DATA PROTECTION POLICY (GDPR Version)

ADEKA Corporation (the “Company”) and certain of its wholly or majority-owned entities below (collectively, the “Group”),


・ ADEKA CORPORATION
・ ADEKA Europe GmbH
・ ADEKA POLYMER ADDITIVES EUROPE SAS
・ ADEKA USA CORP.
・ ADEKA(SINGAPORE)PTE.LTD.
・ ADEKA (ASIA) PTE.LTD.
・ CHANG CHIANG CHEMICAL(SHANGHAI)CO.,LTD.
・ ADEKA FOODS(ASIA)SDN.BHD.
・ ADEKA KOREA CORP.
・ ADEKA FINE CHEMICAL(CHANGSHU)CO.,LTD.
・ ADEKA FOODS(CHANGSHU)CO.,LTD.

have firm commitment to respect your privacy and the right to Personal Data under EU General Data Protection Regulation (“GDPR”):
(i) if the processing of Personal Data is related to the activities of the Company’s subsidiaries, affiliates, branches, representative offices and other establishments in the EEA
or
(ii) if you are in the European Economic Area (“EEA”) and if GDPR applies
Thus, the Company hereby presents its Policy on data protection, and the definitions of some of the technical words are provided in Annex 2 to this Policy. This Policy covers those issues of data protection for those national persons other than the current employees of the Group.

1. Your rights of Data Protection
The Group respects your rights to Personal Data (defined in the Annex 2) as follows:
1.1. Access: You have the right to request information on your Personal Data Processed and information related to your rights, and to obtain a copy of your stored Personal Data. (The contact details are specified in Paragraph 2.1.below).

1.2. Accuracy and Rectification: The Group seeks to ensure that Personal Data are accurate, complete and kept up-to-date to the extent reasonably necessary for the applicable Purposes. If the Personal Data are incorrect, incomplete or not processed in compliance with GDPR, you have the right to have your Personal Data rectified, deleted or blocked (as appropriate) by contacting Company.
1.3. Right to be forgotten: You have the right to obtain from the Group the erasure of your Personal Data without undue delay unless the Group have legal obligation or find public interests or other clear compelling or legitimate interest to maintain the Personal Data.
1.4. Right to restrict the Processing (GDPR§18/21)
Under certain conditions, you have the right to request that processing be limited. The requirements are:
・ The accuracy of your Personal Data is contested by you and the Group must verify the accuracy of the Personal Data;
・ The processing is unlawful, but you oppose the erasure of the Personal Data and request the restriction of their use instead;
・ The Group no longer needs the Personal Data for the purposes of processing, but you require the Personal Data to establish, exercise or defend your legal claims;
・ You have objected to processing pending the verification of whether the legitimate grounds of the Group override your legitimate interests;
1.5. Right to object to Processing: (GDPR§21)
You have the right to object to the processing your Personal Data on grounds relating to your particular situation if the Group process your Personal Data on grounds of legitimate interests or in the public interest. Insofar as the Group base the processing of your Personal Data on a balancing of interests, the Group generally assume that the Group can demonstrate compelling legitimate ground but will, of course, examine in each individual case. In the event of an objection, the Group will no longer process your Personal Data, unless the Group can demonstrate compelling legitimate grounds for the processing of these Personal Data that override your interests, rights and freedoms, or your Personal Data serves the establishment, exercise or defense of legal claims. In addition, you have an unrestricted right to object if the Group process your Personal Data for the Group’s direct marketing purposes.
1.6. Right to object to automated individual decision-making, including profiling (GDPR§22)
You have the right not to be subject to a decision based solely on automated Processing, including profiling, which produces legal effects on you or similarly significantly affects you unless the decision is:
・ necessary for entering into, or performance of, a contract between you and the Group;
・ authorized by European Union or Member State law to which the Group are subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or
・ based on your explicit Consent.
1.7. Right to data portability (GDPR§20)
You have the right to receive your Personal Data, which you have provided to the Group, in a structured, commonly used and machine-readable format and have the right to transmit those Personal Data to another company without hindrance from the Group to which you have provided, where:
・ the Processing is based on Consent or on a contract; and
・ the Processing is carried out by automated means.
1.8. Right to lodge a complaint with a supervisory authority
You have the right to lodge a complaint with a supervisory authority.

