This privacy notice (the “Privacy Notice”) of Kia Connect GmbH, registered under the registration number HRB 112541, ("Kia", "we" or "us") applies to the collection and processing of personal data in connection with the provision of our services (the "Services") via our app (the "Kia Connect App") and/or via the relevant vehicle’s head unit (the "Head Unit") and is addressed to our customers using these Services (“you”, “your”). Kia takes the protection of your personal data and your privacy very seriously and will process your personal data only in accordance with applicable data protection and privacy laws.


We may update or amend this Privacy Notice from time to time. Such updates or amendments may be necessary in particular because of the implementation of new technologies or new services. We will publish the updated and/or amended Privacy Notice on our websites, in the Kia Connect App and the Head Unit.


Please note that in addition to this Privacy Notice, where appropriate, we may inform you about the processing of your personal data separately, for example in consent forms or separate privacy notices

2.1. Unless expressly stated otherwise, Kia Connect GmbH is the controller of the
personal data collected and processed in connection with the provision of the Services.
2.2. If you have any questions about this Privacy Notice or our processing of your personal data, or if you wish to exercise any of your rights, you may contact us at:


Kia Connect GmbH
Theodor-Heuss-Allee 11
60486 Frankfurt am Main
Germany
Email: info@kia-connect.eu


You may also use our contact form, which is available here: https://connect.kia.com/eu/customer-support/contact-form/

Alternatively, you may also contact our data protection officer at the contact details provided in Section 3 below.

We have appointed an external data protection officer (“DPO”). You may contact our DPO at:
Kia Connect GmbH
- Data Protection Officer -
Theodor-Heuss-Allee 11
60486 Frankfurt am Main
Germany
Email: dpo@kia-connect.eu

Details about the purposes of and the legal bases for our processing of your personal data, and the categories of personal data that we may process, are set out in Sections 4.1, 4.2 and 4.3 below. Please note that we will process personal data only to the extent permitted by law and to the extent necessary for the relevant purpose.


We will mainly process your personal data for the purpose of providing our Services to you. Further details about the Services are provided in the respective service description in the Kia Connect Terms of Use.


We may also process your personal data for the other purposes specified in Sections 4.1, 4.2 and 4.3 below. For example, this may include the processing of personal data for the purposes of: (i) communicating with you; (ii) direct marketing; or (iii) analysing relevant data to improve our Services, develop new mobility and mobility-related products and/or services, and/or to ensure that the relevant products or services can be provided securely. For the purposes mentioned in (iii), we may analyse the data based on statistical and mathematical models. Furthermore, we may also process your personal data for the purpose of complying with applicable laws or other legal obligations (e.g. disclosure of relevant personal data to courts or criminal prosecution authorities), or if we have separately informed you about such purposes.


Generally, in connection with the Services, we collect and process your personal data in order to take steps at your request prior to entering into a contract (“conclusion of contract”) or to the extent necessary for the performance of our contract with you (Art. 6 (1) b) GDPR), or to the extent to which the processing is necessary for the purposes of our or a third party’s legitimate interests (Art. 6 (1) f) GDPR). With respect to certain processing activities, we may process your personal data to the extent necessary for compliance with a legal obligation to which we are subject (Art. 6 (1) c) GDPR), or where we have obtained your prior consent to the relevant processing of your personal data for a specific purpose (Art. 6 (1) a) GDPR).


Unless otherwise expressly stated in this Privacy Notice, the personal data listed in this Section 4 below is provided to us directly by you (e.g. by entering certain personal data in the Kia Connect App) or is collected from the Kia Connect App and/or the Head Unit. Generally, you have the right to not provide your personal data to us. However, in some cases (e.g. for the use of certain Services), we may require certain personal data from you to be able to process your enquiry or to provide the relevant Services. We will inform you about the required personal data accordingly.


Please note that if another person uses the Kia Connect App and is connected to the same vehicle as you are, this person may also see the vehicle's location data in their account on the Kia Connect App (by using the "Find My Car" service), even if you are using the vehicle at this time. However, this person will not be able to access your live routes.


The details about our processing activities as provided in this Privacy Notice also apply with regard to third-party usage of the relevant vehicle. However, in general the processing of data by Kia is based on vehicle-bound information as described in this Privacy Notice. Therefore, Kia will not be able to identify the relevant person driving the car, unless such person is logged in with their personal profile or other identifiers related to the relevant person are provided.
4.1.
KIA CONNECT APP
4.1.1.
Sign-up process for the Kia Connect App: To use the Kia Connect App, you need to sign up and create an account ("Kia Account"). Details about our processing of your personal data in connection with the Kia Account are provided in a separate privacy notice which is accessible here: https://connect.kia.com/eu/kia-account-docs/. You also need to accept the Kia Connect Terms of Use. Establishing the link between the end user device (i.e. smartphone) on which the Kia Connect App is installed and the respective vehicle requires verification.


For this purpose, the following categories of personal data are processed: Vehicle identification number (VIN), email address, name, password, salutation, birthday, mobile number, country, preferred language, verification PIN, car ID, activation code, the fact that you accepted the Kia Connect Terms of Use.


Legal basis: The processing is necessary for the performance of the contract that you have entered into with us, or for the conclusion of the contract with us (Art. 6 (1) b) GDPR).
4.1.2.
Log-in process: To use the Services via the Kia Connect App, you need to log in. After logging in, you can add and remove your Kia vehicle(s) and use the Services via the Kia Connect App.


For this purpose, the following categories of personal data are processed: Email and password.


Legal basis: The processing is necessary for the performance of the contract that you have entered into with us (Art. 6 (1) b) GDPR).
4.1.3.
Home menu map and search bar: The home menu map enables you to see your current location. The home menu search bar enables you to search for points of interest (POI).


For this purpose, the following categories of personal data are processed: GPS data, search keyword, smartphone language setting.


Legal basis: The processing is necessary for the performance of the contract that you have entered into with us (Art. 6 (1) b) GDPR).
4.1.4.
Use of Touch ID and Face ID (iOS) or fingerprint and face recognition (Android): You can use certain functions of the Kia Connect App with Touch ID or Face ID (iOS) or fingerprint and face recognition (Android) to unlock. Your biometric data is only stored locally on your smartphone and is not transmitted to us. Therefore, we are not able to access this data. Only the information as to whether the verification of the biometric data was successful is transmitted to the Kia Connect App by a system function of your smartphone. You can turn off the use of Touch ID or Face ID (iOS) or fingerprint and face recognition (Android) at any time in the respective settings of your smartphone.


For this purpose, the following categories of personal data are processed: Information on whether the verification of the biometric data was successful.


Legal basis: The processing is necessary for the performance of the contract that you have entered into with us (Art. 6 (1) b) GDPR).
4.1.5.
Remote Climate Control (electric vehicles only): This Service enables you to remotely control and schedule the air conditioning of your electric vehicle including defrost functions via the Kia Connect App.


For this purpose, the following categories of personal data are processed: Vehicle identification number (VIN), car ID, date and time stamp, GPS data, odometer information, vehicle status information (air conditioning status, engine status, door/boot/window/bonnet open/closed status).


Legal basis: The processing is necessary for the performance of the contract that you have entered into with us (Art. 6 (1) b) GDPR).
4.1.6.
Remote Charging (electric and plug-in hybrid vehicles only): This Service enables you to remotely initiate and stop the charging of an electric and plug-in hybrid vehicle's battery and schedule the charging via the Kia Connect App.


