Enacted: May, 2020
In the event that Daifuku Co., Ltd. and its group companies ("Daifuku") collect personal data concerning an individual ("Data Subject") who is protected by the EU General Data Protection Regulation ("GDPR") and/or other applicational laws of countries in which Daifuku operates, Daifuku shall handle personal data as set out below, giving precedence to relevant national laws over the GDPR where relevant national laws exist, and observing GDPR-like rules otherwise. The handling of personal data about employees shall be determined separately in accordance with policies implemented within the Daifuku Group.
Daifuku processes personal data when the law allows it to and it has the Data Subject's consent and usually when Daifuku has one of the following legal bases:
(1) where it is necessary for Daifuku's legitimate interests,
(2) to enable Daifuku to fulfil the contract it has entered into with the Data Subject, and
(3) where Daifuku needs to comply with any legal obligations.
1. Daifuku collects the following types of personal data:
(a) basic information used to identify the Data Subject (e.g. name, date of birth, gender);
(b) information needed to contact the Data Subject (e.g. telephone number, mobile number, email address); and
(c) technical information that could be used to identify the Data Subject (e.g. IP address, type and version of browser used).
2. Daifuku does not collect the following personal data without the prior explicit consent of the Data Subject:
(a) data about political opinions or religious beliefs, and
(b) data concerning health.
Daifuku generally uses the personal data it collects for the purposes shown below.
1. Personal data collected from customers and business partners (includes potential customers and business partners):
(a) to provide the products and services handled by Daifuku and to provide information about these products and services;
(b) to plan, research and develop products and services;
(c) to deal with inquiries; and
(d) to conduct negotiations and meetings, to contact customers and business partners and to execute business operations relating thereto.
2. Personal data collected from shareholders and investors (includes potential shareholders and investors):
(a) to manage shareholders, investors and shares;
(b) to allow shareholders to exercise their rights and to fulfil obligations;
(c) to prepare documents and create records and data in accordance with applicable national laws;
(d) to provide data to shareholders; and
(e) to otherwise take action in accordance with the provisions of laws or directives, guidance, etc. issued by the authorities.
3. Personal data collected from job applicants, those wishing to visit the company or its demo center and those who access the Daifuku website:
(a) to conduct recruitment activities and business operations related thereto; and
(b) to provide information, refreshments, etc. to visitors to Daifuku's offices or its demo center.
With respect to personal data managed by Daifuku, the following rights of the Data Subject are protected:
(1) the right to be informed (the right to be informed about the details such as the identity of the controller, the purposes of the processing, legitimate interests pursued by the controller, and when the controller collects personal data);
(2) the right of access (the right to obtain from the controller confirmation as to whether or not personal data is held concerning him or her);
(3) the right to rectification (the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her);
(4) the right to erasure (the right to obtain from the controller the erasure of personal data concerning him or her);
(5) the right to restrict processing (the right to obtain from the controller restriction of processing);
(6) the right to data portability (the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and the right to transmit to another controller without hindrance from the controller);
(7) the right to object (the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her);
(8) the rights in relation to automated decision making and profiling (the right not to be subject to a decision based solely on automated processing, including profiling).
Finance and Accounting Division
Daifuku Co., Ltd.
Daifuku may entrust the processing of personal data to a third party. In this case, Daifuku shall enter into an agreement with the processor stipulating that the processor
(1) processes the personal data only on documented instructions from Daifuku,
(2) commits to confidentiality,
(3) takes all measures required to ensure data security,
(4) assists the exercise of the Data Subject's rights, and
(5) returns all the personal data (including copies) to Daifuku once the purpose of processing ceases to exist.
As the controller of the personal data, Daifuku manages records of the processing of personal data in its possession.
Daifuku also periodically updates records of the processing of this personal data.
Daifuku retains personal data for the minimum period necessary to achieve the abovementioned purposes of collection of personal data and only for the amount of time required by law or for accounting purposes or similar reporting requirements.
Daifuku properly implements organizational security management measures, including developing and applying regulations such as the Information Security Basic Policy, as well as technical security management measures such as the anonymization and encryption of personal data, and the establishment of a periodic inspection process.
In case of a data leak or other breach of security, Daifuku has put in place a framework for reporting to the supervisory authorities responsible for protecting personal data within the required timeframe, and also engages in appropriate communication with the Data Subject.
Daifuku shall transfer personal data to a company located outside the European Economic Area or a third country only if the measures considered necessary under Japan's "Supplementary Rules under the Act on the Protection of Personal Information for the Handling of Personal Data Transferred from the EU based on an Adequacy Decision" have been taken.