Privacy Policy for Personal Employee’s Data Subject to GDPR

This privacy policy(This “privacy policy”) only applies to the processing of employees’ data subject to EU General Data Protection Regulation No 2016/679(The “GDPR”)​.

1. SBRG employees’ privacy policy

This Privacy Policy is implemented by SoftBank Robotics Group Corp. (“SBRG”) whose targets are its officers, workers(who may include employees, part-time employees, temporary employees, seconded employees, ), applicants and retirees in the European Economic Area (the “EEA”) (collectively, “Employees”) protected under the GDPR, regarding how SBRG collects and processes employees’ personal data as the data controller if employees’ personal data is provided or disclosed by the Data Subject or if personal data is received or acquired through a third party. SBRG processes the personal data in accordance with the GDPR (and other applicable EU and Member State regulations on data protection, if such regulations exist).

SBRG processes the personal data in accordance with the GDPR (and other applicable EU and Member State regulations on data protection, if such regulations exist). Processing of personal data in this Privacy Policy means processing of personal data of Employees who are in the EEA in any of the following cases:

  • I. if carried out in connection to activities of our establishment in the EEA,
  • II. if related to the offering of goods or services to the Employees, or
  • III. if related to the monitoring of the Employees’ behavior as far as their behavior takes place within the EEA.

2. Collection and processing of Employees’ personal data

SBRG always processes Employees’ personal data based on one of the legal bases provided for in the GDPR (Articles 6 and 7). In addition, if processing personal data that requires special care, SBRG will do so in accordance with the special rules provided for in the GDPR (Articles 9 and 10).

SBRG may collect and process Employees’ personal data in the following cases :(ⅰ) if required in order to provide the data with adequate services and products and SBRG otherwise has a legitimate interest; (ⅱ) if required in order to perform an agreement with Employees or carry out procedures before execution; or (ⅲ) if SBRG has obtained the Employees’ express prior consent. The Employee is entitled to withdraw his or her consent to the collection and processing of the personal data at any time, but this withdrawal will not affect the lawfulness of processing based on the consent before withdrawal thereof. SBR will keep Employees’ personal data for as long as it is necessary for us to comply with our legal obligations, to ensure that SBRG provides an adequate service, and to support our business activities (Articles 5 and 25(2) of the GDPR).

3.Purpose of collection and process

SBRG uses the following Employees’ personal data for the respective purposes as follows:

Purpose of use

Item Details Purpose of use
Internally disclosed information Name, Employee ID number, department, title, employment status, company e-mail address, information of mobile phone for business For business communication
Basic information Name, address, age, birth date, sex, phone number, face photograph For employment & HR management, posting (including secondment/relocation), creation of staff register, payment of salary, provision of benefit packages, social insurance related procedures, legally required procedures and other employment management
Pay-related information Decision method for annual and monthly earnings, bonus and salary, retirement allowance For decision and payment of salary, tax withholding procedures, social insurance related procedures, retirement allowance and benefit packages, workers’ tax-free property-forming and other employment management
HR information Performance evaluation, educational background, qualification/license, title, professional background, disciplinary punishment/official commendation For understanding human resources, decision of posting/assigned responsibility, secondment/relocation, training/skill development, promotion/demotion and other employment management
Family and relatives information Family structure, living-together/separated, presence of dependants, health condition For decision of salary, tax withholding procedures, social security related procedures, baby-care/nursing care leaves, benefit packages and other employment management
Physical and health information Health condition, medical records, physical or mental disabilities, results of health checkup For health care, ensuring appropriate labor environment, leave of absence, decision of posting, management of working hours and other employment management

Purpose of collection and processing of applicants’ personal data

Item Details Purpose of use
Basic information Name, address, age, birth date, sex, phone number, face photograph For review/decision of employment, review/decision of employment conditions, response to enquiries and business communication
Pay-related information Decision method for annual and monthly earnings, bonus and salary, retirement allowance
HR information Educational background, qualification/license, title, professional background
Family and relatives information Presence of dependants

Purpose of collection and processing retirees’ personal data

Item Details Purpose of use
Basic information Name, address, age, birth date, sex, phone number, face photograph For creation of HR data and communication after retirement
Pay-related information Decision method for annual and monthly earnings, bonus and salary, retirement allowance
HR information Performance evaluation, educational background, qualification/license, title, professional background, disciplinary punishment/official commendation
Family and relatives information Family structure, living-together/separated
Physical and health information Health condition, medical records, physical or mental disabilities, results of health checkup

SBRG gives notification of the purpose of that collection and processing to Employees when obtaining consent, agreement, or other appropriate means.SBRG processes Employees’ personal data for the above specified, explicit and legitimate purposes, and will not further process the data in a way that is incompatible with those purposes. If SBRG intends to process Employees’ personal data originally corrected for another objectives or purposes, SBRG ensures that Employees are informed of this action.

SBRG ensures that the data processed shall be limited to what is adequate and necessary in relation to the purposes for which they are processed.

4. Sharing Employees’ personal data

SBRG may share personal data with our group entities and third-parties in accordance with the GDPR. When SBRG shares the data with a data processor, SBRG will put the appropriate legal framework in place in order to cover data transfer and processing (Articles 26, 28 and 29 of the GDPR)).Furthermore, when SBRG shares the data with any entity outside the EEA, SBRG will put appropriate legal frameworks in place, notably controller-to-controller (2004/915/EC) and controller-to-processor (2010/87/EU) Standard Contract Clauses approved by the European Commission, in order to cover such transfers (Chapter 5 of the GDPR).