For this purpose, the following categories of personal data are processed: Vehicle identification number (VIN), car ID, date and time stamp, GPS data, odometer information, vehicle status information (air conditioning status, engine status, door/boot/window/bonnet open/closed status, tyre pressure status, brake/engine oil status, charging information, reserve charging information, charging time, charging plug type information).


Legal basis: The processing is necessary for the performance of the contract that you have entered into with us (Art. 6 (1) b) GDPR).
4.1.7.
Remote Door Control: This Service enables you to remotely lock/unlock the vehicle's doors via certain user interfaces. You will be able to lock or unlock all doors. To ensure safety and security when using this Service, the Service will check several pre-conditions. This Service can help in situations where you might not remember if you locked the vehicle correctly by allowing you to perform this action remotely.


For this purpose, the following categories of personal data are processed: Vehicle identification number (VIN), car ID, date and time stamp, GPS data, odometer information, vehicle status information (air conditioning status, engine status, door/boot/window/bonnet open/closed status, tyre pressure status, gear/seat status, fuel level, brake/engine oil status).


Legal basis: The processing is necessary for the performance of the contract that you have entered into with us (Art. 6 (1) b) GDPR).
4.1.8.
Send to Car: This Service enables you to send a point of interest (POI) to the vehicle's navigation system and allows you to immediately receive location information once the vehicle's ignition is turned on.


For this purpose, the following categories of personal data are processed: Vehicle identification number (VIN), car ID, date and time stamp, GPS data, point of interest (POl) information, search keyword, smartphone language setting.


Legal basis: The processing is necessary for the performance of the contract that you have entered into with us (Art. 6 (1) b) GDPR).
4.1.9.
Find My Car and First Mile Navigation: This Service enables you to locate the vehicle and to navigate to it using your smartphone. The vehicle's location will be displayed in the Kia Connect App.


For this purpose, the following categories of personal data are processed: Vehicle identification number (VIN), car ID, SIM ID, address, name, location information of user and vehicle, waypoint information, date, time, time stamp and speed.


Legal basis: The processing is necessary for the performance of the contract that you have entered into with us (Art. 6 (1) b) GDPR).
4.1.10.
My Trips: This Service provides a summary of every journey with date and time, average and maximum speed, distance driven and travel time.


For this purpose, the following categories of personal data are processed: Vehicle identification number (VIN), car ID, date and time stamp, GPS data, driving information (run distance, average speed, maximum speed, total fuel consumption, total power consumption, electric power consumption, driving time, warm-up time, average mileage).


Legal basis: The processing is necessary for the performance of the contract that you have entered into with us (Art. 6 (1) b) GDPR).
4.1.11.
Vehicle Status: This Service provides you with the following vehicle information in the Kia Connect App:


● Door status
● Charging door status
● Boot/bonnet status
● Climate status
● State of charge of battery, charging plug status, charging status (electric vehicles only)
● Fuel level
● Seat heating and ventilation status
● Window status
● Sunroof status
● 12V battery status
● Lights status


For this purpose, the following categories of personal data are processed: Vehicle identification number (VIN), car ID, SIM ID, date and time stamp, GPS data, odometer information, vehicle status information (status information on engine and gears; doors, bonnet, boot and sunroof; heating, ventilation and air conditioning (HVAC); battery, fuel and distance to empty (DTE); fluids (washer fluid and brake oil); tyres, lamps and smart key; electric vehicle (EV) status).


Legal basis: The processing is necessary for the performance of the contract that you have entered into with us (Art. 6 (1) b) GDPR).
4.1.12.
Vehicle Report: You receive a report in the Kia Connect App that includes vehicle diagnostic information and information on driving patterns. This provides details on issues that require maintenance or repairs as well as information on the severity of the issue, the urgency of repairs/maintenance and the recommended actions.


For this purpose, the following categories of personal data are processed: Vehicle identification number (VIN), car ID, date and time stamp, GPS data, vehicle status information (engine status), driving pattern information (car speed information (maximum and average speed), acceleration status information, distance driven, battery consumption information (for electric vehicles)).


Legal basis: The processing is necessary for the performance of the contract that you have entered into with us (Art. 6 (1) b) GDPR).
4.1.13.
Vehicle Diagnostic: Provision of an automated diagnostic service. Upon turning on the ignition, the vehicle automatically performs a diagnostics scan (Diagnostics Trouble Code (DTC)). If a malfunction is detected, you receive a message explaining the detected malfunction, its severity as well as the recommended action to be taken.


For this purpose, the following categories of personal data are processed: Vehicle identification number (VIN), car ID, date and time stamp, GPS data, odometer information, results of the DTC scan, vehicle status information (air conditioning status, engine status, door/boot/window/bonnet open/closed status, tyre pressure status, gear/seat status, fuel level, brake/engine oil status, battery status).


Legal basis: The processing is necessary for the performance of the contract that you have entered into with us (Art. 6 (1) b) GDPR).
4.1.14.
Vehicle Alert: Provision of an alert notification system. Whenever the window is open while the ignition is off, you will receive a notification message displayed in the Kia Connect App.


For this purpose, the following categories of personal data are processed: Vehicle identification number (VIN), car ID, SIM ID, date and time stamp, GPS data, odometer information, vehicle status information (status information on engine and gears; doors, bonnet, boot and sunroof; heating, ventilation and air conditioning (HVAC); battery, fuel and distance to empty (DTE); fluids (washer fluid and brake oil); tyres, lamps and smart key; electric vehicle (EV) status).


Legal basis: The processing is necessary for the performance of the contract that you have entered into with us (Art. 6 (1) b) GDPR).
4.1.15.
Burglar Alarm (only for vehicles that are equipped with a burglar alarm system): Provision of an alarm notification system. Whenever the burglar alarm sounds, you will receive a notification message displayed in the Kia Connect App.


For this purpose, the following categories of personal data are processed: Vehicle identification number (VIN), car ID, date and time stamp, GPS data, odometer information, vehicle status information (air conditioning status, engine status, door/boot/window/bonnet open/closed status, tyre pressure status, gear/seat status, fuel level, brake/engine oil status).


Legal basis: The processing is necessary for the performance of the contract that you have entered into with us (Art. 6 (1) b) GDPR).
4.1.16.
User Profile Transfer: This Service enables you to check and change vehicle settings in the Kia Connect App. You can back up settings information and apply it to your vehicle.


For this purpose, the following categories of personal data are processed: Vehicle identification number (VIN), car ID, user phone number, SMS authentication code, user PIN code, report time, vehicle setup information, system setup information, navigation setup information, navigation point of interest (POI) information, profile picture (if provided).


Legal basis: The processing is necessary for the performance of the contract that you have entered into with us (Art. 6 (1) b) GDPR).
4.1.17.
Remote Heated and Ventilated Seats (electric vehicles only): This Service enables you to remotely control the front and rear seat heating and ventilation of your electric vehicle.


For this purpose, the following categories of personal data are processed: Vehicle identification number (VIN), car ID, SIM ID, date and time stamp, vehicle status information (status information on engine and gears; doors, bonnet, boot and sunroof; heating, ventilation and air conditioning (HVAC); battery, fuel and distance to empty (DTE); fluids (washer fluid and brake oil); tyres, lamps and smart key; electric vehicle (EV) status).


