Go to content

Tell Me

1. Introduction

This privacy notice (“Privacy Notice” ) is issued by each of the Kia group entities listed in Annex 1 below (“Kia Europe Group” ). The purpose of this Privacy Notice is to inform you about the Processing of your Personal Data by the relevant Kia Europe Group entity in connection with the handling of reports submitted by Kia Europe Group current or former employees, including managers, board members, temporary workers, expatriate coordinators, trainees, as well as persons working under the supervision and direction of contractors, subcontractors and suppliers of the Kia Europe Group (the “Reporting Persons” ) on the Kia Compliance: Tell Me misconduct reporting platform (the “Tell Me platform” ). Please refer to Annex 2 for local law amendments of this Privacy Notice.

The Tell Me platform provides the Reporting Persons with a dedicated communication channel for reporting violations of external laws and statutes, and breaches of internal regulations (e.g., the Kia EU Compliance & Integrity Code ), each as applicable to the relevant Kia Europe Group entity. For more information about the Tell Me platform and when and how to submit reports, please see the Kia Compliance: Tell Me Policy .

2. Controller(s)

If the reported case or incident relates solely to a Kia Europe GmbH ( “Kia EU” ) matter, Kia EU is the sole and independent Controller of the Personal Data Processed in connection with receiving, analyzing and processing the reports submitted on the Tell Me platform (the “Relevant Personal Data” ).

If the report relates to a matter of another Kia Europe Group entity ( “Relevant Kia Entity” ), Kia EU and the Relevant Kia Entity will work together very closely when assessing and investigating the reported case (the details of the case handling process are provided in the Kia Compliance: Tell Me Policy ). Hence, in such case, Kia EU and the Relevant Kia Entity jointly determine the purposes and means of Processing of the Relevant Personal Data as so-called joint Controllers. For this purpose, they have determined their respective responsibilities for compliance with the obligations under the GDPR as follows:

(a) In the event that you exercise your legal rights in accordance with section 9 of this Privacy Notice, the Relevant Kia Entity will be responsible for giving effect to such rights. However, Kia EU will promptly provide the Relevant Kia Entity with any assistance appropriate and necessary for the Relevant Kia Entity to comply with your request in accordance with the GDPR;

(b) The Relevant Kia Entity and Kia EU will comply with their obligations to provide you with the relevant information about the Processing of the Relevant Personal Data in accordance with Art. 13 and Art. 14 GDPR as follows: (i) each of them will make this Privacy Notice available on their intranet systems; (ii) Kia EU will ensure that this Privacy Notice is provided on the Tell Me platform; and (iii) if and to the extent applicable, the Relevant Kia Entity will provide to you the relevant information in accordance with Art. 14 GDPR.

(c) Irrespective of section 2(a) and (b) above, the Relevant Kia Entity and Kia EU acknowledge that you may exercise your rights under the GDPR against either of them in their capacity as joint Controllers. However, please note that usually the Relevant Kia Entity will respond to your relevant request.

The contact details of each Kia Europe Group entity are provided in Annex 1.

3. Data Protection Officer

If you have any questions about or in connection with this Privacy Notice, you may also contact either the Kia EU data protection officer at dpo@kia-europe.com . or the Relevant Kia Entity’s data protection officer ( “DPO” ). The contact details of each Kia Europe Group entity’s DPO are provided in Annex 1.

4. Categories of Personal Data

The operation of a misconduct reporting platform and the investigation of the cases reported on the platform will inevitably require the Processing of Personal Data. However, in the first place, the Reporting Person is in complete control of what is reported. This is because the Tell Me platform is a free form system which means that no categorization in advance has to be made by the Reporting Person when submitting the report. This also applies to the identity of the Reporting Person, the accused person, a witness, or any other person that is mentioned in the relevant report (together, the “Relevant Data Subjects”, and each a “Relevant Data Subject” ).

