DATA PROTECTION POLICY OF ZEON CORPORATION
GDPR Version
Zeon Corporation
Zeon Corporation (the “Company”) and certain of its wholly or majority-owned entities
below (collectively, the “Group”),
Zeon Asia Pte. Ltd. (Singapore)
Zeon Chemicals Singapore Pte. Ltd. (Singapore)
ZS Elastomers Co., Ltd. (Japan)
Tokyo Zairyo Co., Ltd. (Japan)
RIMTEC Corporation (Japan)
Zeon Specialty Materials Inc. (USA)
Zeon Chemicals (Thailand) Co., Ltd. (Thailand)
Other ZEON Group Company (necessary for the performance of a contract) (Japan,
Singapore, Thailand, India, USA)
have a firm commitment to respect your privacy and the right to Personal Data under EU General
Data Protection Regulation (“GDPR”):
(i) if you are in the European Economic Area (“EEA”), or
(ii) if the processing of Personal Data is related to the activities of the Company’s subsidiaries
in the EEA
Thus, the Company publishes this Policy. A number of technical terms are defined in Annex
2 to this Policy. This Policy covers those issues of data protection for those other than the
current employees of the Group.
1. Your rights of Data Protection
The Group respect your rights to Personal Data (defined in Annex 2) as follows:
a. Access:
You have the right to request information on your Personal Data that we have
Processed and hold and information related to your rights, and to obtain a copy of
your stored Personal Data.
b. Accuracy and Rectification:
The Group seek to ensure that Personal Data are accurate, complete and kept up-
to-date to the extent reasonably necessary for the applicable Purposes. If the
Personal Data are incorrect, incomplete or not Processed in compliance with GDPR,
you have the right to have your Personal Data rectified, deleted or blocked (as
appropriate) by contacting the Company. (The contact details are specified in Paragraph
2 a.).
c. Right to be forgotten:
You have the right to obtain from the Group the erasure of your Personal Data
without undue delay unless the Group have legal obligation or find public interests or
other clear compelling or legitimate interest to maintain the Personal Data.
d. Right to restrict the Processing (GDPR§18/21)
Under certain conditions, you have the right to request that processing be limited.
The requirements are:
The accuracy of your Personal Data is contested by you and the Group must
verify the accuracy of the Personal Data;
The processing is unlawful, but you oppose the erasure of the Personal Data and
request the restriction of their use instead;
The Group no longer need the Personal Data for the purposes of processing, but
you require the Personal Data to establish, exercise or defend your legal claims;
You have objected to processing pending the verification of whether the
legitimate grounds of the Group override your legitimate interests;
e. Right to object to Processing (GDPR§21):
You have the right to object to the processing of your Personal Data on grounds
relating to your particular situation if the Group process your Personal Data on
grounds of legitimate interests or in the public interest. Insofar as the Group base
the processing of your Personal Data on a balancing of interests, the Group generally
assume that the Group can demonstrate compelling legitimate ground but will, of
course, examine in each individual case. In the event of an objection, the Group will
no longer process your Personal Data, unless the Group can demonstrate compelling
legitimate grounds for the processing of these Personal Data that override your
interests, rights and freedoms, or your Personal Data serves the establishment,
exercise or defense of legal claims. In addition, you have an unrestricted right to
object if the Group process your Personal Data for the Group’s direct marketing
purposes.
f. Right to object to automated individual decision-making, including profiling
(GDPR§22)
You have the right not to be subject to a decision based solely on automated
Processing, including profiling, which produces legal effects on you or similarly
significantly affects you unless the decision is:
necessary for entering into, or performance of, a contract between you and the
Group;
authorized by European Union or Member State law to which the Group are
subject and which also lays down suitable measures to safeguard your rights and
freedoms and legitimate interests; or
based on your explicit Consent.
g. Right to data portability (GDPR§20)
You have the right to receive your Personal Data, which you have provided to the
Group, in a structured, commonly used and machine-readable format and have the
right to transmit those Personal Data to another company without hindrance from the
Group to which you have provided, where:
the Processing is based on Consent or on a contract; and
the Processing is carried out by automated means.
h. Right to lodge a complaint with a supervisory authority
You have the right to lodge a complaint with a supervisory authority.
