the UK): We will inform you about upcoming mandatory vehicle inspections. For example, reminders about the “Ministry of Transport” test (commonly referred to as “MOT”) for vehicles in the UK. Except for the “MOT” in the UK, use of this Service requires that you provide Kia with the correct date of the last mandatory vehicle inspection and the date the vehicle was first registered. For vehicles registered in the UK, we have been authorised by the Department for Transport (“DfT”) of the Government of the UK to access certain MOT vehicle history data (namely, MOT due dates and vehicle registration numbers) via the DfT’s MOT history API. As we usually do not process vehicle registration numbers, we will work with Kia UK Limited to match the vehicle registration number with the VIN so that we can provide you with this Service.

For these purposes, the following categories of personal data are processed: consent records, vehicle data, vehicle status information, pseudonymised identifiers, usage-based data.

Legal basis: The processing is necessary for the performance of the contract that you have entered into with us (Art. 6 (1) b) GDPR). The processing of data for Service Action Notifications (Section 6.1.2.3.) is subject to your prior consent (Art. 6 (1) a) GDPR). Your consent is voluntary and can be withdrawn at any time. The withdrawal of your consent will not affect the lawfulness of processing based on such consent before its withdrawal.

Kia Connect Live Services include the following:

For these purposes, the following categories of personal data are processed: contact details, vehicle data, pseudonymised identifiers, position and movement data, usage-based data, technical data, dynamic traffic information, weather information, dealer information.

Legal basis: The processing is necessary for the performance of the contract that you have entered into with us (Art. 6 (1) b) GDPR).

We will also process the data referenced above for the purpose of improving the Kia Connect Live Services.

The processing is necessary for the purpose of the legitimate interests pursued by us (Art. 6 (1) f) GDPR). Our legitimate interests are: improving the Kia Connect Live Services.

The location-based in-vehicle Services include the following:

EV Route Planner (only for electric vehicles and plug-in hybrid electric vehicles): When setting a navigation destination in the vehicles’ built-in navigation system, this Service evaluates whether reaching the destination will likely require a charging stop. If a charging stop will be required based on the vehicle’s current state of charge and the estimated rate of energy consumption, the Service will automatically add one or more charging points to the proposed route as intermediate stops. The Service will automatically adapt the proposed charging stops if the driver chooses to make an earlier charging stop, to skip a proposed charging stop or if the driving conditions result in a higher energy consumption than expected.

EV POI (only for electric vehicles and plug-in hybrid electric vehicles): This Service provides information on nearby charging stations including availability status based on the current position.

Preferred Route: This Service compares route types on your vehicle’s navigation system and provides alternative routes using preferred actual routes from the activated driver profile.

Google Places Search Improvement: This Service allows you to benefit from Google’s improved search functionality. For this purpose, we share location data with Google and Google provides us with relevant information via the Google Place API. Please note that Google does not receive any other information from us.

Emergency Vehicle Approaching: This Service notifies you in the Head Unit when an emergency vehicle such as an ambulance is approaching.

For these purposes, the following categories of personal data are processed: contact details, vehicle data, pseudonymised identifiers, position and movement data, usage-based data, technical data, dynamic traffic information.

Legal basis: The processing is necessary for the performance of the contract that you have entered into with us (Art. 6 (1) b) GDPR). We will also process the data referenced above for the purpose of improving the location-based in-vehicle Services. The processing is necessary for the purpose of the legitimate interests pursued by us (Art. 6 (1) f) GDPR). Our legitimate interests are: improving the location-based in-vehicle Services.

This Service enables the use of spoken commands to access and control certain functions of your vehicle and to draft and send text messages via a connected mobile device. Online Voice Recognition is operated in an online (cloud) environment. This Service requires the transfer of your personal data (i.e. voice samples) to our service provider Cerence B.V. and its sub-processors, which may be located in countries outside the EU/EEA and may not provide for an adequate level of data protection (please refer to Sections 15 and 16 for more details). You can prevent the transfer of your personal data to Cerence B.V. and its sub-processors by deactivating the Online Voice Recognition Service in the respective settings of your Head Unit. If you deactivate the Online Voice Recognition Service, the voice recognition functionality of your vehicle may be limited or disabled.

Cerence B.V. transforms the voice samples into text samples, semantically interpreting them (if necessary), and then sends the result back to the vehicle.

For this purpose, the following categories of personal data are processed: pseudonymised identifiers, position and movement data, usage-based data, recording data . As a pseudonymised identifier, a unique ID will be created for registering with the server of Cerence B.V. The user ID and vehicle identification number (VIN) or any other identifiers are not linked to each other. This means that Cerence B.V. cannot identify a natural personal from the data transmitted to it.

Legal basis: The processing is necessary for the performance of the contract that you have entered into with us (Art. 6 (1) b) GDPR).

We will also process position and movement data, recording data and usage-based data for the purpose of performing and improving the Online Voice Recognition Service.

The processing is necessary for the purpose of the legitimate interests pursued by us (Art. 6 (1) f) GDPR). Our legitimate interests are: improving the Online Voice Recognition Service.

If you have activated the Online Voice Recognition Service mentioned above, you may use the Kia AI Assistant, which is an AI-powered chatbot based on the Online Voice Recognition Service and is designed to assist you with general queries about your journeys, managing your vehicle, and searching for information and places. The Kia AI Assistant is activated either by pressing the voice recognition button or by saying “Hey, Kia!”, both followed by your command. For the purpose of providing this Service, we have engaged the service providers Cerence B.V. for the Online Voice Recognition Service (cf. Section 6.4) and OpenAI Ireland Limited (“OpenAI”). However, please note that no personal data is shared with OpenAI.

For this purpose, the following categories of personal data are processed: pseudonymised identifiers, usage-based data, recording data.

Legal basis: The processing is necessary for the performance of the contract that you have entered into with us (Art. 6 (1) b) GDPR).

The relevant entertainment package needs to be activated via the Kia Connect Store before it is available in your vehicle.

Internet in the Car: When you activate the relevant entertainment package in the Kia Connect Store, you will be redirected to the registration page of the Vodafone group member or Vodafone partner that provides telecommunication services in your country (“Vodafone”) to register with their internet service so that you can be provided with internet in the car (“IITC”), without which you would not be able to use the Services of the entertainment package.

