Local Law Amendments
The following local law amendments apply:
Austria
Regarding Section 12.3 (“Marketing”):
Legal Basis: The applicable local marketing law is Section 174(4) Austrian Telecommunications Act 2021.
Data Protection Authority: The contact details of the Austrian data protection authority are as follows: Österreichische Datenschutzbehörde, Barichgasse 40-42, 1030 Vienna, Austria, phone: +43 (0) 1 52 152-0, email: dsb[at]dsb.gv.at, website: http://www.dsb.gv.at/
Belgium
Regarding Section 12.3 (“Marketing”): Legal Basis: The applicable local marketing law is Article 1 of the Royal Decree of 4 April 2003.
Data Protection Authority: The contact details of the Belgian data protection authority are as follows: Autorité de protection des données Gegevensbeschermingsautoriteit, Rue de la presse 35, 1000 Brussels, Belgium, phone: +32 (0) 2 274 48 00, fax: +32 (0)2 274 48 35, email:
contact[at]apd-gba.be, websites: https://www.autoriteprotectiondonnees.be / https://www.gegevensbeschermingsautoriteit.be
Bulgaria
Regarding Section 12.3 (“Marketing”): Legal basis: The applicable local marketing law is Art. 261 (2) of the Bulgarian Electronic Communication Act.
Data Protection Authority: The contact details of the Bulgarian data protection authority are as follows: Commission for Personal Data Protection of the Republic of Bulgaria, 2 Prof. Tsvetan Lazarov Blvd., Sofia 1592, Bulgaria, phone: +359 (0) 2 915 3580, email: kzld[at]cpdp.bg, website: www.cpdp.bg
Cyprus
Data Protection Authority: The contact details of the Cypriot data protection authority are as follows: Office of the Commissioner for Personal Data Protection, Kypranoros 15, 1061 Nicosia, Cyprus, phone: +357 (0) 22 818 456, email: commissioner[at]dataprotection.gov.cy, website: http://www.dataprotection.gov.cy/
Czech Republic
Data Protection Authority:The contact details of the Czech data protection authority are as follows: Úřad pro ochranu osobních údajů, Pplk. Sochora 27, 170 00 Prague 7, Czech Republic, phone: +420 (0) 234 665 800, email: posta[at]uoou.gov.cz, website: http://www.uoou.cz/
Denmark
Data Protection Authority:The contact details of the Danish data protection authority are as follows: Datatilsynet, Carl Jacobsens Vej 35, 2500 Valby, Denmark, phone: +45 (0) 33 1932 00, email: dt[at]datatilsynet.dk, website: http://www.datatilsynet.dk/
Estonia
Data Protection Authority:The contact details of the Estonian data protection authority are as follows: Andmekaitse Inspektsioon, Tatari 39, Tallinn 10134, Estonia, phone: +372 (0) 627 4135, email: info[at]aki.ee, website: http://www.aki.ee/
Finland
Data Protection Authority:The contact details of the Finnish data protection authority are as follows: Tietosuojavaltuutetun toimisto, Lintulahdenkuja 4, 00530 Helsinki, Finland, phone: +358 (0) 29 566 6700, email: tietosuoja[at]om.fi, website: https://tietosuoja.fi
France
Regarding Section 13 (“Your Rights”):Post-mortem privacy: You also have the right to define specific instructions regarding the storage, erasure and communication of your personal data after your death.
