|Applicable privacy laws and regulations||The EU General Data Protection Regulation (GDPR), the UK Data Protection Act, and Japan’s Act on the Protection of Personal Information|
|GDPR||The EU General Data Protection Regulation|
|Controller||“Controller” means a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.|
|Personal data||“Personal data” means any information related to an identified or identifiable natural person (the “data subject”). An identifiable natural person is someone who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.|
|Data subject||“Data subject” means an identified or identifiable natural person whose personal data is processed by a controller who processes personal data.|
|Processor||“Processor” means a natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller.|
|Recipient||“Recipient” means a natural or legal person, public authority, agency or another body, to which personal data is disclosed, whether a third party or not. However, public authorities that may receive personal data within the framework of a particular inquiry in accordance with European Union or member state law shall not be regarded as recipients. The processing of data by public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.|
|Third Party||“Third party” means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons that, under the direct authority of the controller or processor, is authorized to process personal data.|
|Restriction of processing||“Restriction of processing” means the marking of recorded and stored personal data to restrict the processing of that data in the future.|
|Processing||“Processing” means any operation or set of operations that is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organizing, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.|
|Profiling||“Profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person. In particular, it means to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.|
|Consent of the data subject||“Consent of the data subject” means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.|
2. Name and address of controller
Name: Toei Animation Co., Ltd.
Address: 5F Nakano Central Park East, 4-10-1 Nakano, Nakano-ku, Tokyo 164-0001
3. Address of data protection officer (DPO)
4. Name and address of principle supervisory organization
Information Commissioner’s Office
Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, UK
Telephone: +44(0)303 123 1113
The data subject has the right to lodge a complaint with the above-mentioned supervisory organization at any time. However, we would ask data subjects to contact the data protection officer (DPO) described in section 3 above in advance, so that we have an opportunity to respond to the complaint before the data subject contacts the supervisory authority.
Note: Types of cookies
- Classified by duration
- Session cookies: Cookies that are deleted when the user closes the browser window
- Persistent cookies: Cookies that remain on the user’s computer or device for a predefined period of time
- Classified by attribution
- First-party cookies: Cookies set by the web server that can only be shared within the same domain
6. The purposes of processing personal data
- Processing purposes
Our company processes personal data for the following purposes.
- Personal information about customers and business partners
- The provision of services, such as installation, maintenance, inspection, and repairs of products related to our business
- Planning, research, development, testing, and demonstration of products related to our business
- Controlling access to our facilities
- Business contact information management, payments, and income processing
- Communications, business negotiations, and the conclusion of contracts necessary for business
- Responding to various inquiries
- Personal information about job applicants
- Contacting and sharing job information with job applicants
- Managing hiring operations at our company
- Personal information about employees
- Personnel and labor management
- Payment of compensation, salary, bonuses, etc.
- Procedures for social insurance, taxes, etc.
- Contacting and providing information to labor unions, health insurance associations, corporate pension funds, affiliated companies, and assignee companies
- Procedures related to employees leaving the company
- Contacting personnel during emergencies
- Sending notices and reports to government agencies
- Notification, reporting, and communication with customers and business partners related to our business
- Other necessary business-related procedures and communications
- Personal information about customers and business partners
- Sources from which personal data will be acquired
Our company will acquire personal data for the purposes described in section (1) above from the following sources.
- Direct acquisition from the data subject (example: personal data written on an application form)
- Indirect acquisition from the data subject (example: an IP address acquired when he or she visits our website)
- Publicly available information (information available on the Internet)
- Social media (examples: Twitter, LinkedIn, and Facebook)
- Surveys provided by third parties
- Types of personal data that will be acquired
- Personal attributes
- Personal purchase history related to personal data processed by our company
- Products and services provided
- Financial information
- Employee information
- Providing and sharing personal data
Our company might need to share data with the following third parties for the purpose of the processing described in section (1) above. Whenever this is necessary, our company will comply with applicable privacy laws and regulations.
- Other companies in our group
- Professional specialists, such as lawyers, tax accountants, and certified public accountants
- Financial institutions
- Current, past, and future employees
- Service providers and suppliers
7. Legal grounds for processing personal data
The legal grounds that allow the processing of personal data are as follows.
