This privacy notice (“Website Privacy Notice”) is issued by Kia Connect GmbH (“Kia Connect”, “we”, “us”, and “our”). It is addressed to individuals that visit our website at https://connect.kia.com/eu (“Website”) and other individuals outside Kia Connect with whom we communicate or have a business relationship with (together, “you”), including:

• our (potential) customers to whom we provide our services or sell our products or with whom we communicate regarding our services or products (including employees and other staff members, representatives, consultants and advisors of our (potential) business customers);

• our (potential) business partners (e.g. our vendors, service providers, affiliated entities, Kia dealers) and their employees, staff members, representatives, consultants and advisors;

• participants in our events (e.g. workshops or seminars), and

• visitors to our premises.

Defined terms used in this Website Privacy Notice are explained in Section 13 below.
Please note that in addition to the Website Privacy Notice, where appropriate, we may inform you about the Processing of your Personal Data separately, for example in consent forms or separate privacy notices.

For example:

• the Kia App Privacy Notice is made available here .
• the Kia Connect Privacy Notice is made available here .
• the Kia Account Privacy Notice is made available here .
• the Kia Connect Store Privacy Notice is made available here .

Unless expressly stated otherwise, Kia Connect GmbH is the Controller of the Personal Data Processed as set out in this Website Privacy Notice.

If you have any questions about this Website Privacy Notice or our Processing of your Personal Data, or if you wish to exercise any of your rights, you may contact us at:

• Kia Connect GmbH, Theodor-Heuss-Allee 11, 60486 Frankfurt am Main, Germany, email: [email protected]

You may also use our contact form, which is available here .
Alternatively, you may contact our data protection officer at the contact details provided in Section 3 below.

We have designated an external data protection officer (“DPO”). You may contact our DPO at:

• Kia Connect GmbH, Data Protection Officer, Theodor-Heuss-Allee 11, 60486 Frankfurt am Main, Germany, email: [email protected].

We collect or obtain Personal Data about you from the following sources:

• Data provided to us: We obtain Personal Data when those data are provided to us by you (e.g. when you contact us via email, telephone, our contact form, or by any other means).
• Website data: We collect or obtain Personal Data when you visit the Website.
• Third parties: To the extent permissible under applicable law, we may obtain your Personal Data from third parties (e.g. your employer), including other members of the Kia group. We may also obtain your Personal Data from public authorities (e.g. in connection with administrative and legal proceedings), or from certain service providers or advisors.
• Publicly available sources: In some cases, we may obtain your Personal Data from publicly available sources. This includes, but is not limited to, public registers or information available on the Internet (e.g. social media).
Subject to the business relationship that you have or your employer has with us, we may also create Personal Data about you (e.g. in connection with meetings, participation in our events or job interviews).

We Process the following types of Personal Data about you (“Relevant Personal Data”):

• Personal Details : data that relate directly to your identity (e.g. first name; surname; nationality; title).
• Contract Data : data that relate to the conclusion or performance of a contract (e.g., content of the contract; information about the services or products provided under the contract; information required or used for the performance of a contract; type and date of conclusion; duration; signature).
• Consent Records : records of any consents you have given, together with the date and time, means of consent, and any related information (e.g. subject matter of the consent).
• Contact Details : data that enable communication (e.g. correspondence address; email address; telephone number; social media details).
• Communication Data : data that form the content of communication (e.g. content of conversations; written correspondence sent via email, contact form, chat, letter or other means of communication; application documents; records of your interactions with us).
• Employer Details : data that relate to your employer and your role (e.g. name of your employer; your job title; department; your role or function in the company).
• Technical Data : data that relate to your device, your vehicle, your use of our Website or other online offerings (e.g., IP address; vehicle identification number (VIN); operating system; date and time of access; region; URL of the referring website; time zone; data volume transmitted; type of browser; language settings).
• Usage Data : records of your interactions with our online advertising and content on the Website (visited sections; time of access; access of content; interest in content; any mouse clicks or touchscreen interactions).
• Views and Opinions : data that relate to your views and opinions about us (e.g. views and opinions that you publicly post about us on social media platforms; views and opinions that you directly send to us; complaints; feedback).
• Visitor Details : data that relate to visits of our premises (e.g. time and date of visit; purpose of visit; specific needs of visitor).