Legal basis: The processing is necessary for the performance of the contract that you have entered into with us (Art. 6 (1) b) GDPR).
4.1.18.
Remote Window Control: This Service enables you to remotely control the windows of your vehicle.


For this purpose, the following categories of personal data are processed: Vehicle identification number (VIN), car ID, SIM ID, date and time stamp, vehicle status information (status information on engine and gears; doors, bonnet, boot and sunroof; heating, ventilation and air conditioning (HVAC); battery, fuel and distance to empty (DTE); fluids (washer fluid and brake oil); tyres, lamps and smart key; electric vehicle (EV) status).


Legal basis: The processing is necessary for the performance of the contract that you have entered into with us (Art. 6 (1) b) GDPR).
4.1.19.
Remote Hazard Light Control (for EV6 only): This Service enables you to remotely turn off the hazard lights.


For this purpose, the following categories of personal data are processed: Vehicle identification number (VIN), car ID, SIM ID, date and time stamp, vehicle status information (status information on tail lamps and hazard lights; engine and gears; doors, bonnet, boot and sunroof; heating, ventilation and air conditioning (HVAC); battery, fuel and distance to empty (DTE); fluids (washer fluid and brake oil); tyres, lamps and smart key; electric vehicle (EV) status).


Legal basis: The processing is necessary for the performance of the contract that you have entered into with us (Art. 6 (1) b) GDPR).
4.1.20.
Remote Charging Door Control: This Service enables you to remotely control the charging door of your vehicle.


For this purpose, the following categories of personal data are processed: Vehicle identification number (VIN), car ID, SIM ID, date and time stamp, vehicle status information (status information on charging door; engine and gears; door, bonnet, boot and sunroof; heating, ventilation and air conditioning (HVAC); battery, fuel and distance to empty (DTE); fluids (washer fluid and brake oil); tyres, lamps and smart key; electric vehicle (EV) status).


Legal basis: The processing is necessary for the performance of the contract that you have entered into with us (Art. 6 (1) b) GDPR).
4.1.21.
Last Mile Navigation: This Service enables you to continue navigating to your final destination using your smartphone after parking your vehicle.


For this purpose, the following categories of personal data are processed: Vehicle identification number (VIN), car ID, SIM ID, address, name, location information of user and vehicle, waypoint information, time, speed.


Legal basis: The processing is necessary for the performance of the contract that you have entered into with us (Art. 6 (1) b) GDPR).
4.1.22.
Battery Discharge Alarm: Provision of an alarm notification system. Whenever the 12V battery state of charge goes below a certain level, a notification message will be displayed in the Kia Connect App.


For this purpose, the following categories of personal data are processed: Vehicle identification number (VIN), car ID, SIM ID, battery status, vehicle status alert type.


Legal basis: The processing is necessary for the performance of the contract that you have entered into with us (Art. 6 (1) b) GDPR).
4.1.23.
Rear Passenger Alarm: Provision of an alert notification system. Whenever movement is detected on the rear seat, a notification message will be displayed in the Kia Connect App.


For this purpose, the following categories of personal data are processed: Vehicle identification number (VIN), car ID, SIM ID, date and time stamp, GPS data, odometer information, vehicle status information (status information on engine and gears; doors, bonnet, boot and sunroof; heating, ventilation and air conditioning (HVAC); battery, fuel and distance to empty (DTE); fluids (washer fluid and brake oil); tyres, lamps and smart key; electric vehicle (EV) status).


Legal basis: The processing is necessary for the performance of the contract that you have entered into with us (Art. 6 (1) b) GDPR).
4.1.24.
Vehicle Idle Alarm: Provision of an alert notification system. Whenever the vehicle is in the parking gear while the engine is running and a door is opened, a notification message will be displayed in the Kia Connect App.


For this purpose, the following categories of personal data are processed: Vehicle identification number (VIN), car ID, SIM ID, date and time stamp, GPS data, odometer information, vehicle status information (status information on engine and gears; doors, bonnet, boot and sunroof; heating, ventilation and air conditioning (HVAC); battery, fuel and distance to empty (DTE); fluids (washer fluid and brake oil); tyres, lamps and smart key; electric vehicle (EV) status).


Legal basis: The processing is necessary for the performance of the contract that you have entered into with us (Art. 6 (1) b) GDPR).
4.1.25.
High-Voltage Battery Monitoring Warning System: Provision of an alert notification system. The status of the high-voltage battery is monitored and whenever a malfunction is detected, you will receive a notification message in the Kia Connect App and the Head Unit.


For this purpose, the following categories of personal data are processed: Air conditioning status, engine status, door/boot/bonnet/sunroof/window status, air temperature, defrost status, charging status, heating steering wheel status, side mirror / rear window heating status, tyre pressure status, 12V battery status, malfunction indicator lamp status, smart key battery status, fuel level status, washer fluid status, brake oil warning lamp status, sleep mode status, time, remote waiting time alert, system cut-off alert status, tail lamp status, hazard light status.


Legal basis: The processing is necessary for the purpose of the legitimate interests pursued by us, but also our customers and other third parties (Art. 6 (1) f) GDPR). The legitimate interests are: ensuring the proper provision and function of our Services, providing safe Services and products to our and Kia Group customers, protecting our customers’ health and life, protecting our customers’ property, and protecting the health, life and property of other people in or around the vehicle.


The relevant personal data will not be stored for longer than 90 days from collection.
4.1.26.
Product and Service Improvement: By activating "Product/Service Improvement", data regarding the performance, usage, operation and condition of the vehicle will be processed by us in order to improve product and service quality based on your consent. Your consent is voluntary and can be withdrawn at any time by deactivating the respective button. The withdrawal of your consent will not affect the lawfulness of processing based on such consent before its withdrawal. Once the data is collected and sent to our servers, we will anonymise it within 7 days. To activate "Product/Service Improvement", it is also necessary to activate the geographic information system ("GIS") for technical reasons.


For this purpose, the following categories of personal data are processed: Status information on the following: air control system; battery; technical and stability-related systems; dashboard usage; air conditioning and heating; engine, brake and powertrain; function; gears and consumption; warning and assistance system; steering and tyres; engine and charging; electric vehicle (EV)-specific usage; multimedia-related usage (e.g. "like" feature) and status as well as GPS and speed information.


Legal basis: The processing is based on your prior consent (Art. 6 (1) a) GDPR).
4.2.
HEAD UNIT
4.2.1.
Kia Connect Live Services: These Services enable you to access the following functions:


● Traffic: Live traffic information to calculate routes and display traffic situation. Online navigation enables you to navigate to your desired destination based on the combination of real-time traffic data and historical traffic information.


● Live point of interest (POI): Information on nearby points of interest based on your current position.


● Weather: Local weather information.


● Parking: On- and off-street parking based on current position, nearby destination, nearby scrolled mark, nearby city centre.


● EV POI (only for electric vehicles and plug-in hybrid electric vehicles): Information on nearby charging stations including availability status based on current position.


● Dealer point of interest (POI): Nearby Kia dealer location information based on current position of the vehicle.


● Camera / danger zone alerts (if legally permissible in your country): The system provides alerts in areas where accidents are particularly common and warns you about accident black spots or speed cameras.


● Sports league: Sports league information.


