GDPR – PRIVACY POLICY

1. Statement on Personal Data Protection

Protecting personal data is of utmost importance to Kawano Co., Ltd. (hereinafter referred to as “the Company”). This Personal Data Protection Policy (hereinafter referred to as “the Policy”) explains how Kawano Co., Ltd., as a data controller, collects and processes the personal data provided or disclosed to the Company. The Company also acts as a data controller when processing personal data received or obtained through third parties. The Company processes this personal data in accordance with applicable EU and EU Member States’ data protection regulations, particularly the General Data Protection Regulation No. 2016/679 (hereinafter referred to as “GDPR”).

This GDPR Policy is in addition to our “Privacy Policy” and specifically sets forth our policies regarding the EU’s General Data Protection Regulation.

Please review this policy. Do not provide personal data in cases in which there is a desire for the Company not to use personal data as described in this Policy. Please note that in such cases, the Company may not be able to provide its services, access or use certain website features may be inaccessible, and customer satisfaction level may be impacted.

2. Use of Personal Data

The Company always processes personal data based on one of the legal grounds stipulated by the GDPR (Articles 6 and 7). Additionally, the Company processes sensitive data, such as labor union membership, religious beliefs, and health status, in compliance with the special criteria provided under the GDPR (Articles 9 and 10).

The Company may collect and process personal data for the purposes detailed below, which are necessary to pursue legitimate interests and to provide appropriate services and products:

  • To ensure that site content is presented in the most effective manner.
  • To notify users about changes to our services.
  • To manage user accounts.
  • To provide products and services.
  • To notify users about our policies and terms.
  • To improve safety and security by monitoring fraud, investigating suspicious or potentially illegal activities, or violations of company policies and terms.
  • To provide, improve, and create products, services, and advertisements.
  • To use personal data for purposes such as data analysis, research, and audits.
  • To ensure business continuity.

Additionally, with prior explicit consent, the Company may collect and process personal data for the following purposes:

  • To provide information that may be of interest to you.
  • To enable participation in the interactive features of company services (if opted in by users).
  • To manage user subscriptions to newsletters.
  • To share personal data jointly with third parties (partner companies) that may provide information about their products or services.
  • To conduct business analysis.

Please be aware that users are entitled to withdraw their consent at any time, without affecting the lawfulness of processing based on user consent before withdrawal thereof.

The Company will process your data for the above-specified, explicit and legitimate purposes, and will not further process the data in a manner incompatible with these purposes. If we intend to process personal data originally collected for one purpose in order to attain other purposes, the Company will ensure that users are informed of this. The Company retains personal data as long as it is necessary to comply with its legal obligations, to ensure the proper provision of services, and to maintain its business activities (Article 5 and 25(2) of the GDPR).

3. Types of Personal Data in use

For the purposes specified in this Policy, the Company may collect the following categories of personal data:

  • Company Name
  • Name, Surname
  • Department
  • Phone Number (Personal/Business)
  • Email Address (Personal/Business)
  • Address (Personal/Business)

If users decide to provide personal data to the Company (i.e., by filling out a form displayed on the website), it may obtain the personal data directly from users. Alternatively, the Company may obtain personal data indirectly when it is provided by users’ electronic communication device or internet browser. The Company ensures that the personal data processed is appropriate, relevant, and limited to what is necessary in relation to the purposes for which it is processed.

4. Sharing of Personal Data

The Company may share users’ personal data with third parties in accordance with the GDPR. When sharing the data with data processors, the Company will establish an appropriate legal framework governing the transfer and processing of the data (Articles 26, 28, and 29 of the GDPR). Furthermore, if the Company shares personal data with organizations outside the EEA, we will ensure an appropriate legal framework is in place for such data transfer and processing, particularly the standard contractual clauses between controllers approved by the European Commission (2004/915/EC) and the standard contractual clauses between controllers and processors (2010/87/EU) (pursuant to Articles 44 and following of the GDPR).

Strategic Partners

With users’ prior consent, their personal data may be transferred to, stored by, and further processed by strategic partners who work with the Company to provide its products and services or support its marketing efforts to customers. The Company will only share users’ personal data with strategic partners when it is necessary to provide or improve its products, services, and advertisements.

Service Providers

The Company may share users’ personal data with companies that provide various services on its behalf, such as hosting, maintenance, support services, email services, marketing, auditing, order fulfillment, payment processing, data analysis, customer service, and customer surveys, as well as conducting customer satisfaction surveys.

Corporate Affiliates and Corporate Business Transactions

The Company may share users’ personal data with all of its affiliates. In the event of a merger, corporate restructuring, acquisition, joint venture, transfer, spin-off, sale, or disposition of all or any portion of the Company’s business (including in connection with bankruptcy or similar proceedings), the Company may transfer any personal data to the relevant third party.

Legal Compliance and Security

The Company may be required to disclose users’ personal data by law, legal process, litigation, and/or requests from public or governmental authorities within or outside users’ country of residence. The Company may also disclose the personal data if it determines that it is necessary or appropriate for national security, law enforcement, or other issues of public importance.