For the purposes of your registration with Vodafone and receiving IITC, we will share certain personal data about you with the Vodafone group (namely, Vodafone Global Enterprise Ltd (“VGEL”) and Vodafone GmbH (“Vodafone Germany”)).

In connection with managing your entertainment package and the applicable costs and fees, VGEL and Vodafone Germany will provide us with your account ID, information about the relevant SIM card, and other information about your order and data usage.

Please note that the relevant Vodafone group members and partners will process your personal data as separate and independent controllers. Please refer to their privacy notices for more details about their processing of your personal data.

For this purpose, the following categories of personal data are processed: personal details, contact details, contract details, pseudonymised identifiers, technical data, purchase details.

Legal basis: The processing is necessary for the performance of the contract that you have entered into with us (Art. 6 (1) b) GDPR).

The processing of your SIM card data (namely, IMSI) and related data usage is necessary for the purpose of the legitimate interests pursued by us (Art. 6(1) f) GDPR). The legitimate interests are: ensuring efficient allocation of costs within the Kia Group in relation to entertainment packages purchased by our customers.

Depending on the chosen entertainment package (Entertainment Standard, Entertainment Plus or Entertainment Plus Wi-Fi), the Services listed below are available through our various cooperation partners directly in the vehicle. In relation to webOS and the streaming services, please note that the content providers compatible with these Services may vary depending on your location and the software version of your Head Unit.

Wi-Fi Hotspot: The Wi-Fi hotspot allows you and your guests to access the internet and make use of the provided content through suitable end-devices (up to 5 devices).

Music Streaming: This Service allows you to enjoy your favourite music and audio (podcasts, audio books) streaming services via the vehicle’s infotainment system using the integrated screen and speakers. Please note that this Service does not include the subscription with the respective streaming service. You need to create an account and set up a subscription with your favourite streaming service provider separately. Further information about this Service is provided in Section 4.2.2.6 of the Kia Connect Terms of Use.

Video Streaming: Video streaming allows you to watch videos directly on the integrated screen of your car while the car is parked and in Park (P). You have access to the available content providers depending on the entertainment package you have purchased in the Kia Connect Store. Please note that this Service does not include the subscription with the respective streaming service. You need to create an account and set up a subscription with your streaming service provider separately if necessary.

Content access through provided apps (webOS): If you have selected and purchased the Entertainment Plus or Entertainment Plus Wi-Fi package, you will have access to the content which is provided through the LG webOS solution (Entertainment tile in the car). The following content is available: YouTube, Disney +, Netflix, LG Channels, Stingray Karaoke, Playworks, Baby Shark, El Dorado, Gold Tower Defence, TikTok. The content providers compatible with this Service may vary depending on your location and the software version of your Head Unit.

For this purpose, the following categories of personal data are processed: vehicle data, verification data, pseudonymised identifiers, usage-based data.

Legal basis: The processing is necessary for the performance of the contract that you have entered into with us (Art. 6 (1) b) GDPR).

Subject to the registration with Kia Pay and activation on the Kia Connect App, ICP allows you to conduct certain payments directly from your car. Details about our processing of your personal data in connection with this Service are provided in a separate Privacy Notice , which is accessible here: https://connect.kia.com/eu/downloads-in-car-payment/

When you activate the Services in the Head Unit, and depending on the technical equipment of your vehicle, we collect and process security event-related data of your vehicle for the purpose of managing and monitoring appropriate cyber security standards of Kia vehicles and products. However, such data will first be stored in your vehicle. Only if an abnormal signal is detected will the data be sent to our systems for further analysis. There is no continuous transfer of such data out of the vehicle, and your vehicle will periodically store the last 100 generated security events. In case of a new security event, the oldest security event and related data will be deleted.

We will share the relevant data with Kia Corporation, 12 Heolleung-ro, Seocho-gu, Seoul, 06797, Republic of Korea (“Kia HQ”), so that Kia HQ can monitor the appropriate cyber security standards of the relevant Kia vehicles and products on an operational and technical level. This means that the data will be processed and analysed for the purpose of preventing cyber security threats and vulnerabilities, responding to and eliminating detected threats and vulnerabilities from potential cyber security attacks, as well as ensuring the appropriate security of Kia vehicles and products.

Please note that we and Kia HQ will process your personal data for such purposes as joint controllers.
For this purpose, the following categories of personal data are processed: vehicle data, cybersecurity data.
Legal basis: For Kia HQ, the processing is necessary for compliance with a legal obligation (Art. 6 (1) c) GDPR) and for the purpose of the legitimate interests pursued by Kia HQ (Art. 6 (1) f) GDPR). Kia HQ’s legitimate interests are: ensuring and improving the security of Kia vehicles. For us, the processing is necessary for the purpose of the legitimate interests pursued by us and Kia HQ (Art. 6 (1) f) GDPR). Our legitimate interests are: assisting Kia HQ with their efforts to comply with applicable laws, and ensuring and improving the security of Kia vehicles.

OTA (over-the-air) Updates include the following:

Maps and Infotainment OTA Update

The “Maps and Infotainment OTA Update” enables:

updates of the maps in the vehicle's navigation system (“Maps Update”); and/or

updates of infotainment software or enhancements of Head Unit software (“Infotainment Update”)

from our servers to the embedded telematics system using the “over-the-air” method.

Further information about the Maps Update and the Infotainment OTA Update is provided in Section 4.2.3. (b) of the Kia Connect Terms of Use.

For the avoidance of doubt, if you receive the Maps Updates and/or Infotainment Updates by accessing the web page https://update.kia.com/EU/E1/Main or at the dealership, these updates are not offered to you via the “over-the-air” method, and we are not the controller of the related processing of personal data.

Vehicle System OTA Update enables the updating of embedded software of certain control units of the vehicle with newer versions of the software or with updated parameters (“Vehicle System Update”) from our servers using the “over-the-air” method. We provide you with Vehicle System OTA Updates for various reasons and purposes, in particular to remedy a defect within the warranty period, within the scope of the manufacturer's guarantee or for other security-related reasons. Further information about Vehicle System OTA Updates is provided in Section 4.2.3.3 of the Kia Connect Terms of Use.

