This Policy is effective from 25 May, 2018.
This Policy is issued by The Norinchukin Bank, 1-13-2 Yurakucho, Chiyoda-ku, Tokyo 100-8420 Japan (the corporation will be referred to as the “Bank” and its Tokyo headquarters will be referred to as “Head Office”) on behalf of the relevant Controllers identified in Section 5 below (such relevant Controllers will be referred to individually as “we”, “us” and “our”, in respect of the Controller that is Processing your personal information as data controller).
The Bank has its primary branch offices in New York, Singapore and London. Head Office, its branch offices, representative offices and wholly-owned subsidiaries will be referred to collectively as the “Group”.
This Policy is addressed to individuals outside our Group with whom we interact, including Personnel of our corporate customers, counterparties and suppliers, and other recipients of our services (together, “you”), such as the following categories of individuals:
Key relationship contacts: This means the individuals who are our business contacts at the corporate customers or potential corporate customers of the relevant Controller in respect of the trading arrangements, corporate lending and/or depositor related activities performed in the UK and the EEA, or individuals who are our business contacts at our suppliers or potential suppliers;
Directors and beneficial owners of corporate customers, counterparties and suppliers: This means individuals whose details are checked by the relevant Controller as part of their onboarding and ongoing administration processes, including those checks necessary for the detection and prevention of financial crime, in order for the relevant Controller to meet applicable legal obligations and regulatory expectations; and
Visitors to our offices: This means anyone whose image is captured on CCTV at our premises.
We also require that all corporate customers, counterparties and suppliers direct their Personnel to this Policy.
Other defined terms used in this Policy are explained in Section 6 below.
PLEASE READ THIS POLICY CAREFULLY AND REGULARLY CHECK THIS PAGE TO REVIEW ANY CHANGES WE MIGHT HAVE MADE TO THIS POLICY TO REFLECT CHANGES IN LAW OR REGULATION APPLICABLE TO US, OR TO REFLECT CHANGES FROM TIME TO TIME IN RESPECT OF THE WAY IN WHICH WE PROCESS PERSONAL INFORMATION
1 Processing your personal information
1.1 The meaning of “personal information”
“Personal information” has the same meaning as personal data (which is the term used in data protection laws applicable to us). Personal data means any information relating to an identified or identifiable natural person. This means any individual who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifiers (for example, IP addresses or MAC addresses – if they can be used to identify you), or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. A natural person is distinct from a legal person (i.e. a corporate entity).
Put simply, this includes data which either by itself or with other data held by us or available to us, can be used to identify you.
Personal information also includes special categories of personal data (“sensitive personal information”). This is data about your racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning your health, sex life or sexual orientation (as relevant). In addition, it includes criminal convictions and offences personal data (as relevant).
1.2 Collection of personal information
We will collect your personal information from you directly, for instance when you speak to us on the telephone or send us an email. In addition, visitors to our offices will be captured on CCTV.
We will collect your personal information indirectly including from other people at our corporate customer (e.g. if your HR department sends us your details) and from other parts of our Group.
Certain aspects of this personal information are collected from publicly available sources, including where you have manifestly chosen to make the information public (for example on publicly visible social media pages). For instance, we may collect names and contact details of our key relationship contacts from the website pages of corporate customers. Likewise, details of directors and beneficial owners may be collected from publicly available sources such as the register at Companies House and work-related social media profiles, and their personal information may also be obtained from data feeds for Politically Exposed Persons (“PEPs”), sanctions and financial crime negative media.
1.3 Creation of personal information
In limited circumstances, and subject to applicable law, we may create personal information about you from our records of our interactions with you. For example, we may create personal information as a result of our call recording or through the monitoring of other business communications, such as email or chat, or screening of data; in each case, for the purposes of meeting the expectations of our regulators.
1.4 What types of personal information do we process?
The types of personal information that we process include:
(a) Key relationship contacts:
- your full name and job title;
- your work contact details (which means business postal address at the corporate customer, business e-mail address, employer/business and professional information, job title, telephone and fax numbers);
- transaction details (for example, where you are identified on the trade confirmation as the trader or dealer who executed the transaction with us); and
- any other personal information which you or our corporate customer, counterparty or supplier may voluntarily provide to us from time to time (for example, if you are a signatory to the mandate in place for management of the operational relationship that your employer has with us, your employer will provide us with evidence of your signature and may also provide us with authentication information).
