GDPR Privacy Policy

Last revised: October 12th, 2023

Yamato Holdings Co., Ltd. (hereinafter “Yamato Holdings”, “we”, “us”, “our”) respects your privacy and is committed to protecting the privacy of our customers including our Website Visitors (hereinafter “you”, “your”). This Privacy Policy describes the ways we collect, store, use and protect your personal data and informs you about your privacy rights. Please read this Privacy Policy carefully and in full before using our Website(s) and/or our services, or otherwise contacting us.

This Privacy Policy is provided in a layered format so you can click through the links to the specific areas set out below:

ARTICLE 1 SCOPE OF THIS PRIVACY POLICY

The scope of this Privacy Policy is limited to processing activities of your personal data to which the privacy rules of the countries of the European Economic Area (“EEA”) and United Kingdom (“UK”) apply, such as the General Data Protection Regulation (“GDPR”) and UK GDPR.

ARTICLE 2 WHO IS RESPONSIBLE FOR THE DATA PROCESSING?

  1. 2.1Data Controller.
    Yamato Holdings is responsible for the processing of your personal data. Our affiliate Yamato Transport Co., Ltd. (“Yamato Transport”) is responsible for the collection and further processing of personal data via the website contact form (and is considered data controller for this processing). For the sake of completeness, we have described the collection of personal data via this contact form in ARTICLE 3;
  2. 2.2Processing of Yamato EU.
    For processing activities of Yamato Transport Europe B.V. (“Yamato EU”) reference is made to the Privacy Policy of Yamato EU. This Privacy Policy contains the processing activities of Yamato EU for which Yamato Holdings and Yamato EU are jointly responsible.
  3. 2.3Data Processor.
    In principle, we control the processing of your personal data and do not process your personal data on behalf of another party.
  4. 2.4Compliant processing.
    We will only process personal data in accordance with the Applicable Privacy Legislation and as described in this Privacy Policy.
  5. 2.5Third party references Website(s).
    Our Website(s) include links to websites of third parties (for example hyperlinks, banners or buttons). We are not responsible for the content of these websites, services provided by these third parties, or their compliance with the Applicable Privacy Legislation. We recommend you to carefully read the privacy policies of the third party websites you are visiting.

ARTICLE 3 WHICH PERSONAL DATA IS USED AND FOR WHAT PURPOSES?

  1. 3.1Collection of personal data.
    We may collect information of you when:
    1. aentering data on our contact form and contact form of Yamato Transport; or
    2. botherwise you use our Website(s).
  2. 3.2Categories of personal data.
    We may collect the following personal data from you:
    1. aWe may collect the following information via our contact form and contact form of Yamato Transport
      - first and last name;
      - address;
      - e-mail address;
      - phone number;
      - shipper/receiver;
      - company name;
      - information on your shipment (tracking number; package size and number of packages);
      - your message to us;
      - Kuroneko ID (if applicable).
    2. bWe may collect the following information if you use Website(s):
      - IP address;
      - Website(s) behavior.
  3. 3.3No sensitive personal data.
    In principle we do not obtain sensitive personal data and personal data relating to criminal offences except in cases where it meets the requirements of the applicable laws. We also do not intend or wish to obtain personal data (directly) from minors.
  4. 3.4Purposes and legal grounds.
    We may process personal data collected in accordance with this Privacy Policy based on the following purposes and legal grounds:
    1. aPerformance of a Contract:
      We use your personal data for performing a Contract that you have concluded with us or another party or in order to take steps at your request prior to entering into such Contract.
      Legal ground: If you decide to place an order via one of our Website(s), your personal data are processed by us for performing Contract between us. We do not process more personal data than is necessary for the performance of a Contract.
    2. bCommunication:
      Your personal data may be used to communicate with you about our services and to inform you of matters that are important for your use of our Website(s) and the handling of any complaints.
      Legal grounds: This processing of personal data is necessary for the performance of a Contract and/or for purposes of a legitimate interest pursued by Yamato Holdings, namely to conduct our normal business.
    3. cMarketing purposes and customer experience surveys:
      To approach you for marketing purposes or to measure customer satisfaction to improve customer experience, we request your prior consent, unless it concerns offers about similar services that you have ordered. You always have the right to unsubscribe from mailings.
      Legal ground: This processing of personal data is necessary for purposes of a legitimate interest pursued by Yamato Holdings, namely to keep in touch with you and to offer you similar services or is based on your prior consent.
    4. d Customer service:
      If you use our customer service, your personal data may be used to provide you with customer service. For example, we process your personal data when you fill out our contact form or when you contact us for inquires.
      Legal grounds: This processing of your personal data is necessary for the performance of a Contract, or is necessary for purposes of a legitimate interest pursued by Yamato Holdings, namely to conduct our normal business.
    5. eLegal obligations:
      We may also be required to comply with legal obligations to which we are subject under the applicable laws. We only provide personal data obtained from you to third parties, such as competent authorities, if required by law.
      Legal grounds: Our legal grounds for the processing activity with regards to legal objectives is to comply with a legal obligation under EEA and UK law and our legitimate interest to comply with non EEA / UK laws.
  5. 3.5Legitimate interest.
    Sometimes we indicate that we process your personal data based on the legal ground "legitimate interest". This means that a balance of interests is performed between the interests: the interests that are served by the processing on one hand and your privacy interests on the other hand, and that the interests in favor of the processing prevail. The related legitimate interests are included above per processing activity.
  6. 3.6Further processing.
    It may be that we intend to further process your personal data for a purpose other than those for which the personal data have been collected, but compatible with the initial processing purpose. In such case, we will provide you with information about that further processing.