For this purpose, the following categories of personal data are processed: GPS data, service requests and server search responses (point of interest (POI) data), dealer POI data, fuel-related information, parking-related information, speed camera information, electric vehicle (EV) station information, weather information, traffic information, unit of distance (kilometres, miles, metres), language settings, telecom carrier information, unique identifiers (e.g. vehicle identification number (VIN), driver ID, service ID), phone number, date and local time, protocol version, navigation device information (e.g. hardware version, software version), route information (e.g. start point, settings, goal point, estimated time), league match information request, team match information request, league ID , league match version, team code ID, country of interest ID, country code, league version, team version, logo version.


Legal basis: The processing is necessary for the performance of the contract that you have entered into with us (Art. 6 (1) b) GDPR).


For the purpose of improving the Kia Connect Live Services, we may collect and store the GPS data (location) and the service ID for up to 93 days in order to analyse such data.


Legal basis: The processing is necessary for the purpose of the legitimate interests pursued by us (Art. 6 (1) f) GDPR). Our legitimate interests are: improving the Kia Connect Live Services.
4.2.2.
Online Voice Recognition: This Service enables you to use spoken commands to access and control Kia Connect Live Services and draft and send text messages via a connected mobile device. Upon the activation of our Services in the Head Unit of your vehicle, Online Voice Recognition is activated as a default setting. When using Online Voice Recognition, your personal data will be processed in an online (i.e. cloud) environment.


The recorded voice samples are transferred together with the GPS data and the service ID to our service provider for Online Voice Recognition, which is Cerence B.V., CBS Weg 11, 6412EX Heerlen, Netherlands (processor) ("Cerence") and its sub-processors, which may be located in countries outside the EU/EEA and may not provide for an adequate level of data protection (please refer to Sections 6 and 7 for more details). Cerence transforms the voice samples into text samples, semantically interpreting them (if necessary), and then sends the result back to the vehicle.


You can prevent the transfer of your personal data (i.e. voice samples) to Cerence by deactivating the Online Voice Recognition Service in the respective settings of your Head Unit. By deactivating the Online Voice Recognition Service, the functionality of the voice recognition may be limited or disabled.


For this purpose, the following categories of personal data are processed: Voice recording, GPS data (location), unique identifiers (e.g. vehicle identification number (VIN), service ID).


Legal basis: The processing is necessary for the performance of the contract that you have entered into with us (Art. 6 (1) b) GDPR).


For the purpose of improving the Online Voice Recognition Service, we may collect and store the recorded voice samples and GPS data for up to 90 days in order to analyse such data.


Legal basis: The processing is necessary for the purpose of the legitimate interests pursued by us (Art. 6 (1) f) GDPR). Our legitimate interests are: improving the Online Voice Recognition Service.
4.2.3.
Notification Centre: The Notification Centre enables you to receive messages from Kia on the Head Unit screen.


For this purpose, the following categories of personal data are processed: Unique identifiers (e.g. vehicle identification number (VIN)), sequence ID, read status, UTC time.


Legal basis: The processing is necessary for the performance of the contract that you have entered into with us (Art. 6 (1) b) GDPR).
4.2.4.
Recall Campaign Notifications and Service Reminders: We will send you the following notifications and reminders using the Notification Centre referenced above:
● notifications about open recall campaign(s) on your vehicle; and


● reminders for the upcoming regular maintenance of your vehicle.


For this purpose, the following categories of personal data are processed: Unique identifiers (e.g. vehicle identification number (VIN)), sequence ID, read status, UTC time, mileage, warranty start date).


Legal basis: The processing is necessary for the performance of the contract that you have entered into with us (Art. 6 (1) b) GDPR).
4.2.5.
Service Action Notifications: We will assess whether there are any upcoming recommended service actions (such as software updates, part replacements with improved parts or quality checks on dedicated vehicle components) to be carried out on your vehicle and notify you about such upcoming recommended service actions via the Head Unit of your vehicle (using the Notification Centre), via notifications within the Kia Connect App, and/or via the email address that is registered in the Kia Connect App. This processing is subject to your prior consent, which you may give by activating the respective consent button in the consent list of the Kia Connect App. Your consent is voluntary and can be withdrawn at any time (e.g. by deactivating the respective consent button in the consent list of the Kia Connect App). The withdrawal of your consent will not affect the lawfulness of processing based on such consent before its withdrawal.


For this purpose, the following categories of personal data are processed: Vehicle identification number (VIN), sequence ID, read status, UTC time, mileage, warranty start date.


Legal basis: The processing is based on your prior consent (Art. 6 (1) a) GDPR).
4.2.6.
Valet Parking Mode: When activated in the Head Unit and the vehicle is driven by another person, you can monitor the vehicle location, the time ignition was turned off last, driving time, driving distance and top speed in the Kia Connect App.


For this purpose, the following categories of personal data are processed: Unique identifiers (e.g. vehicle identification number (VIN)), valet mode status information (activation status, valet mode start and end time, run time, mileage time, idle engine time, maximum speed, run distance), vehicle indicators (location, speed, time, accuracy, direction).


Legal basis: The processing is necessary for the performance of the contract that you have entered into with us (Art. 6 (1) b) GDPR).
4.2.7.
Personal Calendar/Navigation Synchronisation: This Service enables you to synchronise your Google Calendar or Apple Calendar on your smartphone with the integrated calendar function of the Head Unit. This allows you to see your private calendar on the Head Unit screen / in the Kia Connect App and use it to set a destination. This Service is compatible with both Google Calendar and Apple Calendar.


For this purpose, the following categories of personal data are processed: Unique identifiers (e.g. vehicle identification number (VIN)), email address, email account calendar ID, Google token or iCloud password, calendar entries (e.g. title of appointment, date and time, address).


Legal basis: The processing is necessary for the performance of the contract that you have entered into with us (Art. 6 (1) b) GDPR).
4.2.8.
Advanced Driver Assist System (ADAS): Within the scope of the Advanced Driver Assist System (ADAS), Kia collects and processes a static set of telematics data and transfers this data to preselected data aggregators. This information is static; i.e. it does not include driving information, so it is not possible to profile individuals’ driving behaviour. The purpose of this processing is to protect against possible fraudulent practices, to improve and develop our ADAS to increase the number of vehicles with a high level of safety equipment, and to simplify the insurance process for our customers.


For this purpose, the following categories of personal data are processed: The vehicle build information (VBI), which may include the vehicle identification number (VIN), model, trim, model year, price, colour, fuel type, voltage system, emissions, class, power and fitted equipment including ADAS safety systems.


Legal basis: The processing is necessary for the purpose of the legitimate interests pursued by us (Art. 6 (1) f) GDPR). Our legitimate interests are: improving our Services, providing enhanced products and increasing the sales of ADAS vehicles as well as developing new products and customer services.


In addition, your personal data as described above may be anonymised to perform our own analytics for improving and developing our products.
4.2.9.
Like button for USB music and radio: The like button for USB music and radio allows you to select and create a playlist with your favourite songs. You can like or unlike songs via the like button integrated in the music function of the infotainment system.


For this purpose, the following categories of personal data are processed: The source type (USB music, radio, Bluetooth music), the name of the song, artist and album, the like/unlike information, GPS data, ambient air temperature, vehicle speed, weather (based on your current location) and time information.


Legal basis: The processing is necessary for the performance of the contract that you have entered into with us (Art. 6 (1) b) GDPR).
4.2.10.
Maps and Infotainment OTA Update: The Maps and Infotainment Update enables:


● updates of the maps in the vehicle's navigation system (“Maps Update”); and/or


● updates of infotainment software or enhancements in the Head Unit software (jointly, the “Infotainment Update”)


from our servers to the embedded telematics system using the “over-the-air” method. Further details about the Maps Update and the Infotainment Update are provided in Section 3.1.2.6 of the Kia Connect Terms of Use.


