Kia Connect Privacy Notice

PRIVACY NOTICE

Kia Connect

1.

Introduction
This privacy notice (the “Privacy Notice”) of Kia Connect GmbH ("Kia", "we", "us", “our”) applies to the collection and processing of personal data in connection with the provision of our services via our app (the "Kia Connect App") and via the relevant vehicle’s head unit (the "Head Unit", together, the “Services”) and is addressed to our customers using these Services (“you”, “your”).
In addition to the Services, Kia may offer the purchase of certain features for its customers to use with their vehicle, such as upgrades or other add-ons to the software of the customer’s vehicle (“Upgrades”). This Privacy Notice also provides certain information about the processing of personal data in connection with the purchase of such Upgrades.
Kia takes the protection of your personal data and your privacy very seriously and will process your personal data only in accordance with the GDPR and other applicable data protection and privacy laws.
Please note that in addition to this Privacy Notice, where appropriate, we may inform you about the processing of your personal data separately, for example in consent forms or separate privacy notices.
We provide our Services and Upgrades to customers across Europe. As applicable data protection laws and requirements may differ in the relevant jurisdictions, please refer to Section 21 (Local Law Amendments) for specific information in relation to your jurisdiction.

2.1.

Unless expressly stated otherwise, Kia Connect GmbH is the controller of the personal data collected and processed as set out in this Privacy Notice.

2.2.

If you have any questions about this Privacy Notice or our processing of your personal data, or if you wish to exercise any of your rights, you may contact us at:
Kia Connect GmbH, Theodor-Heuss-Allee 11, 60486 Frankfurt am Main, Germany
Email: info@kia-connect.eu
You may also use our contact form, which is available here: https://connect.kia.com/eu/customer-support/contact-form/
Alternatively, you may also contact our data protection officer at the contact details provided in Section 3 below.

2.3.

Please note that we act as joint controllers with Kia Corporation, 12 Heolleung-ro, Seocho-gu, Seoul, 06797, Republic of Korea, for the purpose of ensuring appropriate cyber security standards for Kia vehicles and products (please refer to Section 7 for more details). We have agreed with Kia Corporation that we are the main contact point for you if you have any questions about the processing of your personal data or the essence of our arrangement with Kia Corporation in connection with the processing activities set out in Section 7 below. The same applies if you wish to exercise any of your rights in this regard. However, you may also choose to contact Kia Corporation directly. In this case, please contact Kia Europe GmbH as the designated EU Representative in accordance with Art. 27 GDPR:
Kia Europe GmbH
Data Protection Representative of Kia Corporation
Theodor-Heuss-Allee 11
60486 Frankfurt am Main, Germany
Email: dpo@kia-europe.com

2.4.

Please note that we act as joint controllers with Kia Europe GmbH, Theodor-Heuss-Allee 11, 60486 Frankfurt am Main, Germany, in relation to the provision of Vehicle System OTA Updates (please refer to Section 8.2 for more details). We have agreed with Kia Europe GmbH that we are the main contact point for you if you have any questions about the processing of your personal data or the essence of our arrangement with Kia Europe GmbH in connection with the processing activities set out in Section 8.2. The same applies if you wish to exercise any of your rights in this regard. However, you may also choose to contact Kia Europe GmbH directly:
Kia Europe GmbH
Data Protection Officer
Theodor-Heuss-Allee 11
60486 Frankfurt am Main, Germany
Email: dpo@kia-europe.com

3.

Data Protection Officer
We have appointed an external data protection officer (“DPO”). You may contact our DPO at:
Kia Connect GmbH
Data Protection Officer
Theodor-Heuss-Allee 11
60486 Frankfurt am Main, Germany
Email: dpo@kia-connect.eu

4.

Purposes, Legal Bases and Categories of Personal Data
This Section 4 provides you with a high-level overview of our processing of personal data. Details about the purposes of and the legal bases for our processing of your personal data, and the categories of personal data that we process, are set out in Sections 5 to 12.
Please note that we process personal data only to the extent permitted by law and to the extent necessary for the relevant purpose.
Purposes
We mainly process your personal data for the provision of our Services and the Upgrades as set out in the contract that you are about to enter or have entered into with us (“Kia Connect Terms of Use”). Details about the Services and Upgrades are provided in the Kia Connect Terms of Use.
We also process personal data for the other purposes specified in Sections 5 to 12 and always subject to applicable law.
For example, this includes the processing of personal data for: (i) communications; (ii) marketing; (iii) improving our Services and developing new services (the analysis of the relevant data is based on statistical and mathematical models); (iv) ensuring that relevant products and Services can be provided securely; and (v) complying with our legal and regulatory obligations under the applicable laws (e.g. disclosure of relevant personal data to courts or criminal prosecution authorities).
Legal bases
Generally, we collect and process your personal data where this is necessary: (i) to take steps at your request prior to entering into a contract with you (“conclusion of contract”) (Art. 6 (1) b) GDPR); (ii) to perform our contract with you (Art. 6 (1) b) GDPR); or (iii) for the purposes of the legitimate interests pursued by us or a third party (Art. 6 (1) f) GDPR). A legitimate interest is when we have a business or commercial reason to use your personal data, so long as this is not overridden by your own rights and interests.
With respect to certain processing activities, we process your personal data: (i) to the extent necessary for compliance with a legal obligation to which we are subject (Art. 6 (1) c) GDPR); or (ii) where we have obtained your prior consent to the relevant processing of your personal data for a specific purpose (Art. 6 (1) a) GDPR). Please refer to Sections 5 to 12 for information about the legal basis applicable to the relevant processing activity.
Sources
Unless otherwise expressly stated in this Privacy Notice, the personal data listed in Sections 5 to 12 are provided to us directly by you (e.g. by entering certain personal data in the Kia Connect App) or are collected directly from your vehicle (e.g. its sensors and related applications as made accessible via the Head Unit).
Your right not to provide your personal data
You have the right not to provide your personal data to us. However, please note that we will be unable to provide you with the full benefit of our Services and Upgrades or process (some of) your requests if you do not provide us with the necessary details and your personal data.
Third-party use of the vehicle or Services
Generally, the information that we provide about our processing activities in this Privacy Notice also applies to cases in which a third party uses the vehicle for which you have activated or signed up to the Services. However, it should be noted that our processing activities as set out in this Privacy Notice mainly relate to vehicle-bound information.
Therefore, we are usually not able to identify the relevant person driving the car, unless such person is logged in with their personal profile or other identifiers related to the relevant person are provided.
The Kia Connect Terms of Use require you to inform third parties (i.e. other users/drivers of the vehicle) about: (i) the activation of the Services; (ii) the processing activities described in this Privacy Notice; and (iii) the fact that the provision of certain Services requires the collection and processing of location data (GPS data).
Please note that if another person uses the Kia Connect App and is connected to the same vehicle as you are (please refer to Section 4.1.2 of the Kia Connect Terms of Use for more details about the sharing of the vehicle), this person may also see the vehicle's location data (GPS data) in their account on the Kia Connect App (by using the "Find my Car and First Mile Navigation" Service), even if you are using the vehicle at this time. While this person will not be able to access your live routes, they may be able to see the live location of the vehicle.

5.

Kia Connect App

5.1.

Sign-up and Log-in

5.1.1.

Sign-up process for the Kia Connect App: To register on the Kia Connect App, you need to have or create a “Kia Account”, sign up to the Kia Connect App using your Kia Account login details and accept the Kia Connect Terms of Use. The Kia Account can also be used to register for services provided by other Kia group members or certain third parties in Europe. Details about our processing of your personal data in connection with the Kia Account are provided in a separate Privacy Notice which is accessible here: https://connect.kia.com/eu/kia-account-docs/
Establishing the link between the end user device (i.e. smartphone) on which the Kia Connect App is installed and the respective vehicle requires additional verification for which we will share with you a verification PIN.
For this purpose, the following categories of personal data are processed: Vehicle identification number (VIN), email address, name, password, mobile number, country, preferred language, verification PIN, car ID, activation code, information about your acceptance of the Kia Connect Terms of Use.
Legal basis: The processing is necessary for the performance of the contract that you have entered into with us, or for the conclusion of the contract with us (Art. 6 (1) b) GDPR).

5.1.2.

Log-in process: To use the Services provided in the Kia Connect App or to purchase Upgrades, you need to log into the Kia Connect App. After logging in, you can add and remove your Kia vehicle(s) and use the Services or purchase Upgrades accordingly.
For this purpose, the following categories of personal data are processed: Email and password.
Legal basis: The processing is necessary for the performance of the contract that you have entered into with us (Art. 6 (1) b) GDPR).

5.2.

Remote Control and Supervision

5.2.1.

Remote Climate Control: This Service enables you to remotely control and schedule the air conditioning of your electric vehicle, including defrost functions, via the Kia Connect App.
For this purpose, the following categories of personal data are processed: Vehicle identification number (VIN), car ID, date and time stamp, location data (GPS data), odometer reading, vehicle status information (air conditioning status; engine status; doors, boot, windows and bonnet open/closed status).
Legal basis: The processing is necessary for the performance of the contract that you have entered into with us (Art. 6 (1) b) GDPR).

5.2.2.

Remote Charging (electric and plug-in hybrid vehicles only): This Service enables you to remotely initiate and stop the charging of an electric and plug-in hybrid vehicle’s battery and to schedule the charging via the Kia Connect App.
For this purpose, the following categories of personal data are processed: Vehicle identification number (VIN), car ID, date and time stamp, location data (GPS data), odometer reading, vehicle status information (air conditioning status; engine status; doors, boot, windows and bonnet open/closed status; tyre pressure status; brake/engine oil status; charging information; reserve charging information; charging time; charging plug type information).
Legal basis: The processing is necessary for the performance of the contract that you have entered into with us (Art. 6 (1) b) GDPR).

5.2.3.

Remote Door Control: This Service enables you to remotely lock/unlock the vehicle’s doors via certain user interfaces. You will be able to lock or unlock all doors. To ensure safety and security when using this Service, the Service will check several pre-conditions. This Service can help in situations where you cannot remember whether you locked the vehicle correctly by allowing you to perform this action remotely.
For this purpose, the following categories of personal data are processed: Vehicle identification number (VIN), car ID, date and time stamp, location data (GPS data), odometer reading, vehicle status information (air conditioning status; engine status; doors, boot, windows and bonnet open/closed status; tyre pressure status; gear/seat status; fuel level; brake/engine oil status).
Legal basis: The processing is necessary for the performance of the contract that you have entered into with us (Art. 6 (1) b) GDPR).

5.2.4.

Profile Backup and Restore: This Service enables you to back up vehicle settings information in the Kia Connect App and restore it to your vehicle.
For this purpose, the following categories of personal data are processed: Vehicle identification number (VIN), car ID, location data (GPS data), mobile number, SMS authentication code, user PIN code, report time, vehicle setup information, system setup information, navigation setup information, navigation point of interest (POI) information, list of favourite radio stations, profile picture (if provided).
Legal basis: The processing is necessary for the performance of the contract that you have entered into with us (Art. 6 (1) b) GDPR).

5.2.5.

Remote Heated and Ventilated Seats (electric vehicles only): This Service enables you to remotely control the front and rear seat heating and ventilation of your electric vehicle.
For this purpose, the following categories of personal data are processed: Vehicle identification number (VIN), car ID, SIM ID, date and time stamp, location data (GPS data), vehicle status information (status information on engine and gears; doors, bonnet, boot and sunroof; heating, ventilation and air conditioning (HVAC); battery, fuel and distance to empty (DTE); fluids (washer fluid and brake oil); tyres, lamps and smart key; electric vehicle (EV) status).
Legal basis: The processing is necessary for the performance of the contract that you have entered into with us (Art. 6 (1) b) GDPR).

5.2.6.