Why do we collect this personal information: It is necessary for us to have basic personal information of this kind in respect of the Personnel of our corporate customers, counterparties and suppliers, and other recipients of our services, in order to carry out our normal day to day business activities of delivering services to corporate customers and counterparties, or receiving goods and services from suppliers (further details are set out in Section 1.5 below).
(b) Directors and beneficial owners of corporate customers, counterparties and suppliers:
In addition to the information above, as part of our onboarding and ongoing administration processes for the management of the contractual relationship with your employer, we may also process:
- proof of address and proof of identity documentation, such as copies of passports which include your date of birth, full name, home address and your photographic image, and (should you voluntarily include this information) pages which include details of family members/next of kin contacts. You should be aware that your special categories of personal information including your racial or ethnic origin may be visible in copies of your passport – see Section 1.6 below for more information about this;
- utility bills or bank statements which include your full name and home address;
- other Government-issued data such as tax identification number(s), visa or other evidence of right to work in a particular jurisdiction, or driving licence number(s); and
- signatures, photographs or other visual images and personal appearance (as these may appear on the documentation provided to us).
Why do we collect this personal information: It is necessary for our legitimate interests of meeting applicable legal obligations and regulatory expectations for us to obtain this information in respect of these types of Personnel of our actual or potential corporate customers, counterparties or suppliers (further details are set out in Section 1.5 below).
(c) Visitors to our offices:
- your facial image; and
- personal appearance and behaviour,
as captured on CCTV cameras at our offices.
Why do we collect this personal information: It is necessary for our legitimate interest of meeting applicable legal obligations and regulatory expectations (for example, we have to know who accesses particular areas of our premises), to protect our premises from crime (such as theft), and to protect the personal safety of our employees and other staff (further details are set out in Section 1.5 below).
1.5 The lawful basis for our use and processing
Here are the legal grounds that are relevant to us (NB: For some processing more than one legal ground may be relevant and that is why some processing is described under more than one heading):
(a) The Processing is a necessary part of our legitimate interests or those of third parties, for the delivery of services to corporate customers and counterparties, or receiving goods and services from our suppliers (to the extent that on balance such legitimate interest is not overridden by your interests or fundamental rights and freedoms)
This lawful basis is relevant to the Processing which we undertake to set up, and to administer, the contractual relationship that we have with the corporate customer, counterparty or supplier for whom you work or at which you are a director or beneficial owner and to supply the products and services to that customer or counterparty (or receive the supply of goods or services from the supplier).
Our core business operations which are relevant to this are as follows: (a) we carry out trading activities with market counterparties; (b) we conduct lending to corporate borrowers, and (c) we receive goods and services from our suppliers. The relationship that we have with the organisation for whom you work or at which you are a director or beneficial owner will be in connection with one or more of these.
We will use your personal information to arrange and administer these activities (including to communicate with you about the same if you are a key relationship contact).
As the services we provide to our corporate customers and counterparties require us to be authorised and regulated, we also have to Process the personal information as part of our fulfilment of the legitimate interest that we have in meeting the expectations of our regulators. As a result, we will also use your personal information for purposes such as:
- Compliance with our internal compliance requirements, policies and procedures;
- Fulfilling the expectations of our regulators in respect of the prevention of financial crime, including, for example, conducting identification and verification checks, and ongoing screening against Government, supranational and law enforcement data and sanctions lists, and against third party collated data in order to identify higher risk relationships;
- To protect our business information, our premises and our officers and employees at those premises and to know who goes in and out of our premises and who goes into different rooms at our premises (for example, we will use CCTV images of visitors to our premises for this purpose);
- To protect the health and safety of visitors to our premises;
- For management and audit of our business operations including annual external financial audits, and third party assurance reviews, management of our IT and communications systems and networks, and IT security audits;
- Making contact with you as a representative of your employer in order to review the service we are offering to our corporate customers and counterparties, to receive feedback on our services and, where relevant, in order to handle any complaints;
- Internal audit, compliance controls and other risk management purposes, including for example monitoring of communications for the purposes of detecting, investigating and preventing breaches of policy and criminal offences, in accordance with applicable law; and
- Establishing, exercising and defending legal rights.
(b) The Processing is necessary for compliance with a legal obligation or is otherwise for reasons of substantial public interest or as is necessary to protect the vital interests of any individual
This lawful basis is relevant to the Processing which we undertake in order to comply with a legal obligation (including, for example, the obligations which apply to us because of our status as an authorised and regulated firm). In some circumstances, it may also be necessary in order to protect the vital interests of any individual (which could be you yourself or other individuals).
