Riken Keiki GmbH (“RKG”)
DATA PROTECTION POLICY
Version 1-1 dated 15.DEC.2021
Riken Keiki GmbH (“RKG” or “we”) has a responsibility to look after the information which we collect about individuals, whether our customers, employees, or people browsing our websites. When people trust us with their information, we should live up to that trust.
Data protection law gives individuals the right to understand – and in some cases control – how their data is used. It also places obligations on RKG to handle people’s data fairly and respect their rights.
The main law we must follow is the General Data Protection Regulation 2016/679 (“GDPR”), which became effective on 25 May 2018, and any national laws implementing it. In some cases, local laws and regulations may be more restrictive than this Policy; where that is the case, the more restrictive rules must be followed when processing personal data in that jurisdiction.
RKG takes its obligations under data protection law seriously. A breach of our data protection responsibilities could result in a significant financial penalty or criminal investigations against us and our staff as well as negative publicity and damage to our brands. Any staff should immediately contact us if they become aware of a potential breach.
To protect against these risks, this Data Protection Policy (“Policy”) and its accompanying Guidelines should be read and followed by all staff. These documents shall demonstrate our commitment to data protection and privacy and are an essential part of our program to support compliance with relevant laws. Any staff who fail to comply with this Policy may be subject to disciplinary action, up to and including dismissal.
Because this Policy and our Guidelines cannot address every issue that may arise, we expect that employees will use their common sense, act prudently, professionally, and with clarity of intention. Always consider what a reasonable person would consider appropriate in the circumstances. If you have any questions about this Policy, you should contact RKG’s management.
- Who and What is covered by this Policy?
This Policy applies to all RKG business units, operations, functions and staff, including permanent and temporary employees and any third party personnel such as agents, temporary workers, contractors and consultants, who have access to personal data processed by RKG; this includes, in particular but without limitation, users, stakeholders responsible for introducing IT systems and stakeholders defining the business needs for IT systems.
- What’s “personal data”? This Policy only applies to “personal data”. That means information which relates to an identified or identifiable individual (i.e. a natural person). It includes names, addresses, email addresses, job applications, photographs, purchase histories, user account information, and correspondence to and from an individual. Where it can be linked to an individual, it also includes web browsing information (e.g. cookie data).
- What about other confidential information? This Policy does not apply to confidential commercial information which is not personal data, e.g. financial information.
- What’s “sensitive personal data”? Certain personal data is designated as “sensitive” and given enhanced legal protections. Sensitive personal data is personal data revealing a person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; biometric or genetic information; information about a person’s health, sex life or sexual orientation; or – to some extent – information about criminal convictions.
- What’s “processing”? This Policy also talks about “processing” personal data. Processing means doing anything with personal data; this includes collecting it, storing it, combining it with other data, sharing it with a third party, and even deleting it.
- What are “data subjects”, “controllers” and “processors”? The natural person whose data is processed is called the “data subject”. A legal entity (e.g. us) that, alone or jointly with others, determines the purposes and means of a processing activity is a “controller”; entities that process personal data only on the instructions of a controller, without determining the purposes or means, are “processors”.
RKG processes personal data about staff at our customers and prospective customers, our own staff, job applicants, and staff at our suppliers. All of this personal data should be treated in accordance with this Policy.
- How you should read and apply this Policy
This Policy gives you an overview of the data protection principles we at RKG seek to apply. It sets out the general rules that apply to everyone at RKG who deals with personal data.
Depending on your role, some of you may have additional obligations, e.g. to follow more specific and defined procedures, for instance when you are the stakeholder responsible for decisions on the introduction of new IT services or the engagement of service providers, or when you decide on activities and campaigns as an HR or marketing manager. Furthermore, when dealing with specific scenarios that may involve larger amounts of personal data, e.g. in HR, IT or marketing, you may have more specific questions.
In order to see more guidance on specific processing situations or to learn about more detailed procedures that need to be followed, please see our Guidelines.
- The Data Protection Principles
Everyone (e.g. employees, contractors or officers) at RKG should comply with the following principles and consider the data protection risks before and when processing personal data (our “Data Protection Principles”).
- Lawful Processing: Make sure we always have a good, lawful reason to process an individual’s personal data.
What does this mean?
RKG must comply with any applicable laws when it processes personal data.
In general, RKG should only process personal data if it can satisfy certain conditions set out in data protection law. For RKG, the most important of these are: (i) that the individual has consented; (ii) that the processing is necessary for a contract with the individual; (iii) that the processing is necessary to comply with a legal obligation; or (iv) that the processing is necessary for RKG’s (or a third party’s) legitimate interests, which are not overridden by any risk or harm to the individuals.