ARTICLE 4 HOW DO WE OBTAIN YOUR PERSONAL DATA?

  1. 4.1Means of collection.
    We obtain your personal data in various ways:
    1. aProvided by you.
      We obtain information actively provided by you. For example, if you contact us via the contact form you provide us information. When you provide personal data to Yamato Holdings, please do not provide information that is irrelevant, not accurate and/or unnecessary for the services provided.
    2. bAutomatically retrieved.
      We obtain some information automatically when you visit our Website(s). For example, we automatically obtain information about you via cookies when you visit our Website(s). For more information on this, please refer to our Cookie Notice.
    3. cThird-party sources.
      We also may obtain information from third parties in exceptional cases.
    4. dDerived.
      We may perform analysis on personal data about you. The resulting data can also qualify as personal data about you. For example, we may analyze which webpages are visited most frequently, and from which previous website the Website Visitor was referred to such webpage.
  2. 4.2Required provision.
    It may be that providing certain personal data to us is a statutory or contractual requirement. If that is the case, we will inform you thereof separately, and will also explain the possible consequences if you fail to provide such personal data to us.

ARTICLE 5 WHO DO WE SHARE YOUR PERSONAL DATA WITH?

Sometimes it is necessary to share your personal data with another party. In this paragraph we inform you under what conditions we will share personal data and with whom.

  1. 5.1Conditions for data sharing.
    We only share your personal data with third parties if:
    1. aThis is necessary for the provision of a service or the involvement of the third party. Third parties will, for example, in principle only get access to the personal data that they require for their part of the service provision.
    2. bThe persons within the third party that have access to the personal data are under an obligation to treat the personal data confidentially.
    3. cThe third party is obliged to comply with the applicable data protection laws.
  2. 5.2Parties with whom we share your personal data.
    We may share all or part of the above-mentioned information referred to in ARTICLE 3 above with the following (third) parties:
    1. aYamato Group;
    2. bagents involved, operating on behalf of Yamato Holdings;
    3. csubcontractors and service providers involved, such as airlines, shipping lines, trucking companies, depots, auditing companies, consulting and law firms, insurance companies, other authorities, marketing and market research agencies and hosting and payment providers;
    4. dpersons authorized to this end, employed or engaged by a data processor of Yamato Holdings or affiliated companies of Yamato Holdings, involved in the processing, on a need-to-know basis (accounting and auditing firms, insurance and tax institutions);
    5. ecompetent authorities, such as the police or the authorities of the country of transit or destination for customs clearance in as far as required by the laws of the respective country; and
    6. fother third parties, on a need-to-know basis.

ARTICLE 6 HOW DO WE SECURE YOUR PERSONAL DATA?

  1. 6.1Security measures.
    We take appropriate organizational and technical security measures to protect your personal data and to prevent misuse, loss or alteration thereof. In addition, we limit access to personal data to those employees, agents, contractors and other third parties who have a need to have access. Also the aforementioned persons involved are bound by a confidentiality obligation, either in their employment agreements, data processor agreements or other similar agreements.
  2. 6.2Security policies.
    We have in place information security guideline in which it is described how we ensure an appropriate level of technical and organizational security. This guideline also includes a data breach policy in which it is described how to deal with suspected personal data breaches. We will for example notify the relevant EU supervisory authority and the data subjects involved if required under Applicable Privacy Legislation.

ARTICLE 7 TO WHICH COUNTRIES DO WE TRANSFER YOUR PERSONAL DATA?

In addition to transferring your personal data to Japan, we may also transfer it to other countries or territories outside the EEA and UK in connection with the sharing of personal data with third parties as described above. In this paragraph we provide you with more information on data transfers and the legitimization thereof.

