Privacy Policy

1. What is this Privacy Policy about?

Hyundai Connected Mobility GmbH (“HCM”, “we”, or “us”) is committed to protecting the privacy and the security of your personal data.

Within this Privacy Policy you will find information on how we use your personal data, for which purposes your personal data is used, with whom it is shared and what rights you have with regard to your personal data processed by us. This Privacy Policy applies to personal data that we collect through our website or other media for the purposes described below. 

You are not obliged to provide your personal data. However, your personal data may be necessary for the provision of certain services and functionalities. Therefore, without your personal data, we may not be able to provide the requested service.

2. Who is responsible for processing my personal data and how can I contact the controller?

Hyundai Connected Mobility GmbH, with registered office in Kaiserleipromenade 5, 63067 Offenbach am Main, Germany is responsible controller for the processing of your personal data.

If you have any questions about or in connection with this Privacy Notice or would like to complain about our handling of your personal data or exercise any of your rights, please contact us by using the above contact details or you may also contact us by email to hcm.dataprotection@hyundai-europe.com

Alternatively, you may also contact the Data Protection Officer of HCM: Hyundai Connected Mobility GmbH, c/o Data Protection Officer of Hyundai Connected Mobility GmbH, Kaiserleipromenade 5, 63067 Offenbach, Germany.

3. What categories of personal data are processed, for what purposes and on what legal basis?

3.1. Informational use of our website

When you visit our website for informational reasons, i.e. without registering for any of our provided services and without providing us with personal data in any other form, we automatically collect your data in order to provide you with our website and to ensure system stability and efficiency and to implement proper safeguards as to the security of our website and services.

Purpose of processing:

• To provide access to the contents on our website;
• To ensure system stability and efficiency;
• To implement proper safeguards as to the security of our website and services.

Scope of personal data processed:

• Access data and server log files (IP address, date and time of your access, which pages on our website you visited, including the notification if access was successful, the volume of transferred data, the referrer URL of your previously visited website and your used browser type and version). The IT systems responsible for the correct operations of the website automatically collect your data.

Legal basis for processing:

• Our legitimate interest (Art. 6 (1) lit. f) GDPR): To enhance our systems, make your usage of the websites more convenient or ensure the security of our websites.

Period of processing:

• Seven days from the collection.

Recipients of your personal data:

• Data processors that provide us with services relating to our IT infrastructure (e.g. hosting or operation and maintenance of our IT systems and platforms).

3.2. Social Media buttons

Our website includes links to social networks. In order to protect your personal data while visiting our website we do not use social plugins. Instead, we embedded HTML-links in our website, enabling easy sharing in social media platforms. Embedding the link prevents a direct connection with various social media network servers when opening a page from our website. When clicking on one of the buttons, a browser window opens and directs the user to the respective website of the social network provider on which (after you have logged in) for example, the “Like” or “Share” button can be used.

Through our social media pages, we collect and process your personal data.

Purpose of processing:

• To communicate with you based on your contact request or feedback and/or for marketing and services.

Scope of personal data processed:

• Contact data (e.g. e-mail, telephone numbers);
• Content data (e.g. entries in online forms);
• Usage data (e.g. websites visited, interest in content, access times);
• Meta/communication data (e.g. device information, IP addresses).

Legal basis for processing:

• The personal data is necessary to provide our social media pages and our legitimate interest in order to interact with you on social media so that we can improve our offer and make it more interesting for you as a user (Art. 6 (1) lit. f) GDPR).

Recipients of your personal data:

• Social network providers;
• Social media agencies;
• Data processors that provide us with services relating to our IT infrastructure (e.g. hosting or operation and maintenance of our IT systems and platforms).

For more information on the purpose and scope of data processing and further use of your personal data by the social network provider and their websites as well as your rights and possible settings to protect your privacy, please refer to the privacy policy of the respective social network provider.

• LinkedIn: Social network, service provider; LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland;
  Privacy Policy: https://www.linkedin.com/legal/privacy-policy
• Opt-out: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out

3.3. Cookies

What are cookies?

When you visit a website, it may store or retrieve information about your browser, usually in the form of cookies or similar technologies such as web beacons, pixels, etc. (in the following together as “cookies”). This information may relate to you, your preferences, or your device, and is primarily used to make the website work the way you expect it to. The information does not usually directly identify you, but it can give you a more personalized web experience. You have the right and possibility to choose not to allow some types of cookies.