Remote Window Control: This Service enables you to remotely control the windows of your vehicle.
For this purpose, the following categories of personal data are processed: Vehicle identification number (VIN), car ID, SIM ID, date and time stamp, location data (GPS data), vehicle status information (status information on engine and gears; doors, bonnet, boot and sunroof; heating, ventilation and air conditioning (HVAC); battery, fuel and distance to empty (DTE); fluids (washer fluid and brake oil); tyres, lamps and smart key; electric vehicle (EV) status).
Legal basis: The processing is necessary for the performance of the contract that you have entered into with us (Art. 6 (1) b) GDPR).

5.2.7.

Remote Hazard Light Control: This Service enables you to remotely turn off the hazard lights.
For this purpose, the following categories of personal data are processed: Vehicle identification number (VIN), car ID, SIM ID, date and time stamp, location data (GPS data), vehicle status information (status information on tail lamps and hazard lights; engine and gears; doors, bonnet, boot and sunroof; heating, ventilation and air conditioning (HVAC); battery, fuel and distance to empty (DTE); fluids (washer fluid and brake oil); tyres, lamps and smart key; electric vehicle (EV) status).
Legal basis: The processing is necessary for the performance of the contract that you have entered into with us (Art. 6 (1) b) GDPR).

5.2.8.

Remote Charging Door Control: This Service enables you to remotely control the charging door of your vehicle.
For this purpose, the following categories of personal data are processed: Vehicle identification number (VIN), car ID, SIM ID, date and time stamp, location data (GPS data), vehicle status information (status information on charging door; engine and gears; door, bonnet, boot and sunroof; heating, ventilation and air conditioning (HVAC); battery, fuel and distance to empty (DTE); fluids (washer fluid and brake oil); tyres, lamps and smart key; electric vehicle (EV) status).
Legal basis: The processing is necessary for the performance of the contract that you have entered into with us (Art. 6 (1) b) GDPR).

5.2.9.

Remote Frunk: This Service enables you to remotely open the vehicle’s frunk via the Kia Connect App.
For this purpose, the following categories of personal data are processed: Vehicle identification number (VIN), car ID, date and time stamp, location data (GPS data), odometer reading, vehicle status information (air conditioning status; engine status; doors, boot, windows and bonnet open/closed status; tyre pressure status; gear/seat status; fuel level; brake/engine oil status), remote frunk eligibility check.
Legal basis: The processing is necessary for the performance of the contract that you have entered into with us (Art. 6 (1) b) GDPR).

5.2.10.

Remote Battery Conditioning: This Service enables you to remotely initiate and stop the conditioning of an electric vehicle’s battery via the Kia Connect App.
For this purpose, the following categories of personal data are processed: Vehicle identification number (VIN), car ID, date and time stamp, location data (GPS data), odometer reading, vehicle status information (air conditioning status; engine status; doors, boot, windows and bonnet open/closed status; tyre pressure status; gear/seat status; fuel level; brake/engine oil status; battery conditioning on/off status), remote battery conditioning eligibility check.
Legal basis: The processing is necessary for the performance of the contract that you have entered into with us (Art. 6 (1) b) GDPR).

5.2.11.

Remote Light: This Service enables you to activate the flashing hazard light for a short period via the Kia Connect App.
For this purpose, the following categories of personal data are processed: Vehicle identification number (VIN), car ID, SIM ID, date and time stamp, location data (GPS data), vehicle status information (status information on tail lamps and hazard lights; engine and gears; doors, bonnet, boot and sunroof; heating, ventilation and air conditioning (HVAC); battery, fuel and distance to empty (DTE); fluids (washer fluid and brake oil); tyres, lamps and smart key; electric vehicle (EV) status).
Legal basis: The processing is necessary for the performance of the contract that you have entered into with us (Art. 6 (1) b) GDPR).

5.2.12.

Remote Horn and Light: This Service enables you to activate the flashing hazard light and horn signal for a short period via the Kia Connect App.
For this purpose, the following categories of personal data are processed: Vehicle identification number (VIN), car ID, SIM ID, date and time stamp, location data (GPS data), vehicle status information (status information on tail lamps and hazard lights; engine and gears; doors, bonnet, boot and sunroof; heating, ventilation and air conditioning (HVAC); battery, fuel and distance to empty (DTE); fluids (washer fluid and brake oil); tyres, lamps and smart key; electric vehicle (EV) status).
Legal basis: The processing is necessary for the performance of the contract that you have entered into with us (Art. 6 (1) b) GDPR).

5.3.

Remote Geolocation Services

5.3.1.

Send to Car: This Service enables you to send a point of interest (POI) to the vehicle’s navigation system and immediately use the POI (e.g. as a destination for route planning) once the vehicle’s ignition is turned on.
For this purpose, the following categories of personal data are processed: Vehicle identification number (VIN), car ID, date and time stamp, location data (GPS data), point of interest (POI) information, search keyword, smartphone language settings.
Legal basis: The processing is necessary for the performance of the contract that you have entered into with us (Art. 6 (1) b) GDPR).

5.3.2.

Find my Car and First Mile Navigation: This Service enables you to locate the vehicle and to navigate to it using your smartphone. The vehicle’s location will be displayed in the Kia Connect App. Please note that if another person uses the Kia Connect App and is connected to the same vehicle as you are (please refer to Section 4.1.2 of the Kia Connect Terms of Use for more details about sharing the vehicle), this person may also see the vehicle's location data (GPS data) in their account for the Kia Connect App (by using the "Find my Car and First Mile Navigation" Service), even if you are using the vehicle at this time. While this person will not be able to access your live routes, they may be able to see the live location of the vehicle.
For this purpose, the following categories of personal data are processed: Vehicle identification number (VIN), car ID, SIM ID, address, name, location data (GPS data) of user and vehicle, waypoint information, date, time, time stamp and speed.
Legal basis: The processing is necessary for the performance of the contract that you have entered into with us (Art. 6 (1) b) GDPR).

5.3.3.

My Trips: This Service provides a summary (for the last 90 days) of every journey with date and time, average and maximum speed, distance driven and travel time.
For this purpose, the following categories of personal data are processed: Vehicle identification number (VIN), car ID, date and time stamp, location data (GPS data), driving information (run distance, average speed, maximum speed, total fuel consumption, total power consumption, electric power consumption, driving time, warm-up time, average odometer reading).
Legal basis: The processing is necessary for the performance of the contract that you have entered into with us (Art. 6 (1) b) GDPR).

5.3.4.

Last Mile Navigation: This Service enables you to continue navigating to your final destination using your smartphone after parking your vehicle.
For this purpose, the following categories of personal data are processed: Vehicle identification number (VIN), car ID, SIM ID, address, name, location data (GPS data) of the user and vehicle, waypoint information, time, speed.
Legal basis: The processing is necessary for the performance of the contract that you have entered into with us (Art. 6 (1) b) GDPR).

5.4.

Vehicle Information

5.4.1.

Vehicle Status: This Service displays the following vehicle information in the Kia Connect App:
Door status
Charging door status
Boot/bonnet status
Climate status
State of charge of battery, charging plug status, charging status (electric vehicles only)
Fuel level (fuel/hybrid vehicles only)
Seat heating and ventilation status
Window status
Sunroof status
12V battery status
Lights status
For this purpose, the following categories of personal data are processed: Vehicle identification number (VIN), car ID, SIM ID, date and time stamp, location data (GPS data), odometer reading, vehicle status information (status information on engine and gears; doors, bonnet, boot and sunroof; heating, ventilation and air conditioning (HVAC); battery, fuel and distance to empty (DTE); fluids (washer fluid and brake oil); tyres, lamps and smart key; electric vehicle (EV) status).
Legal basis: The processing is necessary for the performance of the contract that you have entered into with us (Art. 6 (1) b) GDPR).

5.4.2.

Vehicle Report: You receive a report in the Kia Connect App that includes vehicle diagnostics information and information on driving patterns (number of vehicle starts, driving distance and driving time/idle time). This informs you of issues that require maintenance or repairs and provides information on the severity of the issue, the urgency of repairs/maintenance and the recommended actions.
For this purpose, the following categories of personal data are processed: Vehicle identification number (VIN), car ID, date and time stamp, location data (GPS data), vehicle status information (engine status), driving pattern information (car speed information (maximum and average speed), acceleration status information, distance driven, battery consumption information (for electric vehicles)).
Legal basis: The processing is necessary for the performance of the contract that you have entered into with us (Art. 6 (1) b) GDPR).

5.4.3.

Vehicle Diagnostics: Provision of an automated diagnostics service. Upon turning on the ignition, the vehicle automatically performs a diagnostics scan (Diagnostics Trouble Code (“DTC”)). If a malfunction is detected, you receive a message explaining the malfunction, its severity and the recommended action to be taken.
For this purpose, the following categories of personal data are processed: Vehicle identification number (VIN), car ID, date and time stamp, location data (GPS data), odometer reading, results of the DTC scan, vehicle status information (air conditioning status; engine status; doors, boot, windows and bonnet open/closed status; tyre pressure status; gear/seat status; fuel level; brake/engine oil status; battery status).
Legal basis: The processing is necessary for the performance of the contract that you have entered into with us (Art. 6 (1) b) GDPR).

5.4.4.

Energy Consumption (electric vehicles only): This Service visualises the current and average energy consumption, driving distance and energy recuperation information in the Kia Connect App.
For this purpose, the following categories of personal data are processed: Vehicle identification number (VIN), car ID, date and time stamp, cumulative odometer reading, total power consumption (motor power consumption, climate power consumption, electric device power consumption, battery care power information, regenerated power information).
Legal basis: The processing is necessary for the performance of the contract that you have entered into with us (Art. 6 (1) b) GDPR).

5.4.5.

Driving Safety Score: This Service allows you to display a driving safety score in the Kia Connect App that assesses your driving behaviour. The driving safety score is calculated based on your acceleration and braking patterns, speed data, and the time of day you typically drive, all captured over the duration of a trip. The driving safety score is derived from data collected over 187 days, i.e. the driving safety score displayed represents an interpretation of your driving behaviour aggregated over the past 187 days of data.
For this purpose, the following categories of personal data are processed: Vehicle identification number (VIN), trip date, length of trip, acceleration/deceleration at various speeds, max speed, run time of trip, time driven for every speed, average speed of trip.
Legal basis: The processing is necessary for the performance of the contract that you have entered into with us (Art. 6 (1) b) GDPR).

5.5.

Alerts and Security

5.5.1.

Vehicle Alert: Whenever any of the vehicle’s windows are open while the ignition is off, a notification message will be displayed in the Kia Connect App.
For this purpose, the following categories of personal data are processed: Vehicle identification number (VIN), car ID, SIM ID, date and time stamp, location data (GPS data), odometer reading, vehicle status information (status information on engine and gears; doors, bonnet, boot and sunroof; heating, ventilation and air conditioning (HVAC); battery, fuel and distance to empty (DTE); fluids (washer fluid and brake oil); tyres, lamps and smart key; electric vehicle (EV) status).
Legal basis: The processing is necessary for the performance of the contract that you have entered into with us (Art. 6 (1) b) GDPR).

5.5.2.

Burglar Alarm (only for vehicles that are equipped with a burglar alarm system): Whenever the burglar alarm sounds, a notification message will be displayed in the Kia Connect App.
For this purpose, the following categories of personal data are processed: Vehicle identification number (VIN), car ID, date and time stamp, location data (GPS data), odometer reading, vehicle status information (air conditioning status; engine status; doors, boot, windows and bonnet open/closed status; tyre pressure status; gear/seat status; fuel level; brake/engine oil status).
Legal basis: The processing is necessary for the performance of the contract that you have entered into with us (Art. 6 (1) b) GDPR).

5.5.3.

Battery Discharge Alarm: Whenever the state of charge of the 12V battery drops below a certain level, a notification message will be displayed in the Kia Connect App.
For this purpose, the following categories of personal data are processed: Vehicle identification number (VIN), car ID, SIM ID, location data (GPS data), battery status, vehicle status alert type.
Legal basis: The processing is necessary for the performance of the contract that you have entered into with us (Art. 6 (1) b) GDPR).

5.5.4.

