In the following, Nippon Steel & Sumitomo Metal Corporation (“NSSMC”), its Head Office located at 6-1, Marunouchi 2-chome, Chiyoda-ku, Tokyo 100-8071, Japan, provides information on the processing of personal data in the context of activities of its European Office (Am Seestern 8, 40547 Düsseldorf, Germany) in connection with its relationship with existing and potential customers, trading companies, end users, goods and service suppliers, agents, advisors, outside auditors, research institutions, industrial organizations and other persons with whom NSSMC or any of its group companies maintains or is considering creating a business relationship (each a “Business Partner”) pursuant to Articles 13 and 14 of the European General Data Protection Regulation (“GDPR”).
A. Categories and sources of personal data
NSSMC may process the following personal data:
· Profile and contact information, such as full name, work position, work address, work telephone number, work mobile phone number, work fax number and work email address of a Business Partner who is an individual, or a person working for a Business Partner (each shall be referred to as a “Business Partner Contact”);
· Further information processed in connection with the relationship between NSSMC and a Business Partner or voluntarily provided by a Business Partner Contact.
B. Intended purposes of processing and legal basis for processing
NSSMC processes the personal data indicated above in section A for the following purposes:
· Communicating with Business Partner Contacts about products and services of NSSMC, e.g. by responding to inquiries or requests, entering into or executing transactions for products or services, providing technical support;
· Communicating with Business Partner Contacts about the products and services of Business Partners;
· Planning, performing and managing the business relationship with Business Partners;
· Solving disputes, enforcing agreements and/or establishing, exercising or defending legal claims;
· Complying with applicable laws and regulations, including cooperating with relevant authorities and regulators.
When processing of personal data is necessary for the performance of a contract to which a Business Partner Contact is party or in order to take steps at the request of a Business Partner Contact prior to entering into a contract, the legal basis for such processing is Article 6 (1) (b) of the GDPR.
When personal data is explicitly provided by a Business Partner Contact, the legal basis for the processing is the consent given by the Business Partner Contact (Article 6 (1) (a) of the GDPR).
When processing of personal data is necessary to comply with a legal obligation, the legal basis for the processing is Article 6 (1) (c) of the GDPR.
Otherwise, the legal basis for processing of personal data indicated above in Section A by NSSMC is Article 6 (1) (f) of the GDPR. The legitimate legal interest pursued by NSSMC is the transmission and receipt of information in order to conduct its business activities, including but not limited to expanding or building a business relationship with Business Partners.
NSSMC generally does not seek to collect or otherwise process special categories of personal data of Business Partner Contacts, such as those revealing religious or philosophical beliefs, in the ordinary course of its business. Where it becomes necessary to process such special categories of personal data for any reason, NSSMC relies on the following legal bases depending on the circumstances: (i) explicit consent of the Business Partner Contact has been given (Article 9 (2) (a) of the GDPR), (ii) the personal data are manifestly made public by the Business Partner Contact (Article 9 (2) (e) of the GDPR), (iii) processing is necessary for the establishment, exercise or defense of legal claims (Article 9 (2) (f) of the GDPR).
C. Transfer and disclosure of personal data
For the purposes of processing indicated in section B above, NSSMC may disclose personal data to the following recipients or categories of recipients:
· Directors, supervisory board members, senior advisors, advisors, executive officers, fellows, executive counsellors, employees (including employees undergoing their probationary employment period), temporary employees, and any persons who correspond to such positions (“Staff”) of NSSMC;
· External advisors such as attorneys, accountants and tax advisors (“Advisors”) of NSSMC;
· Group companies of NSSMC and their Staff and Advisors with whom NSSMC needs to share the data for the purpose of processing;
· Other Business Partners and their Staff and Advisors with whom NSSMC needs to share the data for the purpose of processing;
· Governmental agencies, boards, commissions, officers, officials or entities exercising legislative, judicial, regulatory or administrative functions.
Recipients of personal data may be located in countries and areas outside of the European Economic Area (“Third Countries”). NSSMC transfers personal data to external recipients in Third Countries only in case: (i) the respective recipient is located in a country or area which has received an adequacy decision from the European Commission, (ii) the respective recipient entered into Standard Data Protection Clauses/Standard Contractual Clauses pursuant to Article 46 (2) (c) of the GDPR with NSSMC, (iii) in case of US recipients – the recipient is certified under the EU-US Privacy Shield, (iv) the Business Partner Contact explicitly consents to the transfer of his/her personal data, or (v) another requirement under Article 49 of the GDPR is met. In case of (ii), Business Partner Contacts can receive a copy of the Standard Data Protection Clauses/Standard Contractual Clauses by contacting NSSMC through the contact information in section F below.
D. Period for which personal data will be stored
Unless indicated otherwise, NSSMC will retain personal data for as long as is necessary for the purpose for which they were collected or otherwise processed (including as required by applicable law or regulation or for the exercise or defense of legal claims).
E. Rights of the data subject
I. Access, rectification, erasure, restriction, data portability
With regard to the processing of his/her personal data, a Business Partner Contact has the following rights within the limits set forth in the GDPR:
· Right to request from NSSMC access to his/her personal data pursuant to Article 15 of the GDPR;
· Right to request from NSSMC rectification of his/her personal data pursuant to Article 16 of the GDPR;
· Right to request from NSSMC erasure of his/her personal data pursuant to Article 17 of the GDPR;
· Right to request from NSSMC restriction of processing pursuant to Article 18 of the GDPR; and
· Right to data portability pursuant to Article 20 of the GDPR.
II. Right to object
A Business Partner Contact has the right to object on grounds relating to his/her particular situation, at any time to processing of his/her personal data which is based on Article 6 (1) (f) of the GDPR (see section B above), including profiling (if any) based on the same provision pursuant to Article 21 (1) of the GDPR.
If personal data is processed for direct marketing purposes, a Business Partner Contact has the right to object at any time to processing of his/her personal data for such marketing, which includes profiling (if any) to the extent that it is related to such direct marketing, pursuant to Article 21 (2) of the GDPR.
III. Right to withdraw consent
Where processing is based on his/her consent (Article 6 (1) (a) or Article 9 (2) (a) of the GDPR), a Business Partner Contact has the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
IV. Right to lodge a complaint
A Business Partner Contact has the right to lodge a complaint with a supervisory authority pursuant to Article 57 (1) (f) of the GDPR.
F. Data Privacy Contact
If a Business Partner Contact has a question with regard to processing of his/her personal data or wants to exercise any of the rights in section E above, he/she may contact NSSMC at:
In case of questions and complaints concerning the use of his/her personal data, a Business Partner Contact may also contact NSSMC’s Data Protection Officer below:
Mr. Hjalmar B. Hütte
Schaumainkai 69, 60596 Frankfurt
Tel: +49 69 247 561-20
NSSMC will endeavor to address and settle any requests or complaints brought to its attention. In addition to the above, there is a possibility of approaching the competent data protection authority with requests or complaints.
Last updated: 24.01.2019