
Tell Me Privacy

1. Introduction

This privacy notice (“Privacy Notice”) is issued by each of the Kia group entities listed in Annex 1 below (“Kia Europe Group”). The purpose of this Privacy Notice is to inform you about the Processing of your Personal Data by the relevant Kia Europe Group entity in connection with the handling of reports submitted by Kia Europe Group current or former employees, including managers, board members, temporary workers, expatriate coordinators, trainees, as well as persons working under the supervision and direction of contractors, subcontractors and suppliers of the Kia Europe Group (the “Reporting Persons”) on the Kia Compliance: Tell Me misconduct reporting platform (the “Tell Me platform”). Please refer to Annex 2 for local law amendments of this Privacy Notice.

The Tell Me platform provides the Reporting Persons with a dedicated communication channel for reporting violations of external laws and statutes, and breaches of internal regulations (e.g., the Kia EU Compliance & Integrity Code), each as applicable to the relevant Kia Europe Group entity. For more information about the Tell Me platform and when and how to submit reports, please see the Kia Compliance: Tell Me Policy.

2. Controller(s)

If the reported case or incident relates solely to a Kia Europe GmbH (“Kia EU”) matter, Kia EU is the sole and independent Controller of the Personal Data Processed in connection with receiving, analyzing and processing the reports submitted on the Tell Me platform (the “Relevant Personal Data”).

If the report relates to a matter of another Kia Europe Group entity (“Relevant Kia Entity”), Kia EU and the Relevant Kia Entity will work together very closely when assessing and investigating the reported case (the details of the case handling process are provided in the Kia Compliance: Tell Me Policy). Hence, in such case, Kia EU and the Relevant Kia Entity jointly determine the purposes and means of Processing of the Relevant Personal Data as so-called joint Controllers. For this purpose, they have determined their respective responsibilities for compliance with the obligations under the GDPR as follows:

(a) In the event that you exercise your legal rights in accordance with section 9 of this Privacy Notice, the Relevant Kia Entity will be responsible for giving effect to such rights. However, Kia EU will promptly provide the Relevant Kia Entity with any assistance appropriate and necessary for the Relevant Kia Entity to comply with your request in accordance with the GDPR;

(b) The Relevant Kia Entity and Kia EU will comply with their obligations to provide you with the relevant information about the Processing of the Relevant Personal Data in accordance with Art. 13 and Art. 14 GDPR as follows: (i) each of them will make this Privacy Notice available on their intranet systems; (ii) Kia EU will ensure that this Privacy Notice is provided on the Tell Me platform; and (iii) if and to the extent applicable, the Relevant Kia Entity will provide to you the relevant information in accordance with Art. 14 GDPR.

(c) Irrespective of section 2(a) and (b) above, the Relevant Kia Entity and Kia EU acknowledge that you may exercise your rights under the GDPR against either of them in their capacity as joint Controllers. However, please note that usually the Relevant Kia Entity will respond to your relevant request.

The contact details of each Kia Europe Group entity are provided in Annex 1.

3. Data Protection Officer

If you have any questions about or in connection with this Privacy Notice, you may also contact either the Kia EU data protection officer at dpo@kia-europe.com or the Relevant Kia Entity’s data protection officer (“DPO”). The contact details of each Kia Europe Group entity’s DPO are provided in Annex 1.

4. Categories of Personal Data

The operation of a misconduct reporting platform and the investigation of the cases reported on the platform will inevitably require the Processing of Personal Data. However, in the first place, the Reporting Person is in complete control of what is reported. This is because the Tell Me platform is a free form system, which means that no categorization in advance has to be made by the Reporting Person when submitting the report. This also applies to the identity of the Reporting Person, the accused person, a witness, or any other person that is mentioned in the relevant report (together, the “Relevant Data Subjects”, and each a “Relevant Data Subject”).

As a Reporting Person you should always consider carefully whether to disclose your identity. Whilst the identity of the Reporting Person and any other third party mentioned in the report will be treated with a high level of confidentiality, under certain circumstances, Kia EU or the Relevant Kia Entity could be required to disclose the identity of the Reporting Person or the relevant third party. This is why the Kia Europe Group has implemented the Kia Compliance: Tell Me platform, which is a specific tool that allows Reporting Persons to submit a report on an anonymous basis. Please refer to the Kia Compliance: Tell Me Policy for other communication channels if you wish to disclose your identity as a reporter.

The types of Personal Data that Kia EU and the Relevant Kia Entity (if applicable) Process in connection with the Tell Me platform and the handling of relevant reports may include any of the following information relating to the Relevant Data Subject (always subject to the content and information that the Reporting Person has provided in the report): name; gender; nationality; address and city; (mobile) phone number; email address; (function) title; role and position in company; department; administration numbers/employee numbers; characteristics and circumstances of the incident; measures taken; investigation reports; other data relating to the incident (e.g., date, time and location); access code; sound file, IP address and other technical data; consent records (i.e., records of consents given by the Reporting Person).

