Chapter 1. Handling of Personal Information at CYBERDYNE
2. Scope of application
3. Purposes of using personal information
CYBERDYNE utilizes personal information obtained from customers/employees for the following purposes (collectively, the “purposes”):
(1) Purposes of utilizing customer’s personal information
1. For receiving applications for and providing the products and services offered by CYBERDYNE
2. For guidance, provision and management of other services and products offered by CYBERDYNE
3. For research, analysis and recruiting activity related to CYBERDYNE’s business.
4. For all operations incidental or related to 1 – 3 above.
5. For implementation of questionnaires concerning the services and products, etc., offered by CYBERDYNE
6. For development of new services and products
7. For guidance, operation, management and provision of information regarding various events and campaigns
8. For notification of services and products offered by CYBERDYNE
9. For guidance, operation, management and notification of services, products, events and campaigns of CYBERDYNE as well as its group companies and partner companies
10. For fulfilling obligations and delivering printed materials to CYBERDYNE’s shareholders
11. For responding to inquiries and requests
(2) Purposes of utilizing employee’s personal information
1. For recruitment and employment, social insurance, provision of benefit packages, business communication, legally required procedures and any other procedures related to employment management
2. For decision and payment of salary, tax withholding procedures, payment of prefectural and municipal inhabitants’ taxes, and any other procedures related to salary payment
3. For performance evaluation, posting, promotion, secondment, leave of absence, reinstatement and any other procedures related to personnel changes
4. All operations incidental or related to the above
4. Acquisition of personal information
CYBERDYNE will obtain the following personal information from customers and employees by fair and appropriate means in order to achieve the purposes defined in Article 3. The following items are merely examples and, depending on the case, may not be considered personal information.
(1) Acquisition of personal information from customers
1. Personal information provided to CYBERDYNE by the customer when applying for or using the services or purchasing, renting or using the products
The customer’s name, gender, date of birth, address, telephone number, fax number, email address, business contact, mailing address, physical and medical information relating to use of the products or services and information related to the usage of other products or services.
2. Information provided to CYBERDYNE by the customer upon visiting CYBERDYNE’s website
When the customer visits the CYBERDYNE website that provides the services to users, the IP address, cookies, web beacons, etc. will be obtained from the customer’s browser, and information on advertisements, access history, the access status of websites and the customer’s usage environment will be collected automatically.
(2) Acquisition of personal information from employees
1. Basic information of employees such as name, address, department, title, etc.
2. Information regarding employee’s family such as names and existence of dependents, etc.
3. HR information such as qualification/license, personnel changes, performance evaluation, official commendation and disciplinary punishment
4. Information related to salary, bonus, retirement allowance and pension, etc.
5. Information related to benefit packages such as status of use of welfare programs
6. Information related to health such as health check results
5. Choice by the customers/employees
As a rule, CYBERDYNE obtains personal information by the volition of the customers/employees. Customers may experience disadvantages if they refuse to provide their personal information, such as being unable to make use of the various services provided by CYBERDYNE, or being unable to receive campaign notices and other CYBERDYNE information because part or all of the functions of CYBERDYNE’s system become inoperable and thereby unavailable. The same circumstances will apply to employees who are engaged in CYBERDYNE’s business operations. Please note that customers/employees may at any time change their contact information, in a manner designated separately by CYBERDYNE.