Rear Passenger Alarm: Whenever movement is detected on the rear seat and the vehicle is in the parking gear, a notification message will be displayed in the Kia Connect App.
For this purpose, the following categories of personal data are processed: Vehicle identification number (VIN), car ID, SIM ID, date and time stamp, location data (GPS data), odometer reading, vehicle status information (status information on engine and gears; doors, bonnet, boot and sunroof; heating, ventilation and air conditioning (HVAC); battery, fuel and distance to empty (DTE); fluids (washer fluid and brake oil); tyres, lamps and smart key; electric vehicle (EV) status).
Legal basis: The processing is necessary for the performance of the contract that you have entered into with us (Art. 6 (1) b) GDPR).

5.5.5.

Vehicle Idle Alarm: Whenever the vehicle is in the parking gear while the engine is running and a door is opened, a notification message will be displayed in the Kia Connect App.
For this purpose, the following categories of personal data are processed: Vehicle identification number (VIN), car ID, SIM ID, date and time stamp, location data (GPS data), odometer reading, vehicle status information (status information on engine and gears; doors, bonnet, boot and sunroof; heating, ventilation and air conditioning (HVAC); battery, fuel and distance to empty (DTE); fluids (washer fluid and brake oil); tyres, lamps and smart key; electric vehicle (EV) status).
Legal basis: The processing is necessary for the performance of the contract that you have entered into with us (Art. 6 (1) b) GDPR).

5.5.6.

High-Voltage Battery Monitoring Warning System (electric vehicles only): The status of the high-voltage battery is monitored: Whenever a malfunction is detected, a notification message will be displayed in the Kia Connect App and the Head Unit. Where the malfunction could cause damage to the vehicle or physical harm to you or other persons in or outside the relevant vehicle, we will share that information and the vehicle identification number (VIN) of your vehicle with the Kia national sales company or the Kia distributor, who may get in touch with you directly to warn you about the malfunction and the potential risk of damage or physical harm. Upon receipt of the information from us, the relevant Kia national sales company or Kia distributor will process such information as a separate and independent controller. Please note that we will share such information only where the malfunction is considered severe and there is a risk of damage to the vehicle or physical harm.
For this purpose, the following categories of personal data are processed: Location data (GPS data), air conditioning status, engine status, doors/boot/bonnet/sunroof/windows status, air temperature, defrost status, charging status, heating steering wheel status, side mirror/rear window heating status, tyre pressure status, 12V battery status, malfunction indicator lamp status, smart key battery status, fuel level status, washer fluid status, brake oil warning lamp status, sleep mode status, time, remote waiting time alert, system cut-off alert status, tail lamp status, hazard light status.
Legal basis: The processing is necessary for the monitoring of the status of the high-voltage battery as part of performing the contract that you have entered into with us (Art. 6 (1) b) GDPR). The sharing of the relevant information with third parties (as mentioned above) is necessary for the purpose of the legitimate interests pursued by us, but also our customers and other third parties (Art. 6 (1) f) GDPR). The legitimate interests are: ensuring the proper provision and function of our Services, providing safe Services and products to our and Kia group customers, protecting our customers’ health and life, protecting our customers’ property, and protecting the health, life and property of other people in or around the vehicle.

5.6.

Remote Usage Monitoring

5.6.1.

Valet Parking Mode: This Service enables you to monitor the vehicle’s location, the time ignition was last turned off, driving time, driving distance and top speed in the Kia Connect App.
For this purpose, the following categories of personal data are processed: Vehicle identification number (VIN), location data (GPS data), valet mode status information (activation status, valet mode start and end time, run time, odometer time, idle engine time, maximum speed, run distance), vehicle indicators (location, speed, time, accuracy, direction).
Legal basis: The processing is necessary for the performance of the contract that you have entered into with us (Art. 6 (1) b) GDPR).

5.6.2.

Valet Alert: This Service enables you to receive notifications in the Kia Connect App if your vehicle travels beyond the selected distance limit, speed limit and idle time limit you have predefined in the Kia Connect App. The permitted travel distance is the vehicle’s distance from the location where the Service was activated.
For this purpose, the following categories of personal data are processed: Vehicle identification number (VIN), date and time stamp, location data (GPS data), valet alert status information (activation status, valet alert status start and end time, run time, odometer time, idle engine time, maximum speed, run distance), vehicle indicators (location, speed, time, accuracy, direction), selected distance limit, selected speed limit, selected idle time limit.
Legal basis: The processing is necessary for the performance of the contract that you have entered into with us (Art. 6 (1) b) GDPR).

5.6.3.

Geofence Alert: This Service enables you to receive notifications in the Kia Connect App if your vehicle exits an allowed area or enters a restricted area. You can set the boundaries for allowed areas and restricted areas in the Kia Connect App.
For this purpose, the following categories of personal data are processed: Vehicle identification number (VIN), date and time stamp, location data (GPS data), geofence alert status information (activation status, geofence alert status start and end time, run time, odometer time, idle engine time, maximum speed, run distance), vehicle indicators (location, speed, time, accuracy, direction), selected allowed areas, selected restricted areas.
Legal basis: The processing is necessary for the performance of the contract that you have entered into with us (Art. 6 (1) b) GDPR).

5.6.4.

Speed Alert: When activated in the Head Unit, this Service enables you to receive notifications in the Kia Connect App if your vehicle exceeds the speed limit you have preset in the Kia Connect App.
For this purpose, the following categories of personal data are processed: Vehicle identification number (VIN), date and time stamp, location data (GPS data), speed alert status information (activation status, speed alert status start and end time, run time, mileage time, idle engine time, maximum speed, run distance), vehicle indicators (location, speed, time, accuracy, direction), selected speed limit.
Legal basis: The processing is necessary for the performance of the contract that you have entered into with us (Art. 6 (1) b) GDPR).

5.6.5.

Time Fencing Alert: This Service enables you to receive notifications in the Kia Connect App if your vehicle is driven outside of the time windows you have predefined in the Kia Connect App.
For this purpose, the following categories of personal data are processed: Vehicle identification number (VIN), date and time stamp, location data (GPS data), time fencing alert status information (activation status, time fencing alert status start and end time, run time, odometer time, idle engine time, maximum speed, run distance), vehicle indicators (location, speed, time, accuracy, direction), selected time windows.
Legal basis: The processing is necessary for the performance of the contract that you have entered into with us (Art. 6 (1) b) GDPR).

5.6.6.

Idle Alert: This Service enables you to receive notifications in the Kia Connect App if your vehicle is driven beyond the idle time limit you have predefined in the Kia Connect App.
For this purpose, the following categories of personal data are processed: Vehicle identification number (VIN), date and time stamp, location data (GPS data), idle alert status information (activation status, idle alert status start and end time, run time, odometer time, idle engine time, maximum speed, run distance), vehicle indicators (location, speed, time, accuracy, direction), selected idle time limit.
Legal basis: The processing is necessary for the performance of the contract that you have entered into with us (Art. 6 (1) b) GDPR).

5.7.

Preferred Dealer Information
This Service allows you to synchronise the “Preferred Dealer” information between your account on the MyKia website and your account in the Kia Connect App. Synchronisation is optional and must be enabled before it can be used. If you choose not to synchronise the “Preferred Dealer” information, the “Preferred Dealer” feature in the Kia Connect App is still available but the information shown could differ from the information in your account on the MyKia website.
For this purpose, the following categories of personal data are processed: Vehicle identification number (VIN), email address, UUID, dealer name, dealer address, dealer contact details, dealer information, dealer opening hours.
Legal basis: The processing is necessary for the performance of the contract that you have entered into with us (Art. 6 (1) b) GDPR).

5.8.

Digital Key
This Service enables you to use your smartphone to carry out services such as locking and unlocking your vehicle, activating the vehicle’s climate control or starting the vehicle (only from inside the vehicle) using the built-in, ultra-wide band (“UWB”) functionality and near-field-communication (“NFC”) functionality of your smartphone. It allows you to share and manage your Digital Key with up to three additional devices, e.g. those belonging to family and friends. Please note that when using this Service, data is exchanged between the mobile smart device and the vehicle using the UWB or NFC functionalities. This data is not transmitted to us.
For this purpose, the following categories of personal data are processed: User ID, profile name, email address, phone number, smart device information (device ID, device name, device types, OS version, app version), Digital Key information (Digital Key ID, Digital Key status, Digital Key type, access authorisation/profile, vehicle ID, ID of the physical key fobs, number of shared keys); for shared Digital Keys: additional information which includes the start and end dates (or fixed term) of Digital Key use, name of the shared Digital Key user(s), user authentication policy/authorisation profile as specified by you, diagnostics information (error codes), vehicle status information.
Legal basis: The processing is necessary for the performance of the contract that you have entered into with us (Art. 6 (1) b) GDPR).

5.9.

Car Sharing
You can share the remote Services with other users through the “Request to Share Car” function in the Kia Connect App. When you do so, we will process certain vehicle and user account-related data to initiate and process your sharing request. Share request information such as your name and PIN will be transmitted to and processed in the other user’s account for the Kia Connect App. The other user can use the Kia Connect App for the linked vehicle in the same way as you. They can also use the “Find my car” function.
For this purpose, the following categories of personal data are processed: PIN, vehicle identification number (VIN), your username and the other user’s phone number.
Legal basis: The processing is necessary for the performance of the contract that you have entered into with us (Art. 6 (1) b) GDPR) and in connection with our legitimate interests in delivering our Services (Art. 6 (1) f) GDPR). Please note that when you use this Service, you will share all of your personal data, excluding your login details, that is stored in your Kia Connect App account with the other users. You can deactivate this function at any time. Deactivation stops the sharing of data, and we will delete all shared data in the other user’s account for the Kia Connect App.

5.10.

Home menu map and search bar
The home menu map displays your current location. The home menu search bar can be used to search for points of interest (POI).
For this purpose, the following categories of personal data are processed: Location data (GPS data), search keyword, smartphone language setting.
Legal basis: The processing is necessary for the performance of the contract that you have entered into with us (Art. 6 (1) b) GDPR).

5.11.

Use of Touch ID and Face ID (iOS) or fingerprint and face recognition (Android)
You can use certain functions of the Kia Connect App with Touch ID or Face ID (iOS) or fingerprint and face recognition (Android) to unlock. Your biometric data is stored only locally on your smartphone and is not transmitted to us. Therefore, we are not able to access this data. Only the information on whether verification of the biometric data was successful is transmitted to the Kia Connect App by a system function of your smartphone. You can turn off the use of Touch ID or Face ID (iOS) or fingerprint and face recognition (Android) at any time in the respective settings of your smartphone.
For this purpose, the following categories of personal data are processed: Information on whether the verification of the biometric data was successful.
Legal basis: The processing is necessary for the performance of the contract that you have entered into with us (Art. 6 (1) b) GDPR).

5.12.

Firebase Crashlytics
To improve the security and stability of the Kia Connect App and the Services, we rely on the analysis of anonymised crash reports. For this purpose, we use “Firebase Crashlytics”, a service of Google Ireland Ltd., Google Building Gordon House, Barrow Street, Dublin 4, Ireland.
In order to provide us with anonymised crash reports, in the event of a crash or malfunction of the Kia Connect App, “Firebase Crashlytics” collects the information mentioned below and may transmit such information to Google servers in the USA. Please note that the crash reports that we will be provided with will not contain any information via which we could trace the identity of a user. Any information collected by and stored within “Firebase Crashlytics” will be deleted within 90 days of collection.
For more information about “Firebase Crashlytics” and how Google is processing your personal data, please refer to the following links:
https://firebase.google.com/
https://firebase.google.com/terms/crashlytics/
https://firebase.google.com/support/privacy
For this purpose, the following categories of personal data are processed: State of the app at the time of the crash, installation UUID, crash traces, manufacturer and operating system of the mobile device and last log messages.
Legal basis: The processing is necessary for the purpose of the legitimate interests pursued by us (Art. 6 (1) f) GDPR). Our legitimate interests are: ensuring and optimising the security and stability of the Kia Connect App and our Services.

5.13.