The purposes for which we Process the Relevant Personal Data, subject to applicable law, and the legal bases on which we perform such Processing are as follows:

When you visit our Website, certain technical information will be Processed automatically, which is necessary for the provision and use of the Website. Such information is Processed by us for the purposes of: (i) providing you with the Website; (ii) preventing and/or remedying malfunctions of the Website; and (iii) protecting the IT systems used to provide the Website.

Relevant Personal Data: Technical Data; Usage Data.

Legal bases: The Processing is necessary for the purpose of our legitimate interests (Art. 6 (1) f) GDPR). Our legitimate interests are: delivering an appropriate, error-free and secure website.

We Process your Personal Data to communicate with (potential) customers regarding our services or products, to respond to and handle inquiries submitted via our contact form, email, letter, on the phone or by other means, and to update your contact details. When you use our contact form, your inquiry is automatically classified and categorized with AI-driven features in our service cloud environment.

Relevant Personal Data: Personal Details; Contract Data; Contact Details; Communication Data; Employer Details; Views and Opinions; Technical Data; Pseudonymized Identifiers.
Legal basis: The Processing is necessary: (i) for the performance of the contract that you have entered into with us, or for the conclusion of the contract with us (Art. 6 (1) b) GDPR); and (ii) for the purpose of our legitimate interests (Art. 6 (1) f) GDPR). Our legitimate interests are: building or maintaining the relationship with our (potential) customers, providing the best possible service to our customers and appropriately answering relevant requests.

We Process your Personal Data for the purpose of creating and managing lists of visitors as well as taking measures to meet specific needs of visitors to our premises.

Relevant Personal Data: Personal Details, Contract Data, Contact Details, Communication Data, Visitor Details, Employer Details.

Legal basis: The Processing is necessary for the purpose of our legitimate interests (Art. 6 (1) f) GDPR). Our legitimate interests are: managing visits to our premises and meeting specific needs of our visitors.

We Process your Personal Data for the purpose of invoicing, accounting, audits, vendor management and complying with applicable tax and financial laws and regulations.

Relevant Personal Data: Personal Details, Contract Data, Contact Details, Communication Data, Employer Details.

Legal basis: The Processing is necessary (i) for compliance with a legal obligation to which we are subject (Art. 6 (1) c) GDPR); and (ii) for the purpose of our legitimate interests (Art. 6 (1) f) GDPR). Our legitimate interests are: managing of the financial affairs of our business.

We Process your Personal Data for the purpose of managing and operating our IT systems, conducting audits of our IT systems and monitoring of our IT systems and processes.

Relevant Personal Data: Personal Details, Contact Details, Communication Data, Technical Data.

Legal basis: The Processing is necessary (i) for compliance with a legal obligation to which we are subject (Art. 6 (1) c) GDPR); and (ii) for the purpose of our legitimate interests (Art. 6 (1) f) GDPR). Our legitimate interests are: ensuring the efficient and secure operation of our IT systems.

We Process your Personal Data for the purpose of organising, hosting and running events and training sessions as well as creating and managing lists of participants and communicating with participants regarding details of relevant event(s) and training session(s).

Relevant Personal Data: Personal Details, Contact Details, Contract Data, Communication Data, Visitor Details, Employer Details.

Legal basis: The Processing is necessary for the purpose of our legitimate interests (Art. 6 (1) f) GDPR). Our legitimate interests are: organising, hosting, and running an event or training session.

We Process your Personal Data for the purpose of carrying out the application process, reviewing applications, contacting and communicating with applicants as well as carrying out job interviews.