2. Details of the Processing of Your Personal Data

2.1. Controller: ADEKA CORPORATION
2.2 (address) 7-2-35 Higashi-ogu, Arakawa-ku, Tokyo, 116-8554, Japan
The contact address for GDPR in respect of all of the Group companies in the above is as follows;
The Controller’s representative: Chief Information Officer (Kohji Tajima, Director and Managing Operating Officer)
Phone number: +81-3-4455-2801 (Monday to Friday, (except public holidays) 9am-5pm in Japanese time)
FAX: +81-3-3809-8210
E-mail address: privacy@adeka.co.jp

2.3 Data Protection Officer: Not applicable (except for ADEKA Europe GmbH; see their web-site)

2.4 Unless otherwise notified, the Purposes for which Processing of the Personal Data are intended as well as the legal basis for the Processing are as follows:
2.4.1. If you are a customer, or a potential customer;
Purposes: The Purposes are conventional marketing and electronic dissemination of the Group’s products, technology, events and other business opportunities, customer services and those listed in Annex 1(a).
Legal basis: The legal basis is as follows:
2.4.1.1. “Legitimate interests”. The Group will make best efforts to maintain good balance between the legitimate interests and the right to privacy; or
2.4.1.2. performance of contract to which a customer or a potential customer is party or in order to take steps at the request of the customer or the potential customer before entering into the contract.

2.4.2.. ii. If you are a supplier or a potential supplier
Purposes: The Purposes are to assess quality and the fitness of your products and services in relation to our Company business
Legal basis: The legal basis is as follows:
2.4.2.1. “Legitimate interests”. The Group will make best efforts to maintain good balance between the legitimate interests and the right to privacy; or
2.4.2.2. performance of contract to which a supplier or a potential supplier is party or in order to take steps at the request of the supplier or the potential supplier before entering into the contract.

2.4.3. If you are an applicant for employment at our Group company:
Purposes: The Purposes are to evaluate your talent, fitness to the job and potential disadvantages and to compare them with other candidates.
Legal basis: The legal basis is as follows:
2.4.3.1. It is necessary for the hiring decision; or
2.4.3.2. Consent. See the web-site of ADEKA Europe GmbH or each of other Group Companies concerned in respect of the applicants for employment at ADEKA Europe GmbH or each of other Group Companies concerned.

2.4.4. The categories of Personal Data:
The categories of Personal Data to be processed are as follows:
2.4.4.1. If you are a customer, a potential customer, a supplier, or a potential supplier, the information on your business card and the information contained in your e-mails as well as such information as listed in Annex 1.a.
2.4.4.2 In case of the applicants for employment, the information in Annex 1.b. or a part of it.

2.4.5. The recipients or categories of recipients of Personal Data, if any, are as follows:
2.4.5.1. If you are a customer, or a potential customer, the recipients will be our sales representatives, their supervisors (including directors) and assistants as well as our distributors (including trading companies and agents).
2.4.5.2. If you are a supplier or a potential supplier, the recipients will be our employees, their supervisors (including directors) and assistants in the purchasing departments and any administrative departments as well as our distributors (including trading companies and agents).
2.4.5.3. If you are an applicant for employment: the recipients will be our employees and their supervisors (including directors) in the HR departments and any administrative departments as well as the departments to which the applicant may be assigned.

2.4.6. The fact that the Group intends to transfer Personal Data to a third country outside the EEA:
The Personal Data collected may be transferred to the following recipients or categories of recipients. The transfer of personal data from the EU/EEA to Japan can be treated as if it were transferred between EU/EEA Member States because the prohibition of transfer outside of the EEA has been lifted by the adequacy decision of the European Commission on 23 January 2019. Other transfer is justified by the Data Transfer Agreement in the Standard Contractual Clause (so called “SCC”) published by the European Commission. You can obtain a copy of the Clause agreed upon or applicable from the contact described in 2.a., in order to be sure that you have adequate level of protection.
The purposes of the transfer:
2.4.6.1. If you are a customer, or a potential customer, for marketing and advertisement, the transfer is necessary to know the needs of the customers, to develop, manufacture the products they would like and to make various practical arrangements for transactions and promotion.
2.4.6.2. If you are a supplier or a potential supplier, such transfer may be necessary to out-source goods or services.
2.4.6.3. If you are an applicant for employment, such transfer may be necessary for hiring decision, globalized talent management and cost-and-productivity analysis.