As a Reporting Person you should always consider carefully whether to disclose your identity. Whilst the identity of the Reporting Person and any other third party mentioned in the report will be treated with a high level of confidentiality, under certain circumstances, Kia EU or the Relevant Kia Entity could be required to disclose the identity of the Reporting Person or the relevant third party. This is why the Kia Europe Group has implemented the Kia Compliance: Tell Me platform, which is a specific tool that allows Reporting Persons to submit a report on an anonymous basis. Please refer to the Kia Compliance: Tell Me Policy < for other communication channels if you wish to disclose your identity as a reporter.

The types of Personal Data that Kia EU and the Relevant Kia Entity (if applicable) Process in connection with the Tell Me platform and the handling of relevant reports may include any of the following information relating to the Relevant Data Subject (always subject to the content and information that the Reporting Person has provided in the report): name, gender; nationality; address, and city; (mobile) phone number; email address; (function) title; role and position in company; department; administration numbers/employee numbers; characteristics and circumstances of the incident; measures taken; investigation reports; other data relating to the incident (e.g., date, time and location); access code; sound file and IP address and other technical data; consent records (i.e., records of consents given by the Reporting Person).

As set out in the <Kia Compliance: Tell Me Policy <, the Kia Europe Group provides a high level of protection of the anonymity of the Reporting Person in case the Reporting Person decides to stay anonymous to the extent possible and whereas proportional. For this purpose, the Kia Europe Group will not have access to any technical data that could identify an anonymous Reporting Person (e.g., IP-address, recorded voice-files and call-in data).

As a Reporting Person, please refrain from providing any special categories of Personal Data, such as racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and data concerning health or sex life not relevant for the case. If such non-relevant data is provided in a report, Kia EU and the Relevant Kia Entity will delete such data from the report and the relevant data sets. The same applies to Personal Data that is not strictly and objectively necessary to verify the allegations made in a report.

5. Purposes and Legal Basis of the Processing

Kia EU and the Relevant Kia Entity Process the Relevant Personal Data for the purposes of the initial reporting, the subsequent review of the relevant report and the investigation of the reported case.

The legal bases applicable to these Processing activities are as follows:

Consent (Art. 6(1)(a) GDPR): For certain Processing of Relevant Personal Data by the relevant Kia Europe Group entity, the legal basis is the Reporting Person’s prior consent (e.g., where a meeting between the relevant Kia Europe Group entity and the Reporting Person - upon the Reporting Person’s request - takes place by means of a videocall).

Compliance with a legal obligation (Art. 6(1)(c) GDPR): The implementation and provision of misconduct reporting systems is mandatory in certain jurisdictions. Where a Kia Europe Group entity is required by law to implement and provide such a misconduct reporting system and to the extent that such implementation and provision requires the Processing of Relevant Personal Data, the legal basis for such Processing is compliance with the applicable legal obligation.

Performance of a task carried out in the public interest (Art. 6(1)(e) GDPR): While the implementation and provision of misconduct reporting systems might be mandatory, in certain jurisdictions, there is no requirement for the relevant Kia Europe Group entity to implement a channel that allows the reporting on an anonymous basis or to review reports that have been submitted on an anonymous basis. In such case, the legal basis for the Processing of the Relevant Personal Data is performance of a task carried out in the public interest.

Legitimate interests (Art. 6(1)(f) GDPR): Where the Processing of the Relevant Personal Data is not necessary to comply with a legal obligation, the relevant Kia Europe Group entity Processes the Relevant Personal Data for the purposes of its legitimate interests. The legitimate interest is the monitoring of compliance with applicable laws and statutes, internal regulations (e.g., the Kia EU Compliance & Integrity Code) and detecting and preventing wrongdoing and misconduct. The relevant Kia Europe Group entity will always determine on a case-by-case basis whether its interests are overridden by the interests or fundamental rights and freedoms of the relevant person to which the information relates.

As mentioned above, special categories of Personal Data that are not relevant for the case shall not be included in reports submitted on the Tell Me platform and will be deleted accordingly. However, if and to the extent that such data is relevant for the case, the applicable legal basis for the Processing of such information is either Art. 9(2)(f) GDPR (i.e., the Processing is necessary for the establishment, exercise, or defence of legal claims) or Art. 9(2)(g) GDPR (i.e., the Processing is necessary for reasons of substantial public interest, on the basis of European Union or national law).

