Privacy Policy for European Economic Area(EEA) citizens

Kirin Holdings Company, Limited and its subsidiaries provided as following (collectively the “Company”), as a data controller, hereby adopts this Privacy Policy with regard to the personal data of customers within the European Economic Area (the “EEA”), which data is treated in connection with the Company’s websites (the “Website”). This Privacy Policy informs customers (“Data Subject”) of the Company’s way of collecting and using the personal data, the categories of personal data that the Company processes, the purposes and legal basis for such processing, as well as the rights and options that the Data Subject retain as for their personal data.

  • Subsidiaries
    • Kirin Brewery Company, Limited
    • Mercian Corporation

1. Collection and use of personal data

  1. The Company shall process the personal data lawfully and fairly.
  2. The Company may obtain the following personal data:
    • Names, positions, user names, addresses, telephone numbers, email addresses, company information and other registration information, etc., which are entered onto the Website using its comment posting function, inquiry function, etc.;
    • Names, nationalities, addresses, telephone numbers, email addresses, which are entered onto the Website using online form to apply for the Company’s service etc.;
    • Log files and device information at the time of the customer’s visit to the Website, including, but not limited to their IP address, the date and time of request, the requested URL, the access status/HTTP status code, the range of transmitted data, the referrer-URL, the type and language setting of browsers; and
    • Information obtained from the Cookies at the time of the customer’s visit to the Website.
  3. When the customer determines to provide the Company with his or her personal data (that is, his or her entering the form displayed on the Website), the Company may directly collect the personal data.
    When the customer’s personal data is provided for the Company through his or her electric communication terminals or Internet browsers, the Company may indirectly collect the personal data.

2. Legal basis for processing the personal data

  1. The Company shall handle the personal data solely for the purposes which are compatible with the GDPR (General Data Protection Regulation) and the EEA Member States' laws on data protection.
  1. The Company shall generally process the personal data depending on the following legal bases, including:
    • In the case that the customer has given consent to the processing of their own personal data for one or more specific purposes;
    • In the case that the processing of personal data is required for the performance of a contract to which the customer is a party or in order to take steps at the request of the customer prior to entering into a contract;
    • In the case that the processing of personal data is required for compliance with a legal obligation to which the controller is subject;
    • In the case that the processing of personal data is required in order to protect the vital interests of the customer or other natural persons;
    • In the case that the processing of personal data is required for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or
    • In the case that the processing of personal data is required for the purposes of the legitimate interests pursued by the Company or a third party, except where such interests are overridden by the customer’s interests or fundamental rights and freedoms.

3. Purposes of the processing

Unless permitted as an exception by the GDPR (General Data Protection Regulation) and the EEA Member States' laws on data protection, the Company may collect and process the customers’ personal data for the following purposes:

Beneficial communication with customers and the Company’s business execution

If a customer inquires of the Company for general questions regarding the Company and the Company’s products, notifies the Company of the issues with the products or applies for services provided by the Company, the Company will save and process the customer’s personal data transmitted along with the said inquiry, notification or application.
The Company uses the customers’ personal data for executing its business such as the response to their inquiries or applications for the services or any other communication with the customer or the performance of the Company’s obligations under the agreement between the customers and the Company.
In addition, the Company uses the customers’ personal data in order to provide, improve and create the Company’s products and services by precisely grasping the Company’s business on the basis of the specific understanding of the customers’ request for the Company’s service or marketing.

Provision, improvement, development and security of the Website:

In order that the customers may use the function of Website, the Company uses the log files and device information, which are the customers’ personal data. Additionally, the Company uses the information and data to optimize the Website and to ensure the security of the Company’s IT system.

Cookies

Some pages of the Website use the technology called “Cookie” to improve the user’s usability. Cookie includes a variety of data, such as the information regarding the Website which the customers accessed, the frequency of the Website viewing, and the customers’ actions on the Website. For more details about the way of the Company’s use of the Cookie and its related technologies, please see our Cookies Policy.

4. Withdrawal of Consent

A Customer shall have the right to withdraw his or her consent at any time subject to Article 9 of this Privacy Policy. The withdrawal of consent shall not affect the lawfulness of processing or transferring based on the consent before its withdrawal. If the customer wishes to withdraw his or her consent, please contact the Company’s inquiry desk.

5. Statutory or contractual requirement, or a requirement necessary to enter into a contract

When the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, the Company separately informs the customer whether the Data Subject are obliged to provide their personal data and of the possible consequences of failure to provide such data.