Relevant Personal Data: Personal Details, Contact Details, Contract Data, Communication Data, Employer Details.

Legal basis: The Processing is necessary for the performance of the contract that you have entered into with us, or for the conclusion of the contract with us (Art. 6 (1) b) GDPR, Sec. 26 BDSG).

We Process your Personal Data for the purpose vendor and business partner management, pre-contractual correspondence, requesting details about offers and cost estimates, receiving goods or services, performing the contract and communicating regarding the performance of the contract as well as payment processing.

Relevant Personal Data: Personal Details, Contact Details, Contract Data, Communication Data, Employer Details.

Legal basis: The Processing is necessary: (i) for the performance of the contract that you have entered into with us (Art. 6 (1) b) GDPR); and (ii) for the purpose of our legitimate interests (Art. 6 (1) f) GDPR). Our legitimate interests are: performance of the contract with a vendor or business partner.

We may Process Relevant Personal Data for internal management and administration purposes, including record management or maintaining other internal protocols.

Potentially all Relevant Personal Data could be Processed for this purpose (as this is subject to the content and the subject matter of business operation).

Legal basis: The Processing is necessary for the purpose of our legitimate interests (Art. 6 (1) f) GDPR). Our legitimate interests are: ensuring the appropriate and efficient operation of our business.

We may Process Relevant Personal Data to comply with applicable laws, directives, recommendations or requests from regulatory bodies (e.g. requests to disclose Personal Data to courts or regulatory bodies, including the police).

Potentially all Relevant Personal Data could be Processed for this purpose (as this is subject to the content and the subject matter of the relevant applicable laws, directives, recommendations or request).

Legal basis: Such Processing is necessary: (i) for compliance with a legal obligation to which we are subject (Art. 6 (1) c) GDPR); or (ii) for the purpose of our legitimate interests (Art. 6 (1) f) GDPR). Our legitimate interests are: ensuring our compliance with applicable legal obligations.

We may Process Relevant Personal Data in order to assess, enforce and defend our rights and interests.

Potentially all Relevant Personal Data could be Processed for this purpose (as this is subject to the content and the subject matter of the relevant proceedings or investigations).

Legal basis: The Processing is necessary for the purpose of our legitimate interests (Art. 6 (1) f) GDPR). Our legitimate interests are: protecting our interests and enforcing our rights.

We Process certain Personal Data for the purpose of evaluating the use of the Website and its functions, and to compile reports on the Website activity. For this purpose, and subject to your prior consent, we store information in your browser or your end device (e.g. cookies) to obtain further details about your interaction with Website, and compile information relating to the use of the Website in a user profile. This will help us to identify: (i) the times during which the Website, its functions and/or content are most frequently accessed and used; and (ii) the parts or areas of the Website that require optimisation. Please refer to Section 7 for further details about our use of cookies and similar technologies.

For this purpose, we use the tool Google Analytics. Please note that any Personal Data (in particular, the IP address) collected for the purpose of analysis in connection with Google Analytics will first be transmitted and stored on servers controlled by us, where the relevant data will be allocated to an internal user identification number (which is linked to an end device). The relevant data will then be transferred to Google only in pseudonymised form. This process is also known as “server-side tracking”.

Relevant Personal Data: Consent Records, Technical Data, Usage Data.

Legal basis: The Processing is based on your prior consent (Art. 6 (1) a) GDPR).

We use cookies and other technologies such as pixel tags, web bugs, web storage and other similar files and technologies that may carry the same functions as cookies (“Cookies” ) on the Website and Process related information for the purposes set out below.

Cookie are small text files that may be placed on your device (e.g. computer; smartphone) when you visit a website. They are stored locally on your device and kept ready for later retrieval. Each cookie contains a characteristic sequence of numbers which allows the identification of the browser when you re-visit the relevant website or another website that recognises that cookie. Cookies store information, such as your language preferences, duration of your visit of or your entries on the website.