HR data of employees, such as name, address, insurance information, salary etc., may be processed by RKG on the basis of performing the employment contract and on the basis of RKG’s legitimate interests, such as HR management or enabling access to IT systems. Please be aware that with respect to sensitive HR data and the monitoring of employees, more specific requirements, e.g. under Sec. 26 of the German Federal Data Protection Act, may apply.
Customer information, such as contact details of staff at customers, may be processed by RKG on the basis of RKG’s legitimate interests, such as marketing to the customer. Please be aware that before addressing any individual with any kind of marketing messages or materials, you need to ensure that there is also a legal basis for the chosen way of contacting the individual for these purposes. Depending on the case, such requirements may include prior consent or at least giving every recipient the opportunity to object (opt out) to receiving further marketing messages (every marketing message needs to include a notice about this right and include, e.g., a link enabling such an objection).
RKG should only process sensitive personal data in exceptional circumstances, where it is positively satisfied it has a lawful basis for doing so.
Each stakeholder introducing a new processing activity needs to ensure that an assessment of the lawful basis is made (which we also need in order to give individuals information), as well as an assessment of the risks in connection with the security measures applied (if a new processing activity could involve high risks, RKG will conduct a data protection impact assessment to decide whether any safeguards need to be put in place to protect the individuals), and that both are documented. The basic responsibilities and required risk assessments are set out in our New Systems Guideline.
- Fairness and Transparency: Give people information about how RKG processes their personal data.
What does this mean?
We should be transparent and give people information about how we use their personal data. This also means not doing anything with their personal data which they would not expect or that we would be embarrassed for them to know about. This is also called providing a “notice” to data subjects, e.g. by putting a policy on a website or including it in general terms or other information materials provided to the individuals.
In particular, we should always tell people if their personal data will be passed to a third party. Similarly, if we receive personal data about someone from a third party, we should make sure the individual knows about it as soon as we can.
- Purpose Limitation: Only collect personal data for a specific business need of RKG. If we want to reuse the personal data for a new purpose, we must make sure the two are compatible.
What does this mean?
We should always have a clear purpose for any personal data before we collect it, and this should reflect a specific business need of RKG; then we should only process personal data in a manner that is compatible with the purpose(s) for which it was collected.
If RKG later wants to use the personal data for a new purpose or share it with a new third party, we should consider whether (i) the processing for the new purpose is lawful, and (ii) it is compatible with the original purpose, and whether it would be within the reasonable expectations of the individual (which may require a further notice explaining the proposed change and any likely consequences for the individual).
Before starting any new processing or collecting any new data, you should follow the procedures defined in our New Systems Guideline, to ensure that data protection and privacy are considered from the outset.
- Data Minimisation: Only process as much personal data as we need, and no more.
What does this mean?
In any particular case, RKG should only collect or otherwise process as much personal data as it needs for that specific purpose. This means we should not collect personal data that we do not need or ask for personal data ‘just in case’ it may be useful, and we should not use personal data that is not relevant and necessary for a specified, explicit and legitimate purpose.
Before asking for or accessing information about someone, you should ask yourself whether you really need that information to achieve your objective.
- Accuracy: Keep personal data accurate, complete and up-to-date.
What does this mean?
Wherever possible, RKG should carefully assess if personal data is complete, accurate and up-to-date (including considering verification if data comes from a third party), as well as give individuals the opportunity to amend or correct their personal data (and offer a self-service tool where possible). If we become aware of personal data which is inaccurate or out-of-date, we should take reasonable steps to correct it or delete it.
Staff should inform HR about any changes in the personal data which we process about them.
- Retention: Only keep personal data for as long as we need it. If we don’t need the personal data anymore, we must delete it or anonymise it.
What does this mean?
RKG should only keep personal data for as long as we need it for its specified purpose. The specific purpose may end with the complete termination of a transaction or performance of a contract taking into consideration post-contractual obligations, warranty rights, etc. Once the personal data is no longer needed, it should be either (i) deleted, (ii) anonymised so that individuals can no longer be identified from it, or (iii) to the extent the information is subject to statutory archiving obligations (in Germany statutory archiving obligations typically vary from 6 years for business correspondence to 10 years for tax relevant documents), be kept in an archive with limited access. We will make you aware of exemptions to these rules in specific cases, e.g. when preparing for litigation or investigations; in such cases please always comply with our instructions.
- Security: Protect RKG’s personal data from getting lost or stolen. Make sure our service providers protect our personal data as well.
What does this mean?
