ORIX Corporation Europe N.V. (“OCENV”) is a private company with limited liability incorporated in the Netherlands with trade register number 24272679 and registered office at Weena 850, 3014 DA Rotterdam, the Netherlands. OCENV is a financial holding company and owns several asset management companies worldwide. OCENV is a wholly owned subsidiary of ORIX Corporation, a publicly owned Tokyo-based international financial services company founded in 1964.
OCE Nederland B.V. (“OCENL”) is a private company with limited liability incorporated in the Netherlands under trade register number 68288026 and has the same registered office as OCENV. OCENL is a wholly owned subsidiary of OCENV and provides supporting services to OCENV and its employees to enable OCENV to function as a financial holding company.
About our Privacy Statement
This privacy statement (the “Statement”) is applicable to your relationship with OCENV and OCENL. In this Statement, OCENV and OCENL are collectively referred to as “we”, “us”, “our” or “OCE”. The Statement is addressed to you as (i) (the representative of) a current or potential business partner, acquisition target, acquired business or portfolio company, supplier or vendor (“Business Partner”); or (ii) an employee or job applicant. This Statement sets the context in which we may process your personal data and explains your rights and our obligations when we do so.
The protection of personal data is important to us. We therefore process any personal data entrusted to us in line with applicable data protection rules, including the EU General Data Protection Regulation 2016/679 (the “GDPR”).
Under the GDPR and in this Statement, unless we have entered into a different agreement with you, OCE will be what is known as the “controller” of the personal data that OCE processes about its employees and job applicants. That means that we are responsible for determining how we collect, store and use (i.e. “process”) your personal data. In relation to our Business Partners, please note that OCE will be acting as joint controller, together with ORIX Corporation, the parent company of OCE, incorporated under the laws of Japan, with registered office at 2-4-1 Hamamatsu-cho, Minato-ku, Tokyo, 105-5135, Japan, registered under No.0140-01006942. That means that OCE and ORIX are jointly responsible for determining how your data is collected, stored and used (i.e. processed). OCE and ORIX have set out their respective obligations in relation to the processing of your personal data in an agreement, including that OCE shall perform the obligations towards you in relation to the processing of your personal data in its own name and in the name and on behalf of ORIX, but with full consultation and coordination with ORIX to ensure compliance with the GDPR.
2. WHAT TYPES OF PERSONAL DATA DO WE PROCESS?
The types of personal data we process depend on your relationship with us. Set out below are the categories of personal data we may process, defined by the nature of our relationship to you.
The personal data we process if you are a Business Partner
If you are a Business Partner of OCE or an individual working for a Business Partner, we will process personal data about you for the purposes of performing and managing our business relationships and our agreements we have with our Business Partners and also to comply with our legal obligations, including the obligation to undertake identification checks and those under tax law. The types of personal data we may process include identity data (such as your full name, postal address, e-mail address, phone number, job title, the company you work for), and financial data (such as the Business Partner’s bank account details, billing contact address/email details and tax identification or VAT number).
The personal data we process if you are an employee or a job applicant
If you are an employee, job applicant or former employee of OCE including a temporary worker working under the direct supervision of OCE (e.g. independent contractor and trainee) and a (former) director of OCE, we process the following categories of personal data about you: identity data (such as your full name, postal address, e-mail address, phone number, age, gender, job title, the company you work for), financial data (such as your bank account details, email details and tax identification or VAT number) and human resources related data (such as CV, employment dates and history, salary and other remuneration, pension entitlements, insurance and other benefits, fiscal status, personal assessments, performance appraisal data and scores, development plans, promotions, position change, language skills, education, training, visas, work and residence permits, grievance and disciplinary information, social security or national insurance number/national ID or driving license number, passport information, employment contract, consent forms, unique employee ID, electronic identification data (e.g. login, access right, passwords, badge number, IP address, logs, access), and information about next of kin/dependents).
Insofar as necessary in the context of legal obligations or rights in connection with employment law, we may also need to process more sensitive types of personal data. For example, we may need to process information about your health in order to make reasonable adjustments to our recruitment process or employment practices, or to manage sick pay and health benefits. Further detail about the more sensitive types of personal data we may process in limited circumstances is set out in section 4 below.