Please note that, in connection with the provision of vehicle system OTA Updates (including for making Vehicles System OTA Updates more efficient and convenient, ensuring that Vehicle System OTA Updates meet technical requirements and standards (in particular with regard to cyber security and system stability) and for steering the deployment and monitoring of the Vehicle System OTA Updates on a global level), we will share your personal data with Kia Europe GmbH, Theodor-Heuss-Allee 11, 60486 Frankfurt am Main, Germany (“Kia EU”). Kia EU and we will process your personal data as joint controllers.

For the avoidance of doubt, if you receive Vehicle System Updates by accessing the web page https://update.kia.com/EU/E1/Main or at the dealership, these Updates are not offered to you via the “over-the-air” method, and we are not the controller of the related processing of personal data.

For this purpose, the following categories of personal data are processed: vehicle data, vehicle status information, pseudonymised identifiers, position and movement data, technical data, OTA-related data.

Legal basis: The processing is necessary for the performance of the contract that you have entered into with us (Art. 6 (1) b) GDPR). With respect to the Vehicle System OTA Update, the processing is also necessary for the purpose of the legitimate interests pursued by us and Kia EU (Art. 6 (1) f) GDPR. The legitimate interests are: making Vehicle System OTA Updates more efficient and convenient and ensuring that Vehicle System OTA Updates meet technical requirements and standards, in particular with regard to cyber security and system stability. For Kia EU, the processing is necessary for compliance with a legal obligation (Art. 6 (1) c) GDPR), and for the purpose of the legitimate interests pursued by Kia EU and other members of the Kia group (Art. 6 (1) f) GDPR).

The legitimate interests are: ensuring that Kia EU and other members of the Kia group comply with legal obligations, ensuring that Kia as a member of the Kia group is able to provide good and appropriate Services to its customers, making Vehicle System OTA Updates more efficient and convenient, steering the deployment and monitoring of the Vehicle System OTA Updates on a global level, and ensuring that Vehicle System OTA Updates meet the technical requirements and standards, in particular with regard to cyber security and system stability.

Kia Connect Diagnosis: In case of malfunction of your type of Kia vehicle or vehicle model, we may assist the vehicle manufacturer in troubleshooting the issue on a general basis by way of a remote diagnosis. For this purpose, we will collect the diagnostics trouble code from the vehicle and then anonymise the relevant data before sharing the data with the vehicle manufacturer for their analysis.

For this purpose, the following categories of personal data are processed: vehicle data, technical data.

Legal basis: The processing is necessary for the purpose of the legitimate interests pursued by us, but also our Kia customers and the Kia vehicle manufacturer (Art. 6 (1) f) GDPR). The legitimate interests are: fixing technical issues in relation to certain types of Kia vehicles or vehicle models.

As referenced in the Kia Connect Terms of Use, Kia may offer Upgrades. Upgrades can be purchased in the store section of the Kia Connect App (“Kia Connect Store”). Please refer to Section 5 of the Kia Connect Terms of Use for more details about Upgrades.

The Upgrades themselves will not require the processing of personal data, unless the relevant Upgrade includes or relates to a Service referenced above. In such cases, we will inform you about the processing of personal data in connection with such Service in the relevant Section above. Please note that in some cases, the use of the Service “Vehicle System OTA Update” will be required to install an Upgrade. Please refer to Section 8.2 for more details about the personal data processed in connection with Vehicle System OTA Update and the applicable legal basis for such processing.

It is possible for a vehicle to be linked to the Kia Connect accounts of several users. Where this is the case, we will inform the user who first linked their Kia Connect account to the relevant vehicle (“Main User”) and any further users who have linked the vehicle to their Kia Connect account (“Shared Users”) via email about the purchase of an Upgrade by another Shared User and the activation and deactivation (if applicable) of the respective Upgrade.

For these purposes, the following categories of personal data are processed: personal details, contact details, vehicle data, pseudonymised identifiers, technical data, purchase details.

Legal basis: The processing is necessary for the performance of the contract that you have entered into with us (Art. 6 (1) b) GDPR).

You can select Upgrades and/or certain Services and purchase and/or activate them in the in the Kia Connect Store (as defined in Section 10.1). Details about the processing of your personal data in connection with the Kia Connect Store and the purchase process are provided in the Kia Connect Store Privacy Notice, which is accessible in the Kia Connect Store and is also made available here: https://connect.kia.com/eu/downloads.

The processing of your payment is subject to a separate privacy notice (“Kia Pay Privacy Notice”), which will be made available to you before you issue the payment for the relevant Upgrade or Service in the Kia Connect Store. The Kia Pay Privacy Notice is also available here: https://connect.kia.com/eu/downloads.

In addition to the processing activities set out above, we process your personal data for the following purposes:

Communication: We process your personal data to communicate with you in relation to the Services or the contract that you have entered into with us (e.g. to provide customer support, to inform you about technical issues with the Services, to perform our contractual obligations, to inform you about changes to the Kia Connect Terms of Use or this Privacy Notice) via several communication channels, including the Head Unit of your vehicle (for example, through the Notification Centre or the infotainment system), email, telephone and notifications within the Kia Connect App (for this purpose, the Kia Connect App provides a separate inbox). If you have the Kia Connect App installed on a device and permit push notifications via the device settings, we process your personal data to inform you about matters and updates that are essential for the maintenance of the Kia Connect App functionalities (for example, notification of a necessary security update or a lost vehicle connection). When you contact us via available communication channels (e.g. contact form on our website or in the Kia Connect App, email or telephone), we process your personal data to handle your request and communicate with you accordingly in relation to your request. Certain fields in the contact form in the Kia Connect App will be pre-filled to make using the contact form more convenient for you. For information about communication regarding our marketing activities, please see Section 13.3. For information about our communication with you regarding Upgrades purchased for your vehicle, please see Section 10.2 .

For this purpose, the following categories of personal data are processed: personal details, contact details, contract details, communication data, vehicle data, pseudonymised identifiers, technical data.

Legal basis: The processing is necessary for the performance of the contract that you have entered into with us (Art. 6 (1) b) GDPR), or for the purpose of the legitimate interests pursued by us (Art. 6 (1) f) GDPR). Our legitimate interests are: providing the best possible service to our customers and appropriately answering and processing our customers’ requests.

