Last Updated on July 31, 2021
Who is the Data Controller for personal customer data?
VELTRA Corporation, registered address at 9th floor, Sumitomo Corporation Mitoshiro Building, 1 Kanda Mitoshiro-cho, Chiyoda-ku, Tokyo 101-0053 Japan.
We (hereinafter referred to as the “Company”) collect personal data from our recipe site. The protection of personal data is very important to us in ensuring safe and convenient use through our websites. We handle personal data in compliance with the following regulations.
When the Company Collects Personal data
The Company collects personal data from its customers with their consent, when it is required by law, to the extent necessary to accomplish the purposes of use of the Company.
When the Company Uses Personal data
The Company uses personal data collected from its customers only for the purposes of use prescribed by the Company.
How the Company Saves and Stores Personal data
The Company saves and stores personal data, taking security of the system into account in order to prevent leakage of the information collected from its customers.
Deletion and Erasure of Personal data
Response to Inquiries from Customers
The Company accommodates requests from its customers for notification of the purposes of use, disclosure, correction, addition, removal, cessation of use, erasure, suspension of provision to third parties of Retained Personal Data and prohibition of discrimination in compliance with applicable laws.
Safety Control Measures etc.
The Company will educate all staff engaged in VELTRA service operations about the importance of protecting personal data, and will take necessary and appropriate measures to ensure the safety control of personal data.
1. Personal data the Company Collects and the Purposes of Use
The Company collects personal data only from the logfile and cookies described below. The Company will not collect Special-Care Required personal data without obtaining consent from its customers. In cases where the purposes of use of personal data have not been published at the time the information is collected from customers, the Company will give notices of such purposes of use to the customers or make such purposes public. The Company will not collect personal data from children under 16 years old without obtaining consent from their parents and/or guardians. The Company assumes that the customers providing personal data of those who are under 16 years old bear consent from their parents and/or guardians. In case where the Company becomes aware of no such consent existing, the Company will use the personal data only for the purposes of contacting the parents and/or guardians or actions related to such purpose.
The provision of the above personal data, where requested, is necessary for the adequate performