Personal Data Processing Policy

    1. An indispensable condition for achievement of Yamaguchi-Europe (hereinafter Yamaguchi-Europe or the Operator) objectives is the provision of necessary and sufficient level of information security, which includes personal data.
    2. The Personal data processing policy (hereinafter – the Regulation) in Yamaguchi-Europe defines the procedure for the collection, storage, transfer and other processing of personal data in Yamaguchi-Europe (hereinafter – the Company), as well as information about the personal data protection requirements.
    3. The Policy is developed in accordance with the current Russian Federation legislation.
    1. Information constituting personal data is any information relating directly or indirectly to a specific or identifiable natural person (personal data subject). A detailed list of personal data is contained in internal regulatory documentation of Yamaguchi-Europe.
    2. All personal data processed by Yamaguchi-Europe is confidential and closely protected in accordance with the legislation.
    1. Personal data are processed by Yamaguchi-Europe for formalization of labor and other contractual relations, personnel, business, tax accounting on the grounds stipulated by Article 22 of Federal Law No. 152-FZ 85-90 dated 27.06.2006, RF Labor Code, as well as for development and implementation by Yamaguchi-Europe (including with the involvement of third parties) of loyalty programs, marketing and/or promotional events, research, surveys and other activities; fulfillment of Yamaguchi-Europe obligations under an agreement for retail purchase and sale of goods in Yamaguchi-Europe retail stores, as well as in Yamaguchi-Europe Internet stores; provision of other services to personal data subjects; promotion of services and/or goods of Yamaguchi-Europe and/or Yamaguchi-Europe partners in the market through direct contacts with Yamaguchi-Europe customers using various means of communication, including but not limited to telephone, e-mail, postal mailing, Internet, etc.; for other purposes to the extent Yamaguchi-Europe operations are not inconsistent with current legislation.
    2. For proper management of its area of responsibility as the Operator, Yamaguchi-Europe processes the following personal data necessary for proper performance of its contractual obligations:
      • personal data of Operator employees who have an employment relationship with the Operator;
      • personal data of other individuals, including but not limited to those who have contractual, learner's, civil law relationship with the Operator, including but not limited to learners, buyers, regular customers, professional athletes, and candidates.
    1. Non-automated personal data processing is done in such a way that it is possible to determine the place of personal data storage (tangible media) for each personal data category. The Operator fixed a list of persons engaged in personal data processing or having access to personal data. Personal data (material carriers) processed for different purposes is stored separately. The operator ensures security of personal data using tamper-proof facilities.
    2. Automated personal data processing is subject to the following actions: The Operator takes technical measures aimed at prevention of unauthorized access to personal data and (or) personal data transfer to unauthorized persons; security instruments are configured to timely detection of unauthorized accesses to personal data; automated personal data processing facilities are isolated in order to prevent any potential attacks that can result in their malfunction; the Operator backups the personal data so that it can be immediately restored if modified or destroyed due to an unauthorized access; monitors the level of personal data protection.
    1. The Operator implements the following measures: defines threats to processed personal data, develops threat-based models; uses threat-based models for development of a personal data protection system which neutralizes suspected threats using methods and techniques of personal data protection provided for the appropriate class of information systems; shapes a plan for prerequisite check of new information protection facilities and draws up a completions report; installs and commissions information security products in accordance with operational and technical documentation; trains persons who use information security tools in information systems in the work rules; keeps track of applicable information security tools, relevant operational and technical documentation, and personal data storage media; keeps track of persons admitted to work with personal data in the information system; monitors compliance with the conditions of information security facility use contained in operational and technical documentation; has the right to initiate proceedings and draw conclusions on non-compliances with conditions for personal data storage media safekeeping, use of information security tools that can result in breach of personal data confidentiality or other violations that lead to erosion of personal data protection, development and adoption of measures to prevent potential hazards and effects of such violations; has a description of the personal data protection system.
    2. The Information Technology department of the Operator is responsible for development and implementation of specific measures ensuring personal data security processing in the information system by the Operator or an authorized person. Persons who need access to personal data processed in the information system for performance of their official (employment) duties are admitted to relevant personal data in accordance with the Operator-approved list. Information system user requests for personal data and personal data provision facts are recorded automatically by the information system to the electronic call log. The content of this electronic call log is occasionally checked by appropriate officials (employees) of the Operator or authorized person. If violations of the personal data provision procedure are detected, the Operator or an authorized person shall immediately suspend the provision of personal data to information system users until the causes of violations are identified and removed.
    1. Yamaguchi-Europe as the Operator of personal data has the right to:
      • seek legal redress;
      • provide personal data of subjects to third parties if it is stipulated by current legislation (tax, law enforcement agencies, etc.);
      • withhold personal data where statutorily provided;
      • use personal data of a subject without his/her consent where statutorily provided.
    1. A personal data subject has the right to:
      • demand refinement of his/her personal data, its blocking or destruction if the personal data is incomplete, outdated, inaccurate, illegally obtained or not necessary for the stated purpose of processing, as well as to take measures provided by law to protect his/her rights;
      • demand a list of his/her personal data processed by the Operator and the data source;
      • obtain information about the terms of personal data processing including the storage terms;
      • demand notification of all persons who have previously received incorrect or incomplete personal data about any exceptions, corrections or additions;
      • challenge illegal actions or omissions in his/her personal data processing in a personal data subject protection authority or court;
      • protect his/her rights and legitimate interests, including payment of damages and (or) compensation for moral injury in court.
    1. This Policy is subject to amendment should new personal data processing and protection legislation and special regulations are issued.
    2. This Policy is an internal document of Yamaguchi-Europe and is to be posted on the official website of Yamaguchi-Europe.
    3. Compliance with the requirements of this Policy is monitored by Yamaguchi-Europe which is responsible for provision of personal data security.