1.1 Personal data refers to any information which can be used to identify a living person.
In addition to images, names and contact data, this may also include numerical or statistical information which can be used to identify a person.
1.2 Sensitive personal data are personal data which reveal the racial or ethnic origin, health, data on health or sex life and sexual orientation, political opinions, union membership, criminal records or religious or philosophical beliefs and, according to the GDPR, also genetic and biometric data. These data must be particularly protected during collection, processing and transfer.
1.3 Data can be considered as anonymised if the personal identity of persons cannot be retraced or if the personal identity can only be determined with unreasonable effort.
1.4 A data subject is the person who is the subject of personal data. In some countries, legal entities may also be data subjects.
1.5 A controller determines the purposes for which personal data are processed. The controller of the processing bears the final responsibility for the personal data, regardless of whether or not they are passed on to a processor. This includes the responsibility to react to the access inquiries and complaints of data subjects.
1.6 The European Economic Area (EEA) is an economic zone which is associated with the EU and includes Norway, Iceland and Liechtenstein.
1.7 A controller is someone who processes personal data on behalf of and for the purposes determined by the owner.
1.8 Third parties are any and all individuals other than the data subject and the controller who is responsible for the processing.
1.9 Transfer means the passing on of protected data by the controller to third parties.
This document describes the data protection policy of Mitsubishi Chemical (“Mitsubishi”). It provides an overview of data protection and related guidance.
4. BASIC PRINCIPLES FOR THE PROCESSING OF PERSONAL DATA
4.1 Fairness and lawfulness
When processing personal data, the individual rights of the data subjects must be protected. Personal data must be collected and processed in a legal and fair manner.
4.2 Purpose limitation
Personal data must be collected for defined, clear and legal purposes and must not be processed in any way that is not compatible with these purposes. Personal data can only be processed for the purpose which was defined prior to data collection. Subsequent changes of the purpose are only possible to a limited extent and require justification.
The data subject must be informed about how their data are handled. In general, personal data must be collected directly from the data subject. At the time of data collection, the data subject must know or have been informed about the identity of the controller, the purpose of data processing and third parties or categories of third parties to whom the data might be transferred.
4.4 Data minimization
Personal data must be suitable, relevant and limited to those which are required for the purposes for which they are processed. Prior to the processing of personal data, it is to be checked whether and to what extent the processing of personal data is required to achieve the purpose for which it is intended. If the purpose allows it and the effort is appropriate in relation to the pursued objective, anonymized or statistical data are to be used. Personal data must not be collected beforehand and retained for possible future purposes unless this is required or allowed according to national law.
When the legal or business process-related terms have expired, any personal data which are no longer required must be erased. In individual cases, legitimate interests or the historical significance of the data may oppose such erasure. In this case, the data must be stored until the legitimate interests have been legally clarified or until the company archive has analysed the data regarding the requirement to keep them for historical purposes.
Personal data must be accurate, complete and – if applicable – up to date. All reasonable measures must be taken to ensure that inaccurate or incomplete data are erased, rectified, completed or updated.
4.7 Storage limitation
Personal data must be stored in a way that ensures that the identification of the data subjects is not possible for longer than is required for the purposes for which personal data are processed. Personal data may be stored for longer periods if the data are exclusively processed for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) of the GDPR and provided that suitable technical and organisational measures are taken.
4.8 Confidentiality and data security
Personal data are subject to data secrecy. They must be treated as confidential information and must be protected by appropriate organisational or technical measures against unauthorised and unlawful access, unauthorised processing or dissemination as well as accidental loss, damage, modification or erasure. This applies to paper and electronic recording systems. Systems should have access control; the personnel should be appropriately trained, and security processes should be developed and understood. Suitable monitoring and reporting on data security risks, initiatives and developments must be performed.
4.9 Data secrecy
Personal data are subject to data secrecy. The data protection regulations require that employees who handle personal data treat these data confidentially (data secrecy). Persons who are commissioned with data processing must not collect, process or use personal data in an unauthorised manner (confidentiality). They are obliged to maintain this confidentiality even after their employment is terminated. The “need to know” principle applies. Employees only have access to personal data if it is necessary for the type and scope of the task in question. This requires the careful allocation, separation and assignment of roles and responsibilities.
Employees are not allowed to use personal data for private or commercial purposes, to make them accessible to unauthorised persons or make them available in any other way. This obligation remains valid even after the termination of employment.
The data controller is responsible for compliance with these principles and can furnish proof of it.
4.11 Data protection by design and default
The data controller takes appropriate technical and organisational measures to ensure that only those personal data are processed which are required for the corresponding purpose of data processing. This obligation applies to the quantity of collected personal data, the extent of their processing, the duration of their storage and their accessibility. These measures ensure in particular that personal data are not made accessible to an indefinite number of natural persons without the data subject’s intervention.