Product and Service Improvement
By activating "Product/Service Improvement", data regarding the performance, usage, operation and condition of the vehicle will be processed by us in order to improve product and service quality based on your consent. Your consent is voluntary and can be withdrawn at any time by deactivating the respective button. The withdrawal of your consent will not affect the lawfulness of processing based on such consent before its withdrawal. To activate "Product/Service Improvement", it is also necessary to activate the geographic information system ("GIS") for technical reasons.
For this purpose, the following categories of personal data are processed: Status information on the following: air control system; battery; technical and stability-related systems; dashboard usage; air conditioning and heating; engine, brake and powertrain; function; gears and consumption; warning and assistance system; steering and tyres; engine and charging; electric vehicle (EV)-specific usage; multimedia-related usage (e.g. "like" feature) and status as well as location data (GPS data) and speed information.
Legal basis: The processing is based on your prior consent (Art. 6 (1) a) GDPR).

6.

Head Unit and in-car Services

6.1.

Notification Centre
The Notification Centre enables you to receive messages from Kia on the Head Unit screen. Such messages include inter alia Recall Campaign Notifications regarding your vehicle, Service Reminders and Service Action Notifications.
For this purpose, the following categories of personal data are processed: Vehicle identification number (VIN), sequence ID, read status, reading time, UTC time.
Legal basis: The processing is necessary for the performance of the contract that you have entered into with us (Art. 6 (1) b) GDPR).

6.2.

Kia Connect Live Services
Kia Connect Live Services include the following:
Live Traffic and Online Navigation: This Service provides live traffic information for calculating routes and displaying the traffic situation. Online navigation enables you to navigate to your desired destination based on a combination of real-time and historical traffic data.
EV Route Planner (only for electric vehicles and plug-in hybrid electric vehicles): When setting a navigation destination in the vehicle’s built-in navigation system, this Service evaluates whether reaching the destination will likely require a charging stop. If a charging stop will be required based on the vehicle’s current state of charge and the estimated rate of energy consumption, the Service will automatically add one or more charging points to the proposed route as intermediate stops. The Service will automatically adapt the proposed charging stops if the driver chooses to make an earlier charging stop, to skip a proposed charging stop or if the driving conditions result in a higher energy consumption than expected.
Live Point of Interest (POI) and Online POI Search: This Service provides information on nearby points of interest based on the current position of the vehicle. In addition, this Service also enables you to actively search for nearby POIs by category. On eligible vehicles, this Service will be enhanced by data provided through our partner 4.screen GmbH. Please refer to Section 12.6 for more details.
Weather: This Service provides local weather information based on your current location.
Parking: This Service provides on and off-street parking information based on the current position, nearby destination, nearby scrolled mark or nearby city centre.
EV POI (only for electric vehicles and plug-in hybrid electric vehicles): This Service provides information on nearby charging stations including availability status based on the current position.
Dealer POI: This Service provides location information of nearby Kia dealers based on the current position of the vehicle.
Speed Camera / Danger Zone Alerts (if legally permissible in the country of use): This Service provides alerts in areas where accidents are particularly common and warns you about accident black spots or speed cameras.
Sports League: This Service provides information on past and upcoming events for the selected sports and leagues.
For this purpose, the following categories of personal data are processed: Location data (GPS data), service requests and server search responses (point of interest (POI) data), dealer POI data, fuel-related information, parking-related information, speed camera information, electric vehicle (EV) station information, weather information, traffic information, unit of distance (kilometres, miles, metres), language settings, telecom carrier information, vehicle identification number (VIN), driver ID, service ID, phone number, date and local time, protocol version, navigation device information (hardware version, software version), route information (start point, settings, goal point, estimated time), league match information request, team match information request, league ID, league match version, team code ID, country of interest ID, country code, league version, team version, logo version.
Legal basis: The processing is necessary for the performance of the contract that you have entered into with us (Art. 6 (1) b) GDPR).
We will also process the data listed above for the purpose of improving the Kia Connect Live Services.
Legal basis: The processing is necessary for the purpose of the legitimate interests pursued by us (Art. 6 (1) f) GDPR). Our legitimate interests are: improving the Kia Connect Live Services.

6.3.

Online Voice Recognition
This Service enables the use of spoken commands to access and control certain functions of your vehicle and to draft and send text messages via a connected mobile device. Online Voice Recognition is operated in an online (cloud) environment. When activating our Services in the Head Unit of your vehicle, Online Voice Recognition is activated as a default setting. This Service requires the transfer of your personal data (i.e. voice samples) to our service provider Cerence B.V. and its sub-processors, which may be located in countries outside the EU/EEA and may not provide for an adequate level of data protection (please refer to Sections 14 and 15 for more details). You can prevent the transfer of your personal data to Cerence B.V. and its sub-processors by deactivating the Online Voice Recognition Service in the respective settings of your Head Unit. If you deactivate the Online Voice Recognition Service, the voice recognition functionality of your vehicle may be limited or disabled.
Cerence B.V. transforms the voice samples into text samples, semantically interpreting them (if necessary), and then sends the result back to the vehicle.
For this purpose, the following categories of personal data are processed: Voice recording, location data (GPS data), point of interest (POI), Cerence user ID. The latter is a unique ID for registering with the server of Cerence B.V. The Cerence user ID and vehicle identification number (VIN) or any other identifiers are not linked to each other. This means that Cerence B.V. cannot identify a natural person from the data transmitted to it.
Legal basis: The processing is necessary for the performance of the contract that you have entered into with us (Art. 6 (1) b) GDPR).
Voice recording and location data (GPS data) will also be collected and stored for the purpose of performing and improving the Online Voice Recognition Service.
Legal basis: The processing is necessary for the purpose of the legitimate interests pursued by us (Art. 6 (1) f) GDPR). Our legitimate interests are: improving the Online Voice Recognition Service.

6.4.

Personal Calendar/Navigation synchronisation
This Service enables you to synchronise your Google Calendar or Apple Calendar on your smartphone with the integrated calendar function of the Head Unit. This allows you to see your private calendar on the Head Unit screen and to use it to set a destination. This Service is compatible with Google Calendar and Apple Calendar.
For this purpose, the following categories of personal data are processed: Vehicle identification number (VIN), email address, email account calendar ID, Google token or iCloud password, calendar entries (title of appointment, date and time, address).
Legal basis: The processing is necessary for the performance of the contract that you have entered into with us (Art. 6 (1) b) GDPR).

6.5.

Music Streaming
This Service enables you to enjoy your favourite music and audio (podcasts, audio books) streaming services over the integrated screen and speakers via the vehicle’s infotainment system. Please note that this Service does not include the subscription with the respective streaming service. You need to create an account and set up a subscription with your favourite streaming service provider separately. The Service is not activated on your Head Unit by default but instead needs to be activated via the Kia Connect Store. It will be available for up to three years, starting from when the Service was activated in the Kia Connect Store. Further information about this Service is provided in Section 4.2.2 (d) of the Kia Connect Terms of Use.
For this purpose, the following categories of personal data are processed: User authentication data (email address, user identifier), Service information (tokenised credentials for each content provider), vehicle information (VIN, brand, engine type, country of sale, model name, model year, Head Unit platform, Head Unit model), warranty start date.
Legal basis: The processing is necessary for the performance of the contract that you have entered into with us (Art. 6 (1) b) GDPR).

6.6.

Vehicle-related Notifications

6.6.1.

Recall Campaign Notifications: We will send you notifications about open recall campaign(s) to your vehicle using the Notification Centre referred to above. Recall campaign notifications may also be sent to you by other means (e.g. within the Kia Connect App, via email to your registered email address or by mailed letter).
For this purpose, the following categories of personal data are processed: Vehicle identification number (VIN), sequence ID, read status, UTC time, odometer, warranty start date.
Legal basis: The processing is necessary for the performance of the contract that you have entered into with us (Art. 6 (1) b) GDPR).

6.6.2.

Service Reminders: We will send you reminders for upcoming regular maintenance dates for your Kia vehicle using the Notification Centre referred to above.
For this purpose, the following categories of personal data are processed: Vehicle identification number (VIN), sequence ID, read status, UTC time, odometer, warranty start date.
Legal basis: The processing is necessary for the performance of the contract that you have entered into with us (Art. 6 (1) b) GDPR).

6.6.3.

Service Action Notifications: We may also inform you about outstanding recommended service actions (such as software updates, part replacements with improved parts or quality checks to be carried out on certain components of your Kia vehicle). Information on recommended service actions may be provided to you via the Notification Centre referred to above and/or within the Kia Connect App or via email to your registered email address.
This processing is subject to your prior consent, which you may give by activating the respective consent button in the consent list of the Kia Connect App. Your consent is voluntary and can be withdrawn at any time (e.g. by deactivating the respective consent button in the consent list of the Kia Connect App). The withdrawal of your consent will not affect the lawfulness of processing based on such consent before its withdrawal.
For this purpose, the following categories of personal data are processed: Vehicle identification number (VIN), sequence ID, read status, UTC time, odometer, warranty start date.
Legal basis: The processing is based on your prior consent (Art. 6 (1) a) GDPR).

6.6.4.

Mandatory Vehicle Inspection Reminders (such as TÜV in Germany or MOT in the UK): We will inform you about upcoming mandatory vehicle inspections. For example, reminders about the “Ministry of Transport” test (commonly referred to as “MOT”) for vehicles in the UK. Except for the “MOT” in the UK, use of this Service requires that you provide Kia with the correct date of the last mandatory vehicle inspection and the date the vehicle was first registered. For vehicles registered in the UK, we have been authorised by the Department for Transport (“DfT”) of the Government of the UK to access certain MOT vehicle history data (namely, MOT due dates and vehicle registration numbers) via the DfT’s MOT history API. As we usually do not process vehicle registration numbers, we will work with Kia UK Limited to match the vehicle registration number with the VIN so that we can provide you with this Service.
For this purpose, the following categories of personal data are processed: Vehicle identification number (VIN), sequence ID, read status, UTC time, odometer, warranty start date, last vehicle inspection date, first registration date; for the Services in the UK: MOT due dates, vehicle registration number, vehicle identification number (VIN).
Legal basis: The processing is necessary for the performance of the contract that you have entered into with us (Art. 6 (1) b) GDPR).

6.7.

Like Button for USB Music and Radio
The like button for USB music and radio allows you to mark and add songs to a playlist of your favourite songs. You can like or unlike songs via the like button integrated in the music function of the infotainment system.
For this purpose, the following categories of personal data are processed: The source type (USB music, radio, Bluetooth music), the name of the song, artist and album, the like/unlike information, location data (GPS data), ambient air temperature, vehicle speed, weather (based on your current location) and time information.
Legal basis: The processing is necessary for the performance of the contract that you have entered into with us (Art. 6 (1) b) GDPR).

7.

Cyber Security Standards
When you activate the Services in the Head Unit, and depending on the technical equipment of your vehicle, we collect and process security event-related data of your vehicle for the purpose of managing and monitoring appropriate cyber security standards of Kia vehicles and products. However, such data will first be stored in your vehicle. Only if an abnormal signal is detected will the data be sent to our systems for further analysis. There is no continuous transfer of such data out of the vehicle, and your vehicle will periodically store the last 100 generated security events. In case of a new security event, the oldest security event and related data will be deleted.
We will share the relevant data with Kia Corporation, 12 Heolleung-ro, Seocho-gu, Seoul, 06797, Republic of Korea (“Kia HQ”), so that Kia HQ can monitor the appropriate cyber security standards of the relevant Kia vehicles and products on an operational and technical level. This means that the data will be processed and analysed for the purpose of preventing cyber security threats and vulnerabilities, responding to and eliminating detected threats and vulnerabilities from potential cyber security attacks, as well as ensuring the appropriate security of Kia vehicles and products.
Please note that we and Kia HQ will process your personal data for such purposes as joint controllers.
For this purpose, the following categories of personal data are processed: Vehicle identification number (VIN) and security event-related data (timestamp of the generated security event and information from and about the component / control that captured and detected a security event).
Legal basis: For Kia HQ, the processing is necessary for compliance with a legal obligation (Art. 6 (1) c) GDPR) and for the purpose of the legitimate interests pursued by Kia HQ (Art. 6 (1) f) GDPR). Kia HQ’s legitimate interests are: ensuring and improving the security of Kia vehicles. For us, the processing is necessary for the purpose of the legitimate interests pursued by us and Kia HQ (Art. 6 (1) f) GDPR). Our legitimate interests are: assisting Kia HQ with their efforts to comply with applicable laws, and ensuring and improving the security of Kia vehicles.

