Privacy Policy

Effective Date: [Aug] [17], 2023

Your privacy is important to Hyundai Motor Company, its subsidiaries and affiliates (collectively, “Hyundai” “we,” “us,” or “our”), and we are committed to protecting any Personal Data that we may collect and/or otherwise process as part of our business activities.

This Privacy Policy (“Privacy Policy”) applies to our processing of Personal Data that we may potentially collect when creating videos of public traffic and collecting related sensor data using recording vehicles for the purpose of training, developing, enhancing and operating our advanced driver assistance systems, automated driving functions, and other services. “Personal Data” means any information that relates to an identified or identifiable person (the “Data Subject”), e.g., license plates and video images showing physical characteristics of an individual.

After collecting videos of public traffic and related sensor data, we promptly process the data using software which seeks to remove any information which could identify a person (the “Anonymisation Software”). Further details of this process are provided in Section 2 of this Privacy Policy. However we do still process Personal Data under this Privacy Policy in three situations:

We process personal data prior to using this software, and in applying the Anonymisation Software to the data.
On rare occasions the Anonymisation Software may miss, or fail to fully obscure, a piece of identifying information.
In certain circumstances, a person could still be identified despite details being obscured, for example if they own an exceptionally unique car.

This Privacy Policy describes how we collect, use, and share your Personal Data in these three situations described above, as well as your rights, as applicable, regarding such data.

1. What Personal Data Do We Collect?

We use recording vehicles distinctively marked with stickers (i.e., a camera symbol) and signage and equipped with special recording and sensor technology (e.g., cameras, sensors, measuring equipment) to make video recordings of public traffic and collect related sensor data such as GPS information. The video recordings and other collected information (together the “Recordings”) may include, for example, the following Personal Data:

Faces, other characteristics, behaviour and surroundings of traffic participants and individuals in the vicinity of our recording vehicles;
License plates, lettering, other characteristics and surroundings of vehicles in the vicinity of our recording vehicles;
Numbers, text, other characteristics and surroundings of private houses and buildings in the vicinity of our recording vehicles;
Other information in the vicinity of our recording vehicles that is captured by the technology equipped on the recording vehicles;
GPS location information of the above data; and
Timestamps of the collection of the above data.

2. How Do We Use Your Personal Data?

To minimise the processing of Personal Data and protect Data Subjects, as the first step after creating the Recordings we blur out (i.e., make unrecognisable) faces, license plates and other similar information which clearly identify an individual person using our Anonymisation Software. Such blurring cannot be reversed.

Once this is done, the Recordings modified in this way will still be used for the purposes described below. The unblurred recordings are deleted after this modification and are not shared with any other third parties beyond those necessary for collection and anonymisation of the Recordings.

In the vast majority of cases, this modification renders the collected data anonymous. It provides a strong protection for the Data Subjects, while furthering our aim to minimize as much as possible the amount and intensity of the Personal Data remaining in the Recordings in line with the principles of data minimization and privacy by design prescribed under applicable data protection laws, in particular, the General Data Protection Regulation (EU) 2016/679 (“GDPR”).

However, as noted above, we cannot exclude that the Recordings may still contain information which allow an identification. This can be, for example, because certain non-blurred data could still exceptionally be considered personal data under the GDPR due to its unique characteristics (e.g., a unique car), or because of a failure of the blurring process (which should not occur under normal circumstances, but unfortunately, software failures can never be totally excluded). The Recordings, therefore, may potentially still include certain Personal Data.

Following the modifications by our Anonymisation Software, we use the Recordings (including any Personal Data remaining in them) to train, develop, enhance, and operate our advanced driver assistance systems, automated driving functions, and other similar services. These services require video recordings of public traffic and its surroundings, such as cars, streets and the environment of the streets (which may include private houses and buildings), to simulate real traffic and environment conditions. In particular, the data is used to improve the accuracy of these systems and services at identifying traffic participants such as other vehicles and pedestrians, as well as road signs and traffic surroundings. Also, related sensor information such as GPS location is needed during the operation of these systems and services to improve the detection of certain traffic objects such as road signs or traffic surroundings.

