Enacted: May, 2020
1. Purpose of enactment of this Policy
In the event that Daifuku Co., Ltd. and its group companies ("Daifuku") collect personal data concerning
an individual ("Data Subject") who is protected by the EU General Data Protection Regulation ("GDPR")
and/or other applicational laws of countries in which Daifuku operates, Daifuku shall handle personal data
as set out below, giving precedence to relevant national laws over the GDPR where relevant national laws
exist, and observing GDPR-like rules otherwise. The handling of personal data about employees shall be
determined separately in accordance with policies implemented within the Daifuku Group.
2. Lawfulness of processing
Daifuku processes personal data when the law allows it to and it has the Data Subject's consent and
usually when Daifuku has one of the following legal bases:
- (1)where it is necessary for
Daifuku's legitimate interests,
- (2)to enable Daifuku to
fulfil the contract it has entered into with the Data Subject, and
- (3)where Daifuku needs to
comply with any legal obligations.
3. Types of personal data collected
1. Daifuku collects the following types of personal data:
- (a)basic information used
to identify the Data Subject (e.g. name, date of birth, gender);
- (b)information needed to
contact the Data Subject (e.g. telephone number, mobile number, email address); and
- (c)technical information
that could be used to identify the Data Subject (e.g. IP address, type and version of browser used).
2. Daifuku does not collect the following personal data without the prior
explicit consent of the Data Subject:
- (a) data about political
opinions or religious beliefs, and
- (b)data concerning health.
4. Purpose of collection and use
Daifuku generally uses the personal data it collects for the purposes shown below.
1. Personal data collected from customers and business partners (includes
potential customers and business partners):
- (a)to provide the products
and services handled by Daifuku and to provide information about these products and services;
- (b)to plan, research and
develop products and services;
- (c)to deal with inquiries;
- (d)to conduct negotiations
and meetings, to contact customers and business partners and to execute business operations relating
2. Personal data collected from shareholders and investors (includes potential
shareholders and investors):
- (a)to manage shareholders,
investors and shares;
- (b) to allow shareholders
to exercise their rights and to fulfil obligations;
- (c)to prepare documents and
create records and data in accordance with applicable national laws;
- (d)to provide data to
- (e) to otherwise take
action in accordance with the provisions of laws or directives, guidance, etc. issued by the
3. Personal data collected from job applicants, those wishing to visit the
company or its demo center and those who access the Daifuku website:
- (a)to conduct recruitment
activities and business operations related thereto; and
- (b)to provide information,
refreshments, etc. to visitors to Daifuku's offices or its demo center.
5. Rights of the Data Subject
5.1 Protected rights of the Data Subject
With respect to personal data managed by Daifuku, the following rights of the Data Subject are
- (1) the right to be
informed (the right to be informed about the details such as the identity of the controller, the
purposes of the processing, legitimate interests pursued by the controller, and when the controller
collects personal data);
- (2)the right of access (the
right to obtain from the controller confirmation as to whether or not personal data is held concerning
him or her);
- (3)the right to
rectification (the right to obtain from the controller without undue delay the rectification of
inaccurate personal data concerning him or her);
- (4) the right to erasure
(the right to obtain from the controller the erasure of personal data concerning him or her);
- (5)the right to restrict
processing (the right to obtain from the controller restriction of processing);
- (6) the right to data
portability (the right to receive the personal data concerning him or her, which he or she has
provided to a controller, in a structured, commonly used and machine-readable format and the right to
transmit to another controller without hindrance from the controller);
- (7)the right to object (the
right to object, on grounds relating to his or her particular situation, at any time to processing of
personal data concerning him or her);
- (8) the rights in relation
to automated decision making and profiling (the right not to be subject to a decision based solely on
automated processing, including profiling).
5.2 Point of contact for exercise of the above rights
Information System Department
Finance and Accounting Division
Daifuku Co., Ltd.
Daifuku may entrust the processing of personal data to a third party. In this case, Daifuku shall enter
into an agreement with the processor stipulating that the processor
- (1)processes the personal
data only on documented instructions from Daifuku,
- (2)commits to
- (3)takes all measures
required to ensure data security,
- (4)assists the exercise of
the Data Subject's rights, and
- (5)returns all the personal
data (including copies) to Daifuku once the purpose of processing ceases to exist.
7. Records of data processing
As the controller of the personal data, Daifuku manages records of the processing of personal data in its possession.
Daifuku also periodically updates records of the processing of this personal data.
8. Retention period
Daifuku retains personal data for the minimum period necessary to achieve the abovementioned purposes of collection of personal data and only for the amount of time required by law or for accounting purposes or similar reporting requirements.
9. Data security
Daifuku properly implements organizational security management measures, including developing and applying regulations such as the Information Security Basic Policy, as well as technical security management measures such as the anonymization and encryption of personal data, and the establishment of a periodic inspection process.
10. Notification of personal data breaches
In case of a data leak or other breach of security, Daifuku has put in place a framework for reporting to the supervisory authorities responsible for protecting personal data within the required timeframe, and also engages in appropriate communication with the Data Subject.
11. Transfer to a third country
Daifuku shall transfer personal data to a company located outside the European Economic Area or a third country only if the measures considered necessary under Japan's "Supplementary Rules under the Act on the Protection of Personal Information for the Handling of Personal Data Transferred from the EU based on an Adequacy Decision" have been taken.
12. Revisions and updates to this Policy