Protecting personal data is of utmost importance to Kawano Co., Ltd. (hereinafter referred to as “the Company”). This Personal Data Protection Policy (hereinafter referred to as “the Policy”) explains how Kawano Co., Ltd., as a data controller, collects and processes the personal data provided or disclosed to the Company. The Company also acts as a data controller when processing personal data received or obtained through third parties. The Company processes this personal data in accordance with applicable EU and EU Member States’ data protection regulations, particularly the General Data Protection Regulation No. 2016/679 (hereinafter referred to as “GDPR”).
This GDPR Policy is in addition to our “Privacy Policy” and specifically sets forth our policies regarding the EU’s General Data Protection Regulation.
Please review this policy. Do not provide personal data in cases in which there is a desire for the Company not to use personal data as described in this Policy. Please note that in such cases, the Company may not be able to provide its services, access or use certain website features may be inaccessible, and customer satisfaction level may be impacted.
The Company always processes personal data based on one of the legal grounds stipulated by the GDPR (Articles 6 and 7). Additionally, the Company processes sensitive data, such as labor union membership, religious beliefs, and health status, in compliance with the special criteria provided under the GDPR (Articles 9 and 10).
The Company may collect and process personal data for the purposes detailed below, which are necessary to pursue legitimate interests and to provide appropriate services and products:
Additionally, with prior explicit consent, the Company may collect and process personal data for the following purposes:
Please be aware that users are entitled to withdraw their consent at any time, without affecting the lawfulness of processing based on user consent before withdrawal thereof.
The Company will process your data for the above-specified, explicit and legitimate purposes, and will not further process the data in a manner incompatible with these purposes. If we intend to process personal data originally collected for one purpose in order to attain other purposes, the Company will ensure that users are informed of this. The Company retains personal data as long as it is necessary to comply with its legal obligations, to ensure the proper provision of services, and to maintain its business activities (Article 5 and 25(2) of the GDPR).
For the purposes specified in this Policy, the Company may collect the following categories of personal data:
If users decide to provide personal data to the Company (i.e., by filling out a form displayed on the website), it may obtain the personal data directly from users. Alternatively, the Company may obtain personal data indirectly when it is provided by users’ electronic communication device or internet browser. The Company ensures that the personal data processed is appropriate, relevant, and limited to what is necessary in relation to the purposes for which it is processed.
The Company may share users’ personal data with third parties in accordance with the GDPR. When sharing the data with data processors, the Company will establish an appropriate legal framework governing the transfer and processing of the data (Articles 26, 28, and 29 of the GDPR). Furthermore, if the Company shares personal data with organizations outside the EEA, we will ensure an appropriate legal framework is in place for such data transfer and processing, particularly the standard contractual clauses between controllers approved by the European Commission (2004/915/EC) and the standard contractual clauses between controllers and processors (2010/87/EU) (pursuant to Articles 44 and following of the GDPR).
With users’ prior consent, their personal data may be transferred to, stored by, and further processed by strategic partners who work with the Company to provide its products and services or support its marketing efforts to customers. The Company will only share users’ personal data with strategic partners when it is necessary to provide or improve its products, services, and advertisements.
The Company may share users’ personal data with companies that provide various services on its behalf, such as hosting, maintenance, support services, email services, marketing, auditing, order fulfillment, payment processing, data analysis, customer service, and customer surveys, as well as conducting customer satisfaction surveys.
The Company may share users’ personal data with all of its affiliates. In the event of a merger, corporate restructuring, acquisition, joint venture, transfer, spin-off, sale, or disposition of all or any portion of the Company’s business (including in connection with bankruptcy or similar proceedings), the Company may transfer any personal data to the relevant third party.
The Company may be required to disclose users’ personal data by law, legal process, litigation, and/or requests from public or governmental authorities within or outside users’ country of residence. The Company may also disclose the personal data if it determines that it is necessary or appropriate for national security, law enforcement, or other issues of public importance.
The Company may also disclose users’ personal data if it determines in good faith that disclosure is reasonably necessary to protect its rights, seek available remedies, enforce its terms of use, investigate fraud, or protect its operations or users.
The disclosures described above may include transferring users’ personal data from the European Union to the following countries: Japan (a country recognized by the EU as having an adequate level of data protection) and China (with application of appropriate protection measures). The list of countries to which data is transferred may change due to changes in the business environment.
Such transfers may be made for purposes such as personnel evaluation of employees, processing of salaries and reimbursement expenses, and interactions with business partners. For each of these transfers, the Company ensures an adequate level of protection for the data being transferred, particularly by concluding standard contractual clauses as set out in European Commission Decisions 2001/497/EC, 2002/16/EC, 2004/915/EC, and 2010/87/EU.
Whether the Company acts as a data controller or a data processor, it maintains records of all processing activities involving personal data in accordance with the obligations set forth in the GDPR (Article 30). In these records, the Company includes all the information necessary to comply with the GDPR and to cooperate with supervisory authorities as required under the GDPR (Article 31).
The Company processes users’ personal data in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing, accidental loss, destruction, or damage. To achieve this level of protection, the Company implements appropriate technical and organizational measures (as required by Article 25(1) and Article 32 of the GDPR).
Unless a longer retention period is required or permitted by law, the Company will retain users’ personal data only for as long as necessary to fulfill the purposes outlined in this Policy.
In the event of a security breach that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data subject to transfer, storage, or other processing, the Company has established mechanisms and guidelines to promptly detect and assess the nature of such breaches. Based on the results of its assessment, the Company will make the necessary notifications to the supervisory authority and inform affected data subjects, including users (in accordance with Articles 33 and 34 of the GDPR).
The Company has established mechanisms and guidelines to detect data processing activities that may result in high risks to users’ rights and freedoms (Article 35 of the GDPR). If such processing activities are detected, the Company will evaluate them internally and either halt the processing or ensure that appropriate technical and organizational measures are implemented to comply with the GDPR and continue the processing if necessary.
In case of doubts, the Company will contact the relevant data protection supervisory authority for advice and recommendations (Article 36 of the GDPR).
Users have the following rights regarding personal data collected and processed by the Company:
Please refer to the contact information section to exercise any of the above rights.
In case of dissatisfaction with the Company’s response to requests or complaints regarding the processing of personal data, users may lodge a complaint with the data protection supervisory authority.
The Company does not intentionally collect or process information about children under the age of 16 without parental permission and consent. If the Company discovers that it has directly collected and processed personal data of children under the age of 16 or below the minimum age required by GDPR in EU member states, the Company will take measures to promptly delete such information. If you become aware that a child under the age of 16 has provided personal information to the Company, please reach out immediately using the contact details provided in this policy.
The Company may provide hypertext links to third-party websites or internet sources from the website where this policy is published. The Company does not manage or have responsibility for the actual handling and content related to third-party personal data protection. Please carefully read the privacy policies of such third parties and review how they collect and process your personal data.
The Company may periodically revise or update this policy. Changes to this policy will become effective as soon as the revised version of the policy is posted. When making significant changes that the Company considers important, we will notify users through the website to the extent possible and, in some cases, may seek users’ consent.