3. HOW DO WE OBTAIN YOUR PERSONAL DATA?
We obtain your personal data in the following situations:
- when you provide us with your personal data, or when you interact with us by e-mail, phone or letter;
- through our job application and recruitment process if you apply for employment with us (when we collect information from you or a third party such as former employers, referees, job agencies, background check providers or credit reference agencies);
- through our employment relationship with you if you join our staff;
- when you enter into an agreement with us;
- when we carry out due diligence on you or your staff members as part of our Business Partner selection or onboarding process. We may collect information from publicly available sources, background check providers or credit reference agencies for those purposes, in compliance with applicable law;
- when we receive and process your invoices;
- when we collect personal data from other sources, such as local counsel, counterparties, the trade register, commercial databases or by using public sources.
4. WHY DO WE PROCESS YOUR PERSONAL DATA AND ON WHICH BASIS?
We will only process your personal data where we can rely on a legal basis under the GDPR, and for the following purposes (which also describe our legitimate interests) (e.g.):
- process and respond to requests, enquiries or complaints received from you or from third parties about you;
- onboard you as a Business Partner (which may include appropriate due diligence, screening and background checks, in compliance with applicable law) and execute our services and supporting processes and systems required;
- manage and administer our relationship with you;
- comply with legal, tax, accounting, regulatory requirements, including the prevention of fraud and misuse of our products or services as well as the security of our IT systems, architecture and networks;
- provide services requested by you;
- communicate with you about our services;
- monitor, analyze, develop and improve our business processes and systems and our services (e.g. by using cloud platforms operated by third party suppliers);
- manage our job application and recruitment process;
- carry out personnel administration, compensation calculations, employee benefits training, development and performance management;
- meet our corporate and social responsibility objectives;
- carry out business development activities;
- identify, seek and defend claims;
- fulfil our internal and external financial and other reporting obligations, including the preparation of group consolidated accounts; and
- carry out legitimate internal administrative purposes relating to OCE and its shareholders.
We process your personal data on one or more of the following legal bases:
- in order to perform the contract we may enter into or have entered into with you;
- where it is necessary for legitimate interests pursued by us (i.e. for the effective and lawful operation of our businesses, and the specific legitimate interests described above), provided those interests are not overridden by your interests or fundamental rights and freedoms;
- in order to comply with a legal or regulatory obligation of the European Union or one of its Member States;
- with your consent (where applicable); or
- where it is necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on us or you in connection with employment, social security or social protection.
If you do not provide certain personal data when requested, it may impede our ability to perform any contract we have entered with you.
We will only process more sensitive personal data (e.g. information on your health) in limited circumstances, and only when the applicable law of the European Union or one of its Member States allows us to. We may process sensitive personal data for the following purposes and on the following legal bases (e.g.):
- carry out necessary due diligence or background checks (which, depending on the nature of your role or our business partnership, may require us to carry out criminal checks) in order to comply with regulatory requirements, protect the public from dishonesty and for fraud prevention purposes;
- ensure health and safety in the workplace;
- comply with our legal obligations or exercise rights in connection with employment, such as anti-discrimination or equal opportunities law;
- register the protected status of employees who are trade union members;
- protect the vital interests of employees.
We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis that allows us to do so.
5. HOW LONG DO WE KEEP YOUR PERSONAL DATA?
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, tax, regulatory or reporting requirements, and any contractual obligations we may have with you. This means that the period of time for which we store your personal data may depend on the type of data we hold. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax or accounting requirements.