We use the Recordings only for the above stated purposes. We do not process any Personal Data to identify you or other individuals that the data might relate to, and we minimise the collection and processing of Personal Data as much as possible (see Section 5 for further details). We do not process your Personal Data for the purpose of automated decision making or profiling.

3. How Do We Share Your Personal Data?

Prior to processing with our Anonymisation Software, your Personal Data may be shared with:

Service providers and suppliers: Personal Data may be shared with a service provider (i.e., a company serving as a processor) whom we engage for driving the recording vehicles and creating the Recordings, and a service provider who will apply the anonymisation process. Both of these are performed on our behalf and under our instructions. We may also share Personal Data with our hosting service providers who provide us with infrastructure and platform services, computing capacity, disk space, and database services. These entities are contractually required to use the Personal Data we disclose exclusively to provide their respective services and not for their own independent purposes.

Following anonymisation, we share the Recordings with the following further entities, with this sharing falling under this Privacy Policy if the Recordings still contain any Personal Data:

Our corporate group: Your Personal Data may be shared with Hyundai subsidiaries and affiliates located in your country or region for operational purposes.
Service providers and suppliers: Your Personal Data may be shared with a broader range of vendors, service providers, suppliers, contractors, or agents who use such data in order to perform certain functions on our behalf.
Business Partners: We may share the Recordings, which may contain Personal Data, with our business partners to cooperate in research and development efforts in the field of highly and fully automated driving.
Business transfers: We may disclose and transfer the Recordings, which may contain Personal Data, as part of any merger, acquisition, financing, sale of company assets or interests in the company, or in the case of insolvency, bankruptcy, or receivership, including during negotiations related to such business transfers.
Protecting rights and interests: We may disclose your Personal Data to protect or defend the safety, rights, property, or security of Hyundai, third parties, or the general public, including to detect, prevent, or otherwise address security or technical issues or other activity which we, in our sole discretion, consider to be, or to pose a risk of being, illegal, unethical, or legally actionable activity.
Courts, government authorities or entities: We may disclose your Personal Data contained in (parts of) the Recordings in accordance with applicable law to comply with applicable legal or regulatory obligations, including as part of a judicial proceeding, in response to a subpoena, warrant, court order, or other legal process, or to cooperate with investigations or lawful requests, whether formal or informal, from courts, government authorities or entities (such disclosures would be based on Article 6, paragraph 1, lit. c GDPR).

4. What Are Our Legal Bases For Processing Your Personal Data?

Our processing of your Personal Data as described under this Privacy Policy is based on our legitimate interests to develop, train, and operate our advanced driver assistance systems, automated driving functions, and other services; provided these interests are not outweighed by your interests or fundamental rights and freedoms (Article 6, paragraph 1, lit. f GDPR).

We protect your interest as a Data Subject by not processing your Personal Data for identification purposes and by implementing technical and organisational measures that ensure that all relevant processing operations are compliant with applicable data protection law.

5. How Do We Protect Your Personal Data?

We take the protection of your Personal Data very seriously and maintain security policies, procedures, tools, and other technical and organisational measures to ensure an adequate level of protection.

In particular, we implement various measures to comply with the GDPR principles of data minimisation and privacy by design. This includes, among other measures:

Blurring faces and license plates with our state-of-the-art Anonymisation Software;
Narrowing the camera angle of our recording vehicles as far as possible for the purposes we are pursuing; and
Ensuring that no recordings are made outside of traffic, for example when the recording vehicle is only parked.

6. How Long Do We Keep Your Personal Data?

Unblurred recordings are immediately deleted after our Anonymisation Software has blurred faces, license plates and other similar information which clearly identify an individual person.

After processing with the Anonymisation Software, Recordings will only be retained for as long as it is necessary to achieve the purposes stated in this Privacy Policy, unless longer retention is required or allowed by applicable law. In some cases, legal provisions under applicable law (e.g., product liability law) may lead to longer retention periods where we are legally obligated or it is our legitimate interest (e.g., if we need to hold on to the Recordings to defend ourselves against potential product liability claims) to retain the Personal Data for a longer period.

