Silicon Light

EU Personal Data Protection Policy and Procedure

General Provisions

Article 1 (Purpose)

This Policy provides basic matters concerning the processing of EU personal data of natural persons in the EU region (as defined below) that Company holds, in accordance with the EU General Data Protection Regulation (GDPR). This Policy aims to ensure that Company practices EU personal data protection in the course of its activities.

Article 2 (Definitions)

The terms used in this Policy are defined as below:

  1. ‘EU region’ means the EEA (European Economic Area) participating countries, including the EU Member States at the time of establishment of this Regulation and in the future;
  2. ‘EU data subject’ means a natural person in the EU region who is identified or identifiable; in particular, a person who can be identified, directly or indirectly, by reference to identifiers such as a name, an identification number, location data, an online identifier, or factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person;
  3. ‘EU personal data’ means any information relating to an EU data subject that is recorded in a list, held in a filing system, or automatically processed by an information system;
  4. ‘EU personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, EU personal data transmitted, stored or otherwise processed;
  5. ‘Supervisory authority’ means an independent public authority established by an EU Member State that is responsible for monitoring the application of laws on EU personal data protection in the EU;
  6. ‘holding company’ means SCREEN Holdings Co., Ltd.

Article 3 (Scope)

This Policy applies to all executives and employees (including temporary and part-time employees; hereinafter referred to as ‘employees’) of Company.

EU personal data management system

Article 4 (Appointment of EU personal data management officer)

In order to achieve the purpose of this Policy, Company appoints the Chief Officer of CSR Management (or, in his or her absence, a director) as the EU personal data management officer. The EU personal data management officer shall be subject to the supervision of the General Manager of EU Personal Data established at the holding company.

Article 5 (EU Personal data management officer)

  1. The EU personal data management officer holds overall responsibility and authority for appropriately processing the acquisition, utilization, provision and management of EU personal data that Company owns, and for responding to requests such as disclosure and rectification from EU data subjects in accordance with this Policy. The EU personal data management officer may appoint a Supporter to assist him or her;
  2. The chief of each division that processes EU personal data has responsibility and authority concerning the processing of EU personal data in that division;
  3. The EU personal data management officer assigns the General System Manager responsibility for the operation of the information system that processes EU personal data. The General System Manager shall be subject to the supervision of the system supervisor set up in the holding company;
  4. The EU personal data management officer sets up the EU personal data complaint reception desk;
  5. The EU personal data management officer shall establish specific procedures to comply with this Policy and review them periodically under the supervision of the General Manager of EU Personal Data.

Obligations of the EU personal data management officer

Article 6 (Safeguards)

The EU personal data management officer shall implement appropriate technical and organizational measures to protect EU personal data. Additionally, the EU personal data management officer shall provide necessary and appropriate supervision and training for employees to ensure the security of processing EU personal data.

Article 7 (Data protection impact assessment)

The EU personal data management officer shall establish procedures for data protection impact assessment and carry out the assessment in accordance with the Guideline for Processing EU Personal Data, which is prescribed separately (hereinafter referred to as the ‘Guideline’), in order to assess the risks associated with new processing of EU personal data.

Article 8 (Establishment of inquiry desk)

The EU personal data management officer shall establish an inquiry desk to respond to the following requests from EU data subjects, maintain the inquiry system so that the necessary information is provided to the EU data subject free of charge within one month, and establish specific procedures for responding to requests:

  1. Requests based upon the right of access to EU personal data;
  2. Requests based upon the right to rectification;
  3. Requests based upon the right to erasure (right to be forgotten);
  4. Requests based upon the right to restriction of processing;
  5. Requests based upon the right to data portability;
  6. Requests based upon the right to object; and
  7. Requests based upon the right not to be subject to automated decision-making.

Article 9 (Response to EU personal data breach)

The EU personal data management officer shall establish specific procedures for the case of an EU personal data breach and make them known to employees and outsourcees so that the following processes are followed:

  1. Report the matters of the EU personal data breach referred to in the Guideline to the Supervisory authority, in principle no later than 72 hours after having become aware of the EU personal data breach;
  2. Where the EU personal data breach is likely to affect EU data subjects, promptly notify the matters of the EU personal data breach referred to in the Guideline to the EU data subjects concerned;
  3. If the EU personal data breach occurred at an outsourcee, have the outsourcee report it promptly; and
  4. Record the facts of and actions relating to the EU personal data breach and maintain those records.

Article 10 (Safeguards for international data transfer)

Where a transfer of EU personal data to a country outside the EU region is necessary, the EU personal data management officer shall provide the necessary safeguards referred to in the Guideline and keep records of the transfer.

