PRIVACY POLICY
For users in Europe, South Korea, Mainland China, Hong Kong, Thailand, Singapore, Malaysia, Indonesia, Vietnam, Australia, U.S.A, Canada, and Mexico, please check below.
1. OUR PRIVACY STATEMENT
The protection of your personal data is of great importance to Japan National Tourism Organization (the “Organization”, “we”, “us” and “our”). This privacy policy (the “Privacy Policy”) therefore intends to inform users, followers, subscribers, (potential) individuals we provide services to, business partners, contractors, vendors, seminar participants and their respective employees and other third parties outside the Organization whose data is processed by our UK office about how the Organization, acting as data controller, collects and processes your personal data that you submit or disclose to us. We also act as data controller when we process your personal data received or obtained through third-parties. We process this personal data in accordance with the applicable data protection law, in particular, the General Data Protection Regulation No 2016/679 (the “GDPR”) and the retained EU law version of the GDPR (the “UK GDPR”).
We encourage you to read this Privacy Policy carefully. If you do not wish your personal data to be used by us as set out in this Privacy Policy, please do not provide us with your personal data. Please note that where we need to collect personal data by law, or in order to provide you with services, we may not be able to provide you with our services and you will not be able to access or use some features of our websites. If you have any queries or comments relating to this Privacy Policy, please contact info_uk@jnto.go.jp.
2. WHAT DATA DO WE COLLECT?
Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:
• Identity Data includes first name, maiden name, last name, username or similar identifier, marital status, title, date of birth and gender.
• Contact Data includes address, email address and telephone numbers.
• Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access our websites.
• Profile Data includes your username and password, your interests, preferences, feedback and survey responses.
• Usage Data includes information about how you use our websites, and services.
• Marketing and Communications Data includes your preferences in receiving marketing from us and our third parties and your communication preferences.
• Events Data includes data you provide to us in connection to an event or trip that we hold or arrange such as your preferences, travel information, smoking status, emergency contact, data contained in ID (such as a copy of your passport), and nationality.
We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data could be derived from your personal data but is not considered personal data in law as this data will not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy policy.
We may collect certain Special Categories of Personal Data about you as follows:
• Information about your health.
3. HOW DO WE COLLECT YOUR PERSONAL DATA?
We use different methods to collect data from and about you including through:
• Direct interactions. You may give us your Identity, Contact and Events Data by filling in forms or by corresponding with us by post, phone, email or otherwise. This includes personal data you provide when you:
• request that we provide services;
• participate in an event or trip we arrange or are involved with;
• subscribe to our publications;
• request information or marketing to be sent to you;
• enter a competition, promotion or survey; or
• give us feedback or contact us.
• Automated technologies or interactions. As you interact with our website, we will automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this personal data by using cookies, server logs and other similar technologies. We may also receive Technical Data about you if you visit other websites employing our cookies. Please see our cookie policy https://www.japan.travel/en/uk/cookie-policy/ for further details.
• Third parties or publicly available sources. We will receive personal data about you from various third parties [and public sources] as set out below:
Technical Data from the following parties:
(a) analytics providers such as Google based outside the UK;
(b) advertising networks such as Google, Facebook, YouTube, and Sojern based outside the UK;
(c) search information providers such as Google, Tripadvisor, and Skyscanner based outside the UK;
• Your employer, where we are dealing with your employer.
• Other offices of the Organization.
• Contact, Financial and Transaction Data from providers of technical, services.
• Identity and Contact Data from publicly available sources such as Companies House based inside the UK.
4. HOW DO WE USE YOUR PERSONAL DATA?
We ensure that the personal data processed are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. We will only process your personal data when the law allows us to.
Most commonly, we will use your personal data in the following circumstances:
• Where we need to perform the contract we are about to enter into or have entered into with you.
• Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
• Where we need to comply with a legal obligation.
• Where you have consented to the use of your personal data.
Where you have provided consent to the collection, processing and transfer of your personal data for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent, please contact us using the contact details below. Once we have received notification that you have withdrawn your consent, we will no longer process your personal data for that purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.
5. PURPOSES FOR WHICH WE USE YOUR PERSONAL DATA
Annex A sets out what we use your personal data for and our reasons for doing so.
6. HOW DO WE SHARE YOUR PERSONAL DATA?
We may share your personal data between the offices of the Organization and with third parties for the purposes set out IN Annex A.
Strategic Partners (operating as Controllers)
Your personal data may be transferred to, stored and further processed by our strategic partners that work with us to provide our services or help us conduct business with customers and provide assistance with managing our relationship with our staff. We may currently share your personal data with the following categories of partners: suppliers, e.g. travel services, airlines, travel insurance providers, project management service providers, IT service providers, marketing service providers , communication service providers, webinar platform providers, meetings, incentives, conferences and exhibitions (MICE) organization service providers, public authorities, seminar organizers, project contractors, advertising service providers.