The countries and the territories of the following recipient (except for those in Japan) have not been decided by the Commission that the country, a territory or organization in question ensures an adequate level of protection. The justification for such transfer is the Standard Contractual Clauses (SCC) that the European Commission published in its Official Journal. Further, the Group makes best efforts to ensure that the following recipients should Process Personal Data at the comparable or similar level to that under GDPR:

  • ADEKA CORPORATION
  • ADEKA USA CORP.
  • ADEKA (SINGAPORE) PTE.LTD.
  • ADEKA (ASIA) PTE.LTD.
  • CHANG CHIANG CHEMICAL CO .,LTD.
  • ADEKA FOODS(ASIA)SDN.BHD.
  • ADEKA KOREA CORP.
  • ADEKA FINE CHEMICAL (CHANGSHU) CO.,LTD.
  • ADEKA FOODS (CHANGSHU) CO.,LTD.

2.4.7. The period for which Personal Data will be stored:
Following the requirement that the Processing of Personal Data shall be adequate, relevant and limited to what is necessary for achieving the purpose. (Art. 5(1c) GDPR, Preamble (78)), the Group will retain Personal Data for the period required to serve the applicable Purpose and for the period:
  • required by law, courts or authorities including applicable legal hold and litigation document preservation requirements, or by contracts and agreements;
  • as advisable in light of an applicable requirement to acquire or preserve intellectual property rights or other rights or privilege of the Data Subject, our Group or a third party;
  • as necessary to acquire or preserve legitimate interests of the Data Subject, the Group or a third party;
  • as advisable in light of an applicable statute of limitations;
  • regarding employees, the period of the employment and 3 years afterwards, and regarding candidates who were not hired, 6 months after the decision concerning the decision on the hiring; or
  • not more than 10 years in respect of Personal Data contained or attached to any accounting documents;
Unless the Controller’s representative decides otherwise, promptly after the applicable retention period has ended, the relevant Personal Data will be:
2.4.7.1. securely deleted or destroyed;
2.4.7.2. anonymized; or
2.4.7.3. set to Archived.
Our Group shall erase Personal Data after 10 years as they are presumed to have become unnecessary.

2.4.8. where the Processing is based on the legitimate interests pursued by the Group or by a third party, what the legitimate interest is. If the Controller or a third party process on the basis of “legitimate interest” it shall notify it to the data subject.
See above 2.3. and below. 
In case of a customer or potential customer, the grounds for Processing are "legitimate purposes” or performance of the contract (or request before contract).
In case of a supplier or a potential supplier, the grounds for Processing are "legitimate purposes” or performance of the contract (or request before contract).
The purposes of the Processing are as follows:
2.4.8.1. If you are a customer or a potential customer: conventional direct marketing and other forms of marketing and advertisement including dissemination of information on products, services, promotion, campaign, events and other business by email transmission, meetings and telephone calls. Understanding of the needs of the customer and potential customer.
2.4.8.2. If you are a supplier or potential supplier, it is a legitimate interest of the Group to assess quality of and the fitness of your products and services in relation to our Group’s business.

2.4.9. You have the right to withdraw your Consent, if any, at any time; Please note that the withdrawal applies prospectively only. Processing that occurred before the withdrawal of consent is unaffected.

2.4.10. You will be informed of the following: whether the provision of Personal Data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether you are obliged to provide the Personal Data and of the possible consequences of failure to provide such Personal Data;

2.4.11. The Group currently has no profiling or automated decision making in respect of a customer, potential customer, supplier or potential supplier, or applicants for employment.

2.4.12. Where your Personal Data are collected directly or indirectly through a third party, the Group shall, within a reasonable period after the collection, provide you with the whole information listed in from 2.3.1. through 2.3.11., and, regarding indirect acquisition, the categories of Personal Data and the source from which person or company the Personal Data originate (GDPR§14). (The information on legal basis under GDPR is given in the next Paragraph 4.)