Data Protection Authority:The contact details of the French data protection authority are as follows: Commission Nationale de l’Informatique et des Libertés, 3 Place de Fontenoy TSA 80715, 75334 Paris, Cedex 07, France, phone: +33 (0) 1 53 73 22 22, website: https://www.cnil.fr/
Greece
Section 12.3 para.2 (“Marketing”) shall be amended as follows:If you are an existing customer and have provided us with your email address and without prejudice to your right to object under Section
12.6, we may send you marketing communications by email relating to products or services similar to the products or services previously purchased by you without asking you for your prior specific consent. This is because specific consent from you as an existing customer is not required in such cases. This also applies to sending you such information via notifications within the Kia Connect App to the inbox which is provided separately within the app. However, you have the right to opt-out from receiving such electronic mail marketing at any time without incurring any costs (other than the transmission costs according to the basic rates) (e.g. by deactivating the respective buttons in the “Service-related Advertising” list of the Kia Connect App). You may also unsubscribe from our promotional email list at any time by clicking on the unsubscribe link included in each promotional email that we send. You also have the right to object to the processing of your personal data for direct marketing purposes (see Section 12.6 for more details).
For this purpose, the following categories of personal data are processed: Name, contact details (e.g. email), technical data (e.g. device information, IP address, User ID, UUID), information about your consent (e.g. date and time of opt-in).
Legal basis: The processing is based on your prior consent (Art. 6 (1) a) GDPR; Article 11, Law 3471/2006 on the protection of personal data and privacy in the electronic communications sector) or it is necessary for the purpose of the legitimate interests pursued by us (Art. 6 (1) f) GDPR). Our legitimate interests are: promoting our services and products.
Data Protection Authority:The contact details of the Hellenic Data Protection Authority are as follows: Hellenic Data Protection Authority, Kifissias 1-3, 11523, Athens, Greece, phone: +30 (0) 210 6475 600, email: contact[at]dpa.gr, website: http://www.dpa.gr/
Hungary
Data Protection Authority: The contact details of the Hungarian data protection authority are as follows: Nemzeti Adatvédelmi és Információszabadság Hatóság, Falk Miksa utca 9-11, 1055 Budapest, Hungary, phone: +36 (0)1 391 1400, fax: +36 (0)1 391 1410,
email: ügyfelszolgalat[at]naih.hu, website: http://naih.hu/
Ireland
Section 6.6.4 para 1 (“Mandatory Vehicle Inspection Reminders”) shall be amended as follows:Mandatory Vehicle Inspection Reminders (such as NCT in Ireland): We will inform you about upcoming mandatory vehicle inspections, e.g reminders about the National Car Testing Service (commonly referred to as “NCT”) for vehicles in Ireland. Use of this Service requires that you provide Kia with the correct date of the last mandatory vehicle inspection and the date the vehicle was first registered.
Data Protection Authority:The contact details of the Irish data protection authority are as follows: Data Protection Commission, 21 Fitzwilliam Square, D02 RD28 Dublin 2, Ireland, phone: +353 (0) 1 7650100, email: info[at]dataprotection.ie, website: http://www.dataprotection.ie/
Italy
In no event will Kia process your personal data for profiling purposes without your consent.
Data Protection Authority: The contact details of the Italian data protection authority are as follows: Garante per la Protezione dei Dati Personali, Piazza Venezia n. 11, 00187 Rome, Italy, email: garante[at]gpdp.it, phone: +39 (0) 06 69677 1, fax: +39 (0) 06 69677 785, websites: https://www.gpdp.it, https://www.garanteprivacy.it/
Latvia
Data Protection Authority:The contact details of the Latvian data protection authority are as follows: Datu valsts inspekcija (Data State Inspectorate), Elijas Street 17, LV-1050 Riga, Latvia, phone: +371 (0) 6722 3131, email: pasts[at]dvi.gov.lv, website: https://www.dvi.gov.lv/
Lithuania
Data Protection Authority:The contact details of the Lithuanian data protection authority are as follows: Valstybinė duomenų apsaugos inspekcija (State Data Protection Inspectorate), L. Sapiegos str. 17, 10312 Vilnius, Lithuania, phone: +370 (0) 5 271 2804 / +370 (0) 5 279 1445, email: ada[at]ada.lt, website: https://vdai.lrv.lt/lt/
The Netherlands
Data Protection Authority: The contact details of the Dutch data protection authority are as follows: Autoriteit Persoonsgegevens, Hoge Nieuwstraat 8, 2514 EL Den Haag, The Netherlands, phone: +31 (0) 70 888 8500, website: https://autoriteitpersoonsgegevens.nl/
Norway
Section 4 para 2 (“Third-party use of the vehicle or Services”) will be amended as follows: Section 10.2 of the Kia Connect Terms of Use requests you to inform any other user/driver of the vehicle about: (i) the activation of the Services; (ii) the data processing activities described in this Privacy Notice; and (iii) the fact that the Services may require the collection and processing of location data (GPS data).