6. Transfers of personal data

  1. The Company shall comply with the applicable laws and regulations and shall, for the purposes stipulated in this Privacy Policy, share the personal data of the Data Subject with the Company’s group companies and its affiliates.
  2. The Company may provide the personal data to its service providers which process the personal data on behalf of and under the instruction of the Company. Such service providers shall, under contracts or other legally binding instruments, bear the obligations concerning the appropriate safeguards of data processing.
  3. In the event of a merger, reorganization, acquisition, joint venture, transfer, spin-off, assignment, or either sale or disposition of all or part of the Company’s business (including those in connection with any bankruptcy or similar proceedings), the Company may transfer any and all relevant personal data to any third parties.
  4. The Company may be required to disclose the personal data by law, legal procedures, litigations, and/or requests from public and governmental authorities within or outside the residence country of the Data Subject. The Company may disclose the personal data if the Company determines it to be necessary or appropriate to disclose the personal data for the purposes of national security, law enforcement, or under other important public interests.
  5. The Company may disclose the personal data if the Company determines that the disclosure is reasonably required in order to protect the Company’s rights, pursue the available remedies, enforce the Company’s terms and conditions, investigate misconducts, or protect the Company’s operations or users.
  6. The Company may transfer the personal data to any third parties other than its affiliates, etc. and such third parties may be located outside the EEA. Such third parties include the cloud service vendors and the service providers.
    Transfers of the personal data into Japan are based on either an adequacy decision regarding the transfer of cross-border data obtained by Japan or the Standard Contractual Clauses. For more information on the content of the adequacy decision, please refer to the European Commission’s document below.
    Document: Commission Implementing Decision (EU) 2019/419 of 23 January 2019 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate protection of personal data by Japan under the Act on the Protection of Personal Information (Text with EEA relevance)
    Transfers of personal data into third countries other than Japan and the EEA, excluding the countries and regions that have acquired adequacy decisions, are ensured to be adequately protected under the binding and enforceable commitments of contracts or other legally binding instruments such as Standard Contractual Clauses. In the event of concluding the Standard Contractual Clauses, the Company will provide the details of such safeguards as a response to the customer’s inquiry using contact details at the end of this Privacy Policy.

7. The period for which the personal data will be stored

The Company will not store the personal data of the Data Subject beyond the period required in connection with the purpose of processing the personal data. The specific storage period shall be determined, taking into account the purposes of acquiring and processing the personal data, the nature of personal data, and the legal or operational necessity of retaining the personal data.

8. Security

  1. The Company shall make efforts to ensure the accuracy of personal data and, if necessary, keep the personal data up to date.
  2. The Company shall implement the technical and organizational measures in order that the personal data should be protected against unauthorized or unlawful processing and against accidental loss, destruction or damage.
  3. The Company shall cause its employees to recognize the importance of personal data or the risk of breaching the rules for handling the personal data, and shall supervise their adequate management and treatment of personal data.

9. Customers’ rights

Customers shall have the following rights regarding the processing of personal data:

  • Right to withdraw his or her consent at any time (Article 7 of the GDPR);
  • Right to obtain all the information of customers necessary for the Company’s data processing (Article 13 and 14 of the GDPR);
  • Right to access to the personal data and its related information (Article 15 of the GDPR);
  • Right to rectify the inaccurate personal data without undue delay (Article 16 of the GDPR);
  • Right to erase the inaccurate personal data without undue delay, under certain conditions (Article 17 of the GDPR);
  • Right to restrict the processing of personal data, under certain conditions (Article 18 of the GDPR);
  • Right regarding the data portability (Article 20 of the GDPR);
  • Right to object to the processing of personal data concerning the Data Subject, under certain conditions (Article 21 of the GDPR); and
    Right not to be subject to a decision based solely on automated processing including profiling, under certain conditions (Article 22 of the GDPR).

10. When the customer desires to exercise his/her rights

If a customer desires to exercise his/her rights, please inquire using the contact details at the end of this Privacy Policy. If dissatisfied with the processing of his/her personal data, the customer may lodge a complaint with a data protection supervisory authority of his or her habitual residence, place of work, or of the EEA member states where his/her personal data is breached. (Article 77 of the GDPR)

11. Conditions applicable to children

The Company shall intentionally neither collect nor process the information regarding a child below the age of 16 years, unless the consent is given or authorized by the holder of parental responsibility over the child. (Article 8 of the GDPR)

12. Modification of this Privacy Policy

The Company may modify this Privacy Policy from time to time. In substantially or materially modifying this Privacy Policy, the Company informs customers through the Website and requests the consent of them, as the case may be.

13. Contact Details

As for any questions or inquiry about this Privacy Policy, please contact the Company or its representative set out below.

The Company
Kirin Holdings Company, Limited
NAKANO CENTRAL PARK SOUTH
10-2, Nakano 4-chome, Nakano-ku, Tokyo 164-0001, Japan
Please contact the inquiry desk via the contact form of the Website.

The Representative
Kirin Europe GmbH
Berliner Allee 26
40212 Dusseldorf
kirineurope@kirin.de