Types of cookies

In relation to their function and purpose, we classify cookies into different categories.

Depending on the company managing them, we may use the following types of cookies:

· First party cookies: Are those which are sent to the user’s system from a system or domain managed by the editor and from which the service requested by the user is provided.

· Third party cookies: Are those which are sent to the user’s system from a system or domain that is not managed by the editor but by another company processing the data obtained through the cookies.

Depending on the purpose, we may use the following types of cookies:

• Strictly Necessary Cookies: These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not then work. These cookies do not store any personally identifiable information.
• The storing of and gaining access to information on your end device, including the further processing of your personal data, processed by strictly necessary cookies is required to provide you with a service you have expressly requested (Sec 25 (2) No. 2 TTDSG) and for the purposes of our legitimate interests (Art. 6 (1) lit. f) GDPR) in order to provide you with our website as well as to ensure system stability and efficiency and to implement proper safeguards as to the security of our website and services.

We are not using any optional cookies on our website, this means any cookies or similar technologies that are not strictly necessary for the website to function.

4. With whom is my personal data shared?

Within our organization any access to your personal data is restricted to those individuals that have a need to know in order to fulfil their job responsibilities. Your personal data may be transferred for the respective purposes to the recipients to be processed as indicated in Section 3 above:

• Hyundai group – We are part of the Hyundai Motor Group, a globally acting group of companies. In some cases, after careful review, we may transfer your personal data to other entities in the group (e.g. our local entities in your country of residence), each of which will process your personal data as an independent data controller or as a joint controller with us (for example, for internal administrative support etc.).
• Data processors: Certain third parties, whether affiliated or unaffiliated, may receive your personal data to process such data on behalf of us under appropriate instructions as necessary for the respective processing purposes. The data processors will be subject to contractual obligations to ensure the implementation of appropriate technical and organisational security measures to safeguard the personal data, and to process the personal data only as instructed.

The current data processors are involved in particular, but not limited to in the following processes:

• We are using data processors for providing us with services relating to our IT infrastructure (e.g. hosting or operation and maintenance of our IT systems and platforms).
• We engage data processors for the operation and maintenance as well as content creation for our website. · We are using data processors for the support of the operations related to customer relationship management.
• We transmit your personal data to certain third-party service providers (contact centers, market research companies and event management companies etc.).
• Governmental bodies and authorities: If required or permitted by applicable laws, for example if necessary for the establishment, exercise or defence of legal claims, we may also share your personal data with public authorities such as courts or administrative authorities.

5. Is my personal data transferred abroad?

Some of the recipients of your personal data can be located or may have relevant operations outside of your country and the EU/EEA, where the data protection laws may provide a different level of protection compared to the laws in your jurisdiction and for which an adequacy decision by the European Commission does not exist. With regard to data transfers to such recipients outside of the EU/EEA, we provide appropriate safeguards, in particular, by entering into data transfer agreements which include standard clauses adopted by the European Commission with the recipients, or by taking other measures to provide an adequate level of data protection. A copy of the respective measure we have taken is available via the contact information in Section 2.

6. How is my data secured?

We have reasonable state of the art security measures in place to protect against the loss, misuse and alteration of personal data under our control. For example, our security and privacy policies are periodically reviewed and enhanced as necessary and only authorised personnel have access to personal

data. In order to protect your personal data transmitted via our website, we use SSL encryption. You can recognise such encrypted connections by the prefix https:// in the address bar of your browser.

Whilst we cannot ensure or guarantee that loss, misuse or alteration of information will never occur, we use all reasonable efforts to prevent it.

7. How long will my data be stored?

Your personal data is generally stored for as long as necessary in relation to the purposes. Beside we generally store your data to the extent necessary in order to meet our legal obligations and to protect our rights, for example we will store your data in accordance with statutory retention periods.

Insofar more specific retention periods will apply, you can refer to the information on the period of processing of your personal data as indicated in Section 3 above.

8. What rights do I have and how can I exercise them?

You have certain rights in relation to your personal data that you can exercise towards us. In accordance with applicable data protection laws these rights may be restricted under certain conditions. You can always exercise your rights at any time by contacting us via the contact information as stated in section 2.