8.1.

Maps and Infotainment OTA Update
The “Maps and Infotainment OTA Update” enables:
updates of the maps in the vehicle's navigation system (“Maps Update”); and/or
updates of infotainment software or enhancements of Head Unit software (“Infotainment Update”)
from our servers to the embedded telematics system using the “over-the-air” method.
The Maps and Infotainment OTA Update is part of the Services requested by you and is therefore activated by default.
Further information about the Maps Update and the Infotainment OTA Update is provided in Section 4.2.3. (b) of the Kia Connect Terms of Use.
For this purpose, the following categories of personal data are processed: Vehicle identification number (VIN), vehicle software version, Diagnostics Trouble Codes, vehicle manufacturing date, location data (GPS data), telecommunications provider, language settings, country code or region code, Head Unit identifiers (type, system version, platform, manufacturer), relevant metadata.
Legal basis: The processing is necessary for the performance of the contract that you have entered into with us (Art. 6 (1) b) GDPR).
For the avoidance of doubt, if you receive the Maps Updates and/or Infotainment Updates by accessing the web page https://update.kia.com/EU/E1/Main or at the dealership, these updates are not offered to you via the “over-the-air” method, and we are not the controller of the related processing of personal data.

8.2.

Vehicle System OTA Update
Vehicle System OTA Update enables the updating of embedded software of certain control units of the vehicle with newer versions of the software or with updated parameters (“Vehicle System Update”) from our servers using the “over-the-air” method. We provide you with Vehicle System OTA Updates for various reasons and purposes, in particular to remedy a defect within the warranty period, within the scope of the manufacturer's guarantee or for other security-related reasons. Further information about Vehicle System OTA Updates is provided in Section 4.2.3. (c) of the Kia Connect Terms of Use.
Please note that, in connection with the provision of Vehicle System OTA Updates (including for making Vehicle System OTA Updates more efficient and convenient, ensuring that Vehicle System OTA Updates meet technical requirements and standards (in particular with regard to cyber security and system stability) and for steering the deployment and monitoring of the Vehicle System OTA Updates on a global level), we will share your personal data with Kia Europe GmbH, Theodor-Heuss-Allee 11, 60486 Frankfurt am Main, Germany (“Kia EU”). Kia EU and we will process your personal data as joint controllers.
For this purpose, the following categories of personal data are processed: Vehicle identification number (VIN), vehicle status information (ignition, climate, battery, front bonnet, transmission lever position, lamp, parking brake), usage history (OTA Update), diagnostics information (error codes, OTA result, software recovery result) and software version information (electronic control unit), source version ID of vehicle, target version ID of vehicle, provision status, package name, update result, TMU’s phone number (MDN or MIN), telecommunications company, device ID, platform manufacturer, platform name, OMADM version.
Legal basis: For us, the processing is necessary for the performance of the contract that you have entered into with us (Art. 6 (1) b) GDPR), and also for the purpose of the legitimate interests pursued by us and Kia EU (Art. 6 (1) f) GDPR). The legitimate interests are: making Vehicle System OTA Updates more efficient and convenient and ensuring that Vehicle System OTA Updates meet technical requirements and standards, in particular with regard to cyber security and system stability. For Kia EU, the processing is necessary for compliance with a legal obligation (Art. 6 (1) c) GDPR), and for the purpose of the legitimate interests pursued by Kia EU and other members of the Kia group (Art. 6 (1) f) GDPR).
The legitimate interests are: ensuring that Kia EU and other members of the Kia group comply with legal obligations, ensuring that Kia as a member of the Kia group is able to provide good and appropriate Services to its customers, making Vehicle System OTA Updates more efficient and convenient, steering the deployment and monitoring of the Vehicle System OTA Updates on a global level, and ensuring that Vehicle System OTA Updates meet the technical requirements and standards, in particular with regard to cyber security and system stability.
For the avoidance of doubt, if you receive Vehicle System Updates by accessing the web page https://update.kia.com/EU/E1/Main or at the dealership, these Updates are not offered to you via the “over-the-air” method, and we are not the controller of the related processing of personal data.

9.

Upgrades

9.1.

General
As referenced in the Kia Connect Terms of Use, we may offer Upgrades. Upgrades can be purchased in the store section of the Kia Connect App (“Kia Connect Store”). Please refer to Section 5 of the Kia Connect Terms of Use for more details about Upgrades.
The Upgrades themselves will not require the processing of personal data, unless the relevant Upgrade includes or relates to a Service referenced above. In such cases, we will inform you about the processing of personal data in connection with such Service in the relevant Section above. Please note that in some cases, the use of the Service “Vehicle System OTA Update” will be required to install an Upgrade. Please refer to Section 8.2 for more details about the personal data processed in connection with Vehicle System OTA Update and the applicable legal basis for such processing.
Each Upgrade is linked to a specific vehicle as identified by its unique vehicle identification number (VIN). This means that we will process information about the purchased Upgrade, the relevant VIN and information about the electronic control unit of the vehicle. The processing is necessary for the performance of the contract relating to the purchase of the relevant Upgrade (Art. 6 (1) b) GDPR).

9.2.

Informing other Users of Upgrades
It is possible for a vehicle to be linked to the Kia Connect accounts of several users. Where this is the case, we will inform the user who first linked their Kia Connect account to the relevant vehicle (“Main User”) and any further users who have linked the vehicle to their Kia Connect account (“Shared Users”) via email about the purchase of an Upgrade by another Shared User and the activation and deactivation (if applicable) of the respective Upgrade.
For this purpose, the following categories of personal data are processed: Vehicle identification number (VIN), name, email address, technical data (device information, IP address, User ID, UUID), information relating to the relevant Upgrade.
Legal basis: The processing is necessary for the performance of the contract that you have entered into with us (Art. 6 (1) b) GDPR).

10.

Kia Connect Store and Purchase Process
You can select Upgrades and purchase and/or activate them in the Kia Connect Store (as defined in Section 9.1). Details about the processing of your personal data in connection with the Kia Connect Store and the purchase process are provided in the Kia Connect Store Privacy Notice, which is accessible in the Kia Connect Store and is also made available here: https://connect.kia.com/eu/downloads.

11.

Payment Process
The processing of your payment is subject to a separate privacy notice (“Kia Pay Privacy Notice”), which will be made available to you before you issue the payment for the relevant Upgrade in the Kia Connect Store. The Kia Pay Privacy Notice is also available here: https://connect.kia.com/eu/downloads.

12.

Other Processing Activities
In addition to the processing activities set out above, we process your personal data for the following purposes:

12.1.

Communication: We process your personal data to communicate with you in relation to the Services or the contract that you have entered into with us (e.g. to provide customer support, to inform you about technical issues with the Services, to perform our contractual obligations, to inform you about changes to the Kia Connect Terms of Use or this Privacy Notice) via several communication channels, including the Head Unit of your vehicle (for example, through the Notification Centre or the infotainment system), email, telephone and notifications within the Kia Connect App (for this purpose, the Kia Connect App provides a separate inbox). If you have the Kia Connect App installed on a device and permit push notifications via the device settings, we process your personal data to inform you about matters and updates that are essential for the maintenance of the Kia Connect App functionalities (for example, notification of a necessary security update or a lost vehicle connection). When you contact us via available communication channels (e.g. contact form on our website or in the Kia Connect App, email or telephone), we process your personal data to handle your request and communicate with you accordingly in relation to your request. Certain fields in the contact form in the Kia Connect App will be pre-filled to make using the contact form more convenient for you. For information about communication regarding our marketing activities, please see Section 12.3. For information about our communication with you regarding Upgrades purchased for your vehicle, please see Section 9.2.
For this purpose, the following categories of personal data are processed: Contact details (e.g. email address, telephone number), data relevant for the use of the Notification Centre (i.e. unique identifiers, including the vehicle identification number (VIN), sequence ID, read status, UTC time), data relevant for the sending of the notifications within the Kia Connect App (User ID, country, language, device ID, system token, platform, UUID, Contact ID), data relevant for pre-filling the contact form in the Kia Connect App (email address, vehicle identification number (VIN), language, UUID), name, information provided by you in relation to the relevant request, contract data.
Legal basis: The processing is necessary for the performance of the contract that you have entered into with us (Art. 6 (1) b) GDPR), or for the purpose of the legitimate interests pursued by us (Art. 6 (1) f) GDPR). Our legitimate interests are: providing the best possible service to our customers and appropriately answering and processing our customers’ requests.

12.2.

Technical Support: Where a technical issue has been detected in relation to your vehicle and the Services, we might be required to read out information from your vehicle for the purpose of analysing such information and to resolve the detected issue. Subject to your prior consent, we will collect and process what is known as a log file of the Head Unit from your vehicle, which contains certain categories of personal data. Your consent is voluntary and can be withdrawn at any time (e.g. by using our contact form available in the “Customer Support” section under “Contact Us” on our website (https://connect.kia.com/eu/customer-support/contact-form/)). The withdrawal of your consent will not affect the lawfulness of processing based on such consent before its withdrawal. However, please note that the refusal to grant or the withdrawal of your consent might prevent us from offering or completing an analysis of the detected issue of your vehicle and the Services.
For this purpose, the following categories of personal data are processed: Vehicle identification number (VIN), time stamps, location data (GPS data; i.e. your previous destinations) as well as vehicle diagnostics information regarding the performance, usage, operation and condition of the vehicle.
Legal basis: The processing is based on your prior consent (Art. 6 (1) a) GDPR).

12.3.

Marketing: We may contact you via the Head Unit of your vehicle, email and/or notifications within the Kia Connect App (the Kia Connect App provides a separate inbox) to provide you with promotional information regarding our products and/or services, to ask you to participate in surveys or to provide your feedback.
In relation to emails and notifications within the Kia Connect App, this is usually subject to your prior consent and to the scope of such consent. You may give your consent by activating the respective consent button in the consent list of the Kia Connect App or by other relevant means (if applicable). Your consent is voluntary and can be withdrawn at any time (e.g. by deactivating the respective consent button in the consent list of the Kia Connect App). You may also unsubscribe from our promotional email list at any time by clicking on the unsubscribe link included in each promotional email that we send. The withdrawal of your consent will not affect the lawfulness of processing based on such consent before its withdrawal. You also have the right to object to the processing of your personal data for direct marketing purposes (see Section 13.6 for more details).
If you provide us with your email address as part of signing up to the Services and unless you have objected, we may send you information about similar Kia Connect services or products to the relevant email address without asking you for your prior specific consent. This is because specific consent from you as an existing customer is not required in such cases. This also applies to sending you such information via notifications within the Kia Connect App to the inbox which is provided separately within the app. However, you have the right to opt out from receiving such electronic mail marketing at any time without incurring any costs (other than the transmission costs according to the basic rates) (e.g. by deactivating the respective buttons in the “Service-related Advertising” list of the Kia Connect App). You may also unsubscribe from our promotional email list at any time by clicking on the unsubscribe link included in each promotional email that we send. You also have the right to object to the processing of your personal data for direct marketing purposes (see Section 13.6 for more details).
For this purpose, the following categories of personal data are processed: Name, contact details (e.g. email), technical data (e.g. device information, IP address, User ID, UUID), information about your consent (e.g. date and time of opt-in).
Legal basis: The processing is based on your prior consent (Art. 6 (1) a) GDPR in conjunction with applicable local marketing laws (e.g. in Germany Section 7 (2) No. 2 of the German Act against Unfair Competition (“UWG”))); or it is necessary for the purpose of the legitimate interests pursued by us (Art. 6 (1) f) GDPR in conjunction with the applicable local marketing laws (e.g., in Germany Sec. 7 (3) UWG)). Our legitimate interests are: promoting our services and products.