Technical Support: Where a technical issue has been detected in relation to your vehicle and the Services, we might be required to read out information from your vehicle for the purpose of analysing such information and to resolve the detected issue. Subject to your prior consent, we will collect and process what is known as a log file of the Head Unit from your vehicle, which contains certain categories of personal data. Your consent is voluntary and can be withdrawn at any time (e.g. by using our contact form available in the “Customer Support” section under “Contact Us” on our website (https://connect.kia.com/eu/customer-support/contact-form/)). The withdrawal of your consent will not affect the lawfulness of processing based on such consent before its withdrawal. However, please note that the refusal to grant or the withdrawal of your consent might prevent us from offering or completing an analysis of the detected issue of your vehicle and the Services.

For this purpose, the following categories of personal data are processed: consent records, vehicle data, vehicle status information, position and movement data, usage-based data, technical data.

Legal basis: The processing is based on your prior consent (Art. 6 (1) a) GDPR). Your consent is voluntary and can be withdrawn at any time. The withdrawal of your consent will not affect the lawfulness of processing based on such consent before its withdrawal.

Marketing: We may contact you via the Head Unit of your vehicle, email and/or notifications within the Kia Connect App (the Kia Connect App provides a separate inbox) to provide you with promotional information regarding our products and/or services or the products and/or services of other Kia group members, to ask you to participate in surveys or to provide your feedback.

In relation to emails and notifications within the Kia Connect App, this is usually subject to your prior consent and to the scope of such consent. You may give your consent by activating the respective consent button in the consent list of the Kia Connect App or by other relevant means (if applicable). Your consent is voluntary and can be withdrawn at any time (e.g. by deactivating the respective consent button in the consent list of the Kia Connect App). You may also unsubscribe from our promotional email list at any time by clicking on the unsubscribe link included in each promotional email that we send. The withdrawal of your consent will not affect the lawfulness of processing based on such consent before its withdrawal. You also have the right to object to the processing of your personal data for direct marketing purposes (see Section 14 for more details).

If you provide us with your email address as part of signing up to the Services and unless you have objected, we may send you information about similar Kia Connect services or products to the relevant email address without asking you for your prior specific consent. This is because specific consent from you as an existing customer is not required in such cases. This also applies to sending you such information via notifications within the Kia Connect App to the inbox which is provided separately within the app. However, you have the right to opt out from receiving such electronic mail marketing at any time without incurring any costs (other than the transmission costs according to the basic rates) (e.g. by deactivating the respective buttons in the “Service-related Advertising” list of the Kia Connect App). You may also unsubscribe from our promotional email list at any time by clicking on the unsubscribe link included in each promotional email that we send. You also have the right to object to the processing of your personal data for direct marketing purposes (see Section 14 for more details).

Through the consent list of the Kia Connect App, we may also obtain consent from you on behalf of an affiliated Kia entity in Europe to contact you for their direct marketing purposes. Where this is the case, we inform the relevant Kia entity about your consent and share your relevant contact details with them accordingly. In relation to the relevant Kia entity’s direct marketing activities based on such consent, the relevant Kia entity acts as a controller and is responsible for the processing of your personal data in connection with such activities. If you wish to withdraw consent that we have obtained from you on behalf of the relevant Kia entity, in addition to de-activating the respective consent button in the Kia Connect App, you may also directly contact the relevant Kia entity for the to withdrawal of your consent.

For this purpose, the following categories of personal data are processed: personal details, contact details, consent records, vehicle data, pseudonymised identifiers, technical data.

Legal basis: The processing is based on your prior consent (Art. 6 (1) a) GDPR in conjunction with applicable local marketing laws (e.g. in Germany Section 7 (2) No. 2 of the German Act against Unfair Competition (“UWG”)); or it is necessary for the purpose of the legitimate interests pursued by us (Art. 6 (1) f) GDPR in conjunction with the applicable local marketing laws (e.g., in Germany Sec. 7 (3) UWG)). Our legitimate interests are: promoting our services and products.

Your consent is voluntary and can be withdrawn at any time. The withdrawal of your consent will not affect the lawfulness of processing based on such consent before its withdrawal.

Feedback and Surveys: From time to time, we may invite you to provide your feedback and/or participate in surveys relating to us and our services, including support services (see Section 13.1 for details about our communication with you). If you provide your feedback or participate in our surveys, we may process relevant personal data for the purpose of processing and evaluating the feedback or conducting, processing and evaluating the survey. This is in order to improve our services and adapt them to our customers’ needs.

In some cases, we may conduct surveys using the Salesforce Marketing Cloud platform provided by salesforce.com Germany GmbH or the online survey tool Surveymonkey provided by Momentive Europe UC (“Momentive”) (see Section 15 for more details about these providers). To participate in surveys conducted on Surveymonkey, you may have to click a link which will be included in the survey invitation. When you click on the link, you will be referred to a website of Momentive on which the survey will be conducted. Momentive will process the survey related information on our behalf and for our purposes. Furthermore, Momentive may: (i) collect and process information about your device and other technical data to avoid multiple participations; and (ii) use cookies to recognise whether the participant has already visited the survey and to reassign responses that the relevant participant has already given. More information about Momentive’s processing of personal data is available at https://www.surveymonkey.com/mp/legal/privacy/.

For this purpose, the following categories of personal data are processed: Personal Details, Technical Data, Views and Opinions.

Legal basis: The processing is necessary for the purpose of the legitimate interests pursued by us (Art. 6 (1) f) GDPR). Our legitimate interests are: improving our services.

Route Satisfaction: From time to time, we may ask you via the Head Unit of your vehicle (through the infotainment system) to submit your feedback in order to measure your satisfaction with our route guidance and location information.

For this purpose, the following categories ofpersonal data are processed: vehicle data, pseudonymised identifiers, position and movement data, technical data, views and opinions.

Legal basis: The processing is necessary for the purpose of the legitimate interests pursued by us (Art. 6 (1) f) GDPR). Our legitimate interests are: improving our services.

Enhanced POI Service: On eligible vehicles, the Service“Live Point of Interest (POI) and Online POI Search” (see Section 6.2) will be enhanced by data provided through our partner 4.screen GmbH,Sailerstraße 17, 80809 Munich, Germany (“4.screen”) (see https://www.4screen.com/). This means that the live POIs may contain additional content from third parties. You will receive information on stores or restaurants (such as their location) via branded pins on the map or via the search function of the map. You will also receive special deals and offers from stores and restaurants in the proximity of your vehicle.