We must make sure we always protect personal data with appropriate security measures, to prevent any accidental or unauthorised access, damage, loss or disclosure.
As a company, we must ensure that we take data protection and security requirements into consideration at an early design stage (“privacy by design”) and set up default settings in a privacy-friendly way (“privacy by default”). Furthermore, the level of security safeguards to be applied largely depends on a risk assessment (which, in the case of high risks, may lead to a data protection impact assessment); please see our New Systems Guideline. Our staff handling personal data must sign a corresponding Confidentiality Agreement.
This Security Principle extends to our service providers who handle personal data on our behalf. RKG should only appoint service providers who can provide appropriate protection for our personal data.
If you become aware of any actual or suspected loss or breach of security relating to personal data, you should immediately report it to the Managing Director of RKG without making your own judgement of its severity or of who may be responsible for the breach. RKG has very strict reporting obligations for serious breaches, which must be reported within seventy-two hours of noticing such an incident. Thus, an immediate reaction is of the utmost importance. Once you have reported as described, our Security Breach Guideline sets out how to handle and, if necessary, report such incidents to the extent necessary.
- Individual Rights: Allow individuals the right to access, correct or erase their personal data, or object to it being used for certain purposes.
What does this mean?
Anyone whose personal data we process has certain rights that RKG must respect, and RKG must respond to requests in accordance with our legal obligations. RKG is also entitled to refuse requests in certain circumstances. But no one shall be victimised or prejudiced, directly or indirectly, as a result of lodging a request or a complaint.
For example, individuals have the right to obtain a copy of their personal data (in some cases in a portable format) and to correct any inaccuracies. In certain circumstances, they also have a right to have their personal data erased (sometimes also called the “right to be forgotten”) or not used for a particular purpose.
Furthermore, individuals may have a right to object to a processing activity, and they always have the right to opt out from the processing of their data for marketing purposes or from receiving marketing from us.
RKG has established an Individual Rights Guideline on how to deal with such requests. In order to enable us to follow those procedures, if you receive a request from an individual relating to their personal data, you should always forward it to and consult with the Managing Director of RKG.
- Transfers of Personal Data: Put in place safeguards before sending personal data to others, in particular when outside Europe.
What does this mean?
You should ensure that RKG only makes personal data available to third parties in appropriate circumstances, informs data subjects about transfers and the categories of recipients, and puts measures in place to safeguard the personal data.
Firstly, depending on the role of a third party, it may become necessary to have specific agreements in place with them, e.g. a data processor agreement may be required. For others, an agreement between joint controllers may be required.
Secondly, because data protection standards may not be the same in countries outside the European Economic Area (EEA), EU data protection law places restrictions on when personal data may be transferred outside the EEA. The transfer will only be allowed if certain safeguards are put in place to protect the personal data, wherever it goes.
Both of these requirements apply whether RKG is sending personal data to a third party (e.g. a US-based cloud provider) or to a company within our own group. Importantly, these restrictions apply not only when the personal data will be stored at the third party (e.g. in the non-EEA country), but also if the personal data will only be accessed remotely from that country (e.g. if they will have access to personal data on our systems).
You should consult the Managing Director of RKG before disclosing personal data to third parties, sending personal data outside the EEA or allowing a party outside the EEA to have access to personal data stored within the EEA.
- Accountability: RKG will take steps to make sure our processing of personal data complies with this Policy.
What does this mean?
RKG is responsible for ensuring our processing of personal data is compliant with the law. That is why we have implemented this Data Protection Policy, as well as the Guidelines which accompany it. See below for a list of the accompanying Guidelines.
RKG will keep track of each data processing activity in its data processing register, which is our central internal tool for keeping track of our obligations; for details please see the New Systems Guideline.
RKG will conduct training for all staff who handle personal data on their responsibilities under this Policy. It is the responsibility of everyone working at RKG to complete their required training and the responsibility of every manager to ensure their staff has done so.
Any new websites, apps, user functionality or other tools should be designed to enable RKG to comply with our Data Protection Principles, and their introduction needs to follow the procedures described herein; for details please see the New Systems Guideline.
We, or internal and external auditors engaged by us, will monitor and conduct periodic or ad hoc audits, to assess our and your compliance with this Policy, in order to constantly revise and improve our data protection program if necessary.
This Policy and the accompanying Guidelines will be periodically reviewed and updated as necessary to ensure they are effective and meet RKG’s requirements. Such changes will be published on the intranet. You are advised to check periodically to ensure that you are aware of any change.
List of Guidelines and other Documents
New Systems Guideline
Security Breach Guideline
Individual Rights Guideline