STAFF PRIVACY POLICY


11, 01, 2019

  1. Introduction

  2. What personal data we collect and how we use it

  3. How we store personal data and who can access it

  4. Disclosure and international transfers of personal data

  5. Security and storage

  6. Staff’s rights

  7. Questions

  8. Policy updates

Appendix 1 Description of the personal data processing


  1. INTRODUCTION


    The Rakuten Group is implementing a group-wide human resources management system (the "HR System"), mainly the Workday software, which will support you throughout your time at Rakuten, including onboarding, training, evaluation, and talent development, and will also enable the Rakuten Group to improve the group HR program. In connection with its relationship with you and with this implementation, the Rakuten Group company which employs you or uses your services (the "Company") has prepared this Staff Privacy Policy (the "Policy") to describe its practices regarding the collection, use, storage, transfer and other processing of personal data about Staff ("Personal Data"). For the purposes of this Policy, "Staff" means past, present and future staff of the Company (including candidates who have been offered employment by the Company, volunteers, subcontractors, agents, interns, temporary staff, partner staff, and casual workers).

    The data controller is the entity with primary responsibility for the handling of Personal Data. For the purposes of this Policy, the data controllers of the Personal Data collected in connection with the HR System are primarily the Company and, for some specific purposes, Rakuten, Inc. ("we", "us" and "Data Controllers").

  2. WHAT PERSONAL DATA WE COLLECT AND HOW WE USE IT


    We may be required by law to collect certain Personal Data about you, or as a consequence of any contractual relationships we have with you. Failure to provide this information may prevent or delay the fulfilment of these obligations. We will inform you at the time your information is collected whether certain data is compulsory and the consequences of the failure to provide such data.

    1. What Personal Data we collect


      The Company collects Personal Data about Staff that is directly relevant to the Staff's execution of their roles and responsibilities during their time with us, Rakuten Group's business, and that is required to meet the Data Controllers' legal obligations, or otherwise permissible to collect under local laws. In particular, the Company collects the categories and types of Personal Data as set out in Appendix 1.

      The Company also collects and processes Personal Data generated by us including Personal Data contained in appraisals, training records, records of your history with the Company, and compensation information.

    2. How we use Personal Data


      We use the Personal Data listed in Appendix 1 and set out above for the purposes and on the basis of the legal grounds set out in the same appendix. Whenever we process your Personal Data, we will respect your privacy. In particular, when we process Personal Data to meet our legitimate interests, we put in place robust safeguards to ensure that your privacy is protected and that your interests or fundamental rights and freedoms are not overridden by our legitimate interests.

      We do not use Personal Data of any Staff (gathered from you in your capacity as Staff) for marketing purposes, except where we obtain the Staff's express consent to the use of Personal Data for marketing purposes and provide the Staff with the subsequent right to withdraw their consent at any time and at no charge.

    3. Special categories of Personal Data


      We may collect and process certain special categories of Personal Data (also known as "Sensitive Personal Data") about Staff where permitted by local law to comply with employment and/or social security laws or where necessary for the establishment, exercise or defence of legal claims. In particular, the Company may process information regarding ethnic origin, religion, and physical and/or mental health. Some other Personal Data such as citizenship, marital status or liability for military service may also be processed, for purposes of benefits administration and addressing workplace health, safety and accommodation issues as required under employment and social security laws.

    4. Emergency Contact Information


      As shown in Appendix 1, the HR System contains emergency contact information (this type of Personal Data includes Personal Data of relatives, guardians and associates of the Staff ("Emergency Contacts")) for emergency contact purposes only.

    5. Communications and PRs


      We occasionally feature our Staff in our internal materials to promote the internal communication of the Rakuten Group or its public relations, which is necessary for our legitimate interests.

      We may use your featured likeness and/or name in any photograph, image, video, motion picture, performance or sound recording (collectively the Staff’s “Likeness”) to circulate or publicize the Rakuten Group’s businesses, or for any other communication and PR purposes as separately instructed to you when you are featured.

      We may choose to edit, alter, copy, exhibit, publish, or broadcast your Likeness at any time and in any choice of media (the end product shall be known as “Media”), on condition that these Media are only made and used for the above-mentioned purposes. The Media may be exhibited globally in the Rakuten Group and any other media managed by the Rakuten Group, which include our corporate media, TV, YouTube, and LinkedIn. Please note that you might be captured in the background of such Media even if you are not the person being featured, but we will make reasonable efforts to protect your privacy, for example by blurring. Also, please see section 4.1 below on the measures we take to protect transfers of Personal Data to overseas entities of the Rakuten Group.

  3. HOW WE STORE PERSONAL DATA AND WHO CAN ACCESS IT


    In addition to storing Staff's Personal Data in the HR System, we maintain an individual hard-copy file on each Staff. The Global Human Resources Department and the Company's Human Resources Department maintain these files in a secure environment.

    Access to Personal Data is restricted to those individuals who need such access for the purposes listed in Appendix 1 or where required by law, including members of the Global Human Resources Department and the Company's Human Resources Department, the managers in the Staff's line of business, and authorised representatives of the Data Controllers' internal control functions such as Compliance and Legal. Access may also be granted on a strict need-to-know basis to other managers of the Data Controllers where relevant if the Staff is being considered for an alternative job opportunity, or if a new manager appointed in the line of business needs to review files. All Staff, including managers, are bound by the requirements of this Policy.

  4. DISCLOSURE AND INTERNATIONAL TRANSFERS OF PERSONAL DATA


    We may disclose in accordance with applicable law relevant Personal Data to certain third parties for the maintenance and operation of the HR System and in connection with the provision of the following services to us: benefits administration (including insurance and retirement plans administration), compensation administration, human resources administration and assistance, payroll services, business travel administration and associated services, recruiting services and training services. In addition, if necessary and in accordance with applicable law, we may disclose Personal Data to our auditors and other external professional advisers and to other parties that provide products or services to us, such as IT systems providers and consulting firms.

    Where we engage a third party data processor to process Personal Data on our behalf, such as some of those listed above, we will delegate such processing by contract in writing, will choose a data processor that provides sufficient guarantees with respect to technical and organisational security measures governing the relevant processing and will ensure that the processor acts on our behalf and under our instructions. In addition, we will impose by contract in writing appropriate data protection and information security requirements on such third party data processors.

    1. International Transfers of Personal Data


      Given the global nature of the Rakuten Group, we may transfer Personal Data, including Sensitive Personal Data, to certain other entities of the Rakuten Group based in countries other than the country in which the information was originally collected (a list of which is available for consultation here: https://www.myworkday.com/rakuten/d/task/1422$1801.htmld). Such Personal Data will be transferred for some of the purposes set out in Appendix 1.

      We are committed to protecting your privacy across the world. To ensure that your Personal Data is appropriately protected, the Rakuten Group companies adhere to our global privacy standard. In particular, the Rakuten Group has implemented Binding Corporate Rules, a recognised European data protection standard, to ensure the same level of data protection around the globe and to legitimize international data transfers. Our Binding Corporate Rules (“BCRs”) provide for an appropriate level of protection for global data processing within the Rakuten Group and have been approved by the relevant European Union Authorities. Rakuten's BCRs are available here: https://corp.rakuten.co.jp/privacy/en/bcr.html.


      Where we transfer Personal Data to Rakuten Group companies that are not bound by Rakuten’s BCRs we put in place appropriate contractual clauses with these Rakuten Group companies.

      In addition to Rakuten Group's overseas entities, we may disclose and transfer Personal Data to data processors located in jurisdictions which may not provide for an equivalent level of protection compared to where the data was collected. We will ensure their compliance with our global privacy standard by appropriate contractual agreements incorporating, for example, appropriate contractual clauses.

      From time to time, we may, where necessary to comply with our legal obligations, also disclose Personal Data to other parties, such as to legal and regulatory authorities located overseas. As noted above, data protection laws in these locations may not provide for an equivalent level of protection compared to where the data was collected and, in such cases, we will require the recipient to provide appropriate protection for the Personal Data disclosed to it in compliance with applicable data protection laws such as entering into appropriate contractual clauses. For further information on how we will protect your Personal Data in these circumstances, please contact us using the details in section 7 below.

    2. Additional Disclosures of Personal Data


      Personal Data may also be disclosed, where permitted by applicable law, in connection with a corporate restructuring, sale, or assignment of assets, merger, divestiture, or other changes of the financial or structural status of the Data Controllers or any of their affiliated entities. Should such a disclosure occur, we will use reasonable efforts to try to ensure that the entity to which we transfer your Personal Data uses it in a manner that is consistent with this Policy.

  5. SECURITY AND STORAGE


    We maintain appropriate technical and organisational measures to protect against unauthorised or unlawful processing of Personal Data and/or against accidental loss, alteration, disclosure or access, or accidental or unlawful destruction of or damage to Personal Data.

    We will keep your Personal Data for as long as we have a contractual relationship with you. Once our relationship with you has come to an end, we will retain your Personal Data for a period of time that enables us to:

    • Maintain business records for analysis and/or audit purposes;

    • Comply with record retention requirements under the law;

    • Defend or bring any existing or potential legal claims; and

    • Deal with any complaints.