For this purpose, the following categories of personal data are processed: Unique identifiers (e.g. vehicle identification number (VIN)), vehicle software version, Diagnostics Trouble Codes, vehicle manufacturing date, GPS data (longitude, latitude, altitude), telecommunications provider, language settings, country code or region code, Head Unit identifiers (e.g. type, system version, platform, manufacturer), relevant metadata.


Legal basis: The processing is necessary for the performance of the contract that you have entered into with us (Art. 6 (1) b) GDPR; Sec. 25 (2) No. 2 TTDSG).


For the avoidance of doubt, if you receive the Maps Updates and/or Infotainment Updates by accessing the web page https://update.kia.com/EU/E1/Main or at the dealership, these updates are not offered to you via the “over-the-air” method and we are not the controller for related processing of personal data.
4.2.11.
Valet Alert: When activated in the Head Unit, this Service enables you to receive notifications in the Kia Connect App if your vehicle travels beyond the selected distance limit, speed limit and idle time limit you have preset in the Kia Connect App. The permitted travel distance is from the location where the alert was activated.


For this purpose, the following categories of personal data are processed: Vehicle identification number (VIN), date and time stamp, GPS data, valet alert status information (activation status, valet alert status start and end time, run time, mileage time, idle engine time, maximum speed, run distance), vehicle indicators (location, speed, time, accuracy, direction), selected distance limit, selected speed limit, selected idle time limit.


Legal basis: The processing is necessary for the performance of the contract that you have entered into with us (Art. 6 (1) b) GDPR).
4.2.12.
Geofence Alert: When activated in the Head Unit, this Service enables you to receive notifications in the Kia Connect App if your vehicle exits an allowed area or enters a restricted area. You can set the boundaries for allowed areas and restricted areas from the Kia Connect App.


For this purpose, the following categories of personal data are processed: Vehicle identification number (VIN), date and time stamp, GPS data, geofence alert status information (activation status, geofence alert status start and end time, run time, mileage time, idle engine time, maximum speed, run distance), vehicle indicators (location, speed, time, accuracy, direction), selected allowed areas, selected restricted areas.


Legal basis: The processing is necessary for the performance of the contract that you have entered into with us (Art. 6 (1) b) GDPR).
4.2.13.
Speed Alert: When activated in the Head Unit, this Service enables you to receive notifications in the Kia Connect App if your vehicle exceeds the speed limit you have preset in the Kia Connect App.


For this purpose, the following categories of personal data are processed: Vehicle identification number (VIN), date and time stamp, GPS data, speed alert status information (activation status, speed alert status start and end time, run time, mileage time, idle engine time, maximum speed, run distance), vehicle indicators (location, speed, time, accuracy, direction), selected speed limit.


Legal basis: The processing is necessary for the performance of the contract that you have entered into with us (Art. 6 (1) b) GDPR).
4.2.14.
Time Fencing Alert: When activated in the Head Unit, this Service enables you to receive notifications in the Kia Connect App if your vehicle is driven outside of the time windows you have preset in the Kia Connect App.


For this purpose, the following categories of personal data are processed: Vehicle identification number (VIN), date and time stamp, GPS data, time fencing alert status information (activation status, time fencing alert status start and end time, run time, mileage time, idle engine time, maximum speed, run distance), vehicle indicators (location, speed, time, accuracy, direction), selected time windows.


Legal basis: The processing is necessary for the performance of the contract that you have entered into with us (Art. 6 (1) b) GDPR).
4.2.15.
Idle Alert: When activated in the Head Unit, this Service enables you to receive notifications in the Kia Connect App if your vehicle is driven beyond the idle time limit you have preset in the Kia Connect App.


For this purpose, the following categories of personal data are processed: Vehicle identification number (VIN), date and time stamp, GPS data, idle alert status information (activation status, idle alert status start and end time, run time, mileage time, idle engine time, maximum speed, run distance), vehicle indicators (location, speed, time, accuracy, direction), selected idle time limit.


Legal basis: The processing is necessary for the performance of the contract that you have entered into with us (Art. 6 (1) b) GDPR).
4.3.
OTHER PROCESSING ACTIVITIES
In addition to the processing activities referred to in Sections 4.1 and 4.2 above, we may also process your personal data for the following purposes:
4.3.1.
Communication: We may process your personal data to communicate with you in relation to the Services or the contract that you have entered into with us (e.g. to provide customer support, to inform you about technical issues with the Services, to perform our contractual obligations, to inform you about changes to the Kia Connect Terms of Use or this Privacy Notice) via several communication channels, including the Head Unit of your vehicle (using the Notification Centre), email, telephone and notifications within the Kia Connect App (for this purpose, the Kia Connect App provides a separate inbox). When you contact us via available communication channels (e.g. contact form on our website, email or telephone), we may process your personal data to handle your request and communicate with you accordingly in relation to your request. For information about communication regarding our marketing activities, please see Section 4.3.3 below.


For this purpose, the following categories of personal data are processed: Contact details (e.g. email address, telephone number), data relevant for the use of the Notification Centre (i.e. unique identifiers, such as the vehicle identification number (VIN), sequence ID, read status, UTC time), data relevant for the sending of the notifications within the Kia Connect App (User ID, country, language, device ID, system token, platform, UUID, Contact ID), name, information provided by you in relation to the relevant request, contract data.


Legal basis: The processing is necessary for the performance of the contract that you have entered into with us (Art. 6 (1) b) GDPR), or for the purpose of the legitimate interests pursued by us (Art. 6 (1) f) GDPR). Our legitimate interests are: providing the best possible service for our customers and appropriately answering and processing our customers’ requests.
4.3.2.
Technical support: Where a technical issue has been detected in relation to your vehicle and the Services, we might be required to read out information from your vehicle for the purpose of analysing such information and to resolve the detected issue. Subject to your prior consent, we will collect and process what is known as a log file of the Head Unit from your vehicle, which contains certain categories of personal data. Your consent is voluntary and can be withdrawn at any time (e.g. by using our contact form available in the “Customer Support” section under “Contact Us” on our website (https://connect.kia.com/eu/customer-support/contact-form/)). The withdrawal of your consent will not affect the lawfulness of processing based on such consent before its withdrawal. However, please note that the refusal to grant or the withdrawal of your consent might prevent us from offering or completing an analysis of the detected issue of your vehicle and the Services.


For this purpose, the following categories of personal data are processed: Vehicle identification number (VIN), time stamps, geolocation data/GPS coordinates (such as your previous destinations) as well as vehicle diagnostics information regarding the performance, usage, operation and condition of the vehicle.


Legal basis: The processing is based on your prior consent (Art. 6 (1) a) GDPR).
4.3.3.
Marketing: We may contact you via the Head Unit of your vehicle, email and/or notifications within the Kia Connect App (the Kia Connect App provides a separate inbox) to provide you with promotional information regarding our products and/or services, to ask you to participate in surveys or to provide your feedback. In relation to emails and notifications within the Kia Connect App, this is usually subject to your prior consent and to the scope of such consent. You may give your consent by activating the respective consent button in the consent list of the Kia Connect App or by other relevant means (if applicable). Your consent is voluntary and can be withdrawn at any time (e.g. by deactivating the respective consent button in the consent list of the Kia Connect App). You may also unsubscribe from our promotional email list at any time by clicking on the unsubscribe link included in each promotional email that we send. The withdrawal of your consent will not affect the lawfulness of processing based on such consent before its withdrawal. You also have the right to object to the processing of your personal data for direct marketing purposes (see Section 5.6 below for more details).