2. Details of the Processing of Your Personal Data
a. Controller:
ZEON CORPORATION
1-6-2 Marunouchi, Chiyoda-ku, Tokyo 100-8246, Japan
The contact address for GDPR in respect of all of the Group companies in the above
box is as follows;
The Controller’s representative: (See the web-site of the Company)
Phone number: +81-3-3216-1772 (Monday to Friday, (except public holidays) 9am-
5pm in Japanese time)
FAX: +81-3-3216-0501
E-mail address: kojinj[email protected]
b. Data Protection Officer:
Not applicable (except for Zeon Europe GmbH; see their web-site)
c. Unless otherwise notified, the Purposes for which Processing of the Personal Data
are intended as well as the legal basis for the Processing are as follows:
i. If you are a customer, or a potential customer;
Purposes: The Purposes are conventional marketing and electronic dissemination
of the Group’s products, technology, events and other business opportunities,
customer services and those listed in Annex 1(a).
Legal basis: The legal basis is as follows:
1 “Legitimate interests”. The Group will make best efforts to maintain good
balance between the legitimate interests and the right to privacy; or
2 performance of contract to which a customer or a potential customer is party
or in order to take steps at the request of the customer or the potential
customer before entering into the contract.
ii. If you are a supplier or a potential supplier
Purposes: The Purposes are to assess quality and the fitness of your products
and services in relation to our Company business
Legal basis: The legal basis is as follows:
1 “Legitimate interests”. The Group will make best efforts to maintain good
balance between the legitimate interests and the right to privacy; or
2 performance of contract to which a supplier or a potential supplier is party
or in order to take steps at the request of the supplier or the potential
supplier before entering into the contract.
iii. If you are an applicant for employment at our Group company:
Purposes: The Purposes are to evaluate your talent, fitness to the job and
potential disadvantages and to compare them with other candidates.
Legal basis: The legal basis is as follows:
1 it is necessary for the hiring decision; or
2 Consent. See the web-site of Zeon Europe GmbH or each of other Group
Companies concerned in respect of the applicants for employment at Zeon
Europe GmbH or each of other Group Companies concerned.
d. The categories of Personal Data:
The categories of Personal Data to be Processed are as follows:
i. If you are a customer, a potential customer, a supplier, or a potential supplier,
the information on your business card and the information contained in your e-
mails as well as such information as listed in Annex 1.a.
ii. In case of the applicants for employment, the information in Annex 1.b. or a part
of it.
e. The recipients or categories of recipients of Personal Data, if any are as follows:
i. If you are a customer, or a potential customer, the recipients will be our sales
representatives, their supervisors (including directors) and assistants as well as
our distributors (including trading companies and agents).
ii. If you are a supplier or a potential supplier, the recipients will be our employees,
their supervisors (including directors) and assistants in the purchasing
departments and any administrative departments as well as our distributors
(including trading companies and agents).
iii. If you are an applicant for employment: the recipients will be our employees and
their supervisors (including directors) in the HR departments and any
administrative departments as well as the departments to which the applicant
may be assigned.
f. The fact that the Group intends to transfer Personal Data to a third country outside
the EEA:
The Personal Data collected may be transferred to the following recipients or
categories of recipients. The transfer is justified by the Data Transfer Agreement in
the Standard Contractual Clause (so called “SCC”) published by the European
Commission. You can obtain a copy of the Clause agreed upon or applicable from the
contact described in 2.a., in order to be sure that you have an adequate level of
protection.
The purposes of the transfer:
i. If you are a customer, or a potential customer, for marketing and advertisement,
the transfer is necessary to know the needs of the customers, to develop,
manufacture the products they would like and to make various practical
arrangements for transactions and promotion.
ii. If you are a supplier or a potential supplier, such transfer may be necessary to
out-source goods or services.
iii. If you are an applicant for employment, such transfer may be necessary for hiring
decision, globalized talent management and cost-and-productivity analysis.