The information processed in connection with the use of Cookies might be information about you, your preferences or your device. The information that we process in connection with the use of Cookies includes Technical Data, Consent Records and Usage Data.

We use strictly necessary Cookies for our Website to function, to be provided securely and to store information about your consent or rejection of cookies ("Strictly Necessary Cookies" ). The legal basis for the processing of your Personal Data in connection with such Strictly Necessary Cookies is our legitimate interest (Art. 6 (1) f) GDPR) in operating the Website efficiently and providing it securely.

Subject to your prior consent, we may use Cookies that (i) enable the Website to provide enhanced functionality ("Functional Cookies” ); (ii) allow us to measure and improve the performance of the Website ("Performance Cookies" ); and/or (iii) allow to display personalised content in line with your interest (“Targeting Cookies” ). The legal basis for the processing of your Personal Data in connection with such cookies is your consent (Art. 6 (1) a) GDPR).

We use the tool OneTrust provided by the service provider OneTrust Technology Limited for the purpose of cookie-related consent management.

Please note that you can manage your consent preferences by accessing the "Privacy Preference Center", which is accessible by clicking on the floating cookie settings button found on any page of the Website in the bottom left corner. This is also where you can find further information about each cookie. In addition, you will find more information about cookies and their use on the Website in our Cookie Policy, which is available here .

When you contact us concerning a service that is provided by another Kia group entity or another third party, we share your Relevant Personal Data with such Kia group entity or third party so that your request can be answered accordingly. Such data will only be shared upon your request.

Furthermore, we disclose Relevant Personal Data to other entities within the Kia group, for legitimate business purposes and the operation of the Website, in accordance with applicable law. We also disclose Relevant Personal Data to other entities within the Kia group in cases, in which we have obtained your prior specific consent for such disclosure. In addition, we disclose Relevant Personal Data to:

• you and, where appropriate, your appointed representatives;
• legal and regulatory authorities, upon request, or for the purposes of reporting any actual or suspected breach of applicable law or regulation;
• accountants, auditors, consultants, lawyers and other outside professional advisors to us, subject to binding contractual or legal obligations of confidentiality;
• third party Processors (such as providers for the technical infrastructure and maintenance services relevant to the Website; providers of services relating to customer support (e.g. call centre services));
• any relevant party, regulatory body, governmental authority, law enforcement agency or court, to the extent necessary for the establishment, exercise or defence of legal claims;
• any relevant party, regulatory body, governmental authority, law enforcement agency or court, for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties; and
• any relevant third party acquirer(s) or successor(s) in title, in the event that we sell or transfer all or any relevant portion of our business or assets (including in the event of a reorganisation, dissolution or liquidation).

If we engage a third-party Processor to Process your Personal Data, the Processor will be subject to binding contractual obligations to: (i) only Process the Personal Data in accordance with our prior written instructions; and (ii) use measures to protect the confidentiality and security of the Personal Data; together with any additional requirements under applicable law.

We are a member of an international group of companies. Therefore, we may transfer Personal Data within the Kia group and to other third parties as noted in Section 8 above.
Some of these recipients may be located or have relevant operations outside of your country and the EU/EEA (e.g. in the Republic of Korea, the United Kingdom or the USA) (“Third Country”). For some Third Countries, the European Commission has determined that they provide an adequate level of protection for Personal Data (e.g. the Republic of Korea, the United Kingdom), which also includes the USA to the extent that the receiving company in the USA participates in the EU-U.S. Data Privacy Framework (https://www.dataprivacyframework.gov ) (“Adequate Jurisdictions”).

Where we transfer Personal Data to a recipient that is located in a Third Country that has not been determined an Adequate Jurisdiction, we (or our Processors in the EU/EEA that transfer Personal Data to sub-processors in such Third Countries, as applicable) provide appropriate safeguards by way of entering into data transfer agreements adopted by the European Commission (standard contractual clauses) with the recipients or taking other effective measures to provide an adequate level of data protection. A copy of the respective safeguards may be requested from us or our DPO (see Section 2 and Section 3).