If you provide us with your email address as part of signing up to the Services and unless you have objected, we may send you information about similar Kia Connect services or products to the relevant email address without asking you for your prior specific consent. This is because specific consent from you as an existing customer is not required in such cases. This also applies to sending you such information via notifications within the Kia Connect App to the inbox which is provided separately within app. However, you have the right to opt out from receiving such electronic mail marketing at any time without incurring any costs (other than the transmission costs according to the basic rates) (e.g. by deactivating the respective buttons in the “Service-related Advertising” list of the Kia Connect App). You may also unsubscribe from our promotional email list at any time by clicking on the unsubscribe link included in each promotional email that we send. You also have the right to object to the processing of your personal data for direct marketing purposes (see Section 5.6 below for more details).


For this purpose, the following categories of personal data are processed: Name, contact details (e.g., email), technical data (e.g. device information, IP address, User ID, UUID), information about your consent (e.g., date and time of opt-in).


Legal basis: The processing is based on your prior consent (Art. 6 (1) a) GDPR; Sec. 7 (2) No. 2 of the German Act against Unfair Competition (“UWG”)), or it is necessary for the purpose of the legitimate interests pursued by us (Art. 6 (1) f) GDPR; Sec. 7 (3) UWG). Our legitimate interests are: promoting our services and products.
4.3.4.
Feedback and surveys: From time to time, we may invite you to provide your feedback and/or participate in surveys relating to us and our services, including support services (see Section 4.3.3 above for details about our communication with you). If you provide your feedback or participate in our surveys, we may process relevant personal data for the purpose of processing and evaluating the feedback or conducting, processing and evaluating the survey. This is in order to improve our services and adapt them to our customers’ needs.


In some cases, we may conduct surveys using the Salesforce Marketing Cloud platform provided by salesforce.com Germany GmbH or the online survey tool Surveymonkey provided by Momentive Europe UC (“Momentive”) (see Section 6 below for more details about these providers).


To participate in surveys conducted on Surveymonkey, you may have to click a link which will be included in the survey invitation. When you click on the link, you will be referred to a website of Momentive on which the survey will be conducted. Momentive will process the survey related information on our behalf and for our purposes. Furthermore, Momentive may: (i) collect and process information about your device and other technical data to avoid multiple participations; and (ii) use cookies to recognise whether the participant has already visited the survey and to reassign responses that the relevant participant has already given. More information about Momentive’s processing of personal data is available at https://www.surveymonkey.com/mp/legal/privacy/.


For this purpose, the following categories of personal data are processed: Name (if relevant and provided), content data (e.g., your feedback and/or responses), technical data (IP address, UUID, operating system version, device type, device ID/MAC address, system and performance information and browser type).


Legal basis: The processing is necessary for the purpose of the legitimate interests pursued by us (Art. 6 (1) f) GDPR). Our legitimate interests are: improving our services.
4.3.5.
Data sharing: Details about our sharing of your personal data with third parties are provided in Section 6 below.
4.3.6.
Operation of business: We may process certain categories of the personal data referred to above for internal management and administration purposes, including record management or maintaining other internal protocols.


Legal basis: The processing is necessary for the purpose of the legitimate interests pursued by us (Art. 6 (1) f) GDPR). Our legitimate interests are: ensuring the appropriate and efficient operation of our business.
4.3.7.
Legal compliance: We may process certain categories of the personal data referred to above (e.g., records of any consents that you have given, together with the date and time, as well as content and means of consent) to comply with applicable laws, directives, recommendations or requests from regulatory bodies (e.g. requests to disclose personal data to courts or regulatory bodies, including the police).


Legal basis: Such processing may be necessary: (i) for compliance with a legal obligation to which we are subject (Art. 6 (1) c) GDPR); or (ii) for the purpose of our legitimate interests (Art. 6 (1) f) GDPR). Our legitimate interests are: ensuring our compliance with applicable legal obligations.
4.3.8.
Legal proceedings and investigations: We may process certain categories of the personal data referred to above in order to assess, enforce and defend our rights and interests.


Legal basis: The processing is necessary for the purpose of the legitimate interests pursued by us (Art. 6 (1) f) GDPR). Our legitimate interests are: protecting our interests and enforcing our rights.

Where we process your personal data on the basis of your consent, you have the right to withdraw your consent at any time (Art. 7 (3) GDPR). The withdrawal of your consent will not affect the lawfulness of processing based on such consent before its withdrawal.


Furthermore, under applicable data protection law, you may have the right to: obtain access to your personal data (Art. 15 GDPR), have your personal data rectified (Art. 16 GDPR), have your personal data erased (Art. 17 GDPR), have the processing of your personal data restricted (Art. 18 GDPR), data portability (Art. 20 GDPR) and to object to the processing of your personal data (Art. 21 (1) and (2) GDPR).


You also have the right to lodge a complaint with the competent data protection authority (Art. 77 GDPR).


Please note that these rights could be subject to certain limitations under applicable local data protection laws.
5.1.
Right of access: You may have the right to obtain from us confirmation as to whether or not personal data concerning you is processed, and, where that is the case, to request access to the personal data and certain additional information. Such information includes – inter alia – the purposes of the processing, the categories of personal data concerned, and the recipients or categories of recipients to whom the personal data has been or will be disclosed. However, please note that the interests of other individuals may restrict your right of access.


You may have the right to obtain a copy of the personal data undergoing processing. For further copies requested by you, we may charge a reasonable fee based on administrative costs.
5.2.
Right to rectification: You may have the right to obtain from us the rectification of inaccurate personal data concerning you. Subject to the relevant purposes of the processing, you may have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
5.3.
Right to erasure ("right to be forgotten"): Under certain circumstances, you may have the right to obtain from us the erasure of personal data concerning you and we may have the obligation to erase such personal data.
5.4.
Right to restriction of processing: Under certain circumstances, you may have the right to obtain from us restriction of processing your personal data. In this case, the respective data will be flagged accordingly and may only be processed by us for certain purposes.
5.5.
Right to data portability: Under certain circumstances, you may have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and you may have the right to transmit this data to another controller without hindrance from us.
5.6.
Right to object: Under certain circumstances and where the processing is based on legitimate interests (Art. 6 (1) f) GDPR), you may have the right to object, on grounds relating to your particular situation, at any time to the processing of your personal data by us and we may be required to no longer process your personal data. Furthermore, where your personal data is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing. In this case your personal data will no longer be processed for such purposes by us.
5.7.
Right to make arrangements for the storage and communication of data after one’s death: You have a right to make specific arrangements for the storage and communication of your personal data after your death, and we will act accordingly. You may also make general arrangements with a third party, which will let us know about your instructions in due time.

Any access to your personal data at Kia is restricted to those individuals that have a need to know in order to fulfil their job responsibilities.