The European Commission has not decided that the countries, territories or
organizations of the following recipients ensure an adequate level of protection.
The justification for such transfer is the Standard Contractual Clauses (SCC) that
the European Commission published in its Official Journal. Further, the Group make
best efforts to ensure that the following recipients Process Personal Data at a
level comparable or similar to that under GDPR:
Zeon Asia Pte. Ltd. (Singapore)
Zeon Chemicals Singapore Pte. Ltd. (Singapore)
ZS Elastomers Co., Ltd. (Japan)
Tokyo Zairyo Co., Ltd. (Japan)
RIMTEC Corporation (Japan)
Zeon Specialty Materials Inc. (USA)
Zeon Chemicals (Thailand) Co., Ltd. (Thailand)
Other Zeon group company (necessary for the performance of a contract that
are located in Japan, Singapore, Thailand, India and USA)
Carrier and transport and logistic companies (including postal and courier
service providers) and insurance companies related to the exportation of goods
The Group’s distributors (including trading companies) and agents.
Government (Japan)
g. The period for which Personal Data will be stored:
Following the requirement that the Processing of Personal Data shall be adequate,
relevant and limited to what is necessary for achieving the purpose (Art. 5(1)(c)
GDPR, Preamble (78)), the Group will retain Personal Data for the period required to
serve the applicable Purpose and for the period:
required by law, courts or authorities including applicable legal hold and litigation
document preservation requirements, or by contracts and agreements;
as advisable in light of an applicable requirement to acquire or preserve
intellectual property rights or other rights or privilege of the Data Subject, our
Group or a third party;
as necessary to acquire or preserve legitimate interests of the Data Subject, the
Group or a third party;
as advisable in light of an applicable statute of limitations;
regarding employees, the period of the employment and 3 years afterwards, and
regarding candidates who were not hired, 6 months after the decision on the
hiring; or
not more than 10 years and to the extent necessary in respect of Personal Data
contained or attached to any accounting documents;
Unless the Controller’s representative decides otherwise, promptly after the
applicable retention period has ended, the relevant Personal Data will be:
1 securely deleted or destroyed;
2 anonymized; or
3 set to Archived.
Our Group shall erase Personal Data after 10 years as they are presumed to have
become unnecessary unless otherwise demonstrated.
h. Where the Processing is based on the legitimate interests pursued by the Controller
or by a third party, what the legitimate interest is. If the Controller or a third party
process on the basis of “legitimate interest” it shall notify it to the data subject.
See above 2.c. and below.
In case of a customer or potential customer, the grounds for Processing are
“legitimate purposes” or performance of the contract (or request before contract).
In case of a supplier or a potential supplier, the grounds for Processing are “legitimate
purposes” or performance of the contract (or request before contract).
The purposes of the Processing are as follows:
i. If you are a customer or a potential customer: conventional direct marketing and
other forms of marketing and advertisement including dissemination of
information on products, services, promotion, campaign, events and other
business by email transmission, meetings and telephone calls.
ii. If you are a supplier or potential supplier, it is a legitimate interest of the Group
to assess quality of and the fitness of your products and services in relation to
our Group’s business.
i. You have the right to withdraw your Consent, if any, at any time. Please note that
the withdrawal applies prospectively only. Processing that occurred before the
withdrawal of consent is unaffected.
j. You will be informed of the following: whether the provision of Personal Data is a
statutory or contractual requirement, or a requirement necessary to enter into a
contract, as well as whether you are obliged to provide the Personal Data and of the
possible consequences of failure to provide such Personal Data;
k. The Group currently have no profiling or automated decision making in respect of a
customer, potential customer, supplier or potential supplier, or applicants for
employment.
l. Where your Personal Data are collected directly or indirectly through a third party,
the Group shall, within a reasonable period after the collection, provide you with the
whole information listed in 2.a. through 2.k. and, regarding indirect acquisition, the
categories of Personal Data and the source from which person or company the
Personal Data originate (GDPR§14). (The information on legal basis under GDPR is
given in the next Paragraph 4.)
