Privacy Notice – Genesis Flexibility
1. What is this Privacy Notice about?
In this Privacy Notice ("Privacy Notice") we inform you about the collection and processing of your
personal data in connection with the provision of the subscription service Genesis Flexibility to you via our Platform ("Platform")
We take your privacy very seriously and will process your personal data only in accordance with applicable data protection and privacy law.
2. Who is responsible for processing my data?
Genesis Motor Deutschland GmbH, a German legal entity with the official company address in Kaiserleipromenade 5, 63067 Offenbach am Main,
Germany ("Genesis"), acting as data controller, is responsible for the processing of your personal data in connection with the provision
of the Services as explained in this Privacy Notice.
Genesis will be referred to as "we", "our" oder "us" in this Privacy Notice.
3. How can I contact the data controller and the data protection officer?
If you have any questions about or in connection with this Privacy Notice or the exercise of any of your rights, you may contact us by post
via the contact details as stated in section 2. You may also contact Genesis by email to
Alternatively, you may also contact our data protection officer under firstname.lastname@example.org or under postal address Kaiserleipromenade 5, 63067 Offenbach am Main, Germany.
4. What categories of personal data are collected and processed, for what purposes and on what legal basis?
We collect and process your personal data in connection with the Services only insofar as the collection and processing is:
- necessary for the conclusion or the performance of Genesis Flexibility (Art. 6 (1) b) GDPR),
- where required by law (Art. 6 (1) c) GDPR),
- where based on a consent (Art. 6 (1) a) GDPR), or
- where it is necessary for the purposes of legitimate interests of us or third parties (Art. 6 (1) f) GDPR).
For details on individual Services, please look into the respective service description as below.
4.1 Informational use of the Platform
When you visit our Platform only for informational reasons, e.g. without registering for any of our provided Services and without providing us with personal data in any other
form, we automatically collect so-called server log files (your IP address, the type and identification of your device, the type of your browser, the domain trough
which you access the Platform as well as your browsing data and activity on the Platform). We collect and process your personal data in order to provide you
with our Platform and to ensure system stability and efficiency and to implement proper safeguards as to the security of our Platform and Services.
The personal data automatically collected is necessary to provide the Platform (Art. 6 (1) b) GDPR) as far as this is necessary to operate the Platform. In addition the processing of your personal data is basing on our legitimate interest (Art. 6 (1) f) GDPR) with regards to our use of technical information to enhance our systems, make your usage of the Platform more convenient and ensure the security of the Platform. This is based on our legitimate interest as the personal data used for these purposes are stored for a limited period and do not allow us to personally identify a user.
4.2 Contact Form
If you have any questions about our Genesis Flexibility, we offer you the opportunity to contact us using the form provided on the Platform. Your first name, last
name and e-mail address are required in order to process your request and follow up as required. Other information and further contact details can be provided voluntarily.
The data will be processed for the purpose of contacting us and in accordance with Art. 6 (1) f) GDPR as required to follow up on your request in which also our legitimate interest exists which may include the transfer to suppliers that support our customer services.
The personal data collected by us for the use of the contact form will be deleted after your request has been processed.
4.3 Registration and user account
To use our services, you will have to create a user account to register you as a customer and to manage your personal master data. For your user account we collect and
process your first name and last name, your address, your age, your email address and your mobile phone number.
The processing of your personal data is necessary to enter into and to perform a contract with you and to ensure access to Genesis Flexibility (Art. 6 (1) b) GDPR).
4.4 Registration, validation and performance of Genesis Flexibility
We process your personal data that you provide to us in connection with Genesis Flexibility to proceed with you application and to manage all included services during your Genesis Flexibility period.
In this relation, it is required that you provide us with certain personal data. In addition to your personal data from your user account, we collect and process your ID number including a copy of your ID card, your driving license information including a copy of your driving license, your customer history, the plate number of the vehicle, the insurance number and vehicle related data (e.g. VIN, model and conditions of the vehicle) and in individual cases further information that are required to complete your registration and validation.
We collect and process your personal data
- to store your selection of the preferred Genesis Flexibility package (the desired date of your subscription service, the specific vehicle (model, segment, powertrain etc.) you had chosen and your mileage calculation),
- to contact and support you with your application and performance of Genesis Flexibility, if requested,
- to validate your identity and ID card as well as your driving license,
- to check, validate and approve your requested Genesis Flexibility package, including your acceptance of related Terms & Conditions,
- to contact you in order arrange the date, time and location for handover and/or turnover of the vehicle,
- to verify your personal data and identity within the handover of the vehicle at the delivery or pick-up,
- to inspect, maintain, record and proceed with the conditions and potential damages of the vehicle upon the handover and turnover, and
- for administrative proceedings with insurance partners.