Kia may disclose your personal data for the respective purposes and in compliance with applicable data protection laws to the recipients and categories of recipients listed below:

● Kia Group companies – We may disclose your personal data to other companies that are members of the Kia Group, including our affiliated companies in Europe and Kia Corporation in the Republic of Korea. To the extent that we disclose such data to other members of the Kia Group for internal administrative purposes, such disclosure is necessary for our operational and business interests (Art. 6 (1) f) GDPR). We may also disclose such data because it is necessary for the performance of our contract with you (Art. 6 (1) b) GDPR).

Furthermore, in some cases, the disclosure may be based on your consent (Art. 6 (1) a) GDPR). For example, by activating the respective consent button in the consent list of the Kia Connect App, you may agree to the sharing of certain vehicle data with the relevant Kia national sales company or distributor in your country in Europe for various purposes. Please refer to the consent list of the Kia Connect App for more details. Where you give such consent, your consent is voluntary and can be withdrawn at any time (e.g. by de-activating the respective consent button in the consent list of the Kia Connect App). The withdrawal of your consent will not affect the lawfulness of processing based on such consent before its withdrawal.

● Telecommunications providers – For the purpose of providing our Services to you (Art. 6 (1) b) GDPR), we may disclose your personal data to Vodafone GmbH, Ferdinand-Braun-Platz 1, 40549 Düsseldorf, Germany, which provides the relevant telecommunications services. Vodafone GmbH will process your personal data as an independent controller.

● Service providers – We may disclose your personal data to certain third parties, whether affiliated or unaffiliated, that process such data as our service providers on our behalf under appropriate instructions as processors and as necessary for the respective processing purposes (Art. 28 (3) GDPR). These processors will be subject to contractual obligations to implement appropriate technical and organisational security measures to safeguard the personal data, and to process the personal data only in accordance with our instructions. Such service providers may include:

● The service provider for the technical infrastructure and maintenance services relevant to the Services, which is Hyundai Autoever Europe GmbH, Kaiserleistraße 8a, 63067 Offenbach am Main, Germany.

● The service providers for our customer data management platforms and connected car data management platforms, which are salesforce.com Germany GmbH, Erika-Mann-Strasse 31-37, 80636 Munich, Germany, and Amazon Web Services EMEA SARL, 38 avenue, John. F. Kennedy, L-1855, Luxembourg, with their servers located within the EU/EEA.

● The service provider Momentive Europe UC, Second Floor, 2 Shelbourne Buildings, Shelbourne Road, Dublin 4, Ireland, which provides the online survey tool Surveymonkey and related services for the purpose of conducting and evaluating surveys.

● The service provider Cerence B.V., CBS Weg 11, 6412EX Heerlen, Netherlands, which provides services in connection with the Online Voice Recognition Service.

● Affiliated entities of Kia in the EU/EEA, which provide services relating to customer support, including call centre services.

● The service providers TomTom Global Content B.V. and HERE Europe B.V., which provide map-related services.

● Other service providers in connection with specific Services.

● Governmental authorities, courts and similar third parties that are public bodies – We may disclose your personal data to governmental authorities, courts and similar third parties that are public bodies where we have a legal obligation to do so (Art. 6 (1) c) GDPR) or for the purpose of protecting our interests or enforcing our rights (Art. 6 (1) f) GDPR). These recipients will process the relevant personal data as independent controllers.

● Outside professional advisors – We may disclose your personal data to our tax consultants, auditors, accountants, legal advisors and other outside professional advisors for the purpose of operating our business (Art. 6 (1) f) GDPR). In some cases, we may also disclose the data for the purpose of protecting our interests or enforcing our rights (Art. 6 (1) f) GDPR). These recipients will usually process the relevant personal data as independent controllers.

● Third-party acquirers – In the event that we sell or transfer all or any relevant portion of our assets or business (including reorganisation or liquidation), we may disclose your personal data to third-party acquirers (Art. 6 (1) f) GDPR). These recipients will process the relevant personal data as independent controllers.

● Others – We may also disclose your personal data to other third parties (e.g. insurance companies, leasing companies, financial service providers, fleet companies, data aggregators); however, we will only share your personal data with such third parties if you have requested that we do so and gave your prior consent for such disclosure (Art. 6 (1) a) GDPR) or if such disclosure is necessary for the performance of our contract with you or for the performance of such a third party’s contract with you (Art. 6 (1) b) GDPR). These recipients will process the relevant personal data as independent controllers.

We are a member of an international group of companies. Therefore, we may transfer personal data within the Kia Group and to other third parties as noted in Section 6 above.

Some of these recipients may be located or have relevant operations outside of your country and the EU/EEA, e.g. in the Republic of Korea, the United Kingdom or the United States of America (“Third Country”). For some Third Countries, the European Commission has determined that they provide an adequate level of protection for personal data (e.g. the Republic of Korea, the United Kingdom) (“Adequate Jurisdiction”). Where we transfer personal data to a recipient that is located in a Third Country which has not been determined an Adequate Jurisdiction, we (or our data processors in the EU/EEA that transfer personal data to sub-processors in such Third Countries, as applicable) provide appropriate safeguards by way of entering into data transfer agreements adopted by the European Commission (standard contractual clauses) with the recipients or taking other effective measures to provide an adequate level of data protection. A copy of the respective safeguards may be requested from our data protection officer (see Section 3 above).

8.1.
Your personal data is stored by Kia and/or our service providers for no longer than is necessary for the purposes for which the personal data is collected, and which are set out above. When we no longer require your personal data for such purposes, we will erase it from our systems and/or records and/or take steps to properly anonymise it so that you can no longer be identified from it (unless we are required to retain the relevant personal data to comply with legal or regulatory obligations to which we are subject; e.g. personal data contained in contracts, communications and business letters may be subject to statutory retention requirements, which may require retention for up to 10 years).
8.2.
Reset of Kia Account and/or Head Unit: You can reset the Head Unit and you can reset or deactivate the Kia Account by setting the respective preference / selecting the respective option (e.g. in the Kia Connect App and/or in the Head Unit, as appropriate). In such a case, the relevant personal data related to your Kia Account and/or in the Head Unit will be blocked and then deleted, unless retention periods apply (see Section 8.1 above).

Upon resetting the Kia Account and/or Head Unit, you will be logged out of the Kia Connect App and/or Head Unit and will have to perform a new log-in procedure or log in with different credentials if you intend to use the Services via the Kia Connect App and/or Head Unit. Please note that when
● deactivating your Kia Connect App account, the Head Unit Services in the vehicle’s Head Unit will still be operating.

● resetting the Head Unit, your vehicle is disconnected from the Kia Connect App; however, this does not affect the Kia Connect App.

We have implemented appropriate technical and organisational security measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, unauthorised access, and other unlawful forms of processing. However, as the internet is an open system, the transmission of data via the internet is not completely secure. While we constantly improve our security measures in line with technical developments and in order to ensure an appropriate level of security for any of your personal data that we process, we cannot guarantee the security of your data transmitted to us using the internet.

You may choose to activate offline mode in the Head Unit by setting the respective preference. If offline mode is turned on, all Service functions are disabled and no personal data, in particular no GPS data, is collected. An offline mode icon is displayed at the top of the Head Unit screen in the vehicle.

“controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

“GDPR” means: (i) Regulation (EU) 2016/679 (General Data Protection Regulation); or (ii) with regard to the United Kingdom, Regulation (EU) 2016/679 as it forms part of the law of the United Kingdom by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended from time to time (also known as the UK GDPR).

“personal data” means any information relating to an identified or identifiable natural person.

