Hitachi Systems Trusted Cyber Management Inc. and its subsidiaries respect and take your privacy and the protection of your personal data very seriously (collectively, "the HSTCM Group", "we", or "our").
This privacy and personal data protection policy (the "Policy") applies to all processing of personal data carried out by the HSTCM group on data subjects, with the exception of employees.
In order to offer quality services to our clients and to ensure the smooth running of the company, we need to have access to some of your personal data. It is our intention to protect all personal data in our possession or under our control.
We have adopted this Policy to inform you of the way we collect, use and disclose the personal data we need to fulfill our professional responsibilities and operate our business.
We make sure to manage your personal data with all the necessary discretion and rigor in accordance with the applicalbe legal and regulatory requirements. The practices described in this Policy reflect requirements imposed by federal and/or provincial laws in force in Canada, Europe, the United States, and India, and endorse the privacy principles adopted by Hitachi Ltd.
By "Personal Data" we mean any information relating to an identifiable natural person or that, individually or in combination with other data, allows an individual to be identified.
By "Data Subject" we mean an identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
By "Processing" we mean all operations relating to personal data, including but not limited to: collection, use, disclosure, sharing, deletion, etc.
By "Purpose of processing" we mean the main purpose of the processing of personal data. The data is collected for a well-defined and legitimate purpose and is not further processed in a way that is incompatible with this initial purpose.
By "Controller" we mean the natural or legal person that which, alone or jointly with others, determines the purposes and means of the processing of personal data.
By "Processor" we mean the natural or legal person that processes personal data on behalf of the controller, e.g., in the course of providing a service or performance.
The personal data we collect about you is processed for specific purposes determined prior to collection. These purposes are the following:
The HSTCM group strives to limit the collection of Personal Data to what is strictly necessary to accomplish the purposes for which it is collected. Rest assured that we will not disclose or use your Personal Data for purposes other than those originally intended, unless justified by an applicable legal basis, such as obtaining your consent or as provided by law.
In addition, as you will see in the Security Measures for Personal Data section, we limit access to your personal data to those who have the need and responsibility to access it for such a specific purpose.
The HSTCM group processes Personal Data which may be collected in two ways:
For the purposes identified above, we need to collect Personal Data about you as a Controller and Processor, to the extent that is appropriate:
As a general rule, we will obtain the necessary Personal Data directly from you, with your consent, subject to the exceptions provided for in the applicable law[1] such as a legal obligation, the existence of a contractual relationship or HSTCM group companies’ legitimate interest.
Under the same conditions, we may also collect Personal Data from third parties as permitted by applicable laws, or if we have obtained your consent.
You have the right to refuse to provide us with personal data that is not required for identified processing activities.
You also have the right, subject to reasonable notice and applicable legal or contractual restrictions, to withdraw your consent to the use of Personal Data already collected by contacting our Data Protection Officer (contact information available in section Requests, Complaints and/or Comments).
As part of our activities, we could disclose your Personal Data:
The Personal Data provided is then limited to the information necessary for them to perform their services and the above-mentioned processing activities. All recipients are requested to protect your Personal Data in order to preserve its confidentiality.
At no time will we sell or trade your Personal Data. We will seek your consent if we wish to use or disclose your Personal Data for new business purposes. We may not seek consent if the law permits (for example, the law permits organizations to use personal information without consent for debt collection purposes).
Your Personal Data is retained only as long as necessary for the purposes set out in the Policy and to ensure compliance with applicable laws and instructions from our clients.
In addition, depending on the entity of the HSTCM group with which you do business, your Personal Data may be stored in different locations, including Canada, the European Union and Switzerland or Japan and India. In any cases, we ensure that the adequate security measures and contractual agreements are in place to protect your Personal Data.
We strive to apply the necessary and appropriate security measures to ensure the protection of Personal Data in our possession. To this end, we follow accepted standards in the industry such as ISO/IEC 27001 and SOC 2 Type II.
These measures are implemented, taking into account the sensitivity and risks relating to the protection of Personal Data, and fall into three (3) main categories:
HSTCM group companies use service providers located in Canada, Switzerland, the European Union, the United States, India and other countries around the world to perform specific mandates in the normal course of business. As a result, some of your Personal Data may be transferred to another country and be subject to the laws of that country.
We have taken appropriate safeguards to ensure that the Personal Data we process is protected in accordance with our privacy policies and practices when transferred to a third country, by requiring our service providers to undertake to comply with their obligation to preserve the confidentiality and security of the Personal Data entrusted to them. This includes the obligation to implement effective security measures, but also the prohibition to disclose your Personal Data to third parties.
If you have any questions or require further information regarding international data transfers, please contact the Data Protection Officer (contact information available in the Requests, Complaints and/or Comments section).
You can request access to your Personal Data, or information on how we process your Personal Data. You can also ask that the data held by the HSTCM group companies be rectified if they were inaccurate, ambiguous, or incomplete.
You have the right to obtain from HSTCM group companies the erasure of your Personal Data as soon as possible. The right to erasure will not apply to the extent that the processing is necessary, in particular:
You have the right to obtain from HSTCM group companies, the restriction of processing where one of the following applies:
Where processing has been restricted, Personal Data is only processed, with the exception of storage, with your consent or for the establishment, exercise, or defence of legal claims, or for the protection of the rights of another natural or legal person, or for important reasons of public interest of a public authority empowered by law.
You have the right to receive the Personal Data you have provided to HSTCM group companies, in a structured, commonly used, and machine-readable format, and you have the right to transmit those data to another controller without us impeding it. This right applies when the processing is based on your consent and the processing is carried out using automated processes.
You can object, at any time, for reasons related to your particular situation, to the processing of your Personal Data. The HSTCM group companies will no longer process your Personal Data unless they can demonstrate that there are legitimate reasons for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.
You may request not to be subject to a decision based exclusively on automated processing, including profiling, unless the decision is:
To submit a request for access or rectification, exercise any applicable right, file a complaint, obtain information about our Policy or send us comments, we invite you to contact our Data Protection Officer for the HSTCM Group:
Pursuant to Article 27 of the General Data Protection Regulation (GDPR), Hitachi Systems Security Inc. and Hitachi Systems Security Europe SA. have appointed European Data Protection Office (EDPO) as their GDPR Representative in the EU. You can contact EDPO regarding matters pertaining to the GDPR:
Pursuant to Article 27 of the UK GDPR, Hitachi Systems Security Inc. and Hitachi Systems Security Europe SA. have appointed EDPO UK Ltd as its UK GDPR representative in the UK. You can contact EDPO UK regarding matters pertaining to the UK GDPR:
Processing of Personal Data may be modified by the HSTCM Group at any time. Therefore, this Policy may be subject to change from time to time in the future. We recommend that you review it each time you visit our website to stay informed about how we handle personal data.
Update: 2023.09.25
[1] European Union: Art. 6 and 7 of the RGPD; Switzerland: Art. 34 and 36 of the nFADP; Quebec: Art. 18 and following of the Private Sector Act; India: Art. 4 of the DPDPA