Data Protection Authority: The contact details of the Norwegian data protection authority are as follows: Datatilsynet, P.O. Box 458 Sentrum, 0105 Oslo, Norway, phone: +47 (0) 22 39 69 00, email: postkasse[at]datatilsynet.no, website: https://www.datatilsynet.no
Poland
Regarding Section 12.3 (“Marketing”): Consent for electronic and telephone marketing results also in addition from Art. 172 of the Polish Telecommunication Law and Art. 10 of the Act on Provision of Electronic Services.
Data Protection Authority: The contact details of the Polish data protection authority are as follows: Prezes Urzędu Ochrony Danych Osobowych, Urząd Ochrony Danych Osobowych, ul. Stawki 2, 00 -193 Warszawa, Poland, phone: +48 (0) 22 531 03 00, email: kancelaria[at]uodo.gov.pl,
website: https://uodo.gov.pl/
Portugal
Section 6.6.4 para 1 (“Mandatory Vehicle Inspection Reminders”) shall be amended as follows: Mandatory Vehicle Inspection Reminders (such as “Inspeção Automóvel” in Portugal): We will inform you about upcoming mandatory vehicle inspections, e.g. reminders about the “Periodic Inspections” for vehicles in Portugal. Use of this Service requires that you provide Kia with the correct date of the last mandatory vehicle inspection and the date the vehicle was first registered.
Regarding Section 12.3 (“Marketing”): Legal basis: The applicable local marketing law is Article 13.º-A of the Law no. 41/2004 of 18 August.
Data Protection Authority: The contact details of the Portuguese data protection authority are as follows: Comissão Nacional de Proteção de Dados (CNPD), Av. D. Carlos I, 134, 1º, 1200-651 Lisboa, Portugal, phone: +351 (0) 21 392 84 00, email: geral[at]cnpd.pt, website: www.cnpd.pt
Romania
Data Protection Authority: The contact details of the Romanian data protection authority are as follows: The National Supervisory Authority for Personal Data Processing, 28-30 G-ral Gheorghe Magheru Bld, District 1, 010336 Bucharest, Romania, phone: +40 (0) 318 059 211, fax +40 (0) 318 059 602, email: anspdcp[at]dataprotection.ro, website: https://www.dataprotection.ro/
Slovakia
Regarding Section 12.3 (“Marketing”): Legal basis: Regarding consent, the legal basis is Art. 6 (1) a) GDPR in conjunction with Sec. 116 (3) of the Slovak Act on Electronic Communications (“AEC”). Regarding the necessity for the purpose of the legitimate interest pursued by us, the legal basis is Art. 6 (1) f) GDPR in conjunction with Sec. 116 (15) AEC. Our legitimate interests are: promoting our services and products.
Data Protection Authority: The contact details of the Slovak data protection authority are as follows: Úrad na ochranu osobných údajov Slovenskej republiky, Hraničná 12, 820 07 Bratislava 27, Slovak Republic, phone: + 421 (0) 2 32 31 32 14, email: statny.dozor[at]pdp.gov.sk,
website: http://www.dataprotection.gov.sk/
Spain
Section 13.1 para. 2 (“Right of access”) shall be amended as follows: You may have the right to obtain a copy of the personal data undergoing processing. For further copies requested by you within six months, unless there is legitimate cause to do so, we may charge a reasonable fee based on administrative costs.
