Exhibit: EEA (European Economic Area) and UK
Enacted July 21, 2023
This Exhibit applies to Data Subjects located or residing in the EEA (European Economic Area) and the UK to which the General Data Protection Regulation 2016/679 (the GDPR) and the GDPR as it is incorporated into UK law by the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (EU Exit) Regulations 2019 (the UK GDPR) (hereinafter the GDPR and the UK GDPR shall collectively be referred to as the “GDPR”) are applicable.
In providing our services to Data Subjects, we bear responsibility for processing personal information (in this Exhibit “personal information” means the same as “personal data” as defined within the GDPR) about these Data Subjects In doing so, we shall comply with the General Data Protection Regulation as enacted in the European Union or the UK.
1.Purpose and legal basis for processing personal information
We process the personal information of Data Subjects for the purposes listed in the table below and based on one or more of the following legal bases:
- ・Contractual obligation: Necessary for the performance of a contract with our Data Subjects or in order to take steps prior to entering into such contract. (GDPR Article 6(1)(b) GDPR).
- ・Legal obligations: Necessary for compliance with a legal obligation to which we are subject (GDPR Article 6(1)(c))
- ・Legitimate interests: Necessary for the purposes of the legitimate interests pursued by the controller or by a third party (except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Subjects which require protection of personal information) (GDPR Article 6(1)(f))
- ・Consent: Data Subjects have given consent to the processing of their personal information for one or more specific purposes (GDPR Article 6(1)(a))
In exceptional cases, we may also process your data in order to protect your vital interests or those of other individuals (GDPR Article 6(1)(d)) or where this is necessary for the performance of a public task (GDPR Article 6(1)(e)).
1. Service subscribers
# | Purpose for processing | Categories of personal information processed | Legal basis |
---|---|---|---|
1 | To process contracts and introduce services | Contact data, contract data | Contractual obligation, legitimate interest |
2 | To respond to inquiries | Contact data, contract data, inquiry data | Contractual obligation, Legitimate interests |
3 | To maintain/improve business operations and quality | Contact data, contract data, inquiry data | Legitimate interests |
4 | To provide information related contracts, services, etc. | Contact data, contract data, inquiry data | Contractual obligation, Legitimate interests |
5 | To send email newsletters, etc. | Contact data, contract data, inquiry data | Consent, Legitimate interests |
6 | To detect and prevent fraud in contract processing, provision of services, etc. | Contact data, contract data, inquiry data, Payment data, technical data | Legitimate interests, legal obligations |
2. Credit card and other users
# | Purpose for processing | Categories of personal information processed | Legal basis |
---|---|---|---|
1 | To execute payment processing | Payment data | Contractual obligation |
2 | To maintain/improve business operations and quality | Payment data | Legitimate interests |
3 | To detect and prevent fraudulent payment processing, etc. | Payment data | Legitimate interests |
3. Partners
# | Purpose for processing | Categories of personal information processed | Legal basis |
---|---|---|---|
1 | To conclude partner contracts | Contact data | Contractual obligation, legitimate interest |
2 | To respond to inquiries | Contact data, inquiry data | Contractual obligation, Legitimate interests |
3 | To send email newsletters, etc. | Contact data | Consent, Legitimate interests |
4 | To maintain/improve business operations and quality | Contact data, inquiry data | Legitimate interests |
5 | To detect and prevent fraud in contract processing, partner operations, etc. | Contact data, technical data | Legitimate interests, legal obligations |
4. Website users
# | Purpose for processing | Categories of personal information processed | Legal basis |
---|---|---|---|
1 | To respond to inquiries by online form or phone | Contact data, inquiry data | Contractual obligation, Legitimate interests |
2 | To send email newsletters, etc. | Contact data, inquiry data | Consent, Legitimate interests |
3 | To detect and prevent fraudulent use of our website | Contact data, inquiry data | Legitimate interests |
4 | To improve quality through surveys on the use of our website, etc. | Technical data, behavioral data | Consent *Cookie settings can be changed via the link below with regard to cookies that are not necessarily required for the provision of our website. |
5 | Delivery of targeted advertisements, etc. | Behavioral data | Consent *Cookie settings can be changed via the link below with regard to the use of cookies for advertising purposes. |
2.Data transfer outside of the EEA and the UK
Should we transfer personal information of Data Subjects outside of the EEA and the UK to the extent necessary for the purposes outlined above, we will ensure the protection of personal information by transferring it to Japan that provides an adequate level of data protection as recognized by the European Commission or UK government, or by entering into a contract with a transferee using the standard contractual clauses. For details, please contact us using the contact details listed in Section 9.
3.Rights of Data Subjects
Data Subjects retain the following rights with respect to their personal information processed by us.
--he right to withdraw consent: Customers, partners etc, have the right to withdraw the given consent to the processing of their personal data at any time without affecting the lawfulness of processing based on consent before its withdrawal (GDPR Article 7(3)).
--Information regarding personal information processing: Data Subjects have the right to obtain all necessary information regarding our processing of personal information related to them (GDPR Articles 13 and 14).
--Access to personal information: Data Subjects have the right to confirm whether their personal information is being processed and, if so, access their personal information and certain related information (GDPR Article 15).
--Rectification and erasure of personal information: Data Subjects have the right to request that we rectify without undue delay any inaccurate personal information concerning them, and to have incomplete personal information completed (GDPR Article 16). Data Subjects. also have the right to request that personal information concerning them be deleted without undue delay under certain legal grounds (GDPR Article 17).
--Restriction of processing personal information: Data Subjects have the right to obtain from us restriction of processing under certain legal grounds (GDPR Article 18).
--Right of data portability: Customers, partners etc. have the right to require that personal data be moved from us to another party. This right is limited to data provided to us by you (GDPR Article 20).
--The right to object to processing personal information: Data Subjects have the right to object, on grounds relating to their particular situation, at any time to processing of personal information concerning them under certain legal grounds (GDPR Article 21).Exclusion from automated individual decision-making: Data Subjects have the right not to be subject to a decision based solely on automated processing (including profiling) of their personal information which produces legal effects concerning them or similarly significantly affects them under certain legal grounds (GDPR Article 22).
These rights may be limited where they would infringe the rights of a third party (including our rights), for example if fulfilling your request would reveal personal data about another person, or if you ask us to delete information which we are required by law to keep or have compelling legitimate interests in keeping. Relevant exemptions are included in the GDPR, and in local data protection laws. We will inform you of relevant exemptions we rely upon when responding to any request you make.
To exercise any of these rights, please contact us using the contact details listed in Section 9.
Data Subjects may also file objections with the supervisory authorities (see here for an overview in the EEA, or the UK Information Commissioner’s Office if relevant) for data protection should they object to the processing of their personal information.
4.Inquiries
Should you have any questions regarding this notice or the personal information on Data Subjects that we retain, please contact us by mail or email at the following address.
Contact details:
SB Payment Service Corp.
Tokyo Portcity Takeshiba Office Tower, 1-7-1 Kaigan, Minato-ku, Tokyo 105-7529
privacy@sbpayment.jp