Examples of the type of Processing which we might undertake for these purposes are:
- Appropriately responding to the exercise by you of your rights under data protection laws;
- Activities relating to the prevention, detection and investigation of crime including to process information about a crime or offence and proceedings related to that;
- Activities relating to the identification and verification of our customers (as such term is defined in applicable law), including for example: conducting identification and verification checks, and ongoing screening against Government, supranational and law enforcement data and sanctions lists, and against third party collated data in order to identify higher risk relationships;
- Cooperation with law enforcement agencies and Governmental or regulatory bodies under powers and rights imposed by law or as might be necessary to protect the vital interests of any individual;
- Cooperating with external auditors and other third party bodies who are authorised by law to conduct independent assessments of our business, or parts of our business operations, from time to time;
- Cooperation with Courts and other organisations where that is necessary for the administration of justice, or to otherwise protect the vital interests of any individual;
- Undertaking health and safety assessments in respect of visitors to our premises; and
- Fulfilling record keeping requirements relating to legal obligations (including those imposed from time to time by regulators, law enforcement agencies or Courts).
(c) With your prior consent
Although we would normally Process your personal information for the lawful reasons explained in (a) and (b) above, in some exceptional circumstances (where no other lawful reason applies) we might obtain your prior consent in order to undertake Processing which is entirely voluntary on your part. If such a circumstance were to arise, and your prior consent was freely given by you, the lawful reason for our Processing of your personal information would be reliance on that consent, but only for the Processing in respect of which that consent was given.
1.6 Processing your sensitive personal information, and the lawful basis for this
We would only process your sensitive personal information as part of meeting legal obligations and regulatory expectations applicable to us, where you have manifestly made this information public, or where the processing is necessary for the establishment, exercise or defence of legal rights.
For example, ethnicity may be apparent from your passport, and criminal convictions and offences personal information, including any actual or suspected fraud, money laundering or other crime(s), may be revealed as part of our checks, processes and controls for the detection or prevention of financial crime.
As a result we will be able to process your personal information because it would be necessary for compliance with legal obligations, for reasons of substantial public interest and/or our legitimate interests, in each case in a manner which is proportionate to the aim, and in accordance with suitable measures designed to safeguard your interests and fundamental rights.
1.7 Automated decision-making
We do not carry out any automated individual decision-making using your personal information. As our relationship is with the organisation for whom you work, we are unlikely to make any decisions about you at all, but if we were to make a decision which could have a negative impact on you (the data subject), any such decision would be made by a human being and not a computer.
1.8 Direct marketing
We do not undertake any direct marketing using your personal information.
2 Disclosure of personal information to third parties
2.1 How we might disclose your personal information to others
We may disclose your personal information within the Bank and to other entities within the Group for legitimate business purposes (including, for example, the provision of loan finance to the organisation for whom you work) in accordance with applicable law.
We may also disclose your personal information to other organisations and businesses who provide services to us, for example:
- back up and server hosting providers, IT software and maintenance providers, mobile telephone management providers, document storage providers and suppliers of other back office functions (such as brokers or dealing platform providers for our trading activities with market counterparties for whom you work or on whose behalf you execute such trades);
- our legal and other professional advisors (including our auditors and financial advisors), subject to legal (including contractual) confidentiality obligations or duties;
- Governmental, legal, regulatory or similar authorities, ombudsmen, or Governmental agencies, or those acting on their behalf (including for the purposes of reporting any actual or suspected breaches of applicable law or regulation);
- any relevant claimant, complainant or other third party enquirer, law enforcement agency, ombudsman, regulatory authority or Court, for the establishment, exercise or defence of our legal rights;
- any relevant party for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties (including for the purposes of safeguarding the vital interests of any individual, such as the prevention of threats to public security);
- any third party buyers or their professional representatives as part of any restructuring or sale of our business or assets; and
- third party Processors (such as payment service providers).
Although it is extremely unlikely in practice, there may be circumstances in which we are also required to disclose your personal information to anti-fraud services or credit reference agencies as part of our legal obligations, to the extent that your personal information is required to be disclosed as part of a required disclosure relating to the organisation for whom you work.