In this relation, we process your personal data
- since it is necessary to enter into and to perform Genesis Flexibility with you basing on your request and application (Art. 6 (1) b) GDPR),
- so far as this is necessary for the purposes of our legitimate interests or those of a third party (Art. 6 (1) f) GDPR). Processing your personal data is required in our legitimate interest to process your request and application to deliver Genesis Flexibility and to ensure the functionality of our Platform, and
- insofar as the processing is subject to your freely given consent (Art. 6 (1) a) GDPR). If processing for subject to your consent takes place, we will provide you with additional information.
4.5 Payment service providers
We transmit your personal data to external payment service providers who support us in payment transactions and in fraud detection and prevention.
Depending on your chosen payment method, usually the following categories of personal data are processed for transactions: Your credit card details (CVC, expiry month, expiry year, cardholder name, card number and issue number) and bank transfer information (bank account number, BIC, bank name, bank location ID, country code).
We process your personal data as it is necessary to perform Genesis Flexibility with you (Art. 6 (1) b) GDPR) and basing on our legitimate interests (Art. 6 (1) f) GDPR) to offer you effective and secure payment methods as well as to detect and prevent us from frauds.
4.6 Credit rating and scoring
In order to reduce the risk of payment defaults, we check your creditworthiness before concluding Genesis Flexibility. For this reason, we transmit the necessary personal
data to credit agencies (for detailed information please see our section “With whom is my data shared?”). We transmit your first and last name, your
date of birth and your postal address.
Please note: Under certain conditions, we may request additional personal data from you (e.g. your income, your employment status and the type of your employment contract) in relation to the before mentioned purposes that we transmit to the credit agencies.
We will use the obtained information about the statistical probability of payment defaults to decide whether and under what payment terms we will make a vehicle available. The exchange of personal data with credit agencies also serves to fulfil legal obligations to carry out credit ratings and identity checks of customers.
Such credit rating information contains probability values (score values), which are calculated based on scientifically recognized mathematical-statistical methods. The data are incorporated into the score value calculation with different weightings.
You have the right not to be subject to a decision based solely on automated processing. Any rating of your creditworthiness is reviewed by one of our employees and within this framework and at your request, you may also express your point of view or contest the decision.
We process your personal data as it is necessary to enter into and to perform Genesis Flexibility with you (Art. 6 (1) b) GDPR) and basing on our legitimate interests (Art. 6 (1) f) GDPR). Processing your personal data based on Art. 6 (1) f) GDPR may only take place if this is necessary for the purposes of the legitimate interests pursued by us or by a third party, except where such interests are overridden by your interests or fundamental rights and freedoms which require protection of personal data. Our legitimate interest in processing your personal data for credit checks is to protect ourselves against payment defaults, the detection and prevention of fraud and the investigation of criminal offences.
4.7 Direct Marketing and Newsletter
On our Platform we may process your personal data for direct marketing purposes, as far as we are entitled to send you the offers tailored to your
preferences, e.g. if you agree to receive newsletters or promotional information to keep you informed with our news, products or services,
or offers and promotions that are of your interest.
We process your personal data for direct marketing purposes only, if you have previously specifically consented to the respective processing (Art. 6 (1) a) GDPR).
You can withdraw your consent for direct marketing purposes at any time without giving a reason, e.g. by using a link at the end of each newsletter. We delete your contact data in this relation after you withdraw your consent.
4.8 Other purposes
In case of traffic warrants, fines and penalties as well as civil law claims that are directed to us, we will forward your personal data to the corresponding sender.
We are processing your personal data as required or permitted by applicable law (Art. 6 (1) c) GDPR) and basing on our legitimate interests or those of a
third party (Art. 6 (1) f) GDPR) of a proper handling of the aforementioned issues.
In case of any damages of and to the vehicle (e.g. in case of a traffic accident) you are obliged to inform us within 24 hours. We will collect and process your personal data as required or permitted by applicable law (Art. 6 (1) c) GDPR) and basing on our legitimate interests or those of a third party (Art. 6 (1) f) GDPR) of a proper handling of the aforementioned issues.
For other purposes we process your personal data only if we are obligated to do so on the basis of legal requirements (e.g., transfer to courts or criminal prosecution authorities), if you have consented to the respective processing or if the processing is otherwise lawful under applicable law. In such cases we will provide you with additional information about the processing of your personal data.
What are cookies?
The main purpose of cookies is to make it quicker for users to access the selected services. In addition, cookies make it possible to tailor the services
offered by the website, allowing information of interest or potentially of interest to be provided to users depending on their use of the services.
A cookie is any kind of file or device that is downloaded to a user’s system for the purpose of storing data that may be updated or retrieved by the
company responsible for its installation.
Types of Cookies
Depending on the company managing them:
- Own cookies: Are those which are sent to the user’s system from a system or domain managed by the editor and from which the service requested by the user is provided.