6. Disclosure of Personal Data to Third Parties

Kia EU and the Relevant Kia Entity will treat the Relevant Personal Data with a high level of confidentiality. The data will be disclosed solely in connection with the purposes of Processing set out above and always in compliance with applicable laws. The possible recipients of the Relevant Personal Data include the following companies, institutions, or persons:

Service providers: This includes People Intouch B.V. (and its approved sub-processors) as the operator of the Tell Me platform with its registered office at Olympisch Stadion 6, 1076 DE Amsterdam, the Netherlands. People Intouch B.V. will Process the Relevant Personal Data as a Processor of Kia EU and only in accordance with Kia EU’s instructions. Kia EU and People Intouch B.V. have entered into a data processing agreement for this purpose.

Legal advisors: In some cases, Kia EU or the Relevant Kia Entity may disclose the data to its legal advisors for the purpose of protecting their interests or enforcing their rights. The legal advisors will Process such data as independent Controllers.

Courts and regulatory bodies: Kia EU or the Relevant Kia Entity may disclose the data to courts or regulatory bodies as required by law, or where necessary to comply with judicial proceedings, court orders, requests from regulators or to protect their interests or enforcing their rights. The relevant courts or regulatory bodies will Process such data as independent Controllers.

Others: Kia EU or the Relevant Kia Entity may disclose the data to other third parties (e.g., the accused person; external members of supervisory bodies), but only if required to do so by law. Such third parties will Process the relevant data as independent Controllers.

7. International Transfer of Personal Data

For the purpose of Processing the Relevant Personal Data as set out in this Privacy Notice, Kia EU or the Relevant Kia Entity may need to transfer the Relevant Personal Data to other third parties as noted in section 6 above. However, the Relevant Personal Data will usually not be transferred to a recipient that is not located in a country that is a member of the European Economic Area (EEA) or for which the European Commission has not issued an adequacy decision according to which the relevant country provides an adequate level of data protection. If at any time any of the Relevant Personal Data would ever be transferred to a recipient in a country that does not fall under the abovementioned categories, such transfer would always be subject to appropriate safeguards in accordance with the GDPR.

8. Data Retention

Kia EU and the Relevant Kia Entity will only Process the Relevant Personal Data for as long as it is necessary for the purposes set out in this Privacy Notice or as required by applicable law. When determining the retention period, Kia EU and the Relevant Kia Entity take into account the purposes for which they Process the Relevant Personal Data and whether such purposes can be achieved without the data, the categories of the relevant data, risks in the event of a data breach and legal obligations that require Kia EU or the Relevant Kia Entity to retain the data.

Usually, this means that the Relevant Personal Data will be retained as follows:

• Personal Data that is not relevant for the case will be deleted or anonymized without undue delay.
• Relevant Personal Data that is contained in the documentation relating to the relevant matter will be retained as long as necessary to assess the report, carry out the investigation (if applicable) and be deleted or anonymized within three years of completion of the assessment and/or investigation (as applicable) at the latest, unless legal proceedings or disciplinary measures are initiated for which further retention of the Relevant Personal Data is required or different retention period is required by applicable law, always subject to such retention being necessary and adequate.

9. Your Legal Rights

Where Kia EU or the Relevant Kia Entity Processes your Personal Data on the basis of your consent, you have the right to withdraw your consent at any time (Art. 7(3) GDPR).

If you have any questions about Kia EU’s or the Relevant Kia Entity’s Processing of your Personal Data, Kia EU or the Relevant Kia Entity (as applicable) is of course happy to provide you with the information about the Personal Data concerning you and the related Processing activities (Art. 15 GDPR). Subject to the legal requirements being met, you also have a right to obtain: (a) rectification of your Personal Data (Art. 16 GDPR); (b) erasure of your Personal Data (Art. 17 GDPR); and (c) restriction of Processing of your Personal Data (Art. 18 GDPR). You also have a right to data portability (Art. 20 GDPR) and a right to lodge a complaint with a data protection authority (Art. 77 GDPR).

