In the following, Nippon Steel & Sumitomo Metal Corporation (“NSSMC”), its Head Office located at 6-1, Marunouchi 2-chome, Chiyoda-ku, Tokyo 100-8071, Japan, provides information on the processing of personal data in the context of activities of its European Office (Am Seestern 8, 40547 Düsseldorf, Germany) in connection with its relationship with existing and potential customers, trading companies, end users, goods and service suppliers, agents, advisors, research institutions, industrial organizations and other persons with whom NSSMC or any of its group company maintains or is considering to create a business relationship (each a “Business Partner”) pursuant to Art. 13 and 14 of the European General Data Protection Regulation (“GDPR”).
A. Categories and sources of personal data
In the context of NSSMC’s business relationship with a Business Partner, NSSMC may process the following personal data:
· Contact Information, such as full name, work position, work address, work telephone number, work mobile phone number, work fax number and work email address of a Business Partner who is an individual, or a contact person at a Business Partner (each shall be referred to as a “Business Partner Contact”);
· Further information processed in connection with the relationship between NSSMC and a Business Partner or voluntarily provided by a Business Partner Contact.
B. Intended purposes of processing and legal basis for processing
NSSMC processes the personal data indicated above in section A for the following purposes:
· Communicating with Business Partner Contacts about products and services of NSSMC, e.g. by responding to inquiries or requests, performing transactions and orders of products or services, providing technical support;
· Communicating with Business Partner Contacts about the products and services of Business Partners;
· Planning, performing and managing the business relationship with Business Partners;
· Solving disputes, enforcing agreements and/or to establish, exercise or defend legal claims;
· Complying with applicable laws and regulations, including cooperating with relevant authorities and regulators.
Where NSSMC processes personal data to take steps prior to entering into agreements at the request of Business Partner Contacts, the legal basis for such processing is Article 6 (1) (b) of the GDPR.
Where personal data is explicitly provided by Business Partners Contacts, the legal basis for the processing is the consent given by the Business Partner Contact (Article 6 (1) (a) of the GDPR).
Where NSSMC processes personal data to comply with a legal obligation, the legal basis for the processing is Article 6(1) (c) of the GDPR.
Otherwise, the legal basis for processing of personal data indicated above in Section A by NSSMC is Article 6 (1) (f) of the GDPR. The legitimate legal interest pursued by NSSMC is the transmission and receipt of information in order to conduct its business activities, including expanding and/building a business relationship with Business Partners.
C. Transfer and disclosure of personal data
For the purposes indicated under section B above, NSSMC may disclose personal data to the following recipients or categories of recipients:
· Directors, officers, employees and auditors (“Staff”) of NSSMC;
· External advisors such as attorneys, accountants and tax advisors (“Advisors”) of NSSMC;
· Group companies of NSSMC and their Staff and Advisors whom NSSMC needs to share the data with for the purpose of processing;
· Other Business Partners and their Staff whom NSSMC needs to share the data with for the purpose of processing;
· Courts and other dispute resolution bodies, law enforcement authorities and regulators if necessary to comply with applicable laws and regulations or to exercise or defend legal claims.
Recipients of personal data may be located in countries and areas outside of the European Economic Area (“Third Countries”), in which applicable laws may not offer the same level of data protection as the laws of the respective Business Partner Contact’s home country.
In such cases and unless permitted otherwise by applicable law, NSSMC transfers personal data to external recipients in Third Countries only in case: (i) the respective recipient entered into Standard Data Protection Clauses/Standard Contractual Clauses pursuant to Article 46 (2) (c) of the GDPR with NSSMC , (ii) in case of US recipients – the recipient is certified under the EU-US Privacy Shield, (iii) the Business Partner Contact explicitly consents to the transfer of his/her personal data, or (iv) another requirement under Article 49 of the GDPR is met. In case of (i), Business Partner Contacts can receive a copy of the Standard Data Protection Clauses/Standard Contractual Clauses by contacting NSSMC through the contact information in section F below.
D. Period for which personal data will be stored
Unless explicitly indicated otherwise at the time of the collection of Business Partner Contact’s personal data, NSSMC will endeavor to erase personal data as soon as possible when retention is no longer necessary for the purpose for which they were collected or otherwise processed, and retention is not required by applicable laws or regulations (such as tax or commercial laws) or for the exercise or defense of legal claims.
E. Rights of the data subject
I. Access, rectification, erasure, restriction, data portability
With regard to the processing of his/her personal data, a Business Partner Contact has the following rights within the limits set forth in the GDPR:
· Right to request NSSMC access to his/her personal data pursuant to Art. 15 GDPR.
· Right to request NSSMC rectification of his/her personal data pursuant to Art. 16 GDPR
· Right to request NSSMC erasure of his/her personal data pursuant to Art. 17 GDPR
· Right to request NSSMC restriction of processing pursuant to Art. 18 GDPR
· Right to data portability pursuant to Art. 20 GDPR
II. Right to object
A Business Partner Contact has the right to object on grounds relating to his/her particular situation, at any time to processing of his/her personal data which is based on Art. 6(1) (f) GDPR (see section B above), including profiling (if any) based on the same provision pursuant to Art. 21 (1) GDPR.
If personal data is processed for direct marketing purposes, a Business Partner Contact has the right to object at any time to processing of his/her personal data for such marketing, which includes profiling (if any) to the extent that it is related to such direct marketing pursuant to Art. 21 (2) GDPR.
III. Right to withdraw consent
Where the processing is based on his/her consent (Art. 6(1) (a) of GDPR), a Business Partner Contact has the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
IV. Right to lodge a complaint
A Business Partner Contact has the right to lodge a complaint with a supervisory authority pursuant to Art. 57 (1) (f) GDPR.
F. Data Privacy Contact
If a Business Partner Contact has a question with regard to processing of his/her personal data or wants to exercise any of the above rights in section E above, he/she may contact NSSMC at:
In case of questions and complaints concerning the use of his/her personal data, a Business Partner Contact may also contact NSSMC’s Data Protection Officer below:
Mr. Hjalmar B. Hütte
Schaumainkai 69, 60596 Frankfurt
Tel: +49 69 247 561-20
NSSMC will endeavor to address and settle any requests or complaints brought to its attention. In addition to the above, there is a possibility of approaching the competent data protection authority with requests or complaints.
As of: 25.05.2018