To be able to provide you with this feature and the relevant information, it may be necessary to transfer the following data to 4.screen: Approximate search area, search term, search (POI) category, device ID, approximate location of the device, Head Unit language and generation, car brand, engine type (e.g. EV or petrol), vehicle class (e.g. small, SUV), vehicle production year and vehicle country. Furthermore, if relevant information and offers are provided to you, a unique offer ID is created. This offer ID is also transferred to 4.screen together with the event type (e.g. shown, clicked, navigation started), screen type (e.g. Head Unit, app) and the timestamp of when the offer was interacted with in order to validate the invoicing process. If offers and information from the vehicle are sent directly to the Kia Connect App as push notifications, we also process your user profile ID.

For this purpose, the following categories ofpersonal data are processed: vehicle data, pseudonymised identifiers, position and movement data, usage-based data, technical data.

Legal basis: The processing is necessary for the performance of the contract that you have entered into with us (Art. 6 (1) b) GDPR).

Data Sharing: Details about our sharing of your personal data with third parties are provided in Section 15.

Operation of Business: We may process the categories of the personal data mentioned above for internal management and administration purposes, including record management or maintaining other internal protocols.

Legal basis: The processing is necessary for the purpose of the legitimate interests pursued by us (Art. 6 (1) f) GDPR). Our legitimate interests are: ensuring the appropriate and efficient operation of our business.

Legal Compliance: We may process the categories of the personal data mentioned above to comply with applicable laws, directives, recommendations or requests from regulatory bodies (e.g. requests to disclose personal data to courts or regulatory bodies, including the police).

Legal basis: Such processing is necessary: (i) for compliance with a legal obligation to which we are subject (Art. 6 (1) c) GDPR); or (ii) for the purpose of our legitimate interests (Art. 6 (1) f) GDPR). Our legitimate interests are: ensuring our compliance with applicable legal obligations.

Legal Proceedings and Investigations: We may process the categories of personal data mentioned above in order to assess, enforce and defend our rights and interests.

Legal basis: The processing is necessary for the purpose of the legitimate interests pursued by us (Art. 6 (1) f) GDPR). Our legitimate interests are: protecting our interests and enforcing our rights.

Where we process your personal data on the basis of your consent, you have the right to withdraw your consent at any time (Art. 7 (3) GDPR). The withdrawal of your consent will not affect the lawfulness of processing based on such consent before its withdrawal.

Subject to applicable law, you may have the following rights regarding the processing of your personal data: The right to obtain access to your personal data (Art. 15 GDPR), the right to have your personal data rectified (Art. 16 GDPR), the right to have your personal data erased (Art. 17 GDPR), the right to have the processing of your personal data restricted (Art. 18 GDPR), the right to data portability (Art. 20 GDPR) and the right to object to the processing of your personal data (Art. 21 (1) and (2) GDPR).

You also have the right to lodge a complaint with the competent data protection authority (Art. 77 GDPR).

Please note that these rights could be subject to certain limitations under applicable local data protection laws. The contact details of the Hesse data protection authority (Der Hessische Beauftragte für Datenschutz und Informationsfreiheit) are as follows: Gustav-Stresemann-Ring 1, 65189 Wiesbaden, Germany, phone: +49 (0) 611 / 1408-0, https://datenschutz.hessen.de/

For more information on each of these rights,including the circumstances in which they apply, please see details in this Section 14 or contact us. If you would like to exercise any of those rights, pleasecontact us or our DPO (see Sections 2 and 3 for contact information details).

Right of access: You may have the right to obtain from us confirmation as to whether or not personal data concerning you is processed, and, where that is the case, to request access to the personal data and certain additional information. Such information includes – inter alia – the purposes of the processing, the categories of personal data concerned, and the recipients or categories of recipients to whom the personal data has been or will be disclosed. However, please note that the interests of other individuals may restrict your right of access.

You may have the right to obtain a copy of the personal data undergoing processing. For further copies requested by you, we may charge a reasonable fee based on administrative costs.

Right to rectification: You may have the right to obtain from us the rectification of inaccurate personal data concerning you. Subject to the relevant purposes of the processing, you may have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

Right to erasure ("right to be forgotten"): Under certain circumstances, you may have the right to obtain from us the erasure of personal data concerning you and we may have the obligation to erase such personal data.

For example, you may request erasure if the personal data is no longer necessary for the purposes for which they were collected or is otherwise processed. In some cases, we may however deny your request to erasure. For example, if the processing is necessary for us to exercise or defend legal claims.

Right to restriction of processing: Under certain circumstances, you may have the right to obtain from us restriction of processing your personal data. For example, if you contest the accuracy of your personal data, you may request the restriction of the processing of this personal data while we verify its accuracy. In this case, the respective data will be flagged accordingly and may only be processed by us for certain purposes.

Right to data portability: Under certain circumstances, you may have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and you may have the right to transmit this data to another controller without hindrance from us.

RIGHT TO OBJECT: UNDER CERTAIN CIRCUMSTANCES AND WHERE THE PROCESSING IS BASED ON LEGITIMATE INTERESTS (ART. 6 (1) F) GDPR), YOU MAY HAVE THE RIGHT TO OBJECT, ON GROUNDS RELATING TO YOUR PARTICULAR SITUATION, AT ANY TIME TO THE PROCESSING OF YOUR PERSONAL DATA BY US AND WE MAY BE REQUIRED TO NO LONGER PROCESS YOUR PERSONAL DATA.

FURTHERMORE, WHERE YOUR PERSONAL DATA IS PROCESSED FOR DIRECT MARKETING PURPOSES, YOU HAVE THE RIGHT TO OBJECT AT ANY TIME TO THE PROCESSING OF PERSONAL DATA CONCERNING YOU FOR SUCH MARKETING, WHICH INCLUDES PROFILING TO THE EXTENT THAT IT IS RELATED TO SUCH DIRECT MARKETING. IN THIS CASE YOUR PERSONAL DATA WILL NO LONGER BE PROCESSED FOR SUCH PURPOSES BY US.

Any access to your personal data at Kia is restricted to those individuals that have a need to know in order to fulfil their job responsibilities.