Your right to object: Where Kia EU or the Relevant Kia Entity Processes your Personal Data on the basis of Art. 6(1)(f) GDPR, you have the right to object to such Processing at any time on grounds relating to your particular situation (Art. 21(1) GDPR).

Where the Relevant Kia Entity and Kia EU Process your Personal Data as joint Controllers, please see section 2(a)-(c) for the determination of which entity will respond to your request.

10. Definitions

“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of personal data.

“GDPR” means (i) with respect to Kia UK LTD as a Controller, UK Data Protection Regulation tailored by the Data Protection Act 2018 (UK GDPR); and (ii) with respect to any of the other Kia Europe Group entities listed in Annex 1, the Regulation (EU) 2016/679 (General Data Protection Regulation).

“Personal Data” means any information relating to an identified or identifiable natural person.

To “Process”/ ”Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, such as collection, recording, organisation, structuring, storage, adaption or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“Processor” means a natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of the Controller.

Annex 1 – Details of Controllers

Kia Contact Information

Relevant Kia group entities Contact details Contact details of DPO
Kia Europe GmbH (Kia EU) Theodor-Heuss-Allee 11, 60486 Frankfurt, Germany
Email: info@kia-europe.com
dpo@kia-europe.com
Kia Nederland B.V. De Corridor 25, 3621 ZA Breukelen, Netherlands
Email: info@kia.nl
info@kia.nl
Kia Austria GmbH Sverigestrasse 5, 1220 Wien, Austria
Email: office@kia.at
datenschutz@kia.at
Kia Belgium N.V. Ikaroslaan 33, 1930 Zaventem, Belgium
Email: info@kia.be
privacy@kia.be
Kia France SAS 2 rue des Martinets, Rueil-Malmaison 92560, France
Email: relation.clientele@kia.fr
dpo@kia.fr
Kia Sales Slovakia s.r.o. Einsteinova 19, Bratislava 851 01, Slovakia
Email: info@kmss.sk
dpo@kiasales.sk
Kia Iberia S.L.U. Calle de Anabel Segura, 16 Edificio Vega Norte, Planta 2, 28108 Alcobendas, Madrid, Spain
Email: contacto@kia.es
consultalopd@kia.es
Kia Deutschland GmbH Theodor-Heuss-Allee 11, 60486 Frankfurt, Germany
Email: info@kia.de
datenschutz@kia.de
Kia Sweden AB Kanalvägen 10A, 194 61 Upplands Väsby, Sweden
Email: info@kia.se
d.elander@kia.se
Kia Polska SP. Z.O.O. Pulawska 366, 02-819 Warsaw, Poland
Email: infolinia@kiapolska.pl
iod@kiapolska.com.pl
Kia Czech s.r.o. Jihlavská 1558/21, Michle 140 00, Prague 4, Czech Republic
Email: kia-info@kia.cz
gdpr@kia.cz
Kia Hungary Kft. 1117 Budapest, Budafoki út 56, Hungary
Email: info@kiahungary.hu
adatvedelem@kiahungary.hu
Kia UK LTD Walton Green, Walton-On-Thames, Surrey, KT12 1FJ, UK
Email: dpo@kia.co.uk
dpo@kia.co.uk
Kia Ireland Unit A8 Calmount Park, Calmount Road, Dublin, D12 X266, Ireland
Email: admin@kiaireland.ie
dpo@kia.co.uk
Kia Italia S.r.l Via Gallarate 184, 20151 Milan, Italy
Email: infokia@kia.it
dpo@kia.it
Kia Connect GmbH Theodor-Heuss-Allee 11, 60486 Frankfurt, Germany
Email: info@kia-connect.eu
dpo@kia-connect.eu

The following local law amendments apply:

AUSTRIA

The EU Whistleblower Directive has been implemented into national law in Austria through the Austrian Whistleblower Protection Act (HSchG). In cases where indications of legal violations fall within the scope of the HSchG („covered area“), the processing of this information for the purpose of preventing and inhibiting potential legal violations is based on the fulfilment of a legal obligation (Art 6 para 1 lit c GDPR in conjunction with §§ 2 et seq. HSchG).