As set out in the Kia Compliance: Tell Me Policy, the Kia Europe Group provides a high level of protection of the anonymity of the Reporting Person in case the Reporting Person decides to stay anonymous, to the extent possible and proportionate. For this purpose, the Kia Europe Group will not have access to any technical data that could identify an anonymous Reporting Person (e.g., IP address, recorded voice files and call-in data).

As a Reporting Person, please refrain from providing any special categories of Personal Data, such as racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and data concerning health or sex life not relevant for the case. If such non-relevant data is provided in a report, Kia EU and the Relevant Kia Entity will delete such data from the report and the relevant data sets. The same applies to Personal Data that is not strictly and objectively necessary to verify the allegations made in a report.

5. Purposes and Legal Basis of the Processing

Kia EU and the Relevant Kia Entity Process the Relevant Personal Data for the purposes of the initial reporting, the subsequent review of the relevant report and the investigation of the reported case.

The legal bases applicable to these Processing activities are as follows:

Consent (Art. 6(1)(a) GDPR): For certain Processing of Relevant Personal Data by the relevant Kia Europe Group entity, the legal basis is the Reporting Person’s prior consent (e.g., where a meeting between the relevant Kia Europe Group entity and the Reporting Person - upon the Reporting Person’s request - takes place by means of a videocall).

Compliance with a legal obligation (Art. 6(1)(c) GDPR): The implementation and provision of misconduct reporting systems is mandatory in certain jurisdictions. Where a Kia Europe Group entity is required by law to implement and provide such a misconduct reporting system and to the extent that such implementation and provision requires the Processing of Relevant Personal Data, the legal basis for such Processing is compliance with the applicable legal obligation.

Performance of a task carried out in the public interest (Art. 6(1)(e) GDPR): While the implementation and provision of misconduct reporting systems might be mandatory, in certain jurisdictions, there is no requirement for the relevant Kia Europe Group entity to implement a channel that allows the reporting on an anonymous basis or to review reports that have been submitted on an anonymous basis. In such case, the legal basis for the Processing of the Relevant Personal Data is performance of a task carried out in the public interest.

Legitimate interests (Art. 6(1)(f) GDPR): Where the Processing of the Relevant Personal Data is not necessary to comply with a legal obligation, the relevant Kia Europe Group entity Processes the Relevant Personal Data for the purposes of its legitimate interests. The legitimate interest is the monitoring of compliance with applicable laws and statutes, internal regulations (e.g., the Kia EU Compliance & Integrity Code) and detecting and preventing wrongdoing and misconduct. The relevant Kia Europe Group entity will always determine on a case-by-case basis whether its interests are overridden by the interests or fundamental rights and freedoms of the relevant person to which the information relates.

As mentioned above, special categories of Personal Data that are not relevant for the case shall not be included in reports submitted on the Tell Me platform and will be deleted accordingly. However, if and to the extent that such data is relevant for the case, the applicable legal basis for the Processing of such information is either Art. 9(2)(f) GDPR (i.e., the Processing is necessary for the establishment, exercise, or defence of legal claims) or Art. 9(2)(g) GDPR (i.e., the Processing is necessary for reasons of substantial public interest, on the basis of European Union or national law).

6. Disclosure of Personal Data to Third Parties

Kia EU and the Relevant Kia Entity will treat the Relevant Personal Data with a high level of confidentiality. The data will be disclosed solely in connection with the purposes of Processing set out above and always in compliance with applicable laws. The possible recipients of the Relevant Personal Data include the following companies, institutions, or persons:

Service providers: This includes People Intouch B.V. (and its approved sub-processors) as the operator of the Tell Me platform with its registered office at Olympisch Stadion 6, 1076 DE Amsterdam, the Netherlands. People Intouch B.V. will Process the Relevant Personal Data as a Processor of Kia EU and only in accordance with Kia EU’s instructions. Kia EU and People Intouch B.V. have entered into a data processing agreement for this purpose.

Legal advisors: In some cases, Kia EU or the Relevant Kia Entity may disclose the data to its legal advisors for the purpose of protecting their interests or enforcing their rights. The legal advisors will Process such data as independent Controllers.

Courts and regulatory bodies: Kia EU or the Relevant Kia Entity may disclose the data to courts or regulatory bodies as required by law, or where necessary to comply with judicial proceedings, court orders, requests from regulators or to protect their interests or enforcing their rights. The relevant courts or regulatory bodies will Process such data as independent Controllers.