We disclose your personal data for the respective purposes and in compliance with applicable data protection laws to the recipients and categories of recipients listed below:

We are a member of an international group of companies. Therefore, we may transfer personal data within the Kia group and to other third parties as noted in Section 15.

Some of these recipients may be located or have relevant operations outside of your country and the EU/EEA (e.g. in the Republic of Korea, the United Kingdom or the USA) (“Third Country”).

For some Third Countries, the European Commission has determined that they provide an adequate level of protection for personal data (e.g., the Republic of Korea, the United Kingdom), which also includes the USA to the extent that the receiving company in the USA participates in the EU-U.S. Data Privacy Framework (see https://www.dataprivacyframework.gov) (“Adequate Jurisdictions”).

Where we transfer personal data to a recipient that is located in a Third Country which has not been determined an Adequate Jurisdiction, we (or our processors in the EU/EEA that transfer personal data to sub-processors in such Third Countries, as applicable) provide appropriate safeguards by way of entering into data transfer agreements adopted by the European Commission (standard contractual clauses) with the recipients or taking other effective measures to provide an adequate level of data protection.

A copy of the respective safeguards may be requested from us or our DPO (see Section 2 and Section 3).

General: Your personal data is stored by us and/or our service providers for no longer than is necessary for the purposes for which the personal data is collected, and which are set out above.

When we no longer require your personal data for such purposes, we will erase it from our systems and/or records and/or take steps to properly anonymise it so that you can no longer be identified from the data (unless we are required to retain the relevant personal data to comply with legal or regulatory obligations to which we are subject; e.g. personal data contained in contracts, communications and business letters may be subject to statutory retention requirements).

The retention period may be extended in accordance with national laws when processing is necessary for the establishment, exercise or defence of legal claims, and we or third parties have a corresponding legitimate interest (e.g. for the period of impending legal (administrative and/or judicial) procedures and for the duration of such legal proceedings, including the expiration periods of any recourse).

Manual Deletion of Data in the Head Unit and in the Kia Connect App: You can manually delete your personal data stored in the Head Unit by deactivating the Services in the Head Unit. To do so, please (1) click the "Kia Connect" icon on the vehicle's Head Unit, (2) select "Kia Connect settings", (3) scroll down in the menu on the left to select the "Deactivate Kia Connect" entry, (4) click the "Deactivate" button. The system will then guide you through the deactivation process and offer to delete the data.

Attention: Please note that resetting the Head Unit to factory default settings does not lead to the deactivation of the Services. You must follow the deactivation process described above.

After the deactivation as described above, the Services for the respective vehicle are deactivated, the data in the Head Unit is deleted and the vehicle is disconnected from your account on the Kia Connect App. The data that was transmitted to us via the Head Unit will also be deleted, unless retention periods apply (see Section 17.1).

Please note that the vehicle-related data will also be deleted in your account on the Kia Connect App. However, any other data in your account will remain unaffected. If you also wish to delete your account on the Kia Connect App, please follow the account deletion process in the Kia Connect App.

deactivate your Kia Connect App Account, the Head Unit Services in the vehicle’s Head Unit will still be operating.

reset the Head Unit, your vehicle is disconnected from the Kia Connect App; however, this does not affect the Kia Connect App.

We have implemented appropriate technical and organisational security measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, unauthorised access, and other unlawful forms of processing.

However, as the internet is an open system, the transmission of data via the internet is not completely secure. While we constantly improve our security measures in line with technical developments and in order to ensure an appropriate level of security for any of your personal data that we process, we cannot guarantee the security of your data transmitted to us using the internet.

You may choose to activate offline mode in the Head Unit by setting the respective preference. If offline mode is turned on, all Service functions are disabled and no personal data, in particular no location data (GPS data), is collected. An offline mode icon is displayed at the top of the Head Unit screen in the vehicle.

This Privacy Notice may be amended or updated from time to time to reflect changes in our practices with respect to the processing of personal data, or changes in applicable law. We encourage you to read this Privacy Notice carefully, and to regularly review any changes we might make in accordance with the terms of this Privacy Notice.

We will publish the updated Privacy Notice on our websites, in the Kia Connect App and the Head Unit. The date of the last update is mentioned at the top of this Privacy Notice.

“controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

“GDPR” means: (i) Regulation (EU) 2016/679 (General Data Protection Regulation); or (ii) with regard to the United Kingdom, Regulation (EU) 2016/679 as it forms part of the law of the United Kingdom by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended from time to time (also known as the UK GDPR).

“personal data” means any information relating to an identified or identifiable natural person.

“process”/ ”processing” means any operation or set of operations which is performed on personal data or on sets of personal data, such as collection, recording, organisation, structuring, storage, adaption or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

The following local law amendments apply:

Austria

Regarding Section 13.3 (“Marketing”):

Legal Basis: The applicable local marketing law is Section 174(4) Austrian Telecommunications Act 2021.

Data Protection Authority: The contact details of the Austrian data protection authority are as follows: Österreichische Datenschutzbehörde, Barichgasse 40-42, 1030 Vienna, Austria, phone: +43 (0) 1 52 152-0, email: dsb[at]dsb.gv.at, website: http://www.dsb.gv.at/

Belgium

Regarding Section 13.3 (“Marketing”):
Legal Basis: The applicable local marketing law is Article 1 of the Royal Decree of 4 April 2003.

Data Protection Authority: The contact details of the Belgian data protection authority are as follows: Autorité de protection des données Gegevensbeschermingsautoriteit, Rue de la presse 35, 1000 Brussels, Belgium, phone: +32 (0) 2 274 48 00, fax: +32 (0)2 274 48 35, email: contact[at]apd-gba.be, websites: https://www.autoriteprotectiondonnees.be / https://www.gegevensbeschermingsautoriteit.be

Bulgaria

Regarding Section 13.3 (“Marketing”):
Legal basis: The applicable local marketing lawis Art. 261 (2) of the Bulgarian Electronic Communication Act.