Data Protection Authority: The contact details of the Spanish data protection authority are as follows: Agencia Española de Protección de Datos (AEPD), C/Jorge Juan, 6, 28001 Madrid, Spain, phone: +34 (0) 91 266 3517, email: internacional[at]aepd.es, website: https://www.aepd.es/
Sweden
Section 13.5 (“Right to data portability”) shall be amended as follows: Under certain circumstances, for example if Art. 6 (1) a or Art. 6 (1) b GDPR constitutes a legal basis for the processing, you may have the right to receive the personal data concerning you and which you have provided to us, in a structured, commonly used and machine-readable format, and you may have the right to transmit this data to another controller without hindrance by us.
Data Protection Authority: The contact details of the Swedish data protection authority are as follows: Integritetsskyddsmyndigheten, Drottninggatan 29, Box 8114, 104 20 Stockholm, Sweden, phone: +46 (0) 8 657 6100, email: imy[at]imy.se, website: http://www.imy.se/
Switzerland
Data Protection Authority: The contact details of the Swiss data protection authority are as follows: Eidgenössischer Datenschutz- und Öffentlichkeitsbeauftragter (EDÖB), Feldeggweg 1,3003 Bern, Switzerland, phone: +41 (0) 58 462 43 95, website: https://www.edoeb.admin.ch
Section
15 shall be complemented with the following information: Your personal data is stored in the following countries/jurisdictions: [WORLDWIDE].
Regarding references to the GDPR, to the extent that Swiss data protection laws and related laws apply, references to Articles of the GDPR shall be read as references to the respective Articles of the Swiss Federal Act on Data Protection as from 1st September 2023 (“FADP”), and references to sections of the UWG shall be read as references to the respective Articles of the Swiss Federal Act against Unfair Competition (“Swiss UWG”), namely:
Art. 6(1) b) GDPR shall be read as Art. 6 FADP when referenced for the execution purposes of a contract;
Art. 6 (1) f) GDPR shall be read as Art. 31 para. 1 FADP;
Art. 6(1) c) GDPR shall be read as Art. 31 FADP;
Art. 6(1) a) GDPR shall be read as Art. 31 FADP;
Sec. 7 (2) No. 2 of the UWG shall be read as Art. 3 para. 1 lit o of the Swiss UWG;
References to Art. 7(3) GDPR shall be read as a reference to similar principles under the FADP;
Art. 15 GDPR shall be read as Art. 25 FADP;
Art. 16 GDPR shall be read as Art. 32 FADP;
Art. 17 GDPR shall be read as Art. 32 FADP;
Art. 18 GDPR shall be read as Art. 32 FADP;
Art. 20 GDPR shall be read as Art. 28 FADP;
Art. 21(1) and (2) GDPR shall be read as Art. 30 para 2 lit b FADP;
Art. 77 GDPR shall be read as Art. 49 FADP;
Art. 28(3) GDPR shall be read as Art. 9 FADP.
United Kingdom
Section 15 (“Cross-border data transfer”) shall be supplemented as follows: Similarly to “Adequate Jurisdictions” determined by the European Commission, the government in the United Kingdom has decided that particular countries (see https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/international-transfers/international-transfers-a-guide/#adequacy) ensure an adequate level of protection of personal data in accordance with Article 45, UK GDPR (“
Adequacy Regulation”). Where we transfer personal data to a recipient that is located in a Third Country which has not been determined an Adequate Jurisdiction or compliant with the Adequacy Regulation, we (or our processors in the UK/EU/EEA that transfer personal data to sub-processors in such Third Countries, as applicable) provide appropriate safeguards by way of entering into data transfer agreements adopted by the European Commission (standard contractual clauses) or the United Kingdom (if applicable) with the recipients or by taking other effective measures to provide an adequate level of data protection. A copy of the respective safeguards may be requested from us or our data protection officer (see Section
2 and Section
3).
Data Protection Authority: The contact details of the UK data protection authority are as follows: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, phone: +44 (0) 303 123 1113, website: https://ico.org.uk/
This document is an information asset of Kia and is protected by relevant laws and regulations.