Article 11 (Measures to take when outsourcing the processing of EU personal data to other organizations)

Where the processing of EU personal data is wholly or partially outsourced to other organizations, the EU personal data management officer shall select organizations that possess an adequate level of EU personal data protection, and shall conduct necessary and appropriate supervision over the outsourcee, such as concluding a contract that includes a clause restricting subcontracting and receiving a written commitment confirming that adequate protection measures are in place.

Obligations of employees relating to processing EU personal data

Article 12 (Processing of EU personal data)

In accordance with the provisions of this Policy, employees shall process EU personal data only in accordance with business directions. Additionally, employees shall be subject to a duty of confidentiality with regard to EU personal data that has come to their knowledge in the course of ordinary business tasks, even after they no longer process the data for reasons such as a change of duties, retirement or termination of contract.

Article 13 (Lawfulness of processing)

  1. When processing EU personal data, employees shall process it lawfully, fairly and in a transparent manner;
  2. When considering the introduction of a system that automatically processes EU personal data, employees shall notify the department responsible for IT Planning in advance and design the system so that the necessary measures are incorporated;
  3. Where EU personal data is jointly used with other organizations, the EU personal data management officer shall conclude a contract with such organizations that defines the responsibilities and obligations regarding the processing of the data.

Article 14 (Data minimization of EU personal data)

When acquiring EU personal data, employees shall only acquire EU personal data that is adequate, relevant and limited to what is necessary in relation to the purposes of processing.

Article 15 (Notification to data subject)

When acquiring EU personal data, or when changing the purpose of processing from the initial purpose, employees shall notify the EU data subject concerned of the necessary information referred to in the Guideline.

Article 16 (Purpose limitation)

EU personal data shall be used only within the purposes of processing.

Article 17 (Accuracy)

Employees shall maintain the accuracy of EU personal data and keep it up to date where necessary.

Article 18 (Safeguards)

When processing EU personal data, employees shall protect it from unauthorized access, loss, destruction, alteration, leakage and any other possible risks.

Article 19 (Storage limitation)

Employees shall reliably and promptly erase and/or dispose of EU personal data that is no longer necessary once the purposes of processing have been achieved, or whose erasure has been legitimately requested by the EU data subject concerned.

Article 20 (Consent of EU data subject)

  1. When processing EU personal data, employees must obtain consent in advance from the EU data subject using clear and plain language, except where the processing is necessary to fulfill a contract with the EU data subject or in the other specific cases referred to in the Guideline;
  2. Employees shall specify that the EU data subject has the right to withdraw his or her consent at any time;
  3. Employees shall not make consent to the provision of EU personal data that is unrelated to the intended service a requirement for providing that service;
  4. When processing EU personal data of children under the age of 16, employees must obtain consent from the holder of parental responsibility over the child;
  5. Employees shall not process special categories of data referred to in the Guideline unless consent is obtained from the EU data subject prior to the processing;
  6. Employees shall keep a record of the consent of the EU data subject for as long as the EU personal data is stored.

Article 21 (Response to request from EU data subject)

When receiving a request from an EU data subject regarding his or her EU personal data, employees shall promptly carry out the necessary processing and provide the necessary information in accordance with the procedures established by the EU personal data management officer.

Article 22 (Response to EU personal data breach)

When becoming aware of an EU personal data breach or the possibility of one, employees shall promptly carry out the necessary processing and reporting in accordance with the procedures established by the EU personal data management officer.

Article 23 (Restrictions of international data transfer)

In principle, EU personal data must not be transferred outside the EU region. Where a transfer of EU personal data outside the EU region is necessary, employees shall put appropriate safeguards for the transfer in place in advance, in accordance with the procedures established by the General Manager of EU Personal Data.

Article 24 (Processing instructions on entrusted business)

  1. When entrusting the processing of EU personal data wholly or in part to another organization, the consignee shall be appropriately selected and supervised in accordance with the provisions of Article 11;
  2. Where the processing of EU personal data is wholly or partially entrusted to Company by another organization, the EU personal data management officer shall provide appropriate technical and organizational safeguards in accordance with the contract with that organization;
  3. In the case referred to in the preceding paragraph, EU personal data relating to the entrusted business must not be processed except on the instructions of the entruster. Additionally, the entrusted operation shall not be subcontracted without prior permission from the entruster;
  4. When an EU personal data breach occurs in relation to the entrusted operation, employees shall promptly report the fact of the breach to the EU personal data management officer and the entruster.

Penalties

Article 25 (Penalties)

In the case of an infringement of this Policy, employees may be penalized in accordance with HR policy.

Revision

Article 26 (Revision)

In principle, the EU personal data management officer, as the responsible chief officer, decides whether to revise or abolish this Policy based on instructions from the General Manager of EU Personal Data of the holding company.