3. List of Personal Data to be collected
The Group may be led to Process various kinds of Personal Data of customer, potential
customer, supplier, potential supplier as well as employee candidate for a range of
purposes. See above and Annex 1.a./1.b. These categories of Personal Data thus
Processed and the Purposes for which they are Processed are described above or in Annex
1.a./1.b.
4. Grounds for Processing
The Group "Processes" "Personal Data" only if one of the following six conditions under
GDPR is met.
a. You have given Consent to the Processing of your Personal Data for one or more
specific purposes.
b. Processing is necessary for the performance of a contract to which you are the party
or in order to take steps at your request prior to entering into a contract;
c. Processing is necessary for compliance with a legal obligation to which the Group is
subject;
d. Processing is necessary in order to protect the vital interests of you or of another
natural person;
e. Processing is necessary for the performance of a task carried out in the public interest
or in the exercise of official authority vested in the Group;
f. Processing is necessary for the purposes of the "legitimate interests" pursued by the
Group or by a third party, except where such interests are overridden by your
interests or fundamental rights and freedoms.
5. Sensitive Personal Data (GDPR§9)
The Group shall Process Sensitive Personal Data (defined in Annex 2) only to the extent
necessary to serve the applicable Purpose and according to GDPR requirements.
6. Data security, Minimization, Transparency and Compliance
Taking into account the nature, scope, context and purposes of Processing as well as
the risks of varying likelihood and severity for the rights and freedoms, the Group shall
implement appropriate technical and organizational measures to ensure and to
demonstrate that Processing is performed in accordance with GDPR. Those measures shall
be reviewed and updated where necessary (GDPR§24(1)).
Where Processing is to be carried out on behalf of the Group, the Group shall use only
Processors providing sufficient guarantees to implement appropriate technical and
organizational measures in such a manner that Processing will meet the requirements of
GDPR and ensure the protection of the rights of the Data Subject (GDPR§28(1)).
ANNEX 1 (a):
CATEGORIES OF PERSONAL DATA RELATED TO CUSTOMERS, POTENTIAL
CUSTOMERS, SUPPLIERS AND POTENTIAL SUPPLIERS
PURPOSES:
CUSTOMERS, POTENTIAL CUSTOMERS, SUPPLIERS AND POTENTIAL SUPPLIERS
Purposes | Details
Statistics | Sales statistics: breakdown of sales by customer, by product, by geographical market, etc.
Analysis of Sales | Analysis of customer preference, their proposals, complaints, records of any settlements for complaints, statistical analysis
Servicing | Records of repairs and replacement for free guarantee and costs; paid servicing and their profit and loss analysis
Marketing Planning | Evaluation of various customers, expectation of sales growth, focusing of certain customers, certain product lines, and making promotional planning
Strategy | Promotional campaign, sales technics, entertainment
Development | Development of new product; new customer development
Categories and classification of Personal Data:
The following categories of Personal Data will be Processed:
Categories of Personal Data | Details
Information on Data Subject | Name, working address, telephone and mobile numbers, e-mail address, date of birth, gender, language, country of residence, time zone, user password, hobbies and preferences, smoking habit
Products purchased | Product code number(s), date or period of purchases, cumulated purchases during the fiscal year
Sales Conditions | Payment conditions, delivery conditions, prices and discount agreement, rebate practice
History | Start of purchases, records of repairs, records of complaints, IP address, Web-site, automatically collected by browser cookies, proposal
ANNEX 1 (b):
CATEGORIES OF CANDIDATE DATA PROCESSED, AND PURPOSES OF PROCESSING
PURPOSES:
1. Hiring procedures and decision
a. Head-counting and recruiting planning
b. Selection of category of personnel to be employed
c. Possibility of temporary or interim employees
d. Evaluation of applicants
2. Staff-related administration:
a. Application of employment and labour law
b. Preparation of employment contract
c. Application of the Work Regulations
d. Filing requirement
The Purposes applicable to each category of Personal Data
Categories of Personal Data | Purposes
Personal identification data: name, addresses, telephone numbers, passport number, etc. | 2.a.