6. Disclosure and provision of information to third parties
CYBERDYNE will not disclose or provide the personal information of customers/employees to any third parties, except under the following circumstances:
1. Customer’s/employee’s consent has been obtained;
2. Disclosure or provision is required or within the scope allowed by laws or regulations;
3. Disclosure is required to protect human life, health, or property in cases where obtaining customer’s/employee’s consent is difficult;
4. Disclosure is required to cooperate with the public affairs of national or local governments, and when obtaining customer’s/employee’s consent is likely to hinder the administration of public affairs;
5. Disclosure or provision of information as statistical data (in a format that does not disclose the customer’s or employee’s identity);
6. Provision of information as a result of the succession of business due to a merger, company split, transfer of business or otherwise;
7. Provision of information in accordance with procedures based on laws and regulations, under the condition that the following information can be easily checked by the customer or employee themselves through the CYBERDYNE website, etc., and that the customer/employee has not declared their wish to refuse provision of their information:
① The purpose of obtaining information is to provide such information to a third party;
② The specific personal data items to be provided to a third party;
③ The means by which such personal information is provided to a third party;
④ The fact that the provision of information will be suspended upon the customer’s/employee’s request; and
⑤ The methods for accepting requests from customers/employees
Further, personal information of the customer/employee which includes sensitive information will not be provided to a third party for any reason, unless such provision is stipulated under the laws or regulations or consent is obtained from the customer/employee. Data sharing or provision to business entrusted companies shall not be considered as disclosure or provision to a third party.
7. Data Sharing
CYBERDYNE will share customer/employee information as follows:
(1) Scope of Data Sharing
CYBERDYNE, INC., its consolidated subsidiaries and affiliated companies accounted for by the equity-method as stated in the annual securities report, etc.
(2) Purpose of use by the user
1) Personal information of customers
1. For development of new services and products, etc.
2. For notification of new products and services
3. For delivery and transfer to relevant company in the event of an inquiry, application for use or other request from a customer regarding products and services provided by CYBERDYNE or its group companies
4. For appropriate and smooth fulfillment of other transactions with customers, etc.
2) Personal information of employees
For using personal information of employees such as information defined in “3. Purposes of using personal information” and to conduct business communications.
(3) Personal information items to be shared
1) Personal information of customers
Customer ID, customer name, gender, date of birth, address, telephone number, fax number, email address, business contact (name of company, department, title, address, telephone and fax numbers), mailing address, information on physical conditions or diseases related to service offered by CYBERDYNE, record of service use, vital information (heart rate, blood pressure, pulse), transaction history, etc.
2) Personal information of employees
Employee name, address, department, title and other basic information of the employee stated in “4. Obtaining personal information”
(4) Head of administration for data sharing
8. Business entrustment
In providing products and services to customers or handling the personal information of employees, CYBERDYNE may entrust part of its business operations to third parties to which personal information may also be disclosed to the extent required to achieve the purposes of the entrustment. In these cases, CYBERDYNE will implement all appropriate measures in managing and supervising such third parties to safeguard the handling of customers’/employees’ personal information, including executing agreements on the handling of such personal information.
9. Transfer to outside of Japan
If CYBERDYNE provides customers’/employees’ personal information to third party business operators outside of Japan, including business entrusted companies and data sharing partners, CYBERDYNE will take necessary and appropriate measures in compliance with the laws and regulations.
10. Management of personal information
In receiving customers’/employees’ personal information, CYBERDYNE will manage such information according to the strictest standards and take the utmost care to prevent leaks, losses, or alterations. CYBERDYNE ensures that its officers and employees are properly trained regarding appropriate handling to safeguard the security of information identifying individual customers/employees. An appropriate retention period for personal information will be established in accordance with the purpose for which such information is used. After the purpose of the information has been achieved, CYBERDYNE will dispose of the information in question by appropriate methods.
11. Requests about handling of personal information
If CYBERDYNE receives a request from a customer/employee, submitted in the manner specified, regarding the disclosure, correction, deletion, addition, discontinuance, or erasure (hereinafter, “disclosure, etc.”) of such customer’s/employee’s personal information stored in a database held by CYBERDYNE, the request will be handled as follows, within a reasonable timeframe and scope, after confirming that the request was submitted by such customer/employee themselves.
(1) Request for disclosure
Personal information items will be disclosed in accordance with the customer’s/employee’s request.
(2) Request for correction, deletion, or addition
Correction, deletion or addition of personal information will be undertaken wherever possible after due review of the request.