If we engage a third party Processor to Process your personal information, the Processor will be subject to binding contractual obligations which include: (a) an obligation to have in place measures to protect the confidentiality and security of personal information, and (b) an obligation to only Process the personal information in accordance with our prior written instructions.
2.2 International transfers of personal information
As we are a Japanese-headquartered Group with international business operations, we may need to transfer your personal information within the Group and to third parties in connection with the purposes described above in this Policy. For example, our business email services are provided by the Bank, in Japan.
Additionally, there may be some circumstances in which you are yourself transferring your personal information internationally, rather than us making that transfer; for example, if you send an email to one of our employees on their .or.jp email address you are clearly emailing a Japanese email account, rather than a UK email account.
When your personal information is Processed within the UK, the European Union, or other parts of the EEA it is protected by European data protection standards. Some countries outside the EEA do not have adequate protection for personal information. In such circumstances, such transfer of your personal information may be to other countries that have different data protection laws, regulations and compliance requirements; and some of these might be to a lower standard than those applicable to the country in which you or we are located.
Where we transfer your personal information to other countries, we do so on the basis of:
- adequacy decisions (or equivalent measures such as the US Privacy Shield – see https://www.privacyshield.gov/welcome);
- suitable Standard Contractual Clauses (https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/model-contracts-transfer-personal-data-third-countries_en);
- Binding Corporate Rules (https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/binding-corporate-rules_en); or
- other transfer mechanisms permitted under the data protection laws applicable to us as the relevant Controller (https://ec.europa.eu/info/law/law-topic/data-protection_en).
3 The steps we take to safeguard your personal information
3.1 Data minimisation and accuracy
We take reasonable steps to ensure that:
- the personal information that we Process is limited to that which we reasonably require in connection with the lawful reason described in Section 1.5; and
- the personal information that we Process is accurate and, where necessary, kept up-to-date.
3.2 Data security
We have implemented appropriate technical and organisational measures designed to protect your personal information against:
- loss or unauthorised disclosure;
- unauthorised access;
- alteration; accidental destruction or unlawful destruction; and
- any other unlawful or unauthorised Processing;
in accordance with applicable law.
3.3 Data retention or storage
We take reasonable steps to ensure that your personal information is only Processed for the minimum period necessary. We will store or retain your personal information by applying the following criteria:
- for as long as we retain an ongoing relationship with you (for example, for as long as you are on the mandate or a key relationship contact for the organisation for whom you work);
- for as long as is necessary for us to fulfil, or in connection with, the lawful reason described in Section 1.5 (for example, where you are named in or a signatory to a contract between us and the organisation for whom you work, or provide identification or verification information as part of the implementation and ongoing management of that contractual relationship, for as long as we have a legitimate interest in processing the data for the purpose of operating our day-to-day business in performance of that contract, or where we have a legal obligation to retain your personal information arising out of the delivery or existence of that contract);
- for as long as is required by a data retention obligation or data destruction prohibition under applicable law or as expected by our regulators or by other applicable or relevant standards or guidance;
- for as long as is required under any applicable legal limitation period (for example, the period during which a legal claim could be brought in respect of which your personal information might be relevant). Where a relevant legal claim is brought, we may continue to Process your personal information for such additional period as is necessary in connection with that claim;
whichever is the greater of such of the above as are applicable to the information in question and the purpose for which it was Processed.
4 Your rights
4.1 Rights which may apply generally
Depending on which of the lawful reasons described in Section 1.5 apply to the Processing of your personal information, you may have a number of rights regarding the Processing of your personal information.
- The right to be informed. This notice is designed to fulfil this right;
- The right to obtain access to any personal information that we hold about you and certain prescribed information about how we process it – this is more commonly known as submitting a “data subject access request” or “DSAR” – the purpose of this right is to enable you to obtain confirmation that your personal information is being Processed, access to your personal information, and other supplementary information about how it is processed, all this is to ensure you can be aware of and can verify the lawfulness of the processing;
- The right to obtain from us without undue delay the rectification of inaccurate personal information concerning yourself and to have incomplete personal information completed in certain circumstances;
- The right to obtain from us the erasure of personal information concerning yourself without undue delay in certain circumstances (also known as the “right to be forgotten”) – this right is not absolute – it applies only in particular circumstances and where it does not apply any request for erasure will be rejected; circumstances when it might apply include where the personal information is no longer necessary in relation to the purpose for which it was originally collected/Processed, or where you object to processing and there is no overriding legitimate interest for continuing the processing, if the personal information is unlawfully processed, or if the personal information has to be erased to comply with a legal obligation. Such request will be refused where lawful and permitted under applicable law, for instance where the personal information has to be retained to comply with legal obligations or to exercise or defend legal claims;
- The right to obtain a restriction of Processing of your personal information, for instance where you contest it as being inaccurate (until the accuracy is verified); where you consider that the processing is unlawful and where this is the case; and where you request that our use of it is restricted; or where we no longer need the personal information.