Generally, you have the following rights:

• Right of access: You have the right to obtain from us confirmation as to whether or not we process your personal data, and where that is the case, to request access to your personal data. You also have the right to obtain a copy of your personal data which we process.
• Right to rectification: You have the right to the rectification of any inaccurate personal data concerning you. Depending on the purposes of the processing, you have the right to have incomplete personal data updated, including by means of providing a supplementary statement.
• Right to erasure (“right to be forgotten”): Under certain circumstances, you have the right to the erasure of your personal data and we may be obliged to erase your personal data.
• Right to restriction of processing: Under certain circumstances, you have the right to ask that the processing of your personal data will be restricted in certain aspect. This means that your personal data may be made unavailable to certain recipients or that the data will not be processed beside mere storage, etc.
• Right to data portability: Under certain circumstances, you have the right to receive the personal data, which you have provided to us, in a structured, commonly used and machine-readable format. You have the right, without hindrance from us, to transfer this data or have it transferred directly by us to another entity.
• Right to object: You have the right to object to processing of personal data for the purposes of direct marketing. Based on your objection, we will be required to no longer process your personal data for that purpose. Under certain circumstances, you also have the right to object to the processing of your personal data processed also for other purposes.
• Right to complain: You also have the right to make a complaint with the competent data protection supervisory authority in your country. The data protection authority competent for us is: The Hessian Commissioner for Data Protection and Freedom of Information, Gustav-Stresemann-Ring 1, 65189 Wiesbaden.
• Right to withdraw consent: If you have given your consent to the processing of your personal data, you can withdraw your consent at any time. The withdrawal of the consent does not affect the legality of the processing which took place prior to the withdrawal of the consent.

9. Changes to the Privacy Policy

This Privacy Policy may require an update from time to time – e.g. due to the implementation of new technologies or the introduction of new services. We reserve the right to change or supplement this Policy at any time. We will publish the changes to the Privacy Policy.

10. Data Processing for other Hyundai Services:

This Privacy Policy only sets out the information for the processing of your personal data when visiting our website. In case we collected your information otherwise (for example when registering with other Hyundai services), information on the processing of your personal data for such services will be provided separately. In any case your above rights as set forth under Section 8 will apply accordingly.

If you have any questions in regard to the processing of your personal data related to other services by us, please contact hcm.dataprotection@hyundai-europe.com

 

Appendix: Social Media Accounts and Profiles

We operate publicly accessible accounts and profiles on various social network platforms. We present our brand, products, and company in form of videos, memes and many other contents. We also use the functions of social network platforms to interact with its users and our visitors, e.g. by actively interacting with them through liking or commenting on content.

We operate our accounts and profiles with the following social network platforms:

• LinkedIn: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland

1. Who is responsible for processing my personal data and how can I contact the controller?

Hyundai Connected Mobility GmbH, with registered office in Kaiserleipromenade 5, 63067 Offenbach am Main, Germany is responsible controller for the processing of your personal data insofar we are processing your personal data by ourselves.

If you have any questions about or in connection with this Privacy Notice or would like to complain about our handling of your personal data or exercise any of your rights, please contact us by using the above contact details or you may also contact us by email to hcm.dataprotection@hyundai-europe.com

Alternatively, you may also contact the Data Protection Officer of HCM: Hyundai Connected Moblity GmbH, c/o Data Protection Officer of Hyundai Connected Mobility GmbH, Kaiserleipromenade 5, 63067 Offenbach, Germany.

2. What categories of personal data are processed, for what purposes and on what legal basis?

Your visit to our profiles in social networks will trigger a variety of data processing activities about which we want to give you an overview in the following.

You are neither legally nor contractually obligated to provide your personal data. Nevertheless, a processing of your personal data by the provider of the social network is inevitable if you want to visit our profile and may be necessary for individual functionalities of our profiles in the social network.

2.1. Data Processing under our responsibility

As the operator of our social media accounts and profiles, we can only see the information stored in your public profile, and only if you have such a profile and are logged into it while you visit our profile.

Purpose of processing:

• To stay in contact with and to ensure an effective information and communication with you as user of our social media profiles.

Scope of personal data processed:

• Personal data if you contact us via our profile (such as your name and the content of your messages, inquiries to us);
• Data on your interaction with our online presence and the posts and content distributed via it (e.g. likes, shares or comments to our contents).

