Processing of Personal Data for Clients
This document (hereinafter, “the Document”) shall apply to Processor’s Processing of Personal Data (defined in Article 1) to which the General Data Protection Regulation (hereinafter, “GDPR”) applies, based on directions by the Company’s clients, Controller (defined in Article 1). The Document shall be effective within the scope of the Company’s contracts with Controller in regard to the Company’s business (hereinafter, “Contracts”). Contracts include, but are not limited to, service contracts. Scope of applications in the Document shall supersede those in GDPR.
Article 1 (Definitions)
The following terms in the Document have the meanings as defined below; provided, however, that the terms in Article 4 of GDPR shall apply when these terms are not defined in the Document.
- “Personal Data” means any information relating to an identified or identifiable natural person (hereinafter, “Data Subject”);
- “Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means;
- “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data;
- “Processor” means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller.
Article 2 (Related Parties’ Obligations)
1. The Company shall comply with the provisions and obligations in GDPR when the Company carries out Processing of Personal Data, and categories of Personal Data, categories of Data Subject, and the nature and purpose of Processing described in Attachment 1 shall fall within the scope of these provisions and obligations. The Company will carry out Processing only for the purposes described in Attachment 1.
2. When the Company processes Personal Data, the Company shall comply with obligations stipulated in the following items in accordance with Article 28, Item 3 in GDPR. The contract or the other legal act referred to in Article 2 in the Document shall be in writing, including in electronic form.
- The Company processes the Personal Data only on documented instructions from the Controller including items stipulated in Contracts or the Document, unless required to do so by European Union (hereinafter, “EU”) or EU Member State law to which the Processor is subject; in such a case, Processor shall inform Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;
- The Company ensures that the Company’s employees authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
- The Company takes all measures (appropriate technical and organizational measures) required pursuant to Article 32 in GDPR;
- The Company shall not engage another processor without prior specific or general written authorization of the Controller. In the case of general written authorization, Processor shall inform Controller of any intended changes concerning the addition or replacement of other processors, thereby giving the Controller the opportunity to object to such changes. Where Processor engages another processor for carrying out specific processing activities on behalf of Controller under aforesaid authorization, the same data protection obligations as set out in the contract or other legal act between the Controller and the Processor shall be imposed on that other processor by way of a contract or other legal act under EU or EU Member State law;
- Taking into account the nature of the processing, the Company assists Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III in GDPR;
- The Company assists Controller in ensuring compliance with the obligations pursuant to Article 32 (Security of processing), Article 33 (Notification of a Personal Data breach to the supervisory authority), Article 34 (Communication of a Personal Data breach to the data subject), Article 35 (Data protection impact assessment), and Article 36 (Prior consultation) in GDPR taking into account the nature of processing and the information available to the Processor;
- At the choice of Controller, the Company deletes or returns all the Personal Data to Controller in accordance with provisions stipulated in Contracts after the end of Contracts;
- The Company makes available to Controller all information necessary within a reasonable period subject to prior written notices by Clients, to demonstrate compliance with the obligations laid down in Article 28 in GDPR and allow for and contribute to audits, including inspections, conducted by Clients or another auditor mandated by Clients.
3. The Company cooperates with supervisory authorities in their activities related to the exercise of their powers under directions by Clients in regards to Processing of Personal Data.
4. In the case of a Personal Data breach, the Company shall without undue delay notify Clients of the matters stipulated in Article 33, Item 3 in GDPR. Also, the Company shall reasonably assist Controller to discharge obligations described in Article 33, Item 5 in GDPR.
Categories of Personal Data:
- Company name
- Company’s address
- Phone numbers
- Work numbers
- Work email addresses
- User accounts in software/system
- Online identifiers regarding IT network (IP Addresses, cookies, etc.)
- Email addresses, electronic files
- Work information or documents (Work files, etc.)
Categories of Data Subject:
- Clients’ shareholders, institutional investors, persons in charge of proxy voting
The nature and purpose of Processing:
- To provide services based on Contracts
Duration of Processing:
- Duration stipulated in Contracts