The Company may also disclose users’ personal data if it determines in good faith that disclosure is reasonably necessary to protect its rights, seek available remedies, enforce its terms of use, investigate fraud, or protect its operations or users.

Data Transfers

The disclosures described above may include transferring users’ personal data from the European Union to the following countries: Japan (a country recognized by the EU as having an adequate level of data protection) and China (with application of appropriate protection measures). The list of countries to which data is transferred may change due to changes in the business environment.

Such transfers may be made for purposes such as personnel evaluation of employees, processing of salaries and reimbursement expenses, and interactions with business partners. For each of these transfers, the Company ensures an adequate level of protection for the data being transferred, particularly by concluding standard contractual clauses as set out in European Commission Decisions 2001/497/EC, 2002/16/EC, 2004/915/EC, and 2010/87/EU.

5. Records of Data Processing

Whether the Company acts as a data controller or a data processor, it maintains records of all processing activities involving personal data in accordance with the obligations set forth in the GDPR (Article 30). In these records, the Company includes all the information necessary to comply with the GDPR and to cooperate with supervisory authorities as required under the GDPR (Article 31).

6. Security Measures

The Company processes users’ personal data in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing, accidental loss, destruction, or damage. To achieve this level of protection, the Company implements appropriate technical and organizational measures (as required by Article 25(1) and Article 32 of the GDPR).

Unless a longer retention period is required or permitted by law, the Company will retain users’ personal data only for as long as necessary to fulfill the purposes outlined in this Policy.

7. Notification of Data Breaches to the Competent Supervisory Authority

In the event of a security breach that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data subject to transfer, storage, or other processing, the Company has established mechanisms and guidelines to promptly detect and assess the nature of such breaches. Based on the results of its assessment, the Company will make the necessary notifications to the supervisory authority and inform affected data subjects, including users (in accordance with Articles 33 and 34 of the GDPR).

8. Processing that May Result in High Risks to users’ Rights and Freedoms

The Company has established mechanisms and guidelines to detect data processing activities that may result in high risks to users’ rights and freedoms (Article 35 of the GDPR). If such processing activities are detected, the Company will evaluate them internally and either halt the processing or ensure that appropriate technical and organizational measures are implemented to comply with the GDPR and continue the processing if necessary.

In case of doubts, the Company will contact the relevant data protection supervisory authority for advice and recommendations (Article 36 of the GDPR).

9. User Rights

Users have the following rights regarding personal data collected and processed by the Company:

  • Information about Data Processing: Users have the right to obtain all necessary information from the Company about the data processing activities concerning them (Articles 13 and 14 of the GDPR).
  • Access to Personal Data: Users can verify whether their personal data is being processed and, if so, access said personal data and related information (Article 15 of the GDPR).
  • Correction or Erasure of Personal Data: Users have the right to request the correction of inaccurate personal data without undue delay and to complete any incomplete personal data (Article 16 of the GDPR). Additionally, users may request the erasure of their personal data without undue delay if the requirements set forth by the GDPR are met (Article 17 of the GDPR).
  • Restriction of Data Processing: If the requirements of the GDPR are met, users have the right to request the restriction of the processing of their personal data (Article 18 of the GDPR).
  • Objection to Data Processing: If the requirements of the GDPR are met, users may object to the processing of their personal data at any time on grounds related to their particular situation (Article 21 of the GDPR).
  • Data Portability: If the requirements set forth by the GDPR are met, users have the right to receive their personal data in a structured, commonly used, and machine-readable format and to transfer such data to another data controller without hindrance from the Company (Article 20 of the GDPR).
  • Non-Subject to Automated Decision-Making: If the requirements set forth by the GDPR are met, users may have the right not to be subject to automated decision-making, including profiling, which has legal effects or significantly affects them (Article 22 of the GDPR).

Please refer to the contact information section to exercise any of the above rights.
In case of dissatisfaction with the Company’s response to requests or complaints regarding the processing of personal data, users may lodge a complaint with the data protection supervisory authority.

10. Children

The Company does not intentionally collect or process information about children under the age of 16 without parental permission and consent. If the Company discovers that it has directly collected and processed personal data of children under the age of 16 or below the minimum age required by GDPR in EU member states, the Company will take measures to promptly delete such information. If you become aware that a child under the age of 16 has provided personal information to the Company, please reach out immediately using the contact details provided in this policy.

11. Links to Other Sites

The Company may provide hypertext links to third-party websites or internet sources from the website where this policy is published. The Company does not manage or have responsibility for the actual handling and content related to third-party personal data protection. Please carefully read the privacy policies of such third parties and review how they collect and process your personal data.

12. Updates to This Policy

The Company may periodically revise or update this policy. Changes to this policy will become effective as soon as the revised version of the policy is posted. When making significant changes that the Company considers important, we will notify users through the website to the extent possible and, in some cases, may seek users’ consent.