BELGIUM

Pursuant to the Belgian Whistleblowing Protection Act of 28 November 2022 transposing Directive (EU) 2019/1937:
The following paragraphs shall be added to Section 8 (Data Retention) as final paragraphs:

Specifically, under the Belgian Whistleblowing Protection Act, the name, function, and contact details of the Reporting Person and of any person to whom the protection and support measures are extended, as well as those of the person concerned, including, where applicable, his or her company number, are stored until the reported violation is prescribed under the applicable law.

Kia Belgium will maintain a register with all the made reports, under the strict respect of the confidentiality obligation as set out in Section 11 of the Kia Compliance: Tell Me policy. Regardless of the paragraph above, when applicable, the reports will be kept for the duration of the contractual relationship between Kia Belgium and the Reporting Persons.
ITALY

Section 4 is replaced with the following:

The operation of a misconduct reporting platform and the investigation of the cases reported on the platform will inevitably require the Processing of Personal Data. However, in the first place, <>bthe Reporting Person is in complete control of what is reported. This is because the Tell Me platform is a free form system which means that no categorization in advance has to be made by the Reporting Person when submitting the report. This also applies to the identity of the Reporting Person, the accused person, a witness, or any other person that is mentioned in the relevant report (together, the “Relevant Data Subjects”, and each a “Relevant Data Subject” ).

As a Reporting Person you should always consider carefully whether to disclose your identity. Whilst the identity of the Reporting Person and any other third party mentioned in the report will be treated with a high level of confidentiality, under certain circumstances, Kia EU or the Relevant Kia Entity could be required to disclose the identity of the Reporting Person or the relevant third party. This is why the Kia Europe Group has implemented the Kia Compliance: Tell Me platform, which is a specific tool that allows Reporting Persons to submit a report on an anonymous basis. Please refer to the Kia Compliance: Tell Me Policy for other communication channels if you wish to disclose your identity as a reporter.

According with the Tell Me platform and the management of the relevant reports, Kia EU and the relevant Kia entity (where applicable) may process any type of personal data. In fact, in addition to identification and contact data (the processing of which is necessary for the processing of the report), all information contained in the report may be processed.

Kia EU and the competent Kia entity (where applicable), independently of their own will, may process personal data falling under special categories of data pursuant to Article 9 GDPR or personal data relating to criminal convictions, offences, or related security measures pursuant to Article 10 GDPR that may be contained in the report and/or in the acts and documents attached to it. Such data will be used solely for the purpose of processing the report, in full compliance with the principles of proportionality and necessity; should irrelevant data or data not strictly and objectively necessary to verify the allegations made in a report be reported, Kia EU and the relevant Kia entity will delete it from the report and the relevant datasets.

As set out in the Kia Compliance: Tell Me Policy, the Kia Europe Group provides a high level of protection of the anonymity of the Reporting Person in case the Reporting Person decides to stay anonymous to the extent possible and whereas proportional. For this purpose, the Kia Europe Group will not have access to any technical data that could identify an anonymous Reporting Person (e.g., IP-address, recorded voice-files and call-in data).

Section 5 is amended as the following:

• The legal basis “Performance of a task carried out in the public interest (Art. 6(1)(e) GDPR)” does not apply to Italy.

Legitimate interests (Art. 6(1)(f) GDPR): Where the Processing of the Relevant Personal Data is not necessary to comply with a legal obligation, the relevant Kia Europe Group entity Processes the Relevant Personal Data for the purposes of its legitimate interests, consisting in the protection of one's contractual and pre-contractual rights or, in any case, arising from existing relations. The relevant Kia Europe Group entity will always determine on a case-by-case basis whether its interests are overridden by the interests or fundamental rights and freedoms of the relevant person to which the information relates.