  1. 7.1Transfers outside the EEA.
    Part of the third parties which we entrust with your personal data are based outside the EEA and/or the UK (“GDPR Third Countries”). Any data transfers from the EEA/UK to GDPR Third Countries shall always take place in compliance with the GDPR and UK GDPR and additional recommendation or decision issued in this regard by the European Data Protection Board, European Commission or other competent authority. In case the data is transferred outside the EEA or the UK, the transfer is legitimized in the manner described below. Please note that if we collect personal data directly from you, this does not qualify as a transfer.
  2. 7.2Legitimization of transfers outside the EEA and UK.
    Whenever we transfer your personal data to GDPR Third Countries, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
    - Transfers of your personal data to GDPR Third Countries may be legitimized on the basis of a so-called EU adequacy decision. This is a decision in which the European Commission states that e.g. a certain country offers a level of data protection similar to the GDPR. See Open in New Windowthis webpage for the current list of adequacy decisions. This is for example the case for transfers of your personal data from the EEA to Japan.
    - If and insofar as we transfer personal data to GDPR Third Countries to which no adequacy decision applies, we will conclude the applicable version of the model clauses to safeguard data protection as published by the European Commission, so called standard contractual clauses (“Transfer SCCs”) or UK transfer agreement approved by the Open in New WindowICO. If deemed required under the Applicable Privacy Legislation, additional measures will be taken. This may concern technical, organizational and/or contractual measures.

ARTICLE 8 HOW DO WE DETERMINE HOW LONG WE RETAIN YOUR PERSONAL DATA?

  1. 8.1Main rule.
    In principle, we do not store your personal data any longer than is necessary for the purposes for which we process your personal data.
  2. 8.2Exception: shorter retention.
    If you or another person successfully exercises one of your privacy rights, it can be that the relevant personal data may no longer be retained. In such cases, we may process your personal data for a shorter period, than as stated under the ‘main rule’. Please refer to ARTICLE 10 below for more information on this.
  3. 8.3Exception: longer retention.
    In exceptional cases, we may process your personal data longer. In such cases we may process your personal data longer than as stated under the ‘main rule’. This is the case if we need to process your personal data for a longer period in view of:
    1. aa longer minimum statutory retention period that applies to Yamato Holdings or other specific statutory obligation;
    2. bpracticality;
    3. ca legal procedure;
    4. dthe right to freedom of expression and to information;
    5. ea task carried out in the public interest or in the exercise of official authority vested in the controller; or
    6. fpublic health.

ARTICLE 9 COOKIES

  1. 9.1Use of cookies.
    We use cookies to ensure that our Website(s) functions properly. Cookies are small text files that can be placed on your computer, tablet, smartphone or other electronic device with which you can use to surf the internet via a web browser. Please refer to our Cookie Notice for more information.

ARTICLE 10 WHAT ARE YOUR PRIVACY RIGHTS?

