Global Policy on Privacy Protection
As ASICS Headquarters we wish to present a clear guideline as to our opinion on privacy protection. ASICS includes ASICS Corporation, its subsidiaries and its affiliates.
From our corporate philosophy and the values, it is clear that leakage and abuse of Private Information is not tolerated.
Leakage and abuse of Private Information is harmful to business and society. It deprives people of trust and confidence in the company.
Privacy is important to the modern state, because grounded in it is the individual’s physical and moral autonomy. For this reason, it is worthy of constitutional protection. The exact contents of a local privacy statement will depend upon the applicable laws and may need to address requirements across geographical boundaries and legal jurisdictions.
It is our policy and conviction to ensure that we do business according to the highest standards and that our practices comply with all applicable laws, in any country we operate in through directly related companies or third parties.
This policy should be considered as complementary to local policies or statements on privacy protection in place. In case of conflict between this policy and the local privacy protection policy, the local privacy protection policy shall apply. In case of absence of such local policy, this policy will be applicable.
ASICS operates a zero tolerance approach to leakage and abuse of Private Information, in any way or form and wherever in the world.
Private Information is defined as recorded information which can be anything used to identify an individual, not limited to, but including information regarding; name, address including email address, date of birth, marital status, contact information, ID issue and expiry date, financial records, credit information, medical history, where you travel and intentions to acquire goods and services, phone number, race, nationality, ethnicity, origin, color, religious or political beliefs or associations, sex, sexual orientation, family status, finger prints, blood type, inherited characteristics, educational, financial, criminal, employment history, others’ opinion about individuals etc..
Data Subject is defined as any person who can be identified, directly or indirectly, by one or more factors belonging to the category of Private Information specific to his or her identity for example, by reference to an identification number.
Personal Data is defined as any information related to an identified or an identifiable Data Subject. For example, a Data Subject’s home address, e-mail address and/or phone number, personnel file or benefits information would constitute Personal Data. Personal Data may be processed by any means including but not limited to electronic means and systematically accessible paper-based filing systems.
General Business Purpose is defined as the purpose for any activity related to the commercial operations of ASICS’ worldwide organization. This could include but is not limited to its sales, marketing and research and development activities, protection of intellectual properties, the provision of services or internal operations.
Processor is defined as a natural or legal person or any other entity that processes Personal Data on behalf of ASICS and under its control. In this context, a Processor may be a company that works on behalf of ASICS and under its control. ASICS requires Processors to protect the privacy, confidentiality and security of Personal Data that are kept by ASICS.
Processing of Personal Data is defined as any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaption or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction
Third Party is defined as any natural or legal person, public authority, agency or any other entity other than Data Subjects, ASICS, Processor and the persons who, under the direct authority of ASICS or Processor, are authorized to process the Personal Data.
Business Partners is defined as ASICS’ suppliers, (sub) contractors, intermediaries, commercial agents, consultants and other service providers.
Processing Personal Data
Processing of Personal Data without its Data Subject’s consent is prohibited unless it is permitted under applicable laws.
In case of doubt, please contact the department in charge of privacy protection at the company or administrating (controlling or parental) company.
Handling of Personal Data
ASICS will take reasonably possible steps that Personal Data are:
a) Obtained, where possible, directly from Data Subject to whom the Personal Data relates;
b) Obtained and processed fairly and lawfully for General Business Purposes;
c) Relevant to and no more revealing than is necessary for General Business Purposes; and
d) Kept up-to-date to maintain data accuracy, while data are under the control of ASICS and kept only for so long as is reasonably necessary.
Promptly after the applicable retention period has ended, the Personal Data shall be securely deleted or destroyed, de-identified or transferred to an Archive (unless prohibited by applicable law or retention policy).
Personal Data should be accurate, complete and kept up-to-date to the extent reasonably necessary for the applicable General Business Purpose
Privacy Notice and Rights of Individuals
ASICS shall inform Data Subject of the following items with respect to his/her Personal Data through a privacy notice:
a) The business purposes for which Personal Data are Processed;
b) Which ASICS Company is responsible for the Processing;
c) Other relevant information (nature and category of Personal Data);
d) Which Personal Data ASICS collects; and
e) How the collected Personal Data is used and whether it may be temporarily transferred to others to provide the products and services requested.
Data Subject has the right to request an overview of their Personal Data processed by or on behalf of ASICS. Where reasonably possible, the overview shall contain information regarding the source, type, purpose and categories of recipients of the relevant Personal Data.
Data Subject has the right to object to the Processing of his/her Personal Data on the basis of compelling grounds related to his/her particular situation.
Within a reasonable period after ASICS receiving the request or the objection, the department in charge of privacy protection at the company or administrating (controlling or parental) company shall inform to Data Subject in writing ASICS’ position with regard to the request or the objection and any action ASICS has taken or will take in response. ASICS’ response shall be made within a reasonable period.
ASICS shall transfer Personal Data to a Third Party only as necessary to serve the purposes for which Data Subject has provided consent or as permitted or required by applicable laws.