As mentioned above, special categories of personal data (ex Article 9 GDPR) that are not relevant to the case should not be included in the reports made via the Tell Me platform and will be deleted accordingly. However, if and to the extent that such data is relevant to the case, the legal basis for the processing of such information is Art. 9(2)(b) GDPR (processing is necessary to fulfil the obligations and exercise the specific rights of the data controller or the data subject in the field of labour and social security law and social protection, insofar as it is authorised by Union or Member State law or by a collective agreement under the law of the Member States, subject to appropriate safeguards for the fundamental rights and interests of the data subject), Art. 9(2)(f) of the GDPR (i.e. the processing is necessary for the establishment, exercise or defence of legal claims).

Section 6 is amended as the following:

Others: Kia EU or the relevant Kia entity may disclose the data to other third parties, such as, external members of supervisory bodies, reporting support entities, consultants or advisory firms, professional firms, as well as other entities that cooperate with Kia in any capacity whatsoever, but only if it is required by law or if it is necessary to achieve the purposes set forth in this privacy policy.

Section 9 is amended as the following:

If you have any questions about Kia EU’s or the Relevant Kia Entity’s Processing of your Personal Data, Kia EU or the Relevant Kia Entity (as applicable) is of course happy to provide you with the information about the Personal Data concerning you and the related Processing activities (Art. 15 GDPR). Subject to the legal requirements being met, you also have a right to obtain: (a) rectification of your Personal Data (Art. 16 GDPR); (b) erasure of your Personal Data (Art. 17 GDPR); and (c) restriction of Processing of your Personal Data (Art. 18 GDPR). You also have the right to lodge a complaint with a data protection authority (Art. 77 GDPR).

Section 10 is amended as the following:

“Responsible” means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller.

Additional section:

Pursuant to Article 14 (2)(f) GDPR: Personal data are collected either directly from the data subjects or from third parties, depending on whether they are: • data relating to the whistleblower, in which case the data are collected directly from the data subject who communicates his or her data by sending the report;
• data relating to other data subjects (such as the person accused, witnesses or any other person mentioned in the report), in which case the data are collected from third parties, i.e. from the person making the report.

SPAIN

Kia Iberia S.L.U. (KES) will carry out the necessary processing activities for the management of internal complaints that you wish to submit through the local channel that has been implemented by KES (KES Channel) in its capacity as Data Controller. You can find the Privacy Policy of this local internal complaints channel in Annex 2B.

Section 8 (Data Retention) shall incorporate the following addendum:

For communications originating in Spain, as required by law, after three months have passed since the receipt of the communication without any investigation having been initiated, the communication must be deleted, unless the purpose of the conservation is to leave evidence of the operation of the system. Communications that have not been followed up may only be recorded in anonymized form.

SWEDEN

The following paragraph shall be added to Section 1 (Introduction) as a final paragraph:

In addition to the Processing of Relevant Personal Data described in this Privacy Notice, Kia Sweden AB (”Kia Sweden” ) Processes Personal Data in connection with the management of the reporting channel set up locally by Kia Sweden (the ”Swedish Channel” ). Information about Kia Sweden’s Processing of Personal Data in the Swedish Channel can be found in Annex 2A.

Section 5 (Purposes and Legal Basis of the Processing) shall be replaced with the following:

Kia EU and Kia Sweden Process the Relevant Personal Data for the purposes of the initial reporting, the subsequent review of the relevant report and the investigation of the reported case.

The legal bases applicable to the Processing activities are as follows for Kia EU:
Consent (Art. 6(1)(a) GDPR): For certain Processing of Relevant Personal Data by Kia EU, the legal basis is the Reporting Person’s prior consent (e.g., where a meeting between Kia EU and the Reporting Person – upon the Reporting Person’s request – takes place by means of a videocall).

Compliance with a legal obligation (Art. 6(1)(c) GDPR): The implementation and provision of misconduct reporting systems is mandatory in certain jurisdictions. Where Kia EU is required by law to implement and provide such a misconduct reporting system and to the extent that such implementation and provision requires the Processing of Relevant Personal Data, the legal basis for such Processing is compliance with the applicable legal obligation.