Outsourcing

SBRP may outsource all or part of Employees’ personal data processing to outsourcee. When executing an outsourcing agreement, the eligibility of the counterparty as an outsourcee is sufficiently investigated. Safety management measures, confidentiality, conditions for the outsourcee to outsource to another party, and other matters regarding the appropriate processing of the data are prescribed in the outsourcing agreement, and our outsourcee are appropriately supervised by implementing periodic monitoring, etc. of the outsourcing conditions.

Corporate Affiliates and Corporate Reorganizations

SBRG may share Employees’ personal data with all corporate affiliates. In the event of a merger, corporate reorganization, civil rehabilitation, acquisition, joint venture, assignment, transfer, sale or disposition of all or any portion of our business (including in connection with any bankruptcy or similar proceedings), SBRG may transfer any and all Employees’ personal data to the relevant third party.

Legal Compliance and Security

It may be necessary for SBRG – by law, legal process, litigation, and/or requests from public and governmental authorities within or outside the Data Subject’s country of residence – to disclose personal data. We may also disclose personal data if we determine that, for purposes of national security, law enforcement, or other issues of public importance, disclosure is necessary or appropriate.

SBRG may also disclose Employees’ personal data if SBRG determines in good faith that disclosure is reasonably necessary to protect our rights and pursue available remedies, enforce our internal regulations, investigate fraud, or protect our operations or users.

Transferring data

Disclosures or sharing of personal data as described above may involve transferring personal data out of the EEA. For each of these transfers SBRG makes sure that SBRG provides an adequate level of protection to the data transferred, in particular by entering into Standard Contract Clauses as defined by the European Commission decisions 2001/497/EC, 2002/16/EC, 2004/915/EC and 2010/87/EU.

5. ​Our records of data processes

SBRG handles records of processing of Employees’ personal data in accordance with the obligations established by the GDPR (Article 30), where SBRG might process personal data. In these records, SBRG reflects all the data necessary in order to comply with the GDPR and cooperate with the supervisory authorities in accordance with the GDPR (Article 31).

6. Security measures

SBRG processes Employees’ personal data in a manner that ensures such data undergoes appropriate security (including protection against unauthorized or unlawful processing and against accidental loss, destruction damage, etc.) using appropriate technical or organizational measures to achieve this (Articles 25(1) and 32 of the GDPR).

7. ​Notification of data breaches to the competent supervisory authorities

In case of breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Employees personal data transmitted, stored or otherwise processed, SBRG has the mechanisms and policies in place in order to identify it and assess the details of the breach promptly. Depending on the outcome of our assessment, SBRG will make the necessary notifications to the supervisory authorities and communications to the affected data subjects (Articles 33 and 34 of the GDPR).

8. ​Processing likely to result in high risk to Employees’ rights and freedoms

SBRG has mechanisms and policies in place in order to identify data processing activities that may result in high risk to Employees’ rights and freedoms (Article 35 of the GDPR). If any such data processing activity is identified, SBRG will assess it internally and either stop it or ensure that the processing is compliant with the GDPR or that appropriate technical and organizational protective measures are in place in order to proceed with it. In case of doubt, SBRG will contact the competent Data Protection Supervisory Authority in order to obtain their advice and recommendations (Article 36 of the GDPR).

9. Rights

Employees of SBRG have the rights on Employees’ personal data collected and processed by SBRG bellow. However, there is a possibility that some requests or constraints are imposed.

  • Right to obtainment: Employees of SBRG have the right to obtain all of data relating to data processing of Employees’ personal data(Article 13 and 14 of the GDPR).
  • Right of access: Employees of SBRG have the right to obtain as to whether or not Employees’ personal data is being processed, and if that is the case, access to the data (Article 15 of the GDPR)
  • Right to rectification and erasure: Employees of SBRG have the right to rectify inaccurate Employees’ personal data and erase the data without undue delay(Article 16 of the GDPR). In the event of certain specific requirements applied, they have the right to erase the data without undue delay(Article 17 of the GDPR).
  • Right to restriction of processing: In the event of certain specific requirements applied, Employees of SBRG have the right to restrict processing Employees’ personal data(Article 18 of the GDPR).
  • Right to object: In the event of certain specific requirements applied, Employees of SBRG have the right to object at any time to processing of Employees’ personal data with reason of specific situations.
  • Right to data portability: In the event of certain specific requirements applied, Employees of SBRG have the right to receive Employees’ personal data, in a structured, commonly used and machine-readable format and have the right to transmit the data to another controller without hindrance from SBRG(Article 20 of the GDPR).
  • Right not to be a target to a decision based solely on automated processing: In the event of certain specific requirements applied, Employees of SBRG have the right not to be a target to a decision based solely on automated processing which produces legal effects or similarly significantly affects on them(Article 22 of the GDPR).

If Employees of SBRG exercise such rights, please contact us at the address set forth section 11 below. They are not satisfied with the way in which SBRG has proceeded with any request, or if they have any complaint regarding the way in which SBRG processes Employees’ personal data, they may file a complaint with a Data Protection Supervisory Authority.

10. Update to privacy policy

SBRG may change this Privacy Policy from time to time. Any changes to this Privacy Policy will become effective upon posting of the revised Privacy Policy via the Website. If SBRG makes changes which SBRG believes are significant, SBRG will inform the Data Subject through the Website to the extent possible and seek for the Data Subject’s consent where applicable.

11. Contact

For any questions or requests relating to this Privacy Policy, contact us as follows:

E-mail

SBRGRP-privacy@g.softbank.co.jp

Service hours

10:00 – 17:45 (excluding Saturdays, Sundays and National Holidays)