7. Your Rights and Choices

As a resident in EEA, the UK, or Switzerland, you may have certain rights with respect to Your Personal Data under the GDPR and/or other applicable data protection laws, such as the following:

You can request access to or erasure of your Personal Data; and
You can object to, or obtain a restriction of, the processing of your Personal Data under certain circumstances.

These rights only apply if we currently hold a copy of your Personal Data at the time of the request (i.e. for as long as it has not been successfully anonymised).

Further, because the nature of our processing does not require the identification of individuals, we are not obligated to maintain identification information, and thus we may be unable to retrieve images of recorded persons without additional information. Your data subject rights may only apply if you are able to provide us with additional information, such as location and time of recording, that would sufficiently enable us to clearly identify you in the Recordings.

Please note that these rights are subject to certain limitations where we may continue to retain and use your Personal Data to the extent necessary to comply with our legal obligations or based on applicable legal bases.

The right to data portability and right to rectification are not applicable due to the nature of the Personal Data that we process.

You can exercise your data subject right by contacting us using the details stated in Section 11. We will endeavor to respond to your requests in the time periods required by applicable laws. We may request certain information from you to verify your identity before responding to a request.

If you are a European Union resident, you also have the right to lodge a complaint with a supervisory authority of the European Member state in which you reside. If you are a resident of the United Kingdom, you can submit a complaint to the Information Commissioner Office (see https://ico.org.uk/make-a-complaint/). However, we encourage you to first contact us with any questions or concerns.

8. International Data Transfers

We do not transfer to South Korea the Recordings prior to processing with the Anonymisation Software. Therefore, the majority of the Personal Data we process is not transferred outside the EU/UK.

Following processing with the Anonymisation Software, we transfer the Recordings to our headquarters in South Korea to process the data for the purposes set out in this Privacy Policy. To the extent that these Recordings contain Personal Data, the applicable data protection laws in South Korea ensure a level of data protection equivalent to that under the GDPR, and its adequacy has been recognized by the European Commission and the UK Government in adequacy decisions pursuant to Article 45 GDPR.

We may also share the Recordings with entities as described in Section 3, which may be located outside your country of residence. To the extent such Recordings contain Personal Data and the data is transferred to a country outside of the EEA, the UK, or Switzerland, we ensure that this occurs only if the adequacy of the level of data protection in that country has been confirmed by the European Commission and the UK and Swiss Governments in accordance with Article 45 GDPR (or local equivalent), based on the applicable standard contractual clauses, or if it has otherwise been ensured that the level of protection afforded to data at the recipient’s end is adequate.

9. Do We Collect Personal Data of Children?

We do not intentionally or knowingly collect Personal Data of children under the age of sixteen (16). However, the recording technology that we use does not have the capabilities to distinguish between persons who are under or above the age of sixteen (16). Therefore, Recordings may include Personal Data of children, i.e., faces, and unfortunately, this cannot be avoided. However, as detailed in Section 2, we make every effort to ensure faces and similar information which clearly identify individual persons are irrevocably blurred before any further processing of the Recordings takes place.

10. Changes to this Privacy Policy

Hyundai reserves the right to change this Privacy Policy at any time to reflect changes in our business activities with respect to the Recordings or changes in the applicable data protection laws. Hyundai will use, share, and disclose all Personal Data in accordance with the Privacy Policy in effect at the time the data is collected.

11. Contact Us

The controller (having both UK & EU establishments) of your Personal Data is Hyundai Motor Company [Address: 12, Heolleung-ro, Seocho-gu, Seoul, South Korea].

Please contact us at [h-privacy@hyundai.com] if you wish to exercise your data subject right or have any questions about this Privacy Policy. You may also contact our data protection officer: [Sanghong Lee].

When you contact us, we will store Personal Data that you provide to us (e.g., your e-mail address, name and telephone number, if applicable) to answer your questions or process your request. We delete the data collected in this context after the storage is no longer necessary, unless we are prohibited from doing so pursuant to legal retention obligations.