Performance of a task carried out in the public interest (Art. 6(1)(e) GDPR): While the implementation and provision of misconduct reporting systems might be mandatory, in certain jurisdictions, there is no requirement for Kia EU to implement a channel that allows the reporting on an anonymous basis or to review reports that have been submitted on an anonymous basis. In such case, the legal basis for the Processing of the Relevant Personal Data is performance of a task carried out in the public interest.

Legitimate interests (Art. 6(1)(f) GDPR): Where the Processing of the Relevant Personal Data is not necessary to comply with a legal obligation, Kia EU Processes the Relevant Personal Data for the purposes of its legitimate interests. The legitimate interest is the monitoring of compliance with applicable laws and statutes, internal regulations (e.g., the Kia EU Compliance & Integrity Code) and detecting and preventing wrongdoing and misconduct. Kia EU will always determine on a case-by-case basis whether its interests are overridden by the interests or fundamental rights and freedoms of the relevant person to which the information relates.

As mentioned above, special categories of Personal Data that are not relevant for the case shall not be included in reports submitted on the Tell Me platform and will be deleted accordingly. However, if and to the extent that such data is relevant for the case, the applicable legal basis for the Processing of such information is either Art. 9(2)(f) GDPR (i.e., the Processing is necessary for the establishment, exercise, or defence of legal claims) or Art. 9(2)(g) GDPR (i.e., the Processing is necessary for reasons of substantial public interest, on the basis of European Union or national law).

The legal bases applicable to the Processing activities are as follows for Kia Sweden:
Legitimate interests (Art. 6(1)(f) GDPR): The legal basis under the GDPR for Kia Sweden’s Processing of the Relevant Personal Data is that the Processing is necessary for Kia Sweden’s legitimate interest to monitor compliance with applicable laws, statutes and internal regulations (e.g., the Kia EU Compliance & Integrity Code), and to detect and prevent wrongdoing and misconduct. When sharing such Relevant Personal Data with other parties, Kia Sweden relies on its legitimate interest to investigate the reported misconduct or to take action in relation to the outcome of an investigation.

The Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of in the field of employment (Art. 9(2)(b) GDPR): If and to the extent Kia Sweden Processes special categories of Relevant Personal Data that are relevant for the case for the purposes of receiving and investigating a report, the legal basis under the GDPR for Kia Sweden’s Processing is that the Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of in the field of employment law.

The Processing is necessary for the establishment, exercise, or defence of legal claims (Art. 9(2)(f) GDPR: If and to the extent Kia Sweden is sharing special categories of Relevant Personal Data for the purposes of taking action in relation to the outcome of an investigation, the legal basis under the GDPR for Kia Sweden’s sharing of the Relevant Personal Data is that it is necessary for the establishment, exercise, or defence of legal claims.

The processing is necessary to investigate whether a person who is in a leading position or considered key personnel within the Kia Europe Group has been involved in serious irregularities or for the establishment, exercise, or defence of legal claims (Section 5(2) of the Swedish Supplementary Regulation (2018:219) to the GDPR (Sw. Förordning med kompletterande bestämmelser till EU:s dataskyddsförordning) and Section 2(4) of Integritetsskyddsmyndigheten’s Regulation DIFS 2018:2 (Sw. Föreskrifter om behandling av personuppgifter som rör lagöverträdelser): If and to the extent Kia Sweden Processes Relevant Personal Data relating to (suspected) criminal convictions and offences of a person who is in a leading position or considered key personnel within the Kia Europe Group, the legal basis for Kia Sweden’s Processing is that the Processing is necessary for the purposes of investigating whether such person has been involved in serious irregularities. If and to the extent Kia Sweden is sharing Relevant Personal Data relating to (suspected) criminal convictions and offences of a person who is in a leading position or considered key personnel within the Kia Europe Group for the purposes of taking action in relation to the outcome of an investigation, the legal basis for Kia Sweden’s sharing of the Relevant Personal Data is that it is necessary for the establishment, exercise, or defence of legal claims.

Version 15 December 2023