12.4.

Feedback and Surveys: From time to time, we may invite you to provide your feedback and/or participate in surveys relating to us and our services, including support services (see Section 12.1 for details about our communication with you). If you provide your feedback or participate in our surveys, we may process relevant personal data for the purpose of processing and evaluating the feedback or conducting, processing and evaluating the survey. This is in order to improve our services and adapt them to our customers’ needs.
In some cases, we may conduct surveys using the Salesforce Marketing Cloud platform provided by salesforce.com Germany GmbH or the online survey tool Surveymonkey provided by Momentive Europe UC (“Momentive”) (see Section 14 for more details about these providers). To participate in surveys conducted on Surveymonkey, you may have to click a link which will be included in the survey invitation. When you click on the link, you will be referred to a website of Momentive on which the survey will be conducted. Momentive will process the survey related information on our behalf and for our purposes. Furthermore, Momentive may: (i) collect and process information about your device and other technical data to avoid multiple participations; and (ii) use cookies to recognise whether the participant has already visited the survey and to reassign responses that the relevant participant has already given. More information about Momentive’s processing of personal data is available at https://www.surveymonkey.com/mp/legal/privacy/.
For this purpose, the following categories of personal data are processed: Name (if relevant and provided), content data (e.g. your feedback and/or responses), technical data (IP address, UUID, operating system version, device type, device ID/MAC address, system and performance information and browser type).
Legal basis: The processing is necessary for the purpose of the legitimate interests pursued by us (Art. 6 (1) f) GDPR). Our legitimate interests are: improving our services.

12.5.

Route Satisfaction: From time to time, we may ask you via the Head Unit of your vehicle (through the infotainment system) to submit your feedback in order to measure your satisfaction with our route guidance and location information.
For this purpose, the following categories of personal data are processed: Vehicle identification number (VIN), location data (GPS data) (e.g. GPS coordinates for live traffic information), the Integrated Circuit Card Identifier of your vehicle’s SIM card (ICCID), a unique request ID for any transaction, your satisfaction score.
Legal basis: The processing is necessary for the purpose of the legitimate interests pursued by us (Art. 6 (1) f) GDPR). Our legitimate interests are: improving our services.

12.6.

Location-based Advertising: On eligible vehicles, the Service “Live Point of Interest (POI) and Online POI Search” (see Section 6.2) will be enhanced by data provided through our partner 4.screen GmbH, Sailerstraße 17, 80809 Munich, Germany (“4.screen”) (see https://www.4screen.com/). This means that the live POIs may contain advertising content from third parties. You can deactivate this in the settings. You will receive information on stores or restaurants (such as their location) via branded pins on the map or via the search function of the map. You will also receive special deals and offers from stores and restaurants in the proximity of your vehicle.
To be able to provide you with this feature and the relevant information, it may be necessary to transfer the following data to 4.screen: Approximate search area, search term, search (POI) category, device ID, approximate location of the device, Head Unit language and generation, car brand, engine type (e.g. EV or petrol), vehicle class (e.g. small, SUV), vehicle production year and vehicle country. Furthermore, if relevant information and offers are provided to you, a unique offer ID is created. This offer ID is also transferred to 4.screen together with the event type (e.g. shown, clicked, navigation started), screen type (e.g. Head Unit, app) and the timestamp of when the offer was interacted with in order to validate the invoicing process. If offers and information from the vehicle are sent directly to the Kia Connect App as push notifications, we also process your user profile ID.
For this purpose, the following categories of personal data are processed: Vehicle identification number (VIN), location data (GPS data), service request, user profile ID, user ID, approximate search area, search term, search (POI) category, device ID, approximate location of the device, Head Unit language and generation, car brand, engine type (e.g. EV or petrol), vehicle class (e.g. small, SUV), vehicle production year, vehicle country, unique offer ID, event type (e.g. shown, clicked, navigation started), screen type (e.g. Head Unit, app) and timestamp.
Legal basis: The processing is necessary for the performance of the contract that you have entered into with us (Art. 6 (1) b) GDPR).

12.7.

Data Sharing: Details about our sharing of your personal data with third parties are provided in Section 14.

12.8.

Operation of Business: We process certain categories of the personal data referred to above for internal management and administration purposes, including record management or maintaining other internal protocols.
Legal basis: The processing is necessary for the purpose of the legitimate interests pursued by us (Art. 6 (1) f) GDPR). Our legitimate interests are: ensuring the appropriate and efficient operation of our business.

12.9.

Legal Compliance: We process certain categories of the personal data referred to above (e.g. records of any consents that you have given, together with the date and time, as well as content and means of consent) to comply with applicable laws, directives, recommendations or requests from regulatory bodies (e.g. requests to disclose personal data to courts or regulatory bodies, including the police).
Legal basis: Such processing is necessary: (i) for compliance with a legal obligation to which we are subject (Art. 6 (1) c) GDPR); or (ii) for the purpose of our legitimate interests (Art. 6 (1) f) GDPR). Our legitimate interests are: ensuring our compliance with applicable legal obligations.

12.10.

Legal Proceedings and Investigations: We process personal data referred to above in order to assess, enforce and defend our rights and interests.
Legal basis: The processing is necessary for the purpose of the legitimate interests pursued by us (Art. 6 (1) f) GDPR). Our legitimate interests are: protecting our interests and enforcing our rights.

13.

Your Rights
Where we process your personal data on the basis of your consent, you have the right to withdraw your consent at any time (Art. 7 (3) GDPR). The withdrawal of your consent will not affect the lawfulness of processing based on such consent before its withdrawal.
Subject to applicable law, you may have the following rights regarding the processing of your personal data: The right to obtain access to your personal data (Art. 15 GDPR), the right to have your personal data rectified (Art. 16 GDPR), the right to have your personal data erased (Art. 17 GDPR), the right to have the processing of your personal data restricted (Art. 18 GDPR), the right to data portability (Art. 20 GDPR) and the right to object to the processing of your personal data (Art. 21 (1) and (2) GDPR).
You also have the right to lodge a complaint with the competent data protection authority (Art. 77 GDPR).
Please note that these rights could be subject to certain limitations under applicable local data protection laws. The contact details of the Hesse data protection authority (Der Hessische Beauftragte für Datenschutz und Informationsfreiheit) are as follows: Gustav-Stresemann-Ring 1, 65189 Wiesbaden, Germany, phone: +49 (0) 611 / 1408-0, https://datenschutz.hessen.de/
For more information on each of these rights, including the circumstances in which they apply, please see details in this Section 13 or contact us. If you would like to exercise any of those rights, please contact us (see Section 2 for our contact information details).

13.1.

Right of access: You may have the right to obtain from us confirmation as to whether or not personal data concerning you is processed, and, where that is the case, to request access to the personal data and certain additional information. Such information includes – inter alia – the purposes of the processing, the categories of personal data concerned, and the recipients or categories of recipients to whom the personal data has been or will be disclosed. However, please note that the interests of other individuals may restrict your right of access.
You may have the right to obtain a copy of the personal data undergoing processing. For further copies requested by you, we may charge a reasonable fee based on administrative costs.

13.2.

Right to rectification: You may have the right to obtain from us the rectification of inaccurate personal data concerning you. Subject to the relevant purposes of the processing, you may have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

13.3.

Right to erasure ("right to be forgotten"): Under certain circumstances, you may have the right to obtain from us the erasure of personal data concerning you and we may have the obligation to erase such personal data.
For example, you may request erasure if the personal data is no longer necessary for the purposes for which it was collected or otherwise processed. In some cases, however, we may deny your request for erasure, for example if the processing is necessary for us to exercise or defend legal claims.

13.4.

Right to restriction of processing: Under certain circumstances, you may have the right to obtain from us restriction of processing your personal data. For example, if you contest the accuracy of your personal data, you may request the restriction of the processing of this personal data while we verify its accuracy. In this case, the respective data will be flagged accordingly and may only be processed by us for certain purposes.

13.5.

Right to data portability: Under certain circumstances, you may have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and you may have the right to transmit this data to another controller without hindrance from us.

13.6.

RIGHT TO OBJECT: UNDER CERTAIN CIRCUMSTANCES AND WHERE THE PROCESSING IS BASED ON LEGITIMATE INTERESTS (ART. 6 (1) F) GDPR), YOU MAY HAVE THE RIGHT TO OBJECT, ON GROUNDS RELATING TO YOUR PARTICULAR SITUATION, AT ANY TIME TO THE PROCESSING OF YOUR PERSONAL DATA BY US AND WE MAY BE REQUIRED TO NO LONGER PROCESS YOUR PERSONAL DATA.
FURTHERMORE, WHERE YOUR PERSONAL DATA IS PROCESSED FOR DIRECT MARKETING PURPOSES, YOU HAVE THE RIGHT TO OBJECT AT ANY TIME TO THE PROCESSING OF PERSONAL DATA CONCERNING YOU FOR SUCH MARKETING, WHICH INCLUDES PROFILING TO THE EXTENT THAT IT IS RELATED TO SUCH DIRECT MARKETING. IN THIS CASE YOUR PERSONAL DATA WILL NO LONGER BE PROCESSED FOR SUCH PURPOSES BY US.

14.