Others: Kia EU or the Relevant Kia Entity may disclose the data to other third parties (e.g., the accused person; external members of supervisory bodies), but only if required to do so by law. Such third parties will Process the relevant data as independent Controllers.

7. International Transfer of Personal Data

For the purpose of Processing the Relevant Personal Data as set out in this Privacy Notice, Kia EU or the Relevant Kia Entity may need to transfer the Relevant Personal Data to other third parties as noted in section 6 above. However, the Relevant Personal Data will usually not be transferred to a recipient that is not located in a country that is a member of the European Economic Area (EEA) or for which the European Commission has not issued an adequacy decision according to which the relevant country provides an adequate level of data protection. If at any time any of the Relevant Personal Data would ever be transferred to a recipient in a country that does not fall under the abovementioned categories, such transfer would always be subject to appropriate safeguards in accordance with the GDPR.

8. Data Retention

Kia EU and the Relevant Kia Entity will only Process the Relevant Personal Data for as long as it is necessary for the purposes set out in this Privacy Notice or as required by applicable law. When determining the retention period, Kia EU and the Relevant Kia Entity take into account the purposes for which they Process the Relevant Personal Data and whether such purposes can be achieved without the data, the categories of the relevant data, risks in the event of a data breach and legal obligations that require Kia EU or the Relevant Kia Entity to retain the data.

Usually, this means that the Relevant Personal Data will be retained as follows:

• Personal Data that is not relevant for the case will be deleted or anonymized without undue delay.
• Relevant Personal Data that is contained in the documentation relating to the relevant matter will be retained as long as necessary to assess the report and carry out the investigation (if applicable), and will be deleted or anonymized within three years of completion of the assessment and/or investigation (as applicable) at the latest, unless legal proceedings or disciplinary measures are initiated for which further retention of the Relevant Personal Data is required, or a different retention period is required by applicable law, always subject to such retention being necessary and adequate.

9. Your Legal Rights

Where Kia EU or the Relevant Kia Entity Processes your Personal Data on the basis of your consent, you have the right to withdraw your consent at any time (Art. 7(3) GDPR).

If you have any questions about Kia EU’s or the Relevant Kia Entity’s Processing of your Personal Data, Kia EU or the Relevant Kia Entity (as applicable) is of course happy to provide you with the information about the Personal Data concerning you and the related Processing activities (Art. 15 GDPR). Subject to the legal requirements being met, you also have a right to obtain: (a) rectification of your Personal Data (Art. 16 GDPR); (b) erasure of your Personal Data (Art. 17 GDPR); and (c) restriction of Processing of your Personal Data (Art. 18 GDPR). You also have a right to data portability (Art. 20 GDPR) and a right to lodge a complaint with a data protection authority (Art. 77 GDPR).

Your right to object: Where Kia EU or the Relevant Kia Entity Processes your Personal Data on the basis of Art. 6(1)(f) GDPR, you have the right to object to such Processing at any time on grounds relating to your particular situation (Art. 21(1) GDPR).

Where the Relevant Kia Entity and Kia EU Process your Personal Data as joint Controllers, please see section 2(a)-(c) for the determination of which entity will respond to your request.

10. Definitions

“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of personal data.

“GDPR” means (i) with respect to Kia UK LTD as a Controller, the UK GDPR (the retained EU General Data Protection Regulation as tailored by the Data Protection Act 2018); and (ii) with respect to any of the other Kia Europe Group entities listed in Annex 1, Regulation (EU) 2016/679 (General Data Protection Regulation).

“Personal Data” means any information relating to an identified or identifiable natural person.

To “Process”/ ”Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, such as collection, recording, organisation, structuring, storage, adaption or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“Processor” means a natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of the Controller.

Annex 1 – Details of Controllers

Kia Contact Information

For each relevant Kia group entity, the entry below gives the postal address, the general contact email address and the contact email address of the DPO.

Kia Europe GmbH (Kia EU)
Address: Theodor-Heuss-Allee 11, 60486 Frankfurt, Germany
Email: info@kia-europe.com
DPO: dpo@kia-europe.com

Kia Nederland B.V.
Address: De Corridor 25, 3621 ZA Breukelen, Netherlands
Email: info@kia.nl
DPO: info@kia.nl

Kia Austria GmbH
Address: Sverigestrasse 5, 1220 Wien, Austria
Email: office@kia.at
DPO: datenschutz@kia.at

Kia Belgium N.V.
Address: Ikaroslaan 33, 1930 Zaventem, Belgium
Email: info@kia.be
DPO: privacy@kia.be

Kia France SAS
Address: 2 rue des Martinets, Rueil-Malmaison 92560, France
Email: relation.clientele@kia.fr
DPO: dpo@kia.fr