- Third party cookies: Are those which are sent to the user’s system from a system or domain that is not managed by the editor but by another company processing the data obtained through the cookies.
Depending on the period of time that they remain active:
- Session cookies: Are those cookies designed for gathering and storing data while the user is using a web page. They are usually used to store information that is only intended for providing the service requested by the user on one single occasion (e.g. a list of purchased products).
- Persistent cookies: In this type of cookie the data continues to be stored on the system and may be accessed and processed during a specific period of time by the manager of the cookie, which may range between several minutes and several years.
Depending on their purpose:
- Technical cookies: Are those which allow the user to browse a website, platform or application and use the different options or services offered, such as, for example, controlling data traffic and communication, identifying the session, accessing restricted areas, recalling the parts of an order, carrying out the process for purchase of an order, making a request to register for or participate in an event, using security elements during browsing, storing contents for the transmission of videos or sound or sharing contents through social networks.
- Analytical cookies: Are those which enable the manager to monitor and analyse the behaviour of the users of the websites to which they are linked. The information collected by means of this type of cookie is used to measure the activity of the websites, applications or platforms and to draw up browsing profiles of the users of such websites, applications and platforms in order to introduce upgrades on the basis of the analysis of the data on the use of the service by users.
- Advertising cookies: Are those which enable the most efficient management possible of the advertising space that the editor has included in a website, application or platform from which the requested service is provided on the basis of criteria such as the edited content or the frequency with which the advertisements are shown.
- Behavioural advertising cookies: Are those which enable the most efficient management possible of the advertising space that the editor has included in a website, application or platform from which the requested service is provided. These cookies store behavioural information about users obtained through the ongoing observance of their browsing habits, which allows a specific profile to be defined in order to show advertising on the basis of such profile.
The data processed by technical cookies is required for the aforementioned purposes in order to protect our legitimate interests and those of third parties pursuant to Art. 6 (1) f) GDPR in order to provide you with our Platform and to ensure system stability and efficiency and to implement proper safeguards as to the security of our Platform and services.
The data processed by analytical, advertising and/or behavioural advertising cookies are not strictly necessary for visiting our Platform. We will only process data by analytical, advertising and/or behavioural advertising cookies if you gave us your prior consent pursuant to Art. 6 (1) a) GDPR.
You may choose which cookies you want on the Platform by setting your browser. For further information on your opt-out choices, please see below.
5. With whom is my data shared?
Any access to your personal data at Hyundai is restricted to those individuals that have a need to know in order to fulfill their job responsibilities.
Your personal data may be transferred for the respective purposes to the recipients and categories of recipients listed below and processed by those recipients for the respective purposes:
- Third parties - We receive and transmit your personal data from or to certain third parties, whether affiliated or unaffiliated, that are authorized to process your personal data under their own responsibility as far as necessary to provide Genesis Flexibility.
- Genesis Motor Europe - We will transmit certain personal data to our affiliated company Genesis Motor Europe GmbH, Kaiserleipromenade 5, 63067 Offenbach am Main, Germany (e.g. for service development and improvement purposes).
- Other private third parties - We disclose your personal data to certain private entities that help us offering the Services. For instance, we rely on the following partners
- The partner for the delivery, inspection and return of vehicles areDEKRA Event & Logistic Services GmbH,Handwerkstraße 15, 70565 Stuttgart, Germany and BLG LOGISTICS GROUP, Präsident-Kennedy-Platz 1, 28203 Bremen, Germany.
- The partner for insurance services is Helvetia Versicherungen, Berliner Str. 56-58, 60311 Frankfurt am Main, Germany.
Data processors - We grant access to your personal data to certain third parties, whether affiliated or unaffiliated, that process your data on behalf of Hyundai under appropriate instructions as necessary for the respective processing purposes. The data processors will be subject to contractual obligations to implement appropriate technical and organizational security measures to safeguard the personal data, and to process your personal data only as instructed.
- The service provider data processor for operating and maintenance of the Platform is FAAREN GmbH with its registered seat in Ostring 2-4, 97228 Rottendorf, Germany. Faaren GmbH provides us with a partner network of service providers that are either data processor of Faaren GmbH or that are a cooperating private third party.
- For hosting of the platform Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Irland.
- For identity checks and fraud prevention Onfido, 3 Finsbury Ave, London EC2M 2PA, United Kingdom.
- For credit rating and scoring CRIF BÜRGEL GMBH, Leopoldstr. 244, 80807 München, Germany; SCHUFA Holding AG Kormoranweg 5, 65201 Wiesbaden, Germany, and Creditreform Boniversum GmbH, Hellersbergstraße 11, 41460 Neuss, Germany.
- For handling payment transactions Stripe, Inc., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Irland.
- The data processor for mobility emergency service and roadside assistance is ARC Europe S.A., Avenue des Olympiades 2, 1140 Brussels, Belgium.