Age, sex, date of birth, place of birth, citizenship, visa details, etc. | 2.a., 2.b.
Financial data: bank account numbers, insurance, revenue & income, etc. | 1.a., 1.b.
Personal characteristics: | 1.b., 1.c.
Family: marital status, cohabitation, spouse/partner name, children, parents, etc. | 1.b., 1.c., 2.a., 2.b.
Housing: Address, kind of housing, length of stay in housing | 1.b., 2.b.
Health-related data: physical health, psychological health, risk-inducing behaviour & situations, treatment data. Records of sick leave, medical certificates or diagnosis, medical examinations and the results. | 1.b., 1.d., 2.a., 2.b.
Education: studies curriculum, financial history of studies, qualifications, professional experience, publications, etc. | 1.d., 2.a., 2.b.
Profession & employment: current employment, function, task description, recruitment data, data on end of employment, career data, salary, work management & organisation, security (passwords & passcodes, security level), data on use of computer resources, etc. | 1.d., 2.a.
National identification number & social security number | 2.a., 2.b.
Image recordings: photos, videos (e.g. CCTV) | 1.d.
Annex 2
DEFINITIONS
‘Personal Data’ means any information relating to an identified or identifiable natural person
(“Data Subject”); an identifiable natural person is one who can be identified, directly or
indirectly, in particular by reference to an identifier such as a name, an identification number,
location data, online identifiers, or to one or more factors specific to the physical,
physiological, genetic, mental, economic, cultural or social identity of
the natural person;
‘Processing’ means any operation or set of operations which is performed on Personal Data
or on sets of Personal Data, whether or not by automated means, such as collection, recording,
organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use,
disclosure by transmission, dissemination or otherwise making available, alignment or
combination, restriction, erasure or destruction;
‘Restriction of Processing’ means the marking of stored Personal Data with the aim of limiting
their Processing in the future;
‘Profiling’ means any form of automated Processing of Personal Data consisting of the use of
Personal Data to evaluate certain personal aspects relating to a natural person, in particular
to analyse or predict aspects concerning that natural person's performance at work, economic
situation, health, personal preferences, interests, reliability, behaviour, location or movements;
‘Filing system’ means any structured set of Personal Data which are accessible according to
specific criteria, whether centralised, decentralised or dispersed on a functional or geographical
basis;
‘Controller’ means the natural or legal person, public authority, agency or other body which,
alone or jointly with others, determines the purposes and means of the Processing of Personal
Data; where the purposes and means of such Processing are determined by Union or Member
State law, the Controller or the specific criteria for its nomination may be provided for by
Union or Member State law;
‘Consent’ of the Data Subject means any freely given, specific, informed and unambiguous
indication of the Data Subject's wishes by which he or she, by a statement or by a clear
affirmative action, signifies agreement to the Processing of Personal Data relating to him or
her;
"Archive" means a collection of Personal Data that are no longer necessary to achieve the
Purposes for which the Employee Data originally were collected or that are no longer used for
general business activities, but are used only for historical, scientific or statistical purposes,
dispute resolution, investigations or general archiving purposes after having pseudonymised or
set that is subject to appropriately enhanced security and has restricted access (e.g., only by
the system administrator and the Data Protection Officer, );
"GDPR" means REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF
THE COUNCIL OF 27 April 2016 on the protection of Personal Data and on the free
movement of such data, and repealing Directive 95/46/EC.
"Data Protection Officer" means the officer appointed to the extent the Group satisfies the
conditions under Article 37 of GDPR or Article 38 of German Act to Adapt Data Protection
Law to GDPR.
"Purpose(s)" means the purposes for Processing that are set out in Annexes 1.a. and 1.b.
hereto or that was communicated to the Data Subject;
"Sensitive Personal Data" means as provided for in Article 9 of GDPR Personal Data as the
Special Categories of Personal Data revealing racial or ethnic origin, political opinions, religious
or philosophical beliefs, or trade union membership, and the Processing of genetic data,
biometric data for the purpose of uniquely identifying a natural person, data concerning health
or data concerning a natural person's sex life or sexual orientation as well as Criminal
information;