Kia Sales Slovakia s.r.o.
Address: Einsteinova 19, Bratislava 851 01, Slovakia
Email: info@kmss.sk
DPO: dpo@kiasales.sk

Kia Iberia S.L.U.
Address: Calle de Anabel Segura, 16 Edificio Vega Norte, Planta 2, 28108 Alcobendas, Madrid, Spain
Email: contacto@kia.es
DPO: consultalopd@kia.es

Kia Deutschland GmbH
Address: Theodor-Heuss-Allee 11, 60486 Frankfurt, Germany
Email: info@kia.de
DPO: datenschutz@kia.de

Kia Sweden AB
Address: Kanalvägen 10A, 194 61 Upplands Väsby, Sweden
Email: info@kia.se
DPO: d.elander@kia.se

Kia Polska SP. Z.O.O.
Address: Pulawska 366, 02-819 Warsaw, Poland
Email: infolinia@kiapolska.pl
DPO: iod@kiapolska.com.pl

Kia Czech s.r.o.
Address: Jihlavská 1558/21, Michle 140 00, Prague 4, Czech Republic
Email: kia-info@kia.cz
DPO: gdpr@kia.cz

Kia Hungary Kft.
Address: 1117 Budapest, Budafoki út 56, Hungary
Email: info@kiahungary.hu
DPO: adatvedelem@kiahungary.hu

Kia UK LTD
Address: Walton Green, Walton-On-Thames, Surrey, KT12 1FJ, UK
Email: dpo@kia.co.uk
DPO: dpo@kia.co.uk

Kia Ireland
Address: Unit A8 Calmount Park, Calmount Road, Dublin, D12 X266, Ireland
Email: admin@kiaireland.ie
DPO: dpo@kia.co.uk

Kia Italia S.r.l
Address: Via Gallarate 184, 20151 Milan, Italy
Email: infokia@kia.it
DPO: dpo@kia.it

Kia Connect GmbH
Address: Theodor-Heuss-Allee 11, 60486 Frankfurt, Germany
Email: info@kia-connect.eu
DPO: dpo@kia-connect.eu

Annex 2 – Local Law Amendments

The following local law amendments apply:

AUSTRIA

The EU Whistleblower Directive has been implemented into national law in Austria through the Austrian Whistleblower Protection Act (HSchG). In cases where indications of legal violations fall within the scope of the HSchG (“covered area”), the processing of this information for the purpose of preventing and inhibiting potential legal violations is based on the fulfilment of a legal obligation (Art. 6(1)(c) GDPR in conjunction with §§ 2 et seq. HSchG).

BELGIUM

Pursuant to the Belgian Whistleblowing Protection Act of 28 November 2022 transposing Directive (EU) 2019/1937:
The following paragraphs shall be added to Section 8 (Data Retention) as final paragraphs:

Specifically, under the Belgian Whistleblowing Protection Act, the name, function and contact details of the Reporting Person and of any person to whom the protection and support measures are extended, as well as those of the person concerned, including, where applicable, his or her company number, are stored until the reported violation is time-barred (prescribed) under the applicable law.

Kia Belgium will maintain a register of all reports made, in strict compliance with the confidentiality obligation set out in Section 11 of the Kia Compliance: Tell Me Policy. Regardless of the paragraph above, when applicable, the reports will be kept for the duration of the contractual relationship between Kia Belgium and the Reporting Persons.

ITALY

Section 4 is replaced with the following:

The operation of a misconduct reporting platform and the investigation of the cases reported on the platform will inevitably require the Processing of Personal Data. However, in the first place, the Reporting Person is in complete control of what is reported. This is because the Tell Me platform is a free form system, which means that no categorization in advance has to be made by the Reporting Person when submitting the report. This also applies to the identity of the Reporting Person, the accused person, a witness, or any other person that is mentioned in the relevant report (together, the “Relevant Data Subjects”, and each a “Relevant Data Subject”).

As a Reporting Person you should always consider carefully whether to disclose your identity. Whilst the identity of the Reporting Person and any other third party mentioned in the report will be treated with a high level of confidentiality, under certain circumstances, Kia EU or the Relevant Kia Entity could be required to disclose the identity of the Reporting Person or the relevant third party. This is why the Kia Europe Group has implemented the Kia Compliance: Tell Me platform, which is a specific tool that allows Reporting Persons to submit a report on an anonymous basis. Please refer to the Kia Compliance: Tell Me Policy for other communication channels if you wish to disclose your identity as a reporter.

In connection with the Tell Me platform and the handling of the relevant reports, Kia EU and the Relevant Kia Entity (where applicable) may process any type of personal data. In fact, in addition to identification and contact data (the processing of which is necessary for handling the report), all information contained in the report may be processed.

