Genesis Privacy Protection Charter

Preamble

 Genesis Motor France (hereinafter referred to as “Genesis”) respects the privacy of its customers, employees, members of its authorised distributor and repairer network, service providers and any other third parties whose Personal Data is provided to it, and undertakes to protect such data (hereinafter collectively referred to as the “Data Subjects”).

This Charter applies to the processing of Personal Data carried out by Genesis in the context of its own activities as well as in connection with the operation and management of the Genesis brand in France, unless otherwise specified.

In this respect, you may consult our website privacy policy at the following address:

https://www.genesis.com/fr/en/footer/privacy-policy/

In order to ensure the protection of Personal Data, it is essential to establish uniform standards and procedures to guarantee the efficient and lawful handling of requests from Data Subjects seeking to exercise their rights.

The rights granted to Data Subjects enable them to control the use of their Personal Data and to prevent misuse of such data, including data breaches.

This privacy charter (hereinafter the “Charter”) describes the handling by GENESIS of requests from Data Subjects in compliance with applicable data protection laws, in particular Regulation (EU) 2016/679 (GDPR).

 

1. Scope

 

This Charter shall be complied with by all GENESIS employees, service providers and employees of service providers acting on behalf of GENESIS (collectively referred to as the “Staff”) who process Personal Data when responding to requests from internal or external individuals exercising their rights under the GDPR as Data Subjects.

This Charter describes the fundamental principles and methods applicable to the handling by GENESIS of Data Subject requests in order to comply with applicable personal data protection laws.

 

Definitions

 

“Personal Data” Means any data relating to an identifiable natural person, whether directly or indirectly identifiable from such data (alone or combined with other information in our possession). Personal Data may be factual (such as a name, address or date of birth) or subjective (such as a performance assessment).

“Data Subject Rights” Means all rights relating to Data Subjects and their Personal Data, including all rights provided under Chapter III of the GDPR, notably: the right to information (Articles 12 et seq. GDPR); the right of access (Article 15 GDPR); the right to rectification (Article 16 GDPR); the right to erasure or “right to be forgotten” (Article 17 GDPR); the right to restriction of processing (Article 18 GDPR); the right to data portability (Article 20 GDPR); the right to object (Article 21 GDPR); and the right not to be subject to automated decision-making (Article 22 GDPR).

Data Subject rights are detailed in Appendix 1.

“Data Subjects” Within the meaning of this Charter, means all natural persons whose Personal Data is held by GENESIS, including our employees and members of their families.

“Processing” Means any activity involving the use of Personal Data. This includes obtaining, recording or holding Personal Data, or carrying out any operation or set of operations on such information, including organisation, modification, retrieval, use, disclosure, erasure or destruction. Processing also includes the transfer of Personal Data to third parties.

“Data Breach” Means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.

 

2. Handling of Data Subject requests and associated responsibilities

 

Each Staff member is responsible for identifying Data Subject requests and handling them in accordance with the procedures defined below.

 

3. Identification of Data Subject requests

 

3.1 The Staff member receiving the request must examine each request made by a Data Subject, regardless of whether or not the request expressly refers to a Data Subject right.

Appendix 1 to this Charter provides an overview of Data Subject rights under the GDPR in order to facilitate their identification and the appropriate handling of related requests.

 

4. Analysis and handling of Data Subject requests

 

4.1 Any request from a Data Subject received by a Staff member must immediately be forwarded to the following email addresses (hereinafter the “Addresses”):

 

- if you are a customer, prospect or any other third party, you may write to: [email protected]

 

- if you are a Staff member, you may write to: [email protected]

 

- in the event of a data breach, you may write to: [email protected]

 

GENESIS employees must copy their line manager when forwarding a Data Subject request.

 

4.2 If the request was made orally, the information relating to the subject matter of the request must be included in an email and immediately sent to one of the Addresses.

 

4.3 If the request was received by post, it may either be scanned and sent by email to one of the GENESIS Addresses or delivered directly to the same department.

 

4.4 Requests from Data Subjects seeking to exercise their rights, received by GENESIS partner service providers or their employees, must also be forwarded to one of the Addresses by the Staff.

 

4.5 Any request transmitted to one of the GENESIS Addresses - in whatever form - must include:

 

- the date and time of receipt of the request;

- the original recipient of the request (if different from the sender);

- the contact person in the event of questions from GENESIS (if different from the sender);

- any action already taken (if applicable);

- any other useful information.

 

5. Handling of Data Subject requests / Priority of such requests

 

5.1 GENESIS shall process the request and respond to the Data Subject in accordance with applicable law. GENESIS may consult all relevant departments and/or request information from them in order to ensure compliance with the request.

 

5.2 Due to the statutory deadlines applicable to such requests, the departments concerned must treat these requests as a priority and forward them immediately, and no later than noon on the following day, to one of the GENESIS Addresses.

 

GENESIS shall process requests without undue delay and, in any event, within one month of receipt of the request. Where necessary, this period may be extended by two additional months taking into account the complexity and number of requests. In such cases, GENESIS shall inform the Data Subject of the extension and the reasons for the delay within one month of receipt of the request.

If GENESIS decides not to take action on a request made by a Data Subject, it shall inform the Data Subject without undue delay and no later than one month from receipt of the request of the reasons for not taking action and of the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

 

6. Processing of Data Subject requests by GENESIS

 

GENESIS shall assess any reported request in order to determine the appropriate response to be provided to the Data Subject and to ensure compliance with applicable data protection laws.