Data Protection Authority: The contact details of the Bulgarian data protection authority are as follows: Commission for Personal Data Protection of the Republic of Bulgaria, 2 Prof. Tsvetan Lazarov Blvd., Sofia 1592, Bulgaria, phone: +359 (0) 2 915 3580, email: kzld[at]cpdp.bg, website: www.cpdp.bg

Cyprus

Data Protection Authority: The contact details of the Cypriot data protection authority are as follows: Office of the Commissioner for Personal Data Protection, Kypranoros 15, 1061 Nicosia, Cyprus, phone: +357 (0) 22 818 456, email: commissioner[at]dataprotection.gov.cy, website: http://www.dataprotection.gov.cy/

Czech Republic

Data Protection Authority:The contact details of the Czech data protection authority are as follows: Úřad pro ochranu osobních údajů, Pplk. Sochora 27, 170 00 Prague 7, Czech Republic, phone: +420 (0) 234 665 800, email: posta[at]uoou.gov.cz, website: http://www.uoou.cz/

Denmark

Data Protection Authority:The contact details of the Danish data protection authority are as follows: Datatilsynet, Carl Jacobsens Vej 35, 2500 Valby, Denmark, phone: +45 (0) 33 1932 00, email: dt[at]datatilsynet.dk, website: http://www.datatilsynet.dk/

Estonia

Data Protection Authority:The contact details of the Estonian data protection authority are as follows: Andmekaitse Inspektsioon, Tatari 39, Tallinn 10134, Estonia, phone: +372 (0) 627 4135, email: info[at]aki.ee, website: http://www.aki.ee/

Finland

Data Protection Authority:The contact details of the Finnish data protection authority are as follows: Tietosuojavaltuutetun toimisto, Lintulahdenkuja 4, 00530 Helsinki, Finland, phone: +358 (0) 29 566 6700, email: tietosuoja[at]om.fi, website: https://tietosuoja.fi

France

Regarding Section 14 (“Your Rights”):Post-mortem privacy: You also have the right to define specific instructions regarding the storage, erasure and communication of your personal data after your death.

Data Protection Authority:The contact details of the French data protection authority are as follows: Commission Nationale de l’Informatique et des Libertés, 3 Place de Fontenoy TSA 80715, 75334 Paris, Cedex 07, France, phone: +33 (0) 1 53 73 22 22, website: https://www.cnil.fr/

Greece

Section 13.3 (“Marketing”) shall be amended as follows:
If you are an existing customer and have provided us with your email address and without prejudice to your right to object under Section 14.6, we may send you marketing communications by email relating to products or services similar to the products or services previously purchased by you without asking you for your prior specific consent. This is because specific consent from you as an existing customer is not required in such cases. This also applies to sending you such information via notifications within the Kia Connect App to the inbox which is provided separately within the app. However, you have the right to opt-out from receiving such electronic mail marketing at any time without incurring any costs (other than the transmission costs according to the basic rates) (e.g. by deactivating the respective buttons in the “Service-related Advertising” list of the Kia Connect App). You may also unsubscribe from our promotional email list at any time by clicking on the unsubscribe link included in each promotional email that we send. You also have the right to object to the processing of your personal data for direct marketing purposes (see Section 14.6 for more details).

For this purpose, the following categories of personal data are processed: Name, contact details (e.g. email), technical data (e.g. device information, IP address, User ID, UUID), information about your consent (e.g. date and time of opt-in).

Legal basis: The processing is based on your prior consent (Art. 6 (1) a) GDPR; Article 11, Law 3471/2006 on the protection of personal data and privacy in the electronic communications sector) or it is necessary for the purpose of the legitimate interests pursued by us (Art. 6 (1) f) GDPR). Our legitimate interests are: promoting our services and products.

Data Protection Authority:The contact details of the Hellenic Data Protection Authority are as follows: Hellenic Data Protection Authority, Kifissias 1-3, 11523, Athens, Greece, phone: +30 (0) 210 6475 600, email: contact[at]dpa.gr, website: http://www.dpa.gr/

Hungary

Data Protection Authority: The contact details of the Hungarian data protection authority are as follows: Nemzeti Adatvédelmi és Információszabadság Hatóság, Falk Miksa utca 9-11, 1055 Budapest, Hungary, phone: +36 (0)1 391 1400, fax: +36 (0)1 391 1410,

Ireland

Section 6 (“Mandatory Vehicle Inspection Reminders”) shall be amended as follows:
Mandatory Vehicle Inspection Reminders (such as NCT in Ireland): We will inform you about upcoming mandatory vehicle inspections, e.g reminders about the National Car Testing Service (commonly referred to as “NCT”) for vehicles in Ireland. Use of this Service requires that you provide Kia with the correct date of the last mandatory vehicle inspection and the date the vehicle was first registered.

Data Protection Authority:The contact details of the Irish data protection authority are as follows: Data Protection Commission, 21 Fitzwilliam Square, D02 RD28 Dublin 2, Ireland, phone: +353 (0) 1 7650100, email: info[at]dataprotection.ie, website: http://www.dataprotection.ie/

Italy

In no event will Kia process your personal data for profiling purposes without your consent.

Data Protection Authority: The contact details of the Italian data protection authority are as follows: Garante per la Protezione dei Dati Personali, Piazza Venezia n. 11, 00187 Rome, Italy, email: garante[at]gpdp.it, phone: +39 (0) 06 69677 1, fax: +39 (0) 06 69677 785, websites: https://www.gpdp.it, https://www.garanteprivacy.it/

Latvia

Data Protection Authority:The contact details of the Latvian data protection authority are as follows: Datu valsts inspekcija (Data State Inspectorate), Elijas Street 17, LV-1050 Riga, Latvia, phone: +371 (0) 6722 3131, email: pasts[at]dvi.gov.lv, website: https://www.dvi.gov.lv/

Lithuania

Data Protection Authority:The contact details of the Lithuanian data protection authority are as follows: Valstybinė duomenų apsaugos inspekcija (State Data Protection Inspectorate), L. Sapiegos str. 17, 10312 Vilnius, Lithuania, phone: +370 (0) 5 271 2804 / +370 (0) 5 279 1445, email: ada[at]ada.lt, website: https://vdai.lrv.lt/lt/

The Netherlands

Data Protection Authority: The contact details of the Dutch data protection authority are as follows: Autoriteit Persoonsgegevens, Hoge Nieuwstraat 8, 2514 EL Den Haag, The Netherlands, phone: +31 (0) 70 888 8500, website: https://autoriteitpersoonsgegevens.nl/

Norway

Section 4 (“Third-party use of the vehicle or Services”) will be amended as follows:
Section 10.2 of the Kia Connect Terms of Use requests you to inform any other user/driver of the vehicle about: (i) the activation of the Services; (ii) the data processing activities described in this Privacy Notice; and (iii) the fact that the Services may require the collection and processing of location data (GPS data).