Legal basis for processing:

• The personal data is necessary to provide our social media pages and our legitimate interest in order to stay in contact with and to ensure an effective information and communication with users (Art. 6 (1) lit. f) GDPR).

Recipients of your personal data:

• Social network providers
• Social media agencies
• Data processors that provide us with services relating to our IT infrastructure (e.g. hosting or operation and maintenance of our IT systems and platforms)

2.2. Data processing under joint controllership / controller to controller data transfer

The respective provider of the social network also provide us with Page Insights/Analytics data. This relates to aggregated and anonymous statistics that we can use to evaluate the quality of our profile and our content. These statistics are generated on the basis of usage data that the provider collects in particular in relation to information on your interaction with our profile and demographic information. We do not have access to such usage data.

The collection and processing of such statistics is subject to joint controllership or a controller-to-controller data transfers with the provider of the social network as stated in Section 1.. The respective provider of the social network has warranted to us that it will assume responsibility for compliance with the applicable obligations regarding the Page Insights/Analytics data and the fulfilment of your rights under the GDPR and to provide you with the main points of the applicable agreement to this effect.

For more information on joint controllership or controller to controller data transfers, the nature and scope of these statistics, and how to contact the social network, please see the Section 2.4..

Purpose of processing:

• To identify user preferences (such as the number of followers, number of interactions with individual page areas, user statistics by age, geography and language) and to tailor and improve the content on our profiles for our target audience as far as possible.

Scope of personal data processed:

• Technical data such as IP address and device information;
• Data on your interaction with our online presence and the posts and content distributed via it (e.g. likes, shares, viewing of images and videos);
• Demographic information (such as age, gender, region, country).

Legal basis for processing:

• The personal data is necessary to provide our social media pages and our legitimate interest in order to identify user preferences and to tailor and improve the content on our profiles for our target audience as far as possible. (Art. 6 (1) lit. f) GDPR).

Recipients of your personal data:

• Social network providers;
• Social media agencies;
• Data processors that provide us with services relating to our IT infrastructure (e.g. hosting or operation and maintenance of our IT systems and platforms).

2.3. Data Processing under responsibility of the social network provider

When you visit our profiles, your personal data is collected and processed not only by us, but also by the provider of the respective social network. Such processing also takes place even if you do not have a profile

in the respective social network yourself or are not logged on to your profile. The individual data processing activities and their scope differ depending on the provider of the respective social network and they are not necessarily comprehensible to us. We have no control over the personal data that the provider of the respective social network processes on its own controllership in accordance with its Terms of Use.

For details on the collection and processing of your personal data as well as the type, scope and purpose of their use by the provider of the respective social network, please refer to the Privacy Policies of the respective provider.

For more information on the collection and processing of your personal data by the provider of the social network, please see the Section 2.4..

2.4. Further information

For details on the collection and processing of your personal data as well as the type, scope and purpose of their use by the provider of the respective social network, please refer to the Privacy Policies of the respective provider.

• LinkedIn: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland Privacy Policy: https://www.linkedin.com/legal/privacy-policy
• LinkedIn Page Insights Joint Controller Addendum, with information about the roles and          responsibilities of us and LinkedIn as well as the data subject rights: https://legal.linkedin.com/pages-joint-controller-addendum https://www.linkedin.com/help/linkedin/answer/a1338708/joint-controllership?lang=en

3. Is my personal data transferred abroad?

If you visit our social media profiles or interact with our content, your personal data may also be processed by sub-companies of the respective provider of the social network in countries outside the European Economic Area (EEA) where the level of data protection is lower than in the European Union (e.g. in the US or China). If personal data is transferred to a third country, the respective provide of the social network ensures compliance with the GDPR requirements for such data transfers.

4. What rights do I have and how can I exercise them?

Please refer to Section 8 of our Privacy Policy. To exercise your rights as a data subject, you can contact us or the provider of the social network. If one party is not responsible for answering the question or needs to receive the information from the other party, we or the provider will forward your request to the respective partner.

If you have any questions about profiling or the processing of your personal data when using the social network, please contact the provider of the social network directly.

If you have any questions about the processing of your interaction with us on our profile, contact us via the contact details in Section 1.