For the persons residing in the European Economic Area (the "EEA") protected under the GDPR
(1) Compliance with laws and regulations regarding personal information protection
X-Ability Co.,Ltd. ("the Company") complies with laws, ordinances, national guidelines and other regulations regarding personal information protection.
(2) The acquisition of the personal information
The Company acquires customers' personal information as follows;
1. Full name, address, contact information, e-mail address
2. Organization to belong to, laboratory, and position
3. Usage history of our product
(3) Purpose of use of personal information
The purpose of use of personal information that the Company acquires is as follows;
1. Performance of the agreement with the Data Subject
2. Improvement of products of the Company and Group companies
3. Provision of information on products and services of the Company and Group companies
In any case where personal information shall be used for other than the purposes mentioned above, the Company shall clarify them in advance.
(4) Limitation of purpose of use
The Company shall not handle personal information beyond the necessity to fulfill the purpose of use without consent from the person in question.
However, the following cases are exceptional.
1. Cases in which the provision of personal information is based on laws
2. Cases in which the provision of personal information is necessary for the protection of the life, body, or property of an individual and in which it is difficult to obtain the consent of the person
3. Cases in which the provision of personal information is specially necessary for improving public hygiene or promoting the sound growth of children and in which it is difficult to obtain the consent of the person
4. Cases in which the provision of personal information is necessary for cooperating with a state institution, a local public body, or an individual or entity entrusted by one in executing the operations prescribed by laws and in which obtaining the consent of the person might impede the execution of the operations concerned
(5) Limitation of provision to a third party
The Company shall not provide personal information to a third party without consent from the person except the following cases;
1. Cases in which the provision of personal information is based on laws
2. Cases in which the provision of personal information is necessary for the protection of the life, body, or property of an individual and in which it is difficult to obtain the consent of the person
3. Cases in which the provision of personal information is specially necessary for improving public hygiene or promoting the sound growth of children and in which it is difficult to obtain the consent of the person
4. Cases in which the provision of personal information is necessary for cooperating with a state institution, a local public body, or an individual or entity entrusted by one in executing the operations prescribed by laws and in which obtaining the consent of the person might impede the execution of the operations concerned
(6) Security control measures
The Company shall take necessary control of security for personal information protection.
(7) Opinions and inquiries regarding personal information
The Company shall respond to requests for, opinions on and inquiries about disclosure, correction, deletion and suspension of personal information in accordance with laws, ordinances and internal regulations.
Please indicate your request, such as "usage purpose notification," "disclosure," "correction," "suspend usage" etc. when making a personal information inquiry. Forms and procedural documents will be sent.
Personal Information Inquiries - Legal department of X-Ability (info@x-ability.jp)
The application form filled with necessary information and identification document specified by the Company are needed for application. Please refer to the procedure guide for details.
When the application can not be taken, the reason will be informed without delay.
When "Handling of Personal Information" is revised, the revision will be posted on the Web site of the Company.
THIS PRIVACY POLICY (THIS "privacy policy") ONLY APPLIES TO PROCESSING OF PERSONAL DATA SUBJECT TO EU GENERAL DATA PROTECTION REGULATION No 2016/679 (THE "GDPR").
This Privacy Policy is an explanation by X-Ability Co.,Ltd.("We"/"Us") to persons residing in the European Economic Area (the "EEA") protected under the GDPR (who may include our customers) (the "Data Subject") regarding how we collect and process personal data as the data controller if personal data is provided or disclosed by the Data Subject or if personal data is received or acquired through a third party. We process the personal data in accordance with the GDPR (and other applicable EU and Member State regulations on data protection, if such regulations exist).
Processing of personal data in this Privacy Policy means processing of personal data of persons who are in the EEA in any of the following cases:
(ⅰ)if carried out in connection to activities of our establishment in the EEA,
(ⅱ)if related to the offering of products or services to the Data Subjects, or
(ⅲ)if related to the monitoring of the Data Subject's behavior as far as their behavior takes place within the EEA.
We will always process the Data Subject's personal data based on one of the legal bases provided for in the GDPR (Articles 6 and 7). In addition, if processing personal data that requires special care, we will do so in accordance with the special rules provided for in the GDPR (Articles 9 and 10).
(1) We collect and process the Data Subject's personal data as follows;
1. Full name, address, contact information, e-mail address
2. Organization to belong to, laboratory, and position
3. Usage history of our product
(2) The purpose of use of personal date that we collect is as follows;
1. Performance of the agreement with the Data Subject
2. Improvement of products of us and our group companies
3. Provision of information on products and services of us and our group companies.
In any case where personal data shall be used for other than the purposes mentioned above, we shall clarify them in advance.
Anyone who wants to use our products or services must consent to the collection and processing of personal data.
The Data Subject is entitled to withdraw his or her consent to the collection and processing of the personal data at any time, but this withdrawal will not affect the lawfulness of processing based on the consent before withdrawal thereof.