6. TO WHOM DO WE DISCLOSE YOUR PERSONAL DATA?
Where necessary for the above purposes, we share your personal data with other ORIX Group Companies (i.e. ORIX Corporation and its subsidiaries, joint ventures and affiliates effectively controlled directly or indirectly by ORIX Corporation). We also transfer (or may grant access to) your personal data to the following third parties:
- service providers and contractors for the performance of any agreement we conclude with them (such as our (IT) systems, cloud service, storage and database providers);
- any third party to whom we assign or novate any of our rights or obligations under a relevant agreement;
- any third party in connection with a proposed reorganization, merger, sale or other form of corporate transaction or process;
- any national or international governmental or judicial authority or arbitral tribunal, where we are required to do so by applicable law or regulation or at their request, in compliance with applicable laws;
- entities processing personal data on behalf and on instruction of OCE, including but not limited to: payroll, employee benefits providers (including pension scheme providers and insurers), IT, archiving, courier, and training service providers; and
- professional advisers such as accountants, financial services providers, legal advisers and medical professionals.
In that context, your personal data may be transferred and processed outside of the European Economic Area (“EEA”), including in Japan, which has been recognized as offering an adequate level of protection by the European Commission.
Your personal data may also be transferred to other jurisdictions outside of the EEA, where the privacy and data protection laws may not be as protective as those in your jurisdiction. In this case, we will implement a safeguard or rely on a derogation as set out in the GDPR to validate such data transfer. In particular, together with our shareholders and certain other ORIX Group Companies, we have entered into EU Standard Contractual Clauses (the “SCC”).
In other cases where we share your personal data with third parties located outside of the EEA, we will only do so if (i) such transfer is to a jurisdiction in respect of which an adequacy decision has been granted by the European Commission; (ii) the receiving party has certified to the EU-US Privacy Shield; or (iii) the transfer of data is governed by the SCC.
7. HOW DO WE PROTECT YOUR PERSONAL DATA?
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorized way, altered or disclosed. In addition, we limit access to your personal data to those employees, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions, and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any relevant supervisory authority of a breach where we are legally required to do so.
8. WHAT ARE YOUR RIGHTS REGARDING OUR PROCESSING OF YOUR PERSONAL DATA?
You have the following rights under the GDPR, which are personal rights and are exercisable only by you as the individual person concerned. You may (i) request access at any time to the personal data we hold about you and obtain a copy thereof, (ii) request correction of any incorrect, incomplete or obsolete data, (iii) request restriction of the processing of your personal data, (iv) request erasure of your personal data, (v) object to the processing of your data and (vi) request that a copy of your personal data be transmitted in a structured, commonly used machine-readable format, where technically feasible, to another controller, provided that you exercise the above rights within the limits of applicable law including the GDPR.
If you would like to exercise these rights or understand if these rights apply to you, please contact us by one of the means set out at the end of this Statement. We may charge a reasonable fee if a request in relation to your personal data is manifestly unfounded or excessive (in particular because of its repetitive character). We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or exercise any other of your rights). This is another appropriate measure to ensure that personal information is not disclosed to any person who has no right to receive it.
In circumstances where you may have provided consent to the processing of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent, please contact us by one of the means set out at the end of this Statement. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, but this withdrawal will not affect the lawfulness of processing based on the consent before withdrawal thereof.
9. DATE AND CHANGES TO THIS STATEMENT
The effective date of this Statement is May 18, 2020. This Statement may be updated if developments so require. Any material change to this Statement which is relevant to or impacts you or your personal data will be notified to you in advance by email. In this way, you will have an opportunity to consider the nature and impact of the change and exercise your rights under the GDPR in relation to that change as you see fit.
10. QUESTIONS OR COMPLAINTS
Contact Us. If you have any questions or complaints relating to this Statement, please contact us at:
Post mail: ORIX Corporation Europe N.V.
Attn. Secretariat/privacy matters
Weena 850
3014 DA Rotterdam
the Netherlands
Supervisory Authority. We are committed to complying with the terms of the GDPR and to the processing of personal data in a fair, lawful and transparent manner. If, however, you believe that we have not complied with our obligations under the GDPR, you have the right to lodge a complaint with your local data protection regulator, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens): https://autoriteitpersoonsgegevens.nl/nl/zelf-doen/privacyrechten/klacht-indienen-bij-de-ap and https://autoriteitpersoonsgegevens.nl/en/contact-dutch-dpa/contact-us