- If the data subject has given his or her consent for his or her personal data to be processed for one or more specific purposes.
Note: If the processing is based on the data subject’s consent as described in item (1) above, then the data subject has the right to withdraw his or her consent.
- If the processing is necessary in order to execute a contract to which the data subject is a party, or to execute a procedure at the request of the data subject prior to the signing of a contract.
- If processing is necessary in order to comply with legal obligations to which the controller is subject.
- If processing is necessary in order to protect the vital interests of the data subject or another natural person.
- If processing is necessary for the execution of an operation performed in the public interest or to exercise official authority granted to the controller.
- If processing is necessary for legitimate interests pursued by the controller or a third party. However, the data subject’s fundamental rights and freedoms — particularly when seeking the protection of the personal data of a data subject who is a child — shall prevail over such interests.
Note: “Legitimate interests” in (6) refers to a legitimate legal basis for processing in the following instances.
- Marketing (direct marketing) to customers
- Providing customer service to customers
- Accepting applications for employment at the company
8. Rights of the data subject
Applicable privacy laws and regulations, including GDPR, grant the following rights to data subjects. Data subjects may contact our company’s appointed data protection officer (DPO) at any time in order to assert these rights.
- Right to information
If a controller collects personal data from a data subject, it must provide the data subject with certain information at the time the personal data is obtained.
- Right of access
If the data subject requests access to the personal data being processed, the controller must provide a copy of the personal data.
- Right to rectification
The data subject can demand that the controller rectify inaccurate personal data.
- Right to erasure (right to be forgotten)
The data subject shall have the right, under certain conditions, to obtain from the controller the erasure of personal data concerning himself or herself without undue delay.
- Right to restriction of processing
The data subject shall have the right to obtain from the controller restriction of processing under certain conditions.
- Right to be notified regarding rectification and erasure of personal data and restriction of processing
If the data subject asserts the rights described in items (3), (4), and (5) above, the controller shall communicate that processing to the recipients of the personal data. The controller shall also inform the data subject about those recipients if the data subject requests it.
- Right to data portability
The data subject shall have the right to receive personal data concerning him or her in a structured, commonly used and machine-readable format. The data subject shall also have the right to transmit that data to another controller without hindrance from the controller to whom the personal data was originally provided.
- Right to object
The data subject shall have the right to object to the processing of his or her personal data on the basis of legitimate interests pursued by the controller or a third party.
- Right not to be subjected to automated processing, including profiling
The data subject shall have the right not to be subjected to a decision based solely on automated processing, including profiling, that has legal consequences for him or her or that significantly affects him or her in a similar manner. Moreover, our company shall not conduct any automated processing, including profiling, related to the personal data of data subjects.
9. Safety control measures
As the controller, our company has put in place adequate technical and organizational safeguards for the protection of personal data. If a data subject has concerns about a particular method of data transfer, we will implement adequate alternative measures.
10. Cross-border data transfers
Our company may transfer the personal data of data subjects from our business facilities (branches, representative offices, local subsidiaries, and so on) in countries and regions within the EU to sales offices in Japan and to other international offices of group companies. The personal data of data subjects that may be transferred includes the personal data of customers and the personal data of employees at business facilities within the EU.
The transfer of personal data to Japan shall be based on certification of an adequate level of data protection related to the cross-border transfer of data obtained by the government of Japan or on standard contractual clauses that our company has already entered into.
The transfer of personal data to third-party countries other than Japan and the EU (except for countries and regions that have obtained adequacy certification) will be carried out through a method based on standard contractual clauses our company has entered into.
For more information on adequacy certification by the government of Japan, please see the European Commission website (https://ec.europa.eu/info/law/law-topic/data-protection_en).
Please contact the data protection officer (DPO) for information on how to obtain the standard contractual clauses our company has signed.
11. Retention periods for personal data
The retention periods for personal data are the legal retention periods of Japan and the various EU member states. Personal data shall be deleted promptly and securely after the legal retention period has expired, unless that data remains necessary for contractual purposes or other processing purposes.
12. General provisions