Kia EU and the competent Kia entity (where applicable), independently of their own will, may process personal data falling under special categories of data pursuant to Article 9 GDPR or personal data relating to criminal convictions, offences, or related security measures pursuant to Article 10 GDPR that may be contained in the report and/or in the acts and documents attached to it. Such data will be used solely for the purpose of processing the report, in full compliance with the principles of proportionality and necessity; should irrelevant data or data not strictly and objectively necessary to verify the allegations made in a report be reported, Kia EU and the relevant Kia entity will delete it from the report and the relevant datasets.

As set out in the Kia Compliance: Tell Me Policy, the Kia Europe Group provides a high level of protection of the anonymity of the Reporting Person in case the Reporting Person decides to stay anonymous, to the extent possible and proportionate. For this purpose, the Kia Europe Group will not have access to any technical data that could identify an anonymous Reporting Person (e.g., IP address, recorded voice files and call-in data).

Section 5 is amended as the following:

• The legal basis “Performance of a task carried out in the public interest (Art. 6(1)(e) GDPR)” does not apply to Italy.

Legitimate interests (Art. 6(1)(f) GDPR): Where the Processing of the Relevant Personal Data is not necessary to comply with a legal obligation, the relevant Kia Europe Group entity Processes the Relevant Personal Data for the purposes of its legitimate interests, consisting in the protection of one's contractual and pre-contractual rights or, in any case, arising from existing relations. The relevant Kia Europe Group entity will always determine on a case-by-case basis whether its interests are overridden by the interests or fundamental rights and freedoms of the relevant person to which the information relates.

As mentioned above, special categories of personal data (under Article 9 GDPR) that are not relevant to the case should not be included in the reports made via the Tell Me platform and will be deleted accordingly. However, if and to the extent that such data is relevant to the case, the legal basis for the processing of such information is either Art. 9(2)(b) GDPR (i.e., the processing is necessary to fulfil the obligations and exercise the specific rights of the data controller or the data subject in the field of labour and social security law and social protection, insofar as it is authorised by Union or Member State law or by a collective agreement under the law of the Member States, subject to appropriate safeguards for the fundamental rights and interests of the data subject) or Art. 9(2)(f) GDPR (i.e., the processing is necessary for the establishment, exercise or defence of legal claims).

Section 6 is amended as the following:

Others: Kia EU or the relevant Kia entity may disclose the data to other third parties, such as, external members of supervisory bodies, reporting support entities, consultants or advisory firms, professional firms, as well as other entities that cooperate with Kia in any capacity whatsoever, but only if it is required by law or if it is necessary to achieve the purposes set forth in this privacy policy.

Section 9 is amended as the following:

If you have any questions about Kia EU’s or the Relevant Kia Entity’s Processing of your Personal Data, Kia EU or the Relevant Kia Entity (as applicable) is of course happy to provide you with the information about the Personal Data concerning you and the related Processing activities (Art. 15 GDPR). Subject to the legal requirements being met, you also have a right to obtain: (a) rectification of your Personal Data (Art. 16 GDPR); (b) erasure of your Personal Data (Art. 17 GDPR); and (c) restriction of Processing of your Personal Data (Art. 18 GDPR). You also have the right to lodge a complaint with a data protection authority (Art. 77 GDPR).

Section 10 is amended as the following:

“Responsible” means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller.

Additional section:

Pursuant to Article 14(2)(f) GDPR: Personal data are collected either directly from the data subjects or from third parties, depending on whether they are:
• data relating to the whistleblower, in which case the data are collected directly from the data subject, who communicates his or her data by sending the report;
• data relating to other data subjects (such as the person accused, witnesses or any other person mentioned in the report), in which case the data are collected from third parties, i.e., from the person making the report.

SPAIN

Kia Iberia S.L.U. (KES) will carry out the necessary processing activities for the management of internal complaints that you wish to submit through the local channel that has been implemented by KES (KES Channel) in its capacity as Data Controller. You can find the Privacy Policy of this local internal complaints channel in Annex 2B.

Section 8 (Data Retention) shall incorporate the following addendum:

For communications originating in Spain, as required by law, after three months have passed since the receipt of the communication without any investigation having been initiated, the communication must be deleted, unless the purpose of the conservation is to leave evidence of the operation of the system. Communications that have not been followed up may only be recorded in anonymized form.

SWEDEN

The following paragraph shall be added to Section 1 (Introduction) as a final paragraph:

In addition to the Processing of Relevant Personal Data described in this Privacy Notice, Kia Sweden AB (“Kia Sweden”) Processes Personal Data in connection with the management of the reporting channel set up locally by Kia Sweden (the “Swedish Channel”). Information about Kia Sweden’s Processing of Personal Data in the Swedish Channel can be found in Annex 2A.