Your personal data will only be shared by us with these companies for the purposes specified above in this Privacy Policy.
Service Providers (operating as Processors)
We share your personal data with companies which provide services on our behalf, such as software companies, consulting companies, suppliers, e.g. social networking services, travel services, airlines, travel insurance, e-learning platforms providers, project management service providers, IT service providers and consultants, Social Networking Service (SNS) providers (Facebook, Twitter, Youtube, Instagram), IT service providers, PR consultants, meetings, incentives, conferences and exhibitions (MICE) organization services, project contractors, project management services and service providers social insurance.
Your personal data will only be shared by us with these companies for the purposes specified above in this Privacy Policy.
Corporate Affiliates and Corporate Business Transactions
We may share your personal data with all of the Organization’s affiliates and with other third parties in the event of a merger, reorganization, acquisition, joint venture, assignment, spin-off, transfer, or sale or disposition of all or any portion of our business, including in connection with any bankruptcy or similar proceedings, we may transfer any and all personal data to the relevant third party.
Legal Compliance and Security
It may be necessary for us – by law, legal process, litigation, and/or requests from public and governmental authorities within or outside your country of residence – to disclose your personal data. We may also disclose your personal data if we determine that, due to purposes of national security, law enforcement, or other issues of public importance, the disclosure is necessary or appropriate.
We may also disclose your personal data if we determine in good faith that disclosure is reasonably necessary to protect our rights and pursue available remedies, enforce our terms and conditions, investigate fraud, protect our operations or users, or where we are otherwise permitted to do so under applicable data protection law.
We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.
International Data Transfers
Such disclosures may involve transferring your personal data out of the European Union and the UK to Japan, the USA, Turkey, Israel, countries within the EU, and Norway.
Whenever we transfer your personal data out of the UK or the EU, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
• We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data and where the transfer is permitted under applicable data protection law.
• Where we use certain service providers and for certain other data recipients, we may use specific contracts approved for use in the UK (for transfers from the UK) or the EU (for transfers from the EU) which give personal data the same protection it has in the UK or the EU (as the case may be).
Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the UK or the EU.
7. SECURITY MEASURES
We process your personal data in a manner that ensures their appropriate security, including protection against unauthorised or unlawful processing, accidental loss, destruction or damage. We use appropriate technical or organisational measures to achieve this level of protection in accordance with applicable data protection law.
8. NOTIFICATION OF DATA BREACHES TO THE COMPETENT SUPERVISORY AUTHORITIES
In case of breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed, we have the mechanisms and policies in place in order to identify the breach and assess it promptly. Depending on the outcome of our assessment and where we are required to under applicable data protection law, we will make the requisite notifications to the relevant supervisory authorities and communications to the affected data subjects, which might include you.
9. YOUR RIGHTS
Under certain circumstances, you have rights under data protection laws in relation to your personal data. These are as follows:
Request access to your personal data (commonly known as a "data subject access request"). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios:
• If you want us to establish the data's accuracy.
• Where our use of the data is unlawful but you do not want us to erase it.
• Where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims.
• You have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
Request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
If you intend to exercise such rights, please refer to the contact section below.
If you are not satisfied with the way in which we have proceeded with any request, or if you have any complaint regarding the way in which we process your personal data, you may lodge a complaint with a Data Protection Supervisory Authority (please refer to section 14 below.
10. RETENTION
We will keep your personal information while you have an account with us or we are providing services to you or to your employer. Thereafter, we will keep your personal information for as long as is necessary:
• to respond to any questions, complaints or claims made by you or on your behalf;
• to show that we treated you fairly;
• to keep records required by law.
We will not retain your personal information for longer than necessary for the purposes set out in this policy. Different retention periods apply for different types of personal information
11. CHILDREN
Our services are intended for adults. Thus, we do not knowingly collect and process any personal data of children.
12. LINKS TO OTHER SITES
We may propose hypertext links from the Website to third-party websites or Internet sources. Links are provided for information purposes only and we do not control and cannot be held liable for third parties’ data protection practices and content. Please read their privacy policies carefully to find out how they collect and process your personal data before you provide data to third parties.
13. UPDATES TO PRIVACY POLICY AND YOUR DUTY TO INFORM US OF CHANGES
We may revise or update this Privacy Policy from time to time. Any changes to this Privacy Policy will become effective upon posting of the revised Privacy Policy via the Services so we recommend that you check our website regularly.
It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.
14. CONTACT AND COMPLAINTS
For any questions or requests relating to this Privacy Policy, you can contact us by email (info_uk@jnto.go.jp).
You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK regulator for data protection issues (www.ico.org.uk). If you are based outside the UK, you have the right to lodge your complaint with the relevant data protection regulator in your country of residence.
We would, however, appreciate the chance to deal with your concerns before you approach a data protection regulator so please contact us in the first instance.