For this assessment, GENESIS shall proceed as follows:

  • verify that the Data Subject making the request is authorised to exercise the relevant rights vis-à-vis GENESIS (for example, the right to receive certain information relating to Personal Data held by GENESIS). GENESIS must implement appropriate mechanisms to verify the identity of the requester in order to ensure that only authorised Data Subjects may exercise the rights granted under the GDPR;
  • determine the right exercised by the Data Subject on the basis of the facts presented in the request addressed to GENESIS (for example, determine whether a Data Subject is exercising the right of access or the right to data portability);
  • before processing the request, verify that the request is legitimate and well-founded (legal basis or assessment of the relationship with GENESIS);
  • assess whether the circumstances of the request addressed to GENESIS require additional measures, notably in the event of a data breach within the meaning of the GDPR which may trigger additional obligations such as notification to competent authorities or other supplementary measures relating, for example, to the security of data processing within GENESIS;
  • archive all exchanges with the departments involved within GENESIS, as well as with the requesting Data Subjects, including any decision to grant (or reject) the request, together with any other useful information (for example relating to the content of the response provided to a Data Subject);
  • contact GENESIS in the event of any doubt regarding the proper handling of a request in compliance with the provisions of the GDPR.

7. Post-mortem rights

In accordance with Article 48 of French Law No. 78-17 of 6 January 1978 relating to data processing, files and freedoms (the “French Data Protection Act”), you have the right to define instructions regarding the retention, deletion and communication of your data after your death.

These instructions may be general or specific and may be amended or revoked at any time.

In the absence of such instructions or unless otherwise specified therein, the rights relating to your data after your death may be exercised under the conditions set out in Article 85 of the French Data Protection Act.

 

8. Other questions

 

For any questions relating to the handling of Data Subject requests seeking to exercise their rights, please contact:

- if you are a customer, prospect or any other third party, you may write to: [email protected]

- if you are a Staff member, you may write to: [email protected]

- in the event of a data breach, you may write to: [email protected]

 

Appendix 1 - Data Subject Rights

 

1. Right of access (Article 15 GDPR)

Data Subjects have the right to obtain:

  • confirmation as to whether their data is being processed;
  • access to their Personal Data;
  • and additional information relating to such processing.

2. Right to rectification (Article 16 GDPR)

Data Subjects have the right to obtain the rectification of inaccurate or incomplete Personal Data.

Where the relevant information has been disclosed to a third party, GENESIS shall inform such third party of the rectification request where possible.

The Data Subject also has the right to be informed of the third parties to whom the data has been disclosed, where applicable.

 

3. Right to erasure or “right to be forgotten” (Article 17 GDPR)

Data Subjects may request the deletion of their Personal Data where GENESIS no longer has a compelling reason to continue processing it.

The right to erasure applies in the following cases:

- the Personal Data is no longer necessary for the purposes for which it was originally collected;

- the Data Subject withdraws the consent on which the processing is based;

- the Data Subject objects to specific processing activities and GENESIS has no overriding legitimate grounds;

- the data has been unlawfully processed;

- the data must be erased in order to comply with a legal obligation.

Personal Data may naturally be retained for longer periods where required by legal retention obligations or for judicial purposes. In such specific cases, a careful assessment must be carried out in order to justify the extended retention of Personal Data.

 

4. Right to restriction of processing (Article 18 GDPR)

Data Subjects have the right to obtain restriction of the processing of their data.

Where this right is exercised, GENESIS is authorised to retain the Personal Data but not to continue processing it. Limited information relating to the Data Subject may be retained in order to ensure that the restriction is respected in the future.

The right to restriction of processing applies in the following cases:

- where a Data Subject contests the accuracy of their Personal Data, processing must be restricted to storage only while the accuracy of the Personal Data is verified;

- where a Data Subject objects to processing necessary for the performance of a task carried out in the public interest or for the legitimate interests pursued by GENESIS,

- GENESIS must restrict processing to storage only while verifying whether its legitimate grounds override the rights and freedoms of the Data Subject;

- where processing is unlawful and the Data Subject opposes erasure and instead requests restriction of processing to storage only;

- where GENESIS no longer requires the Personal Data but the data is still required by the Data Subject for the establishment, exercise or defence of legal claims.

 

5. Right to data portability (Article 20 GDPR)

Data Subjects may obtain their Personal Data and reuse it for their own purposes and across different services.

The right to data portability enables the Data Subject to move, copy or transfer their Personal Data easily from one IT environment to another in a safe and secure manner and in a commonly used format.

The right to data portability applies in the following cases:

- where the Personal Data has been provided directly by the Data Subject to the controller;

- where the processing is based on consent or on the performance of a contract;

- where the processing is carried out by automated means.

It may sometimes be difficult to determine whether, and to what extent, data must be disclosed under the right to data portability. Unless a specific process exists within GENESIS for handling such requests, these cases must be escalated to GENESIS, which shall carefully assess them in order to ensure compliance with applicable law.

 

6. Right to object (Article 21 GDPR)

Data Subjects have the right to object to:

- processing based on legitimate interests or the performance of a task carried out in the public interest or in the exercise of official authority (including profiling), taking into account the particular situation of the Data Subject;

- direct marketing activities (including profiling);

- processing for statistical purposes or scientific or historical research purposes.

 

7. Rights relating to automated decision-making and profiling (Article 22 GDPR)

Data Subjects have the right not to be subject to a decision based solely on automated processing, including profiling. This right provides safeguards against the risk that a potentially harmful decision may be taken without human intervention.

The right not to be subject to automated decision-making applies where:

- the decision is based solely on automated processing;

- the decision produces legal effects concerning the Data Subject or similarly significantly affects them.

This right does not apply to decisions necessary for entering into or performing a contract, decisions authorised by law, or decisions based on the Data Subject’s consent.