5. DATA PROCESSING
5.1 Consent to data processing
The data may be processed with the data subject’s prior consent. Before giving consent, the data subject must be provided with information regarding the processing. The declaration of consent must be obtained in writing or electronically for documentation purposes. Under certain circumstances, e.g. phone calls, the consent may be given orally. The consent must be documented.
The consent must constitute a freely provided, specific, informed and clear expression of the individual’s wishes. It must be a clear form of consent. The consent cannot be deduced from silence, pre-ticked check boxes or inactivity. The consent must also be separated from other conditions. There must be an easy way to revoke consent.
5.2 Data processing – legal requirements
The processing of personal data is also admissible if national laws require or allow it. Type and extent of data processing must be required for the legally admissible data processing and must be in accordance with the relevant legal requirements.
5.3 Automatic individual decision-making
The automated processing of personal data which is used to evaluate certain aspects (e.g. creditworthiness) cannot be used as the sole basis for decisions which have negative legal consequences or may have other severe consequences for the data subject. The data subject must be informed about the facts and results of automatic individual decisions and of their options to respond. A review and plausibility check must be performed by an employee.
5.4 User data
If websites or apps provide access to personal data in an area which is limited to registered users, the identification and authentication of the data subject must provide sufficient security for such access.
5.5 Data processing for a contractual relationship
The personal data of interested parties, customers and partners may be processed to establish, execute and terminate a contract. This includes the provision of consulting services to the contracting party if this is included in the purpose of the contract. Before entering into a contract – in the contract initiation phase – personal data may be processed to create quotations or orders or to reply to other inquiries by the interested party which relate to the conclusion of the contract. Interested parties may be contacted during the contract preparation process using the information they provided. The restrictions demanded by the interested parties must be adhered to. For advertising measures which go beyond this, the following requirements are to be observed.
5.6 Data processing for advertising purposes
If the data subject contacts a Mitsubishi company to request information (e.g. information material on a product), data processing to fulfil this request is admissible. Customer retention or advertising measures are subject to additional legal requirements. Personal data may be processed for advertising purposes or for market and opinion research if this is in accordance with the purpose for which the data were originally collected. The data subject must have been informed about the use of their data for advertising purposes. If the data are only collected for advertising purposes, their disclosure by the data subject is optional. The data subject is to be informed that the provision of data for this purpose is optional. During communication with the data subject, their consent regarding the processing of data for advertising purposes is to be obtained. When giving consent, the data subject should be able to choose between the available contact options such as mail, email and telephone. If the data subject objects to the use of their data for advertising purposes, the data can no longer be used for these purposes and must be blocked for these purposes. Additional country-specific limitations regarding the use of data for advertising purposes are to be observed.
6. TRANSFER OF PERSONAL DATA
6.1 The transfer of personal data is only admissible with the data subject’s consent or if it is required or permitted by law.
6.2 Publishing information on the Internet is to be considered as an export of data outside the European Union/European Economic Area. For the storage or transfer of sensitive personal data, web-based or cloud-based services should not be used unless this has been agreed with the data protection officer.
6.3 If personal data are to be transferred by a group company based in the European Union/European Economic Area to a group company or a third party based outside the European Union/European Economic Area (third country), the data protection officer should be consulted to ensure that all provisions and requirements of the supervisory authority regarding the processing of the transferred data are met. The same applies to the transfer of data by group companies from other countries. If they are part of an international certification system for binding company data protection regulations, they must ensure the cooperation with the competent auditors and agencies. The participation in a certification system of this kind must be agreed with the data protection officer.
7. COMMISSIONED DATA PROCESSING
7.1 Commissioned data processing means that a service provider is commissioned to process personal data without a corresponding transfer of the responsibility for the associated business process. In these cases, an agreement regarding the commissioned data processing must be concluded between the external service providers and the company of the Mitsubishi Group.
7.2 On commissioning, the following requirements must be observed; the ordering departments must ensure that all legal requirements are met.
7.3 The service provider is to be selected based on their ability to ensure that the required technical and organisational protective measures are taken.
7.4 Personal data may only be processed following the documented instruction by the data controller. The processor must ensure that the individuals who are authorised to process data have been sworn to secrecy or are subject to a corresponding legal duty of confidentiality.
7.5 The commissioned processing is regulated by a contract in which the subject matter, the duration of processing, the type and purpose of processing, the type of personal data and the categories of data subjects as well as the data controller’s duties and rights are defined. The instructions regarding the further processing of the data are to be documented.