  1. 10.1Privacy rights.
    In relation to our processing of your personal data, you have the below privacy rights. For more information on your privacy rights, please refer to Open in New Windowthis webpage of the European Commission.
    1. aRight to withdraw consent.
      In so far as our processing of your personal data is based on your consent (see ARTICLE 3), you have the right to withdraw consent at any time.
    2. bRight of access.
      You have the right to request access to your personal data. This enables you to receive a copy of the personal data we hold about you (but not necessarily the documents themselves).
    3. cRight to rectification.
      You have the right to request rectification of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected.
    4. dRight to erasure.
      You have the right to request erasure of your personal data.
      This enables you to ask us to delete or remove personal data where: (i) the personal data are no longer necessary, (ii) you have withdrawn your consent, (iii) you have objected to the processing activities, (iv) the personal data have been unlawfully processed, (v) the personal data have to be erased on the basis of a legal requirement, or (vi) where the personal data have been collected in relation to the offer of information society services referred to in Article 8(1) of GDPR. We do not have to honor your request to the extent that the processing is necessary: (i) for exercising the right of freedom of expression and information, (ii) for compliance with a legal obligation which requires processing, (iii) for reasons of public interest in the area of public health, (iv) for archiving purposes, or (v) for the establishment, exercise or defense of legal claims.
    5. eRight to object.
      You have the right to object to processing of your personal data where we are relying on legitimate interests as processing ground (see ARTICLE 3). Insofar as the processing of your personal data takes place for direct marketing purposes, we will honor your request. For processing for other purposes, we will also cease and desist processing, unless we have compelling legitimate grounds for the processing which override your interests, rights and freedoms or that are related to the institution, exercise or substantiation of a legal claim.
    6. fRight to restriction.
      You have the right to request restriction of processing of your personal data in case: (i) the accuracy of the personal data is contested by you, during the period we verify your request, (ii) the processing is unlawful and restriction is requested by you instead of erasure, (iii) we no longer need the personal data but they are required by you for the establishment, exercise or defense of legal claims, or (iv) in case you have objected to processing, during the period we verify your request. If we have restricted the processing of your personal data, this means that we will only store them and no longer process them in any other way, unless: (i) with your consent, (ii) for the establishment, exercise or defense of legal claims, (iii) for the protection of the rights of another natural or legal person, or (iv) for reasons of important public interest.
    7. gRight to data portability.
      You have the right to request to transfer of your personal data to you or to a third party of your choice. Please note that this right only applies if it concerns processing that is carried out by us by automated means, and only if our processing ground for such processing is your consent or the performance of a Contract to which you are a party (see ARTICLE 3).
    8. hAutomated decision-making.
      You have the right not to be subject to a decision based solely on automated processing, which significantly impacts you (“which produces legal effects concerning you or similarly significantly affects you”). In this respect, please be informed that when processing your personal data, we do not make use of automated decision-making.
    9. iRight to complaint.
      In addition to the above mentioned rights you have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of your habitual residence, place of work or of an alleged infringement of the GDPR at all times. Please refer to Open in New Windowthis webpage for an overview of the supervisory authorities and their contact details. However, we would appreciate the chance to deal with your concerns before you approach the supervisory authority so please contact us beforehand.
  2. 10.2How to exercise your rights.
    The exercise of the abovementioned rights is free of charge and can be carried out by e-mail via the contact details displayed below. If requests are manifestly unfounded or excessive, in particular because of the repetitive character, we will either charge you a reasonable fee or refuse to comply with the request.
  3. 10.3Verification of your identity.
    We may request specific information from you to help us confirm your identity before we comply with a request from you concerning one of your rights.
  4. 10.4Follow-up of your requests.
    We will provide you with information about the follow-up to the request without undue delay and in principle within one month of receipt of the request. Depending on the complexity of the request and on the number of requests, this period can be extended by another two months. We will notify you of such an extension within one month of receipt of the request. The Applicable Privacy Legislation may allow or require us to refuse your request. If we cannot comply with your request, we will inform you of the reasons why, subject to any legal or regulatory restrictions.

ARTICLE 11 CONTACT DETAILS

For any questions, complaints or in the event that you wish to make use of one of the rights mentioned in ARTICLE 10, you may contact us at the contact details below:

  1. 11.1Contact Yamato Holdings. You can contact Yamato Holdings for any question relating to your privacy, via GDPR@kuronekoyamato.co.jp. You may also contact us via post (address: 16-10, Ginza 2-chome, Chuo-ku, Tokyo 104-8125, Japan).
  2. 11.2Contact DPO. We have appointed a Data Protection Officer. Our DPO can be contacted via dpo@yamatoeurope.com. Please let the DPO know by e-mail if you prefer to have further contact over the phone and indicate your preferred language, provided that this is the national language of an EEA country, or Japanese. The DPO will then provide you with the relevant phone number.

ARTICLE 12 MISCELLANEOUS

  1. 12.1Yamato Holdings reserves the right to change this Privacy Policy from time to time. It is your responsibility to regularly review the applicable conditions.
  2. 12.2If a provision from this Privacy Policy is in conflict with the law, it will be replaced by a provision of the same purport that reflects the original intention of the provision, all this to the extent legally permissible. In that case, the remaining provisions remain applicable unchanged.

ARTICLE 13 DEFINITIONS

  1. 13.1In this Privacy Policy, the definitions the following definitions apply:
    • “Applicable Privacy Legislation” means the Applicable Privacy Legislation, including the GDPR and the relevant national implementation acts.
    • “Contract” means any contract between you and Yamato Holdings.
    • “GDPR” means either or both the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and the GDPR as it forms part of United Kingdom (“UK”) law by virtue of section 3 of the Data Protection Act 2018 (“UK GDPR”).
    • “Privacy Policy” means the present Privacy Policy.
    • “Website(s)” means the website(s) listed Open a pop-uphere that controlled by Yamato Transport in as far as these are directed towards EEA individuals and fall under the scope of the GDPR.
    • “Website Visitor” means individuals who visit one of our Website(s).
    • “Yamato Group” means all entities which are part of the Yamato group and an affiliate entity of Yamato Transport.
  2. 13.2Other terms that are defined in the Applicable Privacy Legislation, such as ‘personal data’, ‘(joint) controller’, ‘processor’, ‘data subject’ and ‘processing’ will have the meaning as described in the Applicable Privacy Legislation.