Additional Provisions for the Data Subjects in EEA
For individuals residing in the European Economic Area (“EEA”), Phybbit Ltd. has adopted the following additional provisions for the processing ('processing' means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction) of personal information and other information provided by individuals residing in EEA based on the General Data Protection Regulation (“GDPR”).
1. Processing of the Information
(1) Categories of the information
We collect and retain from individuals residing in EEA the Information including the following categories (collectively the “Information”):
- Basic information (name, address, phone number, e-mail address, etc.)
- Additional information (occupation, title, office information (company name, address, telephone number, department name), etc.)
- Informative matters/Messages (e-mail, website form input, fax, a phone note, letter, the answers to the questionnaires, etc.)
- Information collected on the internet (IP address, device and OS information, cookies, mobile identifiers such as the ID for Advertising for iOS (IDFA), Google Advertising ID or similar mobile identifiers, interactions within an app, information regarding which advertisements have been seen or clicked on, etc.)
(2) Purposes of use:
(3) Acquisition of the Information
We collect the Information from the following sources in conducting business related to our facilities, services and products:
- Direct acquisition from an individual: by telephone, letter (including email and other electro-magnetic records), business cards, verbally, through the internet, etc.
- Acquisition from persons with proper authorization to provide information for an individual: an individual applying on behalf of another, a party introduced by as second party, business partners and agents.
- Acquisition from published material or public sources: internet, newspapers, telephone directories, books and other publications, etc.
- Acquisition from third parties’ data analytics tools embedded in third party websites and mobile applications
(4) Provision to a third party:
We provide the Information to a person who falls under any of the following items:
- a business operator whom we entrust with handling of the Information;
- a Joint User among which we jointly use personal Information; and
- information providing destination specified by laws and regulations, etc., in case of provision of the Information under laws and regulations, etc.
(5) Retention Period
We retain the information for the period necessary to accomplish its purpose of processing. Following the retention period, we eliminate or anonymize such Information in a secure way within a reasonable period of time.
2. Legal Basis
We process the Information based on your consent in principle. The processing of the Information in the absence of your consent shall be based on (i) the necessity for the performance of the contract with you, (ii) the necessity to take steps at the request of you prior to entering into a contract, (iii) the necessity for the purposes of the legitimate interests pursued by us or a third party, or (iv) the necessity for compliance with a legal obligation to which we are subject.
The legitimate interests pursued by us or a third party include (i) an increase in operating income from marketing and improvement of services, and (ii) improvement of the convenience, security, etc., of our website and services.
3. Transfer of the Information to a Third Country located outside of EEA
We store the Information in Japan. In addition, we may transfer the Information to business partners of us located in countries outside of EEA.
We may transfer the Information to third parties located in countries outside of the EEA, where the Information may not receive the adequate protection, as they do not have legal frameworks for the protection of Information equivalent to that of the EU.
4. Data Subject’s Rights
You have the following rights with respect to us based on laws and regulations and you may exercise these rights by contacting our DPO. In the event that you exercise these rights, we will respond in good faith, barring statutory exceptions, after confirming that the requesting person is the person in question.
- The right of access: The right to obtain confirmation as to whether or not the Information concerning you is being processed, and where that is the case, (the right to) access to the Information and the accompanying information.
- The right to rectification: The right to obtain the rectification of inaccurate Information concerning you.
- The right to erasure: The right to obtain the erasure of personal information concerning you in certain cases.
- The right to restriction of the processing: The right to obtain restriction of the processing in certain cases.
- The right to object to the processing: The right to object the processing of Information based on the purposes of the legitimate interests pursued by us or third parties.
- The right to data portability: The right to receive the Information concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from us.
5. Withdrawal of Consent
You can withdraw consent on the processing of information at any time. Withdrawing consent does not affect the lawfulness of the processing based on consent before the withdrawal. You can withdraw consent by contacting our DPO.
6. Lodging a Complaint with an Authority
You have the right to lodge a complaint on the processing of Information with the protection authority having jurisdiction over your residence.
7. Automated Individual Decision-Making, including profiling
We do not make decisions based solely on automated processing, including profiling.
8. Security and confidentiality measures
We handle the Information with appropriate security and confidentiality measures.
9. Data Protection Officer（DPO）and EU Representative and these contacts
Data Protection Officer
BIS Nishiazabu 4F, 4-22-12 Nishi-Azabu, Minatoku, Tokyo 106-0031
(2) EU Representative
Gonçalo Duarte Garcia Pereira
Phybbit Office, R. Abranches Ferrão 23, 1600-892 Lisboa, Portugal