Data Protection Authority: The contact details of the Norwegian data protection authority are as follows: Datatilsynet, P.O. Box 458 Sentrum, 0105 Oslo, Norway, phone: +47 (0) 22 39 69 00, email: postkasse[at]datatilsynet.no, website: https://www.datatilsynet.no

Poland

Regarding Section 13.3 (“Marketing”): Consent for electronic and telephone marketing results also in addition from Art. 172 of the Polish Telecommunication Law and Art. 10 of the Act on Provision of Electronic Services.

Data Protection Authority: The contact details of the Polish data protection authority are as follows: Prezes Urzędu Ochrony Danych Osobowych, Urząd Ochrony Danych Osobowych, ul. Stawki 2, 00 -193 Warszawa, Poland, phone: +48 (0) 22 531 03 00, email: kancelaria[at]uodo.gov.pl,

Portugal

Section 6 para 1 (“Mandatory Vehicle Inspection Reminders”) shall be amended as follows:
Mandatory Vehicle Inspection Reminders (such as“Inspeção Automóvel” in Portugal): We will inform you about upcoming mandatory vehicle inspections, e.g. reminders about the “Periodic Inspections” for vehicles in Portugal. Use of this Service requires that you provide Kia with the correct date of the last mandatory vehicle inspection and the date the vehicle was first registered.

Regarding Section 13.3 (“Marketing”): Legal basis: The applicable local marketing law is Article 13.º-A of the Law no. 41/2004 of 18 August.

Data Protection Authority: The contact details of the Portuguese data protection authority are as follows: Comissão Nacional de Proteção de Dados (CNPD), Av. D. Carlos I, 134, 1º, 1200-651 Lisboa, Portugal, phone: +351 (0) 21 392 84 00, email: geral[at]cnpd.pt, website: www.cnpd.pt

Romania

Data Protection Authority: The contact details of the Romanian data protection authority are as follows: The National Supervisory Authority for Personal Data Processing, 28-30 G-ral Gheorghe Magheru Bld, District 1, 010336 Bucharest, Romania, phone: +40 (0) 318 059 211, fax +40 (0) 318 059 602, email: anspdcp[at]dataprotection.ro, website: https://www.dataprotection.ro/

Slovakia

Regarding Section 13.3 (“Marketing”): Legal basis: Regarding consent, the legal basis is Art. 6 (1) a) GDPR in conjunction with Sec. 116 (3) of the Slovak Act on Electronic Communications (“AEC”). Regarding the necessity for the purpose of the legitimate interest pursued by us, the legal basis is Art. 6 (1) f) GDPR in conjunction with Sec. 116 (15) AEC. Our legitimate interests are: promoting our services and products.

Data Protection Authority: The contact details of the Slovak data protection authority are as follows: Úrad na ochranu osobných údajov Slovenskej republiky, Hraničná 12, 820 07 Bratislava 27, Slovak Republic, phone: + 421 (0) 2 32 31 32 14, email: statny.dozor[at]pdp.gov.sk,

Spain

Section 14.1 para. 2 (“Right of access”) shall be amended as follows: You may have the right to obtain a copy of the personal data undergoing processing. For further copies requested by you within six months, unless there is legitimate cause to do so, we may charge a reasonable fee based on administrative costs.

Data Protection Authority: The contact details of the Spanish data protection authority are as follows: Agencia Española de Protección de Datos (AEPD), C/Jorge Juan, 6, 28001 Madrid, Spain, phone: +34 (0) 91 266 3517, email: internacional[at]aepd.es, website: https://www.aepd.es/

Sweden

Section 14.5 (“Right to data portability”) shall be amended as follows: Under certain circumstances, for example if Art. 6 (1) a or Art. 6 (1) b GDPR constitutes a legal basis for the processing, you may have the right to receive the personal data concerning you and which you have provided to us, in a structured, commonly used and machine-readable format, and you may have the right to transmit this data to another controller without hindrance by us.

Data Protection Authority: The contact details of the Swedish data protection authority are as follows: Integritetsskyddsmyndigheten, Drottninggatan 29, Box 8114, 104 20 Stockholm, Sweden, phone: +46 (0) 8 657 6100, email: imy[at]imy.se, website: http://www.imy.se/

Switzerland

Data Protection Authority: The contact details of the Swiss data protection authority are as follows: Eidgenössischer Datenschutz- und Öffentlichkeitsbeauftragter (EDÖB), Feldeggweg 1,3003 Bern, Switzerland, phone: +41 (0) 58 462 43 95, website: https://www.edoeb.admin.ch

Section 16 shall be complemented with the following information: Your personal data is stored in the following countries/jurisdictions: [WORLDWIDE].

Regarding references to the GDPR, to the extent that Swiss data protection laws and related laws apply, references to Articles of the GDPR shall be read as references to the respective Articles of the Swiss Federal Act on Data Protection as from 1st September 2023 (“FADP”), and references to sections of the UWG shall be read as references to the respective Articles of the Swiss Federal Act against Unfair Competition (“Swiss UWG”), namely:

Section 16 (“Cross-border data transfer”) shall be supplemented as follows:
Similarly to “Adequate Jurisdictions”determined by the European Commission, the government in the United Kingdom has decided that particular countries (see https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/international-transfers/international-transfers-a-guide/#adequacy) ensure an adequate level of protection of personal data in accordance with Article 45, UK GDPR (“Adequacy Regulation”). Where we transfer personal data to a recipient that is located in a Third Country which has not been determined an Adequate Jurisdiction or compliant with the Adequacy Regulation, we (or our processors in the UK/EU/EEA that transfer personal data to sub-processors in such Third Countries, as applicable) provide appropriate safeguards by way of entering into data transfer agreements adopted by the European Commission (standard contractual clauses) or the United Kingdom (if applicable) with the recipients or by taking other effective measures to provide an adequate level of data protection. A copy of the respective safeguards may be requested from us or our DPO (see Section 2 and Section 3).

Data Protection Authority: The contact details of the UK data protection authority are as follows: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, phone: +44 (0) 303 123 1113, website: https://ico.org.uk/