Your Personal Data are stored by us for no longer than is necessary for the purposes for which the Personal Data have been collected as set out above. When we no longer require your Personal Data for such purposes, we will erase it from our systems and/or records and/or take steps to properly anonymise it so that you can no longer be identified from the data (unless we are required to retain the Personal Data to comply with legal or regulatory obligations to which we are subject; e.g. Personal Data contained in contracts, communications and business letters may be subject to statutory retention requirements).

The retention period may be extended in accordance with national laws when Processing is necessary for the establishment, exercise or defence of legal claims, and we or third parties have a corresponding legitimate interest (e.g. for the period of impending legal (administrative and/or judicial) procedures and for the duration of such legal proceedings, including the expiration periods of any recourse).

Subject to applicable law, you may have the following rights regarding the Processing of your Personal Data:

• the right not to provide your Personal Data to us (however, please note that we will be unable to carry out a respective contract, an application or provide you with the full customer support, if you do not provide us with your Personal Data (e.g., we might not be able to process your job application or customer requests without the necessary details);
• the right to request access to, or copies of, your Personal Data, together with information regarding the nature, Processing and disclosure of those Personal Data;
• the right to request rectification of any inaccuracies in your Personal Data;
• the right to request, on legitimate grounds: (i) erasure of your Personal Data; or (ii) restriction of Processing of your Personal Data;
• the right to have certain Personal Data transferred to another Controller, in a structured, commonly used and machine-readable format, to the extent applicable;
• where we Process your Personal Data on the basis of your consent, the right to withdraw that consent (noting that such withdrawal does not affect the lawfulness of any Processing performed prior to the date on which we receive notice of such withdrawal, and does not prevent the Processing of your Personal Data in reliance upon any other available legal bases); and
• the right to lodge complaints regarding the Processing of your Personal Data with a Data Protection Authority (i.e. in relation to the UK, the Information Commissioner’s Office (https://ico.org.uk/ ) or in relation to the EU, the Data Protection Authority for the EU Member State in which you live, or in which you work, or in which the alleged infringement occurred (see the list here )).

Subject to applicable law, you may also have the following additional rights regarding the Processing of your Personal Data:
• the right to object, on grounds relating to your particular situation, to the Processing of your Personal Data by us or on our behalf, where such processing is based on Articles 6 (1) e) (public interest) or 6 (1) f) (legitimate interests) of the GDPR; and
• the right to object to the Processing of your Personal Data by us or on our behalf for direct marketing purposes.

This does not affect your statutory rights.

To exercise one or more of these rights, or to ask a question about these rights or any other provision of this Website Privacy Notice, or about our Processing of your Personal Data, please use the contact details provided in Sections 2 and 3 above. Please note that:
• in some cases it will be necessary to provide evidence of your identity before we can give effect to these rights; and
• where your request requires the establishment of additional facts (e.g. a determination of whether any Processing is non-compliant with applicable law) we will investigate your request reasonably promptly, before deciding what action to take.

This Website Privacy Notice may be amended or updated from time to time to reflect changes in our practices with respect to the Processing of Personal Data, or changes in applicable law. We encourage you to read this Website Privacy Notice carefully, and to regularly check this page to review any changes we might make in accordance with the terms of this Website Privacy Notice.

“BDSG” means the German Federal Data Protection Act (Bundesdatenschutzgesetz der Bundesrepublik Deutschland).

“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.

“Data Protection Authority” means an independent public authority that is legally tasked with overseeing compliance with applicable data protection laws.

“GDPR” means Regulation (EU) 2016/679 (General Data Protection Regulation).
“Personal Data” means any information relating to an identified or identifiable natural person.

“Process”/ ”Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, such as collection, recording, organisation, structuring, storage, adaption or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“Processor” means a natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of the Controller.