2.4.13. You can lodge a complaint with a data protection supervisory authority that would have jurisdiction.

3. List of Personal Data to be collected
The Group may be led to Process various kinds of Personal Data of customer, potential customer, supplier, potential supplier as well as employee candidate for a range of purposes. See above and Annex 1(a)/1(b). These categories of Personal Data thus Processed and the Purposes for which they are Processed are described above or in Annex 1a./1.b..

4. Grounds for Processing
The Group Processes "Personal Data" only if one of the following six conditions under GDPR is met.

  • You have given Consent to the Processing of your Personal Data for one or more specific purposes.
  • Processing is necessary for the performance of a contract to which you are the party or in order to take steps at your request prior to entering into a contract;
  • Processing is necessary for compliance with a legal obligation to which Group is subject;
  • Processing is necessary in order to protect the vital interests of you or of another natural person;
  • Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Group;
  • Processing is necessary for the purposes of the "legitimate interests" pursued by the Group or by a third party, except where such interests are overridden by your interests or fundamental rights and freedoms.

5. Sensitive Personal Data (GDPR§9)
The Group shall Process Sensitive Personal Data (defined in Annex 2) only to the extent necessary to serve the applicable Purpose and according to GDPR requirements.

6. Data security, Minimization, Transparency and Compliance
Taking into account the nature, scope, context and purposes of Processing as well as the risks of varying likelihood and severity for the rights and freedoms, the Group shall implement appropriate technical and organizational measures to ensure and to demonstrate that Processing is performed in accordance with GDPR. Those measures shall be reviewed and updated where necessary (GDPR§24(1)).
Where Processing is to be carried out on behalf of the Group, the Group shall use only Processors providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that Processing will meet the requirements of GDPR and ensure the protection of the rights of the Data Subject (GDPR§28(1))

ANNEX1 (a):
CATEGORIES OF PERSONAL DATA RELATED TO CUSTOMERS, POTENTIALCUSTOMERS, SUPPLIERS AND POTENTIAL SUPPLIERS


PURPOSES:

CUSTOMERS, POTENTIAL CUSTOMERS, VENDORS AND POTENTIAL VENDORS

Purposes: Details:
Statistics Sales statistics: breakdown of sales by customer, by product, by geographical market, etc.
Analysis of Sales Analysis of customer preference, their proposals, complaints, records of any settlements for complaints, statistical analysis, market research
Servicing Records of repairs and replacement for free guarantee and costs; paid servicing and their profit and loss analysis, provision of technology and support, quality assurance, technical guide, transportation, delivery, newsletter
Marketing Planning Evaluation of various customers, expectation of sales growth, focusing of certain customers, certain product lines, and making promotional planning, meeting memo, analysis of competing products and market penetration,
Strategy Promotional campaign, sales technics, entertainment, transportation and delivery, coordination of appointments and consultation with clients and financial institutions, response to inquiries from websites, exhibitions
Reserch&Development Development of new product; new customer development, product improvements from customers, communications on European environmental, and other regulatory requirement for registration and/or approvals
Other Information exchanges required for globalization of customer developments, improvements for product quality and/or services as well as global talent managaements

Categories and classification of data:
The following categories of Personal Data will be Processed:

Categories of data Details
Information on Data Subject Name, working address, telephone and mobile numbers, e-mail address, date of birth, age, gender, language, country of residence, time zone, user pass word, hobbies and preferences, Family Information Address, meeting attendance lists, courier companies, greetings of personnel changes, skin photo; all information (including a photo) on the business cards collected; photos and videos taken on various business occasions such as exhibitions, distributor meetings, and other company events;
Products purchased Product code number(s), date or period of purchases, cumulated purchases during the fiscal year, product sold to the person in charge of the corporate customer
Sales Conditions Payment conditions, delivery conditions, prices and discount agreement, rebate practice
History Start of purchases, records of repairs, records of complaints and processing costs, orders and other records to logistics companies, entertainment records, minutes of meetings, meeting attendee list, i,a file relating to a sales achievement record, a sales promotion to a specific customer, a file of a sales strategy, information on entertainment, courier companies (overseas shipping methods such as EMS, FedEX, DHL, UPS), orders to freight forwarders, logistics companies and other ancillary records
Particular demand or proposal files on proposals for improvement or modification of products from customers as well as requests and complaints from Data Subjests:

Website visitors


Purposes: Details:
Operating of websites IP-address and cookies are processed to generate and deliver websites to visitors.
Analysis of security incidence In case of security incident logfiles are analysed to understand what has happened to reduce damage, fulfil legal obligations such as reporting to supervisory authorities close security gaps.