(3) Request for discontinuance or erasure
The use of personal information items designated by customers/employees will be discontinued, and the relevant information erased if so desired, in accordance with the submitted request. However, please note that such requests may prevent customers from being provided with services that they have utilized, or may impede the provision of services in accordance with their wishes. For the employees, it may prevent them from engaging in company business.
CYBERDYNE may not be able to fulfill the customers’/employees’ requests if compliance with such request would seriously impede CYBERDYNE’s business operations or result in a violation of the laws and regulations.
12. Submission of request for disclosure, etc.
The method for submitting requests for disclosure, etc., or notification of purposes of use of personal information received by CYBERDYNE from a customer/employee is as follows:
(1) How to make requests
Please send the required documents by postal mail or e-mail to the address below.
Personal Information Handling Desk, Corporate Department
2-2-1, Gakuen-minami, Tsukuba, Ibaraki, 305-0818, Japan.
(2) Documents required for confirmation of identification of individual, etc.
1) For the individual
Copies of two from the following: driver’s license, passport, health insurance certificate, basic resident registration card with photo, pension insurance booklet, physical disability certificate, resident card or special permanent resident certificate, certificate of seal registration, Individual Number Card (front side only)
2) For a representative (Both (a) and (b) below are required)
(a) Letter of proxy (legal representatives must provide a certifying document)
(b) Document to identify the representative (copies of two from the following: driver’s license, passport, health insurance certificate, basic resident registration card with photo, pension insurance booklet, physical disability certificate, resident card or special permanent resident certificate, certificate of seal registration, Individual Number Card [front side only])
A fee may be charged depending on the type of request.
Chapter 2. Handling of personal information of EEA residents at CYBERDYNE
In addition to Chapter 1, Chapter 2 also applies to the handling of personal information of customers/employees residing in the European Economic Area, which consists of the European Union member States, Norway, Iceland and Liechtenstein (the “EEA”), based on the “REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC” (the “GDPR”). In the event that any provision of this chapter contradicts those of Chapter 1, the provisions of this chapter shall prevail. In particular, items 6. and 9. in Chapter 1 do not apply to the handling of personal information of customers and employees residing in the EEA.
1. Legal basis for handling personal information
2. Request about handling of Personal Information
An EEA resident has the right to withdraw their consent, request a copy of their personal information, request correction, request deletion or limitation of the usage of personal data, and request data portability from CYBERDYNE. Furthermore, an EEA resident may object to the handling of their personal information (including personal information handled by CYBERDYNE for direct marketing) if it is recognized by law.
If CYBERDYNE receives a request from an EEA resident, submitted in the manner specified, for copying, correcting, deleting and limiting the usage of their personal information, the request will be handled as follows, within a reasonable timeframe and scope, after confirming that the request was submitted by the customer/employee themselves according to Chapter 1, Article 11 (Request about handling personal information).
(1) Request for withdrawal
Personal information will be deleted or suspended in accordance with the customer’s or employee’s request, wherever possible and appropriate, after due review of the request.
However, please note that such requests may prevent customers from being provided with services that they had utilized, may impede the provision of services in accordance with their wishes, or may prevent employees from engaging in CYBERDYNE’s business.
(2) Request for data portability
A copy of the personal information held by CYBERDYNE will be provided in accordance with the customer’s/employee’s request, wherever possible and appropriate, after due review of the request.
(3) Objection to data processing
The use of personal information will be suspended, wherever possible and appropriate, after due review of a request therefor.
(4) Making a request or an objection
Customers/employees may submit such request by the method provided in Chapter 1, Article 12.
3. Transfers to outside the EEA
1. If the third party is located in a country outside the EEA, that country does not have the same data protection laws as the EEA, and many of the rights provided in the EEA to data subjects will not necessarily be secured.
2. The customers’/employees’ personal data may be provided for the purposes specified above to the subsidiaries and affiliates of CYBERDYNE or third parties, outside the EEA.