7.6 Before data processing starts, the customer must ensure that the service provider meets their obligations. A service provider can provide proof of compliance with the data security requirements in particular by presenting a corresponding certification. Depending on the risk of data processing, the audits must be repeated regularly over the duration of the contract.
7.7 At the data controller’s request, the service provider shall erase all personal data or return them to the data controller and erase any existing copies unless the retention of the personal data is required by law.
7.8 The service provider shall provide the data controller with any and all information that is required to prove compliance with the legal obligations and to allow and support audits, including inspections, by the data controller or a different auditor who is commissioned by the data controller.
7.9 If a service provider commissions another service provider to perform certain processing activities on behalf of the data controller, the same data protection obligations as specified in the contract or in other legal acts between the data controller and the service provider shall apply.
7.10 In case of cross-border commissioned data processing, the relevant national requirements regarding the disclosure of personal data in foreign countries must be met. Please contact the data protection officer in these cases.
8. RIGHTS OF THE DATA SUBJECTS
8.1 The data subject has the right to request access to information on what personal data about them are stored by the company and how and for which purpose they were collected. If there are any additional rights of access to the employer’s documents on the employment relationship (e.g. personnel file), these rights remain unaffected.
8.2 If personal data are passed on to third parties, information on the identity of the recipient or groups of recipients is to be provided.
8.3 If personal data are inaccurate or incomplete, the data subject can request their rectification or completion. The data subject can object to the processing of their data for the purpose of advertising or market and opinion research. The data must then be blocked for this type of use.
8.4 The data subject can request the erasure of their data if the processing of these data does not have a legal basis or the legal basis has ceased to exist. The same applies if the purpose of data processing has expired or no longer exists for other reasons. Existing storage periods and opposing legitimate interests are to be observed.
8.5 The data subject generally has the right to object to the processing of their data; such right is to be respected if the protection of their interests takes precedence over the data controller’s interests due to a special personal situation. This does not apply if a legal regulation requires the processing of the data.
8.6 The data subject’s rights to object to processing, to data portability, to restriction of processing and to erasure (“right to be forgotten”) must be respected.
8.7 Please inform the data protection officer about a request of this kind by a data subject.
9. DATA PRIVACY INCIDENTS
9.1 Any unauthorised access to personal data or the disclosure of personal data or any other violation of data security should be reported to the data protection officer and/or the information security officer as soon as possible. The supervisor or department responsible for the function is obliged to inform the competent data protection officer immediately about data privacy incidents.
9.2 In the case of an unauthorised transfer of personal data to third parties, unauthorised third parties gaining access to personal data or if personal data have been lost, the required company reports (information security incident management) must be prepared immediately so that potentially applicable reporting obligations according to national law can be met.
10. RESPONSIBILITY, SANCTIONS
10.1 The organs of the group companies are responsible for data processing in their area of responsibility. They must therefore ensure that the legal provisions and data protection requirements (e.g. national reporting obligations) are met. It is the managers’ responsibility to ensure that the organisational, personnel and technical measures are taken which are required for data processing in accordance with the data protection regulations.
10.2 Compliance with these requirements is the responsibility of the relevant employees. If official bodies perform data protection audits or inspections, the data protection officer must be informed immediately.
10.3 The data protection officers are the points of contact on site for data protection. They can perform audits and are required to ensure that the employees are familiar with the data protection guidelines. The competent management is obliged to support the data protection officer in their efforts. The departments which are responsible for business processes and projects must inform the data protection officer about the new processing of personal data in a timely manner. The company management is responsible for data processing plans which may involve special risks for the individual rights of the data subjects. The data protection officer is to be informed before data processing starts. This applies especially to particularly sensitive personal data. Managers must ensure that their employees have been sufficiently trained regarding data protection.
10.4 The persons responsible for data protection and every relevant employee must inform the data protection officer immediately about any data protection risks. Any data subject can contact the data protection officer or the person responsible for data protection at any time to express concerns, pose questions, request information or lodge a complaint regarding data protection or data security. On request, concerns and complaints are treated confidentially.
10.5 The unlawful processing of personal data or other violations of data protection laws can be prosecuted in many countries and lead to damage claims. Violations which were caused by individual employees may also lead to disciplinary action according to employment law.
Specifics relevant for Wethje Carbon Composites GmbH (WCC)
WCC keeps a process register in accordance with the GDPR.
WCC processes personal data mainly in the area of human resources management. To a lesser extent, personal data are also used in sales, procurement and production control; such processing is based on current legislation and contractual agreements.
Due to the low number of persons who are “constantly occupied with the automated processing of personal data”, WCC has not appointed a data protection officer.
The legal department in terms of this policy is the legal department of Mitsubishi Chemical Holdings Europe GmbH.