Recipients and Categories of Recipients
Any access to your personal data at Kia is restricted to those individuals that have a need to know in order to fulfil their job responsibilities.
We disclose your personal data for the respective purposes and in compliance with applicable data protection laws to the recipients and categories of recipients listed below:
Kia group companies – We may disclose your personal data to other companies that are members of the Kia group, including our affiliated companies in Europe and Kia Corporation in the Republic of Korea.
To the extent that we disclose such data to other members of the Kia group for internal administrative purposes, such disclosure is necessary for our operational and business interests (Art. 6 (1) f) GDPR). We may also disclose such data because it is necessary for the performance of our contract with you (Art. 6 (1) b) GDPR).
Furthermore, in some cases, the disclosure may be based on your consent (Art. 6 (1) a) GDPR). For example, you may agree to the sharing of certain vehicle data with the relevant Kia national sales company or distributor in your country in Europe for various purposes by activating the respective consent buttons in the consent list of the Kia Connect App. Please refer to the consent list of the Kia Connect App for more details. Where you give such consent, your consent is voluntary and can be withdrawn at any time (e.g. by de-activating the respective consent button in the consent list of the Kia Connect App). The withdrawal of your consent will not affect the lawfulness of processing based on such consent before its withdrawal.
We will inform the Kia national sales company or distributor in your country about the vehicle-related notifications (see Section 6.6) we have sent to you to avoid you receiving the same message via multiple channels from different Kia group companies. This is necessary for the purpose of legitimate interests pursued by us and the relevant recipient of the information (Art. 6 (1) f) GDPR). The relevant recipient’s and our legitimate interests are: providing the best possible service for our customers, as sharing this information will avoid customer frustration caused by receiving the same message via multiple channels and from different Kia group companies.
We share personal data with Kia Corporation, 12 Heolleung-ro, Seocho-gu, Seoul, 06797, Republic of Korea as joint controller for the purpose of ensuring the appropriate cyber security standards for Kia vehicles and products (please refer to Sections 2.3 and 7 for more details).
We share personal data with Kia Europe GmbH, Theodor-Heuss-Allee 11, 60486 Frankfurt, Germany as joint controller in connection with the provision of Vehicle System OTA Updates (please refer to Sections 2.4 and 8.2 for more details).
Telecommunications providers – For the purpose of providing our Services to you (Art. 6 (1) b) GDPR), we may disclose your personal data to Vodafone GmbH, Ferdinand-Braun-Platz 1, 40549 Düsseldorf, Germany, which provides the relevant telecommunications services. Vodafone GmbH will process your personal data as an independent controller.
Service providers – We may disclose your personal data to certain third parties, whether affiliated or unaffiliated, that process such data as our service providers on our behalf under appropriate instructions as processors and as necessary for the respective processing purposes (Art. 28 (3) GDPR). These processors are subject to contractual obligations, which require them to implement appropriate technical and organisational security measures, to safeguard the personal data and to process the personal data only in accordance with our instructions. Our service providers include:
The service provider for the technical infrastructure and maintenance services relevant to the Services, which is Hyundai AutoEver Europe GmbH, Kaiserleistraße 8a, 63067 Offenbach am Main, Germany.
The service providers for our customer data management platforms and connected car data management platforms, which are salesforce.com Germany GmbH, Erika-Mann-Strasse 31-37, 80636 Munich, Germany, and Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, L-1855 Luxembourg, with their servers located within the EU/EEA.
The service provider Hyundai AutoEver Corp., 510, Teheran-ro, Gangnam-gu, Seoul, Republic of Korea, which provides assistance with analysing and handling security events as referenced in Section 7.
The service provider Momentive Europe UC, Second Floor, 2 Shelbourne Buildings, Shelbourne Road, Dublin 4, Ireland, which provides the online survey tool Surveymonkey and related services for the purpose of conducting and evaluating surveys.
The service provider Cerence B.V., CBS Weg 11, 6412EX Heerlen, Netherlands, which provides services in connection with the Online Voice Recognition Service.
Our affiliated entities in the EU/EEA, which provide services relating to customer support, including call centre services.
The service providers TomTom Global Content B.V. and HERE Europe B.V., which provide map-related services.
Other service providers engaged in connection with specific Services as referenced in the Sections above.
Governmental authorities, courts and similar third parties that are public bodies – We may disclose your personal data to governmental authorities, courts and similar third parties that are public bodies where we have a legal obligation to do so (Art. 6 (1) c) GDPR) or for the purpose of protecting our interests or enforcing our rights (Art. 6 (1) f) GDPR). These recipients will process the relevant personal data as independent controllers.
Outside professional advisors – We may disclose your personal data to our tax consultants, auditors, accountants, legal advisors and other outside professional advisors for the purpose of operating our business (Art. 6 (1) f) GDPR). In some cases, we may also disclose the data for the purpose of protecting our interests or enforcing our rights (Art. 6 (1) f) GDPR). These recipients will usually process the relevant personal data as independent controllers.
Third-party acquirers – In the event that we sell or transfer all or any relevant portion of our assets or business (including reorganisation or liquidation), we may disclose your personal data to third-party acquirers (Art. 6 (1) f) GDPR). These recipients will process the relevant personal data as independent controllers.
Others – We may also disclose your personal data to other third parties (insurance companies, leasing companies, financial service providers, fleet companies, data aggregators); however, we will only share your personal data with such third parties where: (i) you have given your prior consent for such disclosure (Art. 6 (1) a) GDPR); (ii) such disclosure is necessary for the performance of our contract or the relevant third party’s contract with you (Art. 6 (1) b) GDPR); or (iii) the sharing is necessary for the purpose of the legitimate interest pursued by the relevant third party to the extent that such legitimate interest is not overridden by your interests, fundamental rights or freedoms (Art. 6 (1) f) GDPR). These recipients will process the relevant personal data as independent controllers.
On or around the production date of a vehicle and before the vehicle is placed on the market and sold for the first time, we share certain information about the Advanced Driver Assist System (“ADAS”) (namely, the vehicle build information (VBI), which includes the vehicle identification number (VIN), model, trim, model year, price, colour, fuel type, voltage system, emissions, class, power and fitted equipment including ADAS safety systems) applicable to that vehicle with pre-selected data aggregators. At the time of sharing, the relevant data does not relate to an individual and therefore does not constitute personal data. The data is shared by us and then processed by the data aggregators for the purpose of protecting against possible fraudulent practices and simplifying the insurance process for Kia vehicle drivers or owners. In addition, please note that we also process such data for our own purposes of analysing, improving and developing our products. Where we process such data for our own purposes after the vehicle has been placed on the market and been sold for the first time, we anonymise the relevant data before carrying out any such processing activities to ensure that you are not identifiable from the relevant data.

15.

Cross-Border Data Transfer
We are a member of an international group of companies. Therefore, we may transfer personal data within the Kia group and to other third parties as noted in Section 14.
Some of these recipients may be located or have relevant operations outside of your country and the EU/EEA (e.g. in the Republic of Korea, the United Kingdom or the USA) (“Third Country”).
For some Third Countries, the European Commission has determined that they provide an adequate level of protection for personal data (e.g., the Republic of Korea, the United Kingdom), which also includes the USA to the extent that the receiving company in the USA participates in the EU-U.S. Data Privacy Framework (see https://www.dataprivacyframework.gov) (“Adequate Jurisdictions”).
Where we transfer personal data to a recipient that is located in a Third Country which has not been determined an Adequate Jurisdiction, we (or our processors in the EU/EEA that transfer personal data to sub-processors in such Third Countries, as applicable) provide appropriate safeguards by way of entering into data transfer agreements adopted by the European Commission (standard contractual clauses) with the recipients or taking other effective measures to provide an adequate level of data protection.
A copy of the respective safeguards may be requested from us or our data protection officer (see Section 2 and Section 3).

16.

Data Retention

16.1.

General: Your personal data is stored by us and/or our service providers for no longer than is necessary for the purposes for which the personal data is collected, and which are set out above.
When we no longer require your personal data for such purposes, we will erase it from our systems and/or records and/or take steps to properly anonymise it so that you can no longer be identified from the data (unless we are required to retain the relevant personal data to comply with legal or regulatory obligations to which we are subject; e.g. personal data contained in contracts, communications and business letters may be subject to statutory retention requirements).
The retention period may be extended in accordance with national laws when processing is necessary for the establishment, exercise or defence of legal claims, and we or third parties have a corresponding legitimate interest (e.g. for the period of impending legal (administrative and/or judicial) procedures and for the duration of such legal proceedings, including the expiration periods of any recourse).

16.2.

Manual Deletion of Data in the Head Unit and in the Kia Connect App: You can manually delete your personal data stored in the Head Unit by deactivating the Services in the Head Unit. To do so, please (1) click the "Kia Connect" icon on the vehicle's Head Unit, (2) select "Kia Connect settings", (3) scroll down in the menu on the left to select the "Deactivate Kia Connect" entry, (4) click the "Deactivate" button. The system will then guide you through the deactivation process and offer to delete the data.
Attention: Please note that resetting the Head Unit to factory default settings does not lead to the deactivation of the Services. You must follow the deactivation process described above.
After the deactivation as described above, the Services for the respective vehicle are deactivated, the data in the Head Unit is deleted and the vehicle is disconnected from your account on the Kia Connect App. The data that was transmitted to us via the Head Unit will also be deleted, unless retention periods apply (see Section 16.1).
Please note that the vehicle-related data will also be deleted in your account on the Kia Connect App. However, any other data in your account will remain unaffected. If you also wish to delete your account on the Kia Connect App, please follow the account deletion process in the Kia Connect App.
If you deactivate your Kia Connect App Account, the Head Unit Services in the vehicle’s Head Unit will still be operating.
If you reset the Head Unit, your vehicle is disconnected from the Kia Connect App; however, this does not affect the Kia Connect App.

17.

Data Security
We have implemented appropriate technical and organisational security measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, unauthorised access, and other unlawful forms of processing.
However, as the internet is an open system, the transmission of data via the internet is not completely secure. While we constantly improve our security measures in line with technical developments and in order to ensure an appropriate level of security for any of your personal data that we process, we cannot guarantee the security of your data transmitted to us using the internet.

18.

Offline Mode (Modem Off)
You may choose to activate offline mode in the Head Unit by setting the respective preference. If offline mode is turned on, all Service functions are disabled and no personal data, in particular no location data (GPS data), is collected. An offline mode icon is displayed at the top of the Head Unit screen in the vehicle.

19.

Updates
This Privacy Notice may be amended or updated from time to time to reflect changes in our practices with respect to the processing of personal data, or changes in applicable law. We encourage you to read this Privacy Notice carefully, and to regularly review any changes we might make in accordance with the terms of this Privacy Notice.
We will publish the updated Privacy Notice on our websites, in the Kia Connect App and the Head Unit. The date of the last update is mentioned at the top of this Privacy Notice.

20.

Definitions
“controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
“GDPR” means: (i) Regulation (EU) 2016/679 (General Data Protection Regulation); or (ii) with regard to the United Kingdom, Regulation (EU) 2016/679 as it forms part of the law of the United Kingdom by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended from time to time (also known as the UK GDPR).
“personal data” means any information relating to an identified or identifiable natural person.
“process”/“processing” means any operation or set of operations which is performed on personal data or on sets of personal data, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

21.