We will process the Data Subject's personal data for the purposes described above, and will not further process the personal data in a way that is incompatible with those purposes. If we intend to process personal data originally collected for the purpose described above in order to attain other objectives or purposes, we will ensure that the Data Subject is informed of this. We will keep personal data for as long as it is necessary for us to comply with our legal obligations, to ensure that we provide an adequate service, and to support our business activities (Articles 5 and 25(2) of the GDPR).
We may share personal data with our group entities in accordance with the GDPR. Where we share personal data with a data processor, we will put the appropriate legal framework in place in order to cover data transfer and processing (Articles 26, 28 and 29 of the GDPR). Furthermore, where we share personal data with any entity outside the EEA, we will put appropriate legal frameworks in place, notably controller-to-controller (2004/915/EC) and controller-to-processor (2010/87/EU) Standard Contract Clauses approved by the European Commission, in order to cover such transfers (Chapter 5 of the GDPR).
Collaborative Partners
Subject to the Data Subject's prior consent, personal data may be transferred to, stored, and further processed by collaborative partners that work with us to provide our products and services or help us market to Data Subjects.
Outsourcing
(1) We may outsource all or part of the personal data processing in marketing services, and other services.
(2) When executing an outsourcing agreement, the eligibility of the counterparty as an outsourcee is sufficiently investigated. Safety management measures, confidentiality, conditions for the outsourcee to outsource to another party, and other matters regarding the appropriate processing of personal data are prescribed in the outsourcing agreement, and our outsourcees are appropriately supervised.
(3) The personal data provided (deposited) by the outsourcer in the services outsourcing is utilized within the scope necessary to perform the agreement with the outsourcer.
Corporate Affiliates and Corporate Reorganisations
We may share the personal data with all corporate affiliates. In the event of a merger, corporate reorganisation, civil rehabilitation, acquisition, joint venture, assignment, transfer, sale or disposition of all or any portion of our business (including in connection with any bankruptcy or similar proceedings), etc., we may transfer any and all personal data to the relevant third party.
Legal Compliance and Security
It may be necessary for us - by law, legal process, litigation, and/or requests from public and governmental authorities within or outside the Data Subject's country of residence - to disclose personal data. We may also disclose personal data if we determine that, for purposes of national security, law enforcement, or other issues of public importance, disclosure is necessary or appropriate.
We may also disclose personal data if we determine in good faith that disclosure is reasonably necessary to protect our rights and pursue available remedies, enforce our internal regulations, investigate fraud, or protect our operations or users.
Data Transfers
Disclosures or sharing of personal data as described above may involve transferring personal data out of the EEA. For each of these transfers we make sure that we provide an adequate level of protection to the data transferred, in particular by entering into Standard Contract Clauses as defined by the European Commission decisions 2001/497/EC, 2002/16/EC, 2004/915/EC and 2010/87/EU.
We handle records of processing of personal data in accordance with the obligations established by the GDPR (Article 30), where we might process personal data. In these records, we reflect all the information necessary in order to comply with the GDPR and cooperate with the supervisory authorities in accordance with the GDPR (Article 31).
We process personal data in a manner that ensures such data appropriate security (including protection against unauthorized or unlawful processing and against accidental loss, destruction damage, etc.) using appropriate technical or organizational measures to achieve this (Articles 25(1) and 32 of the GDPR).
In case of breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed, we have the mechanisms and policies in place in order to identify it and assess the details of the breach promptly. Depending on the outcome of our assessment, we will make the necessary notifications to the supervisory authorities and communications to the affected data subjects (Articles 33 and 34 of the GDPR).
We have mechanisms and policies in place in order to identify data processing activities that may result in high risk to the data subject's rights and freedoms (Article 35 of the GDPR). If any such data processing activity is identified, we will assess it internally and either stop it or ensure that the processing is compliant with the GDPR or that appropriate technical and organizational protective measures are in place in order to proceed with it.
In case of doubt, we will contact the competent Data Protection Supervisory Authority in order to obtain their advice and recommendations (Article 36 of the GDPR).
If the Data Subject will exercise the rights granted to the Data Subject under the GDPR, please contact us at the address set forth section 10 below.
If the Data Subject is not satisfied with the way in which we have proceeded with any request, or if the Data Subject has any complaint regarding the way in which we process personal data, the Data Subject may lodge a complaint with a Data Protection Supervisory Authority.
We may change this Privacy Policy from time to time. Any changes to this Privacy Policy will become effective upon posting of the revised Privacy Policy via the Website. If we make changes which we believe are significant, we will inform the Data Subject through the Website to the extent possible and seek for the Data Subject's consent where applicable.
For any questions or requests relating to this Privacy Policy, please contact us as follows:
Legal department of X-Ability (info@x-ability.jp)