4. Change of purposes of use of personal data
5. Lodging a complaint with an authority
Customers/employees have the right to lodge a complaint about the processing of their personal data with the data protection authority having jurisdiction over their residence. Customers/employees are requested to use the following URL to contact the authority having jurisdiction over their residence: http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=612080
6. Holding period of personal information
CYBERDYNE will store personal information for 10 years after obtaining the information; provided, however, that this shall not apply in the case where CYBERDYNE is obliged or allowed to store the same for more than 10 years due to the provisions of laws or regulations or of contracts.
(as of October 17th, 2018)
How we deal with customer/employee personal information on our website
By using the CYBERDYNE website the customer/employee is deemed to have understood and agreed to the following content:
■ Security technology which protects personal information
To protect against illegal access by unauthorized third parties, personal information is secured by encrypting it using SSL (Secure Sockets Layer) encryption technology and other similar technologies. This means that any information provided by customers/employees when using this site cannot be accessed by an unauthorized third party. Furthermore, a firewall, anti-virus measures and other reasonable security measures have been installed to prevent disclosure, appropriation, alteration, etc. of personal information.
Structure of SSL (Secure Sockets Layer)
With SSL, a digital “handshake” (digital confirmation and digital signature) takes place between CYBERDYNE and the customer, in which security is mutually confirmed; upon mutual confirmation, the customer’s personal information is sent by the customer. At that time, the data is encrypted, and this prevents the data from being sent to any third-party identity thieves.
Moreover, the data transmitted through SSL is encrypted using two types of encryption, namely public key encryption (RSA) and a common key (private key) encryption scheme. A key is required to decrypt such information. Even when data is intercepted by a third party, such encrypted data cannot be decrypted without the correct key. Even though the number of types of keys is limited, it would take an unrealistically long time to find the correct key by trying each key in order, even electronically using devices such as a personal computer, and thus it can be said that it is extremely difficult for a third party to decrypt the information.
3. Collection of data
■ Site access
So that our customers can use our website with greater ease, the information below is collected.
CYBERDYNE will collect Cookies for the purpose of providing the following information.
· Log-in data for online service provided by CYBERDYNE
· Data from personalized pages for customers
· Registration data including special campaigns, etc.
· Site access history (using Web beacon*2)
Customers may block Cookies at any time through their browser settings. It is recommended that customers set their browser to only accept cookies from websites they can trust. However, please be advised that without the cookie, the speed of the website may substantially decrease.
(2) Regarding use of IP Address *3
CYBERDYNE will collect IP addresses for the purpose of providing information suited to the customer’s region. When the customer views the CYBERDYNE website, the region the customer is accessing from will be determined based on the IP address, but the customer will not be identified.
When CYBERDYNE sends e-mail to our customers, the following data may be collected:
· The status of HTML emails, i.e., whether they have been opened or previewed (using Web beacon*2)
· Whether our website has been accessed via a link in a text email or HTML mail.
1. A Cookie is a function by which the fact that the user visited a specific website is stored on that user’s computer. Information that can identify the individual, such as e-mail address or name, is not among the data collected through the Cookie.
3. Users may choose for themselves, through the settings of the web browser they use, whether the Cookie may be used for each purpose. If the user accepts the Cookie and then visits the CYBERDYNE website, the user is deemed to have agreed to CYBERDYNE’s use of the information that the user visited our website.
* In order to gain full advantage of our website, it is recommended that the user accepts the Cookie.
*2 Web beacon
A web beacon is a mechanism consisting of minute images invisible to the naked eye (1×1 pixel GIF) that are embedded into webpages or HTML emails and used to record the following data: opening/previewing of emails, and access to websites using links in emails.
*3 IP Address
This is a number automatically assigned when the customer visits various websites. The webserver (the computer providing the website) automatically recognizes the customer’s computer based on the IP address and connects.