Local Law Amendments
The following local law amendments apply:
Austria
Regarding Section 12.3 (“Marketing”):
Legal Basis: The applicable local marketing law is Section 174(4) Austrian Telecommunications Act 2021.
Data Protection Authority:
The contact details of the Austrian data protection authority are as follows: Österreichische Datenschutzbehörde, Barichgasse 40-42, 1030 Vienna, Austria, phone: +43 (0) 1 52 152-0, email: dsb[at]dsb.gv.at, website: http://www.dsb.gv.at/
Belgium
Regarding Section 12.3 (“Marketing”):
Legal Basis: The applicable local marketing law is Article 1 of the Royal Decree of 4 April 2003.
Data Protection Authority: The contact details of the Belgian data protection authority are as follows: Autorité de protection des données Gegevensbeschermingsautoriteit, Rue de la presse 35, 1000 Brussels, Belgium, phone: +32 (0) 2 274 48 00, fax: +32 (0)2 274 48 35, email: contact[at]apd-gba.be, websites: https://www.autoriteprotectiondonnees.be / https://www.gegevensbeschermingsautoriteit.be
Bulgaria
Regarding Section 12.3 (“Marketing”):
Legal basis: The applicable local marketing law is Art. 261 (2) of the Bulgarian Electronic Communication Act.
Data Protection Authority:
The contact details of the Bulgarian data protection authority are as follows: Commission for Personal Data Protection of the Republic of Bulgaria, 2 Prof. Tsvetan Lazarov Blvd., Sofia 1592, Bulgaria, phone: +359 (0) 2 915 3580, email: kzld[at]cpdp.bg, website: www.cpdp.bg
Cyprus
Data Protection Authority:
The contact details of the Cypriot data protection authority are as follows: Office of the Commissioner for Personal Data Protection, Kypranoros 15, 1061 Nicosia, Cyprus, phone: +357 (0) 22 818 456, email: commissioner[at]dataprotection.gov.cy, website: http://www.dataprotection.gov.cy/
Czech Republic
Data Protection Authority:
The contact details of the Czech data protection authority are as follows: Úřad pro ochranu osobních údajů, Pplk. Sochora 27, 170 00 Prague 7, Czech Republic, phone: +420 (0) 234 665 800, email: posta[at]uoou.gov.cz, website: http://www.uoou.cz/
Denmark
Data Protection Authority:
The contact details of the Danish data protection authority are as follows: Datatilsynet, Carl Jacobsens Vej 35, 2500 Valby, Denmark, phone: +45 (0) 33 1932 00, email: dt[at]datatilsynet.dk, website: http://www.datatilsynet.dk/
Estonia
Data Protection Authority:
The contact details of the Estonian data protection authority are as follows: Andmekaitse Inspektsioon, Tatari 39, Tallinn 10134, Estonia, phone: +372 (0) 627 4135, email: info[at]aki.ee, website: http://www.aki.ee/
Finland
Data Protection Authority:
The contact details of the Finnish data protection authority are as follows: Tietosuojavaltuutetun toimisto, Lintulahdenkuja 4, 00530 Helsinki, Finland, phone: +358 (0) 29 566 6700, email: tietosuoja[at]om.fi, website: https://tietosuoja.fi
France
Regarding Section 13 (“Your Rights”):
Post-mortem privacy: You also have the right to define specific instructions regarding the storage, erasure and communication of your personal data after your death.
Data Protection Authority:
The contact details of the French data protection authority are as follows: Commission Nationale de l’Informatique et des Libertés, 3 Place de Fontenoy TSA 80715, 75334 Paris, Cedex 07, France, phone: +33 (0) 1 53 73 22 22, website: https://www.cnil.fr/
Greece
Section 12.3 para.2 (“Marketing”) shall be amended as follows:
If you are an existing customer and have provided us with your email address and without prejudice to your right to object under Section 12.6, we may send you marketing communications by email relating to products or services similar to the products or services previously purchased by you without asking you for your prior specific consent. This is because specific consent from you as an existing customer is not required in such cases. This also applies to sending you such information via notifications within the Kia Connect App to the inbox which is provided separately within the app. However, you have the right to opt-out from receiving such electronic mail marketing at any time without incurring any costs (other than the transmission costs according to the basic rates) (e.g. by deactivating the respective buttons in the “Service-related Advertising” list of the Kia Connect App). You may also unsubscribe from our promotional email list at any time by clicking on the unsubscribe link included in each promotional email that we send. You also have the right to object to the processing of your personal data for direct marketing purposes (see Section 12.6 for more details).
For this purpose, the following categories of personal data are processed:
Name, contact details (e.g. email), technical data (e.g. device information, IP address, User ID, UUID), information about your consent (e.g. date and time of opt-in).
Legal basis: The processing is based on your prior consent (Art. 6 (1) a) GDPR; Article 11, Law 3471/2006 on the protection of personal data and privacy in the electronic communications sector) or it is necessary for the purpose of the legitimate interests pursued by us (Art. 6 (1) f) GDPR). Our legitimate interests are: promoting our services and products.
Data Protection Authority:
The contact details of the Hellenic Data Protection Authority are as follows: Hellenic Data Protection Authority, Kifissias 1-3, 11523, Athens, Greece, phone: +30 (0) 210 6475 600, email: contact[at]dpa.gr, website: http://www.dpa.gr/
Hungary
Data Protection Authority:
The contact details of the Hungarian data protection authority are as follows: Nemzeti Adatvédelmi és Információszabadság Hatóság, Falk Miksa utca 9-11, 1055 Budapest, Hungary, phone: +36 (0)1 391 1400, fax: +36 (0)1 391 1410, email: ügyfelszolgalat[at]naih.hu, website: http://naih.hu/
Ireland
Section 6.6.4 para 1 (“Mandatory Vehicle Inspection Reminders”) shall be amended as follows:
Mandatory Vehicle Inspection Reminders (such as NCT in Ireland): We will inform you about upcoming mandatory vehicle inspections, e.g. reminders about the National Car Testing Service (commonly referred to as “NCT”) for vehicles in Ireland. Use of this Service requires that you provide Kia with the correct date of the last mandatory vehicle inspection and the date the vehicle was first registered.
Data Protection Authority:
The contact details of the Irish data protection authority are as follows: Data Protection Commission, 21 Fitzwilliam Square, D02 RD28 Dublin 2, Ireland, phone: +353 (0) 1 7650100, email: info[at]dataprotection.ie, website: http://www.dataprotection.ie/
Italy
In no event will Kia process your personal data for profiling purposes without your consent.
Data Protection Authority:
The contact details of the Italian data protection authority are as follows: Garante per la Protezione dei Dati Personali, Piazza Venezia n. 11, 00187 Rome, Italy, email: garante[at]gpdp.it, phone: +39 (0) 06 69677 1, fax: +39 (0) 06 69677 785, websites: https://www.gpdp.it, https://www.garanteprivacy.it/
Latvia
Data Protection Authority:
The contact details of the Latvian data protection authority are as follows: Datu valsts inspekcija (Data State Inspectorate), Elijas Street 17, LV-1050 Riga, Latvia, phone: +371 (0) 6722 3131, email: pasts[at]dvi.gov.lv, website: https://www.dvi.gov.lv/
Lithuania
Data Protection Authority:
The contact details of the Lithuanian data protection authority are as follows: Valstybinė duomenų apsaugos inspekcija (State Data Protection Inspectorate), L. Sapiegos str. 17, 10312 Vilnius, Lithuania, phone: +370 (0) 5 271 2804 / +370 (0) 5 279 1445, email: ada[at]ada.lt, website: https://vdai.lrv.lt/lt/
The Netherlands
Data Protection Authority:
The contact details of the Dutch data protection authority are as follows: Autoriteit Persoonsgegevens, Hoge Nieuwstraat 8, 2514 EL Den Haag, The Netherlands, phone: +31 (0) 70 888 8500, website: https://autoriteitpersoonsgegevens.nl/
Norway
Section 4 para 2 (“Third-party use of the vehicle or Services”) will be amended as follows:
Section 10.2 of the Kia Connect Terms of Use requests you to inform any other user/driver of the vehicle about: (i) the activation of the Services; (ii) the data processing activities described in this Privacy Notice; and (iii) the fact that the Services may require the collection and processing of location data (GPS data).
Data Protection Authority:
The contact details of the Norwegian data protection authority are as follows: Datatilsynet, P.O. Box 458 Sentrum, 0105 Oslo, Norway, phone: +47 (0) 22 39 69 00, email: postkasse[at]datatilsynet.no, website: https://www.datatilsynet.no
Poland
Regarding Section 12.3 (“Marketing”):
Consent for electronic and telephone marketing additionally results from Art. 172 of the Polish Telecommunication Law and Art. 10 of the Act on Provision of Electronic Services.
Data Protection Authority:
The contact details of the Polish data protection authority are as follows: Prezes Urzędu Ochrony Danych Osobowych, Urząd Ochrony Danych Osobowych, ul. Stawki 2, 00-193 Warszawa, Poland, phone: +48 (0) 22 531 03 00, email: kancelaria[at]uodo.gov.pl, website: https://uodo.gov.pl/
Portugal
Section 6.6.4 para 1 (“Mandatory Vehicle Inspection Reminders”) shall be amended as follows:
Mandatory Vehicle Inspection Reminders (such as “Inspeção Automóvel” in Portugal): We will inform you about upcoming mandatory vehicle inspections, e.g. reminders about the “Periodic Inspections” for vehicles in Portugal. Use of this Service requires that you provide Kia with the correct date of the last mandatory vehicle inspection and the date the vehicle was first registered.
Regarding Section 12.3 (“Marketing”):
Legal basis: The applicable local marketing law is Article 13.º-A of the Law no. 41/2004 of 18 August.
Data Protection Authority:
The contact details of the Portuguese data protection authority are as follows: Comissão Nacional de Proteção de Dados (CNPD), Av. D. Carlos I, 134, 1º, 1200-651 Lisboa, Portugal, phone: +351 (0) 21 392 84 00, email: geral[at]cnpd.pt, website: www.cnpd.pt
Romania
Data Protection Authority:
The contact details of the Romanian data protection authority are as follows: The National Supervisory Authority for Personal Data Processing, 28-30 G-ral Gheorghe Magheru Bld, District 1, 010336 Bucharest, Romania, phone: +40 (0) 318 059 211, fax +40 (0) 318 059 602, email: anspdcp[at]dataprotection.ro, website: https://www.dataprotection.ro/
Slovakia
Regarding Section 12.3 (“Marketing”):
Legal basis: Regarding consent, the legal basis is Art. 6 (1) a) GDPR in conjunction with Sec. 116 (3) of the Slovak Act on Electronic Communications (“AEC”). Regarding the necessity for the purpose of the legitimate interest pursued by us, the legal basis is Art. 6 (1) f) GDPR in conjunction with Sec. 116 (15) AEC. Our legitimate interests are: promoting our services and products.
Data Protection Authority:
The contact details of the Slovak data protection authority are as follows: Úrad na ochranu osobných údajov Slovenskej republiky, Hraničná 12, 820 07 Bratislava 27, Slovak Republic, phone: +421 (0) 2 32 31 32 14, email: statny.dozor[at]pdp.gov.sk, website: http://www.dataprotection.gov.sk/
Spain
Section 13.1 para. 2 (“Right of access”) shall be amended as follows:
You may have the right to obtain a copy of the personal data undergoing processing. For further copies requested by you within six months, unless there is legitimate cause to do so, we may charge a reasonable fee based on administrative costs.
Data Protection Authority:
The contact details of the Spanish data protection authority are as follows: Agencia Española de Protección de Datos (AEPD), C/Jorge Juan, 6, 28001 Madrid, Spain, phone: +34 (0) 91 266 3517, email: internacional[at]aepd.es, website: https://www.aepd.es/
Sweden
Section 13.5 (“Right to data portability”) shall be amended as follows:
Under certain circumstances, for example if Art. 6 (1) a or Art. 6 (1) b GDPR constitutes a legal basis for the processing, you may have the right to receive the personal data concerning you and which you have provided to us, in a structured, commonly used and machine-readable format, and you may have the right to transmit this data to another controller without hindrance by us.
Data Protection Authority:
The contact details of the Swedish data protection authority are as follows: Integritetsskyddsmyndigheten, Drottninggatan 29, Box 8114, 104 20 Stockholm, Sweden, phone: +46 (0) 8 657 6100, email: imy[at]imy.se, website: http://www.imy.se/
Switzerland
Data Protection Authority:
The contact details of the Swiss data protection authority are as follows: Eidgenössischer Datenschutz- und Öffentlichkeitsbeauftragter (EDÖB), Feldeggweg 1, 3003 Bern, Switzerland, phone: +41 (0) 58 462 43 95, website: https://www.edoeb.admin.ch
Section 15 shall be complemented with the following information: Your personal data is stored in the following countries/jurisdictions: [WORLDWIDE].
Regarding references to the GDPR, to the extent that Swiss data protection laws and related laws apply, references to Articles of the GDPR shall be read as references to the respective Articles of the Swiss Federal Act on Data Protection as from 1st September 2023 (“FADP”), and references to sections of the UWG shall be read as references to the respective Articles of the Swiss Federal Act against Unfair Competition (“Swiss UWG”), namely:
Art. 6(1) b) GDPR shall be read as Art. 6 FADP when referenced for the execution purposes of a contract;
Art. 6 (1) f) GDPR shall be read as Art. 31 para. 1 FADP;
Art. 6(1) c) GDPR shall be read as Art. 31 FADP;
Art. 6(1) a) GDPR shall be read as Art. 31 FADP;
Sec. 7 (2) No. 2 of the UWG shall be read as Art. 3 para. 1 lit o of the Swiss UWG;
References to Art. 7(3) GDPR shall be read as a reference to similar principles under the FADP;
Art. 15 GDPR shall be read as Art. 25 FADP;
Art. 16 GDPR shall be read as Art. 32 FADP;
Art. 17 GDPR shall be read as Art. 32 FADP;
Art. 18 GDPR shall be read as Art. 32 FADP;
Art. 20 GDPR shall be read as Art. 28 FADP;
Art. 21(1) and (2) GDPR shall be read as Art. 30 para 2 lit b FADP;
Art. 77 GDPR shall be read as Art. 49 FADP;
Art. 28(3) GDPR shall be read as Art. 9 FADP.
United Kingdom
Section 15 (“Cross-border data transfer”) shall be supplemented as follows:
Similarly to “Adequate Jurisdictions” determined by the European Commission, the government in the United Kingdom has decided that particular countries (see https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/international-transfers/international-transfers-a-guide/#adequacy) ensure an adequate level of protection of personal data in accordance with Article 45, UK GDPR (“Adequacy Regulation”). Where we transfer personal data to a recipient that is located in a Third Country which has not been determined an Adequate Jurisdiction or compliant with the Adequacy Regulation, we (or our processors in the UK/EU/EEA that transfer personal data to sub-processors in such Third Countries, as applicable) provide appropriate safeguards by way of entering into data transfer agreements adopted by the European Commission (standard contractual clauses) or the United Kingdom (if applicable) with the recipients or by taking other effective measures to provide an adequate level of data protection. A copy of the respective safeguards may be requested from us or our data protection officer (see Section 2 and Section 3).
Data Protection Authority:
The contact details of the UK data protection authority are as follows: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, phone: +44 (0) 303 123 1113, website: https://ico.org.uk/
This document is an information asset of Kia and is protected by relevant laws and regulations.