“process”/ ”processing” means any operation or set of operations which is performed on personal data or on sets of personal data, such as collection, recording, organisation, structuring, storage, adaption or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

“TTDSG” means the German Telecommunications Telemedia Data Protection Act (Telekommunikation-Telemedien-Datenschutz-Gesetz).

The following local law amendments apply:

Austria
Section 8.1 shall be amended as follows:

Your personal data is stored by Kia and/or our service providers strictly to the extent necessary for the performance of our obligations and strictly for the time necessary to achieve the purposes for which the personal data is collected, in accordance with applicable data protection laws. When Kia no longer needs to process your personal data, we will erase it from our systems and/or records and/or take steps to properly anonymise it so that you can no longer be identified from it (unless we need to keep your information to comply with legal or regulatory obligations to which Kia is subject; e.g. personal data contained in contracts, communications and business letters may be subject to statutory retention requirements, which may require retention for up to 7 years. This retention period may be extended, in particular if necessary for the purposes of the legitimate interests pursued by Kia (for example due to threatened or pending litigation)).

Belgium
Regarding the data retention period under Section 8.1, in Belgium, personal data relating to the contractual relationship in contracts, communications or commercial letters may be stored for a duration of up to 10 years from the end of the contractual relationship between Kia and you. If such data is relevant in the frame of any administrative or judicial proceedings, it can be stored by Kia for the whole duration of these proceedings, including the expiration of any recourse.

The contact details of the Belgian data protection authority are as follows:

Autorité de protection des données
Gegevensbeschermingsautoriteit
Rue de la presse 35
1000 Brussels
Tel.: +32 (0)2 274 48 00
Fax: +32 (0)2 274 48 35
Email: contact(at)apd-gba.be

Hungary
Section 8.1 shall be replaced as follows:

Your personal data is stored by Kia and/or our service providers strictly to the extent necessary for the performance of our obligations and strictly for the time necessary to achieve the purposes for which the personal data is collected, in accordance with applicable data protection laws. When Kia no longer needs to process your personal data, we will erase it from our systems and/or records and/or take steps to properly anonymise it so that you can no longer be identified from it (unless we need to keep your information to comply with legal or regulatory obligations to which Kia is subject; e.g. personal data contained in contracts, communications and business letters may be subject to statutory retention requirements, which in the case of accounting documents may require retention for up to 8 years from their date of issue). If such data is relevant in the context of any administrative or judicial proceedings, it can be stored by Kia for the whole duration of these proceedings, including the expiration of any recourse.

The contact details of the Hungarian data protection authority are as follows:

Nemzeti Adatvédelmi és Információszabadság Hatóság
Address: H-1125 Budapest, Szilágyi Erzsébet fasor 22/C.
Tel.: +36-1-391-1400
Fax: +36-1-391-1410
Email: ügyfelszolgalat@naih.hu

Italy
Notwithstanding anything to the contrary as indicated in the above Privacy Notice, the following will apply to the extent that Italian law will apply to the processing of your personal data: (i) in no event will Kia process your personal data for profiling purposes without your consent; (ii) if you are an existing customer and have provided Kia with your email address, and without prejudice to your right to object pursuant to point 5.6 above, Kia may send you marketing communications via email relating to products or services similar to the products or services previously purchased by you; (iii) with reference to storage periods, Kia will retain personal data processed for marketing or profiling purposes, if any, for 24 and 12 months, respectively, unless the Italian data protection supervisory authority authorises Kia to retain it for a longer period.

The contact details of the Italian data protection supervisory authority are the following:

Garante per la Protezione dei Dati Personali
Piazza Venezia n. 11 - 00187 Rome
www.gpdp.it - www.garanteprivacy.it
Email: garante@gpdp.it
Fax: (+39) 06 696773785
Tel.: (+39) 06 696771

The Netherlands
Section 8.1 shall be amended as follows:

The standard statutory data retention period for general bookkeeping purposes is 7 years in the Netherlands. Note that this retention period may be extended, in particular if the applicable law so requires and/or if necessary for the purposes of the legitimate interests pursued by Kia (for example due to threatened or pending litigation).

Poland
Section 5.6 shall be amended as follows:

Right to object: Under certain circumstances, you may have the right to object, on grounds relating to your particular situation, at any time to the processing of your personal data by us and we can be required to no longer process your personal data. Moreover, if your personal data is processed for direct marketing purposes, if you granted consent for the processing for such purposes, you have the right to withdraw at any time your consent for the processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing. In this case your personal data will no longer be processed for such purposes by us.

Section 8.1 shall be amended as follows:

Your personal data is stored by Kia and/or our service providers, strictly to the extent necessary for the performance of our obligations and strictly for the time necessary to achieve the purposes for which the personal data is collected, in accordance with applicable data protection laws. When Kia no longer needs to process your personal data, we will erase it from our systems and/or records and/or take steps to properly anonymise it so that you can no longer be identified from it (unless we need to keep your information to comply with legal or regulatory obligations to which Kia is subject; e.g. the standard statutory data retention period for general bookkeeping purposes is 5 years from the end of the previous financial years in Poland. Note that this retention period may be extended, in particular if the applicable law so requires and/or if necessary for the purposes of the legitimate interests pursued by Kia (for example due to threatened or pending litigation)).

The contact details of the Polish data protection authority are as follows:

Prezes Urzędu Ochrony Danych Osobowych
Urząd Ochrony Danych Osobowych ul. Stawki 2
00 -193 Warszawa
Email: kancelaria@uodo.gov.pl

Slovakia
The contact details of the Slovak data protection authority are as follows:

Úrad na ochranu osobných údajov Slovenskej republiky Hraničná 12
820 07 Bratislava 27
Slovak Republic
https://dataprotection.gov.sk/uoou/sk
Tel.: + 421 2 32 31 32 14
Email: statny.dozor@pdp.gov.sk

Spain
Section 5.1 para. 2 shall be replaced as follows:

You may have the right to obtain a copy of the personal data undergoing processing. For further copies requested by you within six months, unless there is legitimate cause to do so we may charge a reasonable fee based on administrative costs.

Section 8 shall be replaced as follows:

8.1. Your personal data is stored by Kia and/or our service providers, strictly to the extent necessary for the performance of our obligations and strictly for the time necessary to achieve the purposes for which the personal data is collected, in accordance with applicable data protection laws. When Kia no longer needs to process your personal data, we will block it and once the period for the statute of limitation has elapsed (e.g. personal data contained in contracts, communications and business letters may be subject to statutory retention requirements, which may require retention for up to 10 years), we will erase it from our systems and/or records and/or take steps to properly anonymise it so that you can no longer be identified from it.

8.2. Where no legal or regulatory retention periods apply, as a rule, all personal data processed in connection with the provision of the Services is blocked and subsequently erased or anonymised immediately after provision of the individual Services has been completed with the following exceptions:
● Sign-up and log-in data is stored for the duration of the contract (i.e. up to seven years)
● Online Voice Recognition: voice samples and GPS data (see Section 4.2.2 above) are stored for up to 90 days
● Kia Live: GPS data and Service ID (see Section 4.2.1 above) are stored for up to 93 days
8.3. Termination of account: If you choose to terminate your use of the Services (e.g. by setting the respective preference in the Kia Connect App) and/or the Kia Connect Account (e.g. by setting the respective preference in the Head Unit), all personal data related to your Kia Account will be blocked and subsequently deleted as explained above.


Effective from Dec. 2022