Section 5 (Purposes and Legal Basis of the Processing) shall be replaced with the following:

Kia EU and Kia Sweden Process the Relevant Personal Data for the purposes of the initial reporting, the subsequent review of the relevant report and the investigation of the reported case.

The legal bases applicable to the Processing activities are as follows for Kia EU:
Consent (Art. 6(1)(a) GDPR): For certain Processing of Relevant Personal Data by Kia EU, the legal basis is the Reporting Person’s prior consent (e.g., where a meeting between Kia EU and the Reporting Person – upon the Reporting Person’s request – takes place by means of a videocall).

Compliance with a legal obligation (Art. 6(1)(c) GDPR): The implementation and provision of misconduct reporting systems is mandatory in certain jurisdictions. Where Kia EU is required by law to implement and provide such a misconduct reporting system and to the extent that such implementation and provision requires the Processing of Relevant Personal Data, the legal basis for such Processing is compliance with the applicable legal obligation.

Performance of a task carried out in the public interest (Art. 6(1)(e) GDPR): While the implementation and provision of misconduct reporting systems might be mandatory, in certain jurisdictions, there is no requirement for Kia EU to implement a channel that allows the reporting on an anonymous basis or to review reports that have been submitted on an anonymous basis. In such case, the legal basis for the Processing of the Relevant Personal Data is performance of a task carried out in the public interest.

Legitimate interests (Art. 6(1)(f) GDPR): Where the Processing of the Relevant Personal Data is not necessary to comply with a legal obligation, Kia EU Processes the Relevant Personal Data for the purposes of its legitimate interests. The legitimate interest is the monitoring of compliance with applicable laws and statutes, internal regulations (e.g., the Kia EU Compliance & Integrity Code) and detecting and preventing wrongdoing and misconduct. Kia EU will always determine on a case-by-case basis whether its interests are overridden by the interests or fundamental rights and freedoms of the relevant person to which the information relates.

As mentioned above, special categories of Personal Data that are not relevant for the case shall not be included in reports submitted on the Tell Me platform and will be deleted accordingly. However, if and to the extent that such data is relevant for the case, the applicable legal basis for the Processing of such information is either Art. 9(2)(f) GDPR (i.e., the Processing is necessary for the establishment, exercise, or defence of legal claims) or Art. 9(2)(g) GDPR (i.e., the Processing is necessary for reasons of substantial public interest, on the basis of European Union or national law).

The legal bases applicable to the Processing activities are as follows for Kia Sweden:
Legitimate interests (Art. 6(1)(f) GDPR): The legal basis under the GDPR for Kia Sweden’s Processing of the Relevant Personal Data is that the Processing is necessary for Kia Sweden’s legitimate interest to monitor compliance with applicable laws, statutes and internal regulations (e.g., the Kia EU Compliance & Integrity Code), and to detect and prevent wrongdoing and misconduct. When sharing such Relevant Personal Data with other parties, Kia Sweden relies on its legitimate interest to investigate the reported misconduct or to take action in relation to the outcome of an investigation.

The Processing is necessary for the purposes of carrying out the obligations and exercising specific rights in the field of employment (Art. 9(2)(b) GDPR): If and to the extent Kia Sweden Processes special categories of Relevant Personal Data that are relevant for the case for the purposes of receiving and investigating a report, the legal basis under the GDPR for Kia Sweden’s Processing is that the Processing is necessary for the purposes of carrying out the obligations and exercising specific rights in the field of employment law.

The Processing is necessary for the establishment, exercise, or defence of legal claims (Art. 9(2)(f) GDPR): If and to the extent Kia Sweden is sharing special categories of Relevant Personal Data for the purposes of taking action in relation to the outcome of an investigation, the legal basis under the GDPR for Kia Sweden’s sharing of the Relevant Personal Data is that it is necessary for the establishment, exercise, or defence of legal claims.

The Processing is necessary to investigate whether a person who is in a leading position or considered key personnel within the Kia Europe Group has been involved in serious irregularities, or for the establishment, exercise, or defence of legal claims (Section 5(2) of the Swedish Supplementary Regulation (2018:219) to the GDPR (Sw. Förordning med kompletterande bestämmelser till EU:s dataskyddsförordning) and Section 2(4) of Integritetsskyddsmyndigheten’s Regulation DIFS 2018:2 (Sw. Föreskrifter om behandling av personuppgifter som rör lagöverträdelser)): If and to the extent Kia Sweden Processes Relevant Personal Data relating to (suspected) criminal convictions and offences of a person who is in a leading position or considered key personnel within the Kia Europe Group, the legal basis for Kia Sweden’s Processing is that the Processing is necessary for the purposes of investigating whether such person has been involved in serious irregularities. If and to the extent Kia Sweden is sharing Relevant Personal Data relating to (suspected) criminal convictions and offences of such a person for the purposes of taking action in relation to the outcome of an investigation, the legal basis for Kia Sweden’s sharing of the Relevant Personal Data is that it is necessary for the establishment, exercise, or defence of legal claims.