The controller of Third Party’s Personal Data (other than public authorities) may Process Personal Data obtained in connection with their relationship with ASICS only if they have a written contract with ASICS.
As appropriate, ASICS shall seek to contractually protect the privacy of impacted Data Subject(s). All such contracts shall be drafted in consultation with legal department of the company or administrating (controlling or parental) company.
ASICS shall not transfer, sell, lease or rent business contact information in bulk or separately to any persons or entities including controller of Third Party’s Personal Data without Data Subject’s consent except as permitted or required under applicable law and to the extent such transfer, sale, lease or rent serves a legitimate General Business Purpose.
Transfer of Personal Data to a Third Party located in a country that is not considered to provide an ‘adequate level of protection’ for Personal Data may only be made after prior written approval of the department in charge of privacy protection at the company or administrating (controlling or parental) company.
The Department in Charge of Privacy Protection
ASICS has appointed a department in charge of privacy protection at the company or administrating (controlling or parental) company to ensure compliance to local laws and procedures.
They are responsible for:
a) Supervising compliance with this policy;
b) Providing period reports to the Local Board of Directors and the ASICS Corporation Board of Directors, on data protection risks and compliance issues;
c) Coordinating official investigations or inquiries into the Processing of Personal Data by a public authority;
d) The development of policies, procedures and system information;
e) Planning training and awareness programs;
f) Collecting, investigating and resolving privacy inquiries, concerns and complaints; and
g) In close cooperation with HR Department of the company or administrating (controlling or parental) company, determining and updating appropriate sanctions for violation of this policy.
This policy applies to ASICS Corporation, its subsidiaries and its affiliates.
ASICS establishes a business relationship exclusively with Business Partners who comply with the applicable laws with respect to privacy protection.
Responsibility of Employees and Management
All ASICS’ directors and employees worldwide must read and understand this policy thoroughly and comply with it at all times. Any questions or doubts should be forwarded to the department in charge of privacy protection at the company or administrating (controlling or parental) company in accordance with chapter Record-Keeping and Reporting sub b).
It is the responsibility of Management to communicate this policy and ensure that all employees and external parties working on behalf of ASICS, within their area of responsibility, understand and comply with this policy.
It is the responsibility of Management to provide relevant training to employees with the aim of helping them understand and deal with dilemmas regarding Private Information.
ASICS expects its directors, employees, and Business Partners to maintain the trust placed in ASICS by those Data Subjects who provide Personal Data to ASICS.
It is vitally important that Business Partners not engaged in violation of privacy laws, in order to obtain business with ASICS or to obtain services on behalf of ASICS. Rigorous due diligence should be applied to high-risk areas and compliance with this policy should be a condition of doing business with ASICS and included in agreements where relevant.
ASICS may be held responsible for the conduct of our Business Partners. It is therefore important that we know our Business Partners and make sure that they do not violate privacy laws (allegedly) on ASICS’ behalf.
Violations of this policy may trigger severe sanctions against ASICS which includes, but are not limited to, the followings:
a) Authorities may impose substantial fines on ASICS;
b) ASICS may be forced to redesign a system or retro-fitting solutions;
c) Criminal sanctions may lead to imprisonment and/or fines for directors and employees;
d) Compensation claims from individuals; and/or
e) Allegations of violating privacy laws against ASICS may lead to substantial reputational damage and may impact our business and stock price.
Consequences of Violations
The consequences for violating this policy will depend upon the facts of each situation and may lead to disciplinary action which may include termination of employment.
Record-Keeping and Reporting
a) All accurate records shall be kept regarding the exact nature of recorded business transactions in accordance with the related internal policies. All these records shall be clear and transparent
b) All directors, employees and Business Partners are expected to report any violation of privacy laws made by or on behalf of ASICS. If you become aware of any actual or suspected breach, you must raise your concerns as soon as possible. This can be done by contacting the department in charge of privacy protection at the company or administrating (controlling or parental) company through an ordinary reporting line or the Global Whistlelowing Line. Reporters to the Global Whistleblowing Line can remain anonymous if they wish. How to contact the Global Whistleblowing Line is shown in Global Policy on Protected Disclosure (Whistleblowing), and all the reports to the Global Whistleblowing Line should be treated in accordance with Global Policy on Protected Disclosure (Whistleblowing).
c) It is the policy of ASICS to report illegal acts to the appropriate authorities and to fully cooperate in any subsequent investigation.
d) All concerns raised directly to those mentioned under b) of this chapter will be reviewed and, if warranted, investigated.
e) It is recommended that, before reporting, reporters gather as much information, evidence or relevant documentation as possible, taking one’s personal risk into consideration, so that the concern can be effectively evaluated.
Communication and Training
Communication and training are being implemented so that this policy is fully understood.
Monitoring and Review
The effectiveness of the implementation of this policy will be monitored and reviewed regularly considering its suitability, adequacy and effectiveness.