    We will delete your Personal Data when it is no longer required for these purposes. If there is any information that we are unable, for technical reasons, to delete entirely from our systems, we will put in place appropriate measures to prevent any further processing or use of the data.

  6. STAFF'S RIGHTS


    You have certain rights regarding your Personal Data, subject to local law. These include the following rights to:


    • access your Personal Data;


    • rectify the information we hold about you;

    • erase your Personal Data;


    • restrict our use of your Personal Data;


    • object to our use of your Personal Data;


    • receive your Personal Data in a usable electronic format and transmit it to a third party (right to data portability); and


    • lodge a complaint with your local data protection authority.


    If you would like to discuss or exercise such rights, please contact us at hr-privacy@mail.rakuten.com. However, please note that the applicable law may restrict your right to exercise some of the above-mentioned rights.

    We encourage you to contact us to update or correct your information if it changes or if the Personal Data we hold about you is inaccurate.

    We will contact you if we need additional information from you in order to honour your requests.


  7. QUESTIONS


    For any questions regarding this Policy, Staff should contact the Global Human Resources Department (hr-privacy@mail.rakuten.com) and we, with our data protection officer, will respond without undue delay.

    Also, Staff can lodge a complaint to the Global Privacy Manager of Rakuten or a data protection authority in accordance with Rakuten’s BCRs (https://corp.rakuten.co.jp/privacy/en/bcr.html).


  8. POLICY UPDATES


    In case of any material changes to the way in which we use Personal Data or any other aspect of this Policy, we will notify Staff as soon as possible by reissuing a revised Policy.

APPENDIX 1

Description of the personal data processing


Category of Personal Data: Employment contract management information

Type of Personal Data:

• Name
• Gender
• Date of Birth
• Photo
• Nationality
• Department he/she belongs to
• Job title
• Job category
• Resignation
• Leave of absence
• Office location
• Company E-mail address
• Business phone number
• Employee number
• Employment status
• Grade
• Salary
• Personal address
• Work permit / VISA information

Purpose of Use, and Reason of necessity of processing (Legal Basis):

For you and the Company to work with. This is necessary to allow us to fulfil our contractual obligations to you in connection with your employment contract, such as creating user accounts for IT products & HR management purposes and to manage; and

For appraisal, personnel transfer, talent management, performance management and HR management purposes. It is in our legitimate interests to use this data for HR purposes to allow the Data Controllers to manage its resources.


Category of Personal Data: Talent management information

Type of Personal Data:

• Language skill
• Willingness for mobility
• Training history
• Main/Additional post history
• Job experience
• Overseas work experience
• Previous employment
• Education
• Award
• Discipline
• Global experience program history
• Qualifications

Purpose of Use, and Reason of necessity of processing (Legal Basis):

For appraisal, transfer, talent management, performance management and HR management purposes. It is in our legitimate interests to use this data for HR purposes to allow the Data Controllers to manage its resources.


Category of Personal Data: Compensation & Payroll operation information

Type of Personal Data:

• Salary
• Bonus
• Incentive
• Number of stocks
• Working Time Recorded
• Family information
• Personal address
• Securities account
• Tax code

Purpose of Use, and Reason of necessity of processing (Legal Basis):

For compensation information management and payroll operation purposes to fulfil contractual obligations to you in connection with your contract with the Company.


Category of Personal Data: HR management & Collaboration information

Type of Personal Data:

• Name
• Photo
• Department he/she belongs to
• Job title
• Job category
• Resignation
• Leave of absence
• Office location
• Company E-mail address
• Business phone number
• Employee number
• Employment status

Purpose of Use, and Reason of necessity of processing (Legal Basis):

For HR management purposes and to manage, the search and use the HR system. It is in our legitimate interests to use this data for these purposes to allow the Company to perform its business activities and manage its resources.


Category of Personal Data: Emergency information

Type of Personal Data:

• Name
• Emergency contact information

Purpose of Use, and Reason of necessity of processing (Legal Basis):

For emergency contact reasons. This is necessary to comply with our legal obligations to you in relation to your health and safety or in some circumstances to protect your vital interests or those of another person.



* This Appendix 1 lists any Personal Data we may collect, but we will only collect necessary Personal Data relating to Staff. Therefore, we will not collect and use Personal Data such as Talent management information and Compensation & Payroll operation information of temporary staff, partner staff, and subcontractors unless such Staff’s Personal Data is necessary for the purposes listed above. Likewise, we will not intentionally collect and use Employment contract management information which is not necessary under the relationship with each Staff (e.g. leave of absence, date of birth and grade of temporary staff, partner staff, and subcontractors).