1. Controller

Kia Sweden AB, Kanalvägen 10A, 194 61 Upplands Väsby, with e-mail address info@kia.se, is Controller for the Personal Data Processed in connection with the receipt, investigation and handling of reports submitted in the Swedish Channel.

If you have questions about how Kia Sweden Processes your Personal Data, you can contact Kia Sweden's Data Protection Officer at d.elander@kia.se or Kia EU's Data Protection Officer at dpo@kia-europe.com.

2. Categories of Personal Data and Data Subjects

Reports submitted in the Swedish Channel may contain different types of Personal Data, i.e. data relating directly or indirectly to a natural person. The Personal Data may relate to the person who submitted the report, a person to whom the report relates, witnesses or any other persons mentioned in the report (“Relevant Data Subjects”).

Personal Data of Relevant Data Subjects that Kia Sweden may Process in connection with the management of the Swedish Channel are: name; address; city; gender; function/title; nationality; administration numbers/employee numbers; (mobile) phone number; e-mail address; characteristics of the incident; measures taken; investigation reports; other data relating to the incident, for example data collected during interviews or obtained via phone logs, data files, access codes, audio files, IP addresses and other technical data. To ensure the anonymity of the reporting person, Kia Sweden will never access technical data that can be used to identify an anonymous reporting person (e.g. IP address, recorded voice files and login data).

Depending on the nature of the case, Kia Sweden may also Process special categories of Personal Data of Relevant Data Subjects, such as data concerning ethnic origin, political opinions, religious or philosophical beliefs, trade union membership and data concerning health or sex life. Personal Data relating to (suspected) criminal convictions and offences may also be Processed.

Personal Data that are clearly not relevant to investigate a report and that are not strictly and objectively required to verify the allegations in a report will be deleted as soon as possible.

3. Purposes and Legal Basis of the Processing

The Personal Data is Processed primarily for the purpose of managing and investigating a report and for the purpose of taking action in response to what has been revealed in a case. Personal Data Processed for this purpose may also be Processed for the purpose of a disclosure that: (i) is necessary to take action in relation to the findings of a case; (ii) is necessary for reports to be used as evidence in legal proceedings; or (iii) is otherwise made in accordance with applicable law and regulation.

The legal basis under the GDPR for Kia Sweden’s Processing of Personal Data for the purpose of managing and investigating a report and of taking action in response to what has been revealed in a case is that the Processing is necessary to fulfil Kia Sweden’s legal obligation to provide a reporting channel under the Act (2021:890) on the Protection of Persons Reporting Misconduct (the “Swedish Whistleblower Act”) (Sw. lagen om skydd för personer som rapporterar om missförhållanden).

To the extent that the Processing of Personal Data for the above-mentioned purposes includes special categories of Personal Data, Kia Sweden’s legal basis under the GDPR is that the Processing is necessary for reasons of substantial public interest, based on Union or Member State law. In some cases, special categories of Personal Data may also be Processed where it is necessary for Kia Sweden to comply with its obligations and exercise its specific rights in the field of employment law. To the extent that the Processing of Personal Data relates to (suspected) criminal convictions and offences, the legal basis under the GDPR is that the Processing is necessary for compliance with Kia Sweden’s legal obligation to provide a reporting channel under the Swedish Whistleblower Act.

When Kia Sweden Processes Personal Data for the purpose of taking action in relation to the outcome of an investigation, Kia Sweden’s legal basis under the GDPR is Kia Sweden’s legitimate interest to ensure compliance with applicable laws, the Kia Compliance & Integrity Code and other internal policies and to detect and prevent misconduct and irregularities. To the extent such Processing involves special categories of Personal Data or Personal Data relating to (suspected) criminal convictions and offences, the legal basis under the GDPR and Swedish supplementary laws and regulations is that the Processing is necessary for the establishment, exercise or defence of legal claims.

4. Disclosure of Personal Data to Third Parties

Kia Sweden will treat the Personal Data with a high level of confidentiality. The data will be disclosed solely in connection with the purposes of Processing set out above and always in compliance with applicable laws. The possible recipients of the Personal Data include the following companies, institutions, or persons.
Service Providers: This includes People Intouch B.V. (and its approved sub-processors) as the operator of the Swedish Channel. People Intouch B.V. will Process the Personal Data as a Processor of Kia Sweden and only in accordance with Kia Sweden’s instructions. People Intouch B.V. has its registered office at Olympisch Stadion 6, 1076 DE Amsterdam, the Netherlands.
Legal advisors: Kia Sweden may disclose the Personal Data to its legal advisors for the purpose of protecting its interests or enforcing its rights. The legal advisors will Process the Personal Data as independent Controllers.
Courts and regulatory bodies: Kia Sweden may disclose the Personal Data to courts or regulatory bodies as required by law, or where necessary to comply with judicial proceedings, court orders or requests from regulators, or to protect its interests or enforce its rights. The relevant courts or regulatory bodies will Process such data as independent Controllers.
Others: Kia Sweden may disclose the Personal Data to other third parties if required to do so by law. Such third parties will Process the Personal Data as independent Controllers.

5. International Transfer of Personal Data

As a general rule, Personal Data will not be transferred to a recipient that is not located in a country that is a member of the European Economic Area (EEA). Should Personal Data nevertheless be transferred to a recipient in a country outside the EEA, the transfer will take place to a country for which the European Commission has issued an adequacy decision, or otherwise be subject to appropriate safeguards in accordance with the GDPR, for example by entering into Standard Contractual Clauses approved by the European Commission with the recipient. You may contact Kia Sweden if you wish to obtain further information on any international transfer of your Personal Data or if you wish to obtain any supporting documents for such transfer (adequacy decision or Standard Contractual Clauses).

6. Data retention

Kia Sweden will only Process the Relevant Personal Data for as long as it is necessary for the purposes set out in this Annex 2A or as required by applicable law. The Personal Data will be retained as follows.

• Personal Data that is not relevant for the case will be deleted or anonymized without undue delay.
• Within two weeks of receiving a report, an assessment will be made as to whether to open an investigation. If it is decided not to open an investigation, the Personal Data will be deleted or anonymized without undue delay.
• If it is decided to open an investigation, Personal Data will be retained for as long as necessary to investigate the report and to take relevant measures in relation to the outcome of such an investigation. Personal Data will be deleted or anonymized no later than 24 months after the end of the investigation.
• If the Personal Data is Processed to establish, exercise or defend a legal claim, the Personal Data will be retained until the conclusion of the legal proceedings and during the subsequent limitation period.

7. Your Legal Rights as a Data Subject

You have several rights when Kia Sweden Processes Personal Data about you. If you wish to exercise any of the rights listed below or if you have questions regarding Kia Sweden’s Processing of your Personal Data, you can contact Kia Sweden's Data Protection Officer at d.elander@kia.se. If you are dissatisfied with the Processing of your Personal Data, you have the right to lodge a complaint with the Swedish Data Protection Authority (IMY).

Right to information

If we receive a report in the Swedish Channel that contains Personal Data about you or if Personal Data about you are collected in the context of an investigation, we will, if possible, inform you of this. If such provision of information may prevent or hinder the investigation, you will instead be informed as soon as the investigation has reached a point where such a risk no longer exists.

Right of access

You may request to be informed whether we are Processing Personal Data relating to you and, if so, to receive a copy of it, together with further information on the purposes of the Processing, the categories of Personal Data concerned, the recipients to whom the Personal Data have been or will be disclosed, the storage period and the existence of the right to request rectification and erasure, to request restriction and to object to Processing. You also have the right to be informed of the right to lodge a complaint with IMY and of the source of the Personal Data, as well as of the existence of automated decision-making together with certain additional information.

Right to rectification

If you consider the Personal Data about you to be inaccurate or incomplete, you may request that the Personal Data be rectified or completed.

Right to object

When we Process Personal Data based on our legitimate interest, you have the right to object to the Processing at any time. If we cannot demonstrate that there are compelling legitimate grounds to continue Processing the Personal Data, we must cease Processing.

Right to restriction

In certain cases, for example if you have objected to our Processing of your Personal Data, contested the accuracy of the Personal Data or if the Processing of Personal Data is unlawful, you have the possibility to request the restriction of the Processing of your Personal Data. By requesting restriction, you have the possibility, at least for a certain period of time, to stop us from using the Personal Data other than to, for example, defend legal claims. You can also prevent us from erasing the Personal Data, for example if you need the Personal Data to claim damages.

Right to erasure

You have the right to have your Personal Data erased if we no longer need the Personal Data for the purposes for which it was collected or Processed, if you withdraw your consent, object to the Processing and there are no legitimate grounds for further Processing, your Personal Data has been Processed unlawfully or if we are required by law to erase your Personal Data.

Right to data portability

You have the right to obtain your Personal Data in a structured, commonly used and machine-readable format and to transmit it to another Controller (data portability).

Version 15 December 2023