- These data processors may also use sub-processors for the provision of the respective services.
- Governmental authorities, courts, external advisors, and similar third parties that are public bodies, as required or permitted by applicable law. E.g. in the event of traffic offences or a criminal offence, we may transmit your personal data to the relevant authorities or to the aggrieved party.
6. Is my data transferred abroad?
Some of the recipients of your personal data may be located or may have relevant operations outside of your country and the EU/EEA, where the data protection laws may provide a
different level of protection compared to the laws in your jurisdiction and with regard to which an adequacy decision by the European Commission does not exist.
With regard to data transfers to such recipients outside of the EU/EEA we provide appropriate safeguards, in particular, by way of entering into data transfer agreements which include standard clauses adopted by the European Commission (e.g. Standard Contractual Clauses (2010/87/EU and/or 2004/915/EC)) with the recipients or taking other measures to provide an adequate level of data protection. A copy of the respective measure we have taken is available via Genesis’s data protection officer (see Section 3 above).
7. How long will my data be stored?
Your personal data is stored by Genesis and/or our service providers, strictly to the extent necessary for the performance of our obligations and strictly, for the time necessary to achieve the purposes for which the personal data is collected, in accordance with applicable data protection laws. When Genesis no longer needs to process your personal data, we will erase it from our systems and/or records and/or take steps to properly anonymize it so that you can no longer be identified from the data (unless we need to keep your information to comply with legal or regulatory obligations to which Genesis is subject; e.g., personal data contained in contracts, communications, and business letters may be subject to statutory retention requirements, which may require retention of up to 10 years).
There are specific storage periods for the following items:
- Termination of account: If you choose to terminate your account all personal data related to your account will be deleted, unless you are subject to ongoing Genesis Flexibility or statutory retention periods apply (see above).
- Payment transactions: All encrypted transaction data processed by Stripe is stored for a period of up to 7 years in accordance with applicable PCI DSS requirements.
- Invoices: Invoices will be stored for as long as the contractual relationship is in force and for a period of 10 years in order for Genesis to be able to comply with its legal obligations.
- Information on declined applications will be stored for 12 months, for the purpose of facilitating the process in case you consider applying again with new additional information.
8. What rights do I have and how can I exercise them?
If you have given your consent to the processing of your personal data, you can withdraw your consent at any time for future processing. Such a withdrawal will
not affect the lawfulness of the processing prior to your withdrawal of consent.
Pursuant to applicable data protection law, you have the following rights with respect to the processing of your personal data. Please note that these rights might be limited under the applicable national data protection law.
8.1 Right of access
You have the right to obtain from us confirmation as to whether or not personal data concerning you is processed, and, where that is the case, to request access to your personal data.
This information includes – inter alia – the purposes of the processing, the categories of your personal data, and the recipients or categories of recipients to whom your personal
data have been or will be disclosed. However, this is not an absolute right and the interests of other individuals may restrict your right of access.
You also have the right to obtain a copy of the personal data about you undergoing processing. For any further copies you might request, we may charge a reasonable fee based on administrative costs.
8.2 Right to rectification
You have the right to the rectification of any inaccurate personal data concerning you. Depending on the purposes of the processing, you have the right to have incomplete personal data updated, including by means of providing a supplementary statement.
8.3 Right to erasure ("right to be forgotten")
Under certain circumstances, you have the right to the erasure of your personal data and we may be obliged to erase your personal data.
8.4 Right to restriction of processing
Under certain circumstances, you have the right to have a restriction placed on the processing of your personal data. In this case, the respective data will be marked and may only be processed by us for certain purposes.
8.5 Right to data portability
Under certain circumstances, you may have the right to obtain from us a copy of your personal data, which you have provided to us, in a structured, commonly used and machine-readable format. You have the right, without hindrance from us, to transfer this data or have it transferred directly by us to another entity.
8.6 Right to object
Under certain circumstances, you have the right to object, on grounds relating to your particular situation, at any time to processing your personal data, and we can be required to no longer process your personal data. If your personal data is processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data for such marketing, which includes profiling to the extent that it is related to such direct marketing. In this case your personal data will no longer be processed for such purposes by us.
8.7 Right to complain
You also have the right to make a complaint with the competent data protection supervisory authority, in your country of origin.
9. Am I obliged to provide my data?
You are not obliged by any statutory or contractual obligation to provide us with your personal data. As well, you do not need to provide your personal data for the conclusion of a contract. But if you do not provide your personal data, it is possible that the usability of our Services is limited for you.
10. How can this Privacy Notice be changed?
We may change and/or supplement this Privacy Notice from time to time in the future. Such changes and/or supplements may be necessary in particular due to the implementation of new technologies or the introduction of new services. We will publish the changes on our Platform.