The following categories of Personal Data will be Processed:


Categories of data Details
website usage data IP-address, User Agent, Timestamp of access, ID used operating system, screen resolution, browser typ, browser version, plugins referrer URL , Cookies, Java-Script on/off, URL of requested resource, clickstream, technical parameter of client device (e.g. type)

Annex 1 (b) :


CATEGORIES OF EMPLOYEE APPLICANT DATA PROCESSED, AND PURPOSES OFPROCESSING

PURPOSES:
1. Hiring procedures and decision
a) Head-counting and recruiting planning
b) Selection of category of personnel to be employed
c) Possibility of temporary or interim employees
d) Evaluation of applicants
2. Evaluation of applicants and Staff-related administration:
a) Application of employment and labour law
b) Preparation of employment contract
c) Application of the Work Regulations
d) Filing requirement

Categories and classification of Personal Data:
The following categories of Personal Data will be Processed:

Categories of Personal Data Purposes
Personal identification data: name, addresses, telephone numbers, passport number, etc. 2.a.
Age, sex, date of birth, place of birth, citizenship, visa. 2.a., 2.b.,
Financial data: bank account numbers 1.a., 1.b.,
Personal characteristics: 1.b., 1.c.,
Family: marital status, cohabitation, spouse/partner name, children, parents, etc. 1.b., 1.c., 2.a., 2.b.,
Housing: Address 1.b., 2.b.,
Health-related data: physical health, psychological health, risk-inducing behaviour & situations, treatment data. Records of sick leave, medical certificates, medical examinations and the results. 1.d., 2.a., 2.b.,
Education: School records, studies curriculum, financial history of studies, qualifications, professional experience, publications, etc. 1.d., 2.a,
Profession & employment: current employment, function, task description, recruitment data, data on end of employment, career data, salary, work management & organisation, security (passwords & passcodes, security level), data on use of computer resources, etc. 1.d., 2.a,
National identification number & social security number 2.a., 2.b.,
Image recordings: photos, videos 1.d.
Other 1
Other 2


Annex 2
DEFINITIONS
‘Personal Data’ means any information relating to an identified or identifiable natural person (“Data Subject"); an identifiable natural persons is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifiers, or to one or more factors specific to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the natural person:

‘Processing’ means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

‘Restriction of Processing’ means the marking of stored Personal Data with the aim of limiting their Processing in the future;

‘Profiling’ means any form of automated Processing of Personal Data consisting of the use of Personal Data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;

‘Filing system’ means any structured set of Personal Data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;

‘Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data; where the purposes and means of such Processing are determined by Union or Member State law, the Controller or the specific criteria for its nomination may be provided for by Union or Member State law;

‘Consent’ of the Data Subject means any freely given, specific, informed and unambiguous indication of the Data Subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the Processing of Personal Data relating to him or her;
"Archive" means a collection of Personal Data that are no longer necessary to achieve the Purposes for which the Employee Data originally were collected or that are no longer used for general business activities, but are used only for historical, scientific or statistical purposes, dispute resolution, investigations or general archiving purposes after having pseudonymised or set that is subject to appropriately enhanced security and has restricted access (e.g., only by the system administrator and the Data Protection Officer, );

"GDPR" means REGULATION (EU) 2016/679 0F THE EUROPEAN PARLIAMENT AND OF THE COUNCIL OF 27 April 2016 on the protection of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC.

"Data Protection Officer” means the officer appointed to the extent the Group satisfies the conditions under GDPR or Article 38 of German Act to Adapt Data Protection Law to GDPR.

"Purpose(s)" means the purposes for Processing that are set out in Annexes 1.a. and 1.b. hereto and that were communicated to the Data Subject;

"Sensitive Personal Data" means as provided for in Article 9 of GDPR Personal Data as the Special Categories of Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the Processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation as well as Criminal information;