You also have the right to lodge complaints with a Data Protection Authority regarding the Processing of your personal information by us or on our behalf.
4.2 Rights which apply where consent is the lawful reason for the Processing
Although we are unlikely in practice to Process your personal information on the basis of your prior consent, were we to do so, you may also have the following rights, in addition to those described above, in respect of the personal information to which the consent relates:
- The right to withdraw, limit or modify your consent;
- The right to obtain from us the erasure of personal information concerning yourself without undue delay in certain circumstances (also known as the “right to be forgotten”) – as mentioned above, this right is not absolute but the circumstances when it might apply include when consent is withdrawn.
4.3 Other rights which might apply
Although the following rights are unlikely to apply in practice, because (a) we do not undertake any direct marketing, profiling or other forms of automated decision making in relation to your personal information, and (b) we do not have a direct business relationship with you, we have set out the additional rights which might apply in some circumstances, for your information:
- The right to object in certain circumstances to processing of your personal information (as relevant) – this right allows individuals in certain circumstances to object to Processing relating to direct marketing (including profiling) and processing for purposes of statistics, or where the Processing otherwise goes beyond the scope of a particular lawful reason;
- Rights relating to automated decision making about you including profiling (as may be the case) if this has a legal or other significant effect on you as an individual – this right allows individuals in certain circumstances to access certain safeguards against the risk that a potentially damaging decision is taken without human intervention; and
- The right to data portability in certain circumstances including where the personal information is processed by us based on a consent or on a contract and by automated means (as relevant) – this right allows individuals to obtain and reuse their personal information for their own purposes across different services without hindrance to usability; it is important to understand that this right is different from the right of access (see above) and this means that the types of data that you can receive through the right of portability are different to the types you could receive under the right of access; under data portability you can only receive personal information concerning yourself which has been provided to a data controller (either direct or via a third party) and that is processed based on your consent (where relevant) or explicit consent in the case of special categories of personal information (again, where relevant), or processing that is happening based on it being necessary for performance of a contract with the relevant Controller to which you are a party (or in order to take steps at your request prior to entering into a contract with the relevant Controller), and where the processing is carried out by automated means; in summary this means that you are not able to obtain through the data portability right all of the personal information that you are able to obtain through the right of access.
4.4 Exercise of your rights
To exercise one or more of these rights, please use the contact details provided in Section 5 below.
5 Relevant Controllers
For the purposes of this Policy, the relevant Controllers are:
|Controller entity|Contact details|
|---|---|
|The Norinchukin Bank, London Branch|155 Bishopsgate, London EC2M 3YX|
If you need or want to contact us about any of the information in this Policy or any other matters relating to our Processing of your personal information, please contact your normal business contact or write to us at the above address, marking your correspondence “UK & EMEA Privacy”.
6 Defined terms
|Defined term|Meaning|
|---|---|
|Controller|the entity that has decision-making ability (whether by itself or jointly with others) over the purpose for the Processing of the personal information or for which they have independent obligations in respect of the personal information|
|Data Protection Authority|an independent public authority that is legally tasked with overseeing compliance with data protection laws. In the UK, for example, the Data Protection Authority is the Information Commissioner’s Office, or ICO:|
|personal information|has the meaning described in Section 1.1|
|Personnel|any prospective, current or former employee, officer, worker, contractor, secondee or other personnel of any kind (and whether temporary or permanent, paid or voluntary)|
|Process, Processes, Processed or Processing|anything done with any personal information (whether active or passive, manual or automated), including: collection, organisation or structuring, recording, retention or storage, use, alteration, retrieval, disclosure, dissemination, transfer or transmission, restriction, erasure or destruction|
|Processor|a person or entity that offers or provides a service to the data controller relating to the personal information (for the avoidance of doubt, this does not include Personnel of the data controller)|
|sensitive personal information|special categories of personal data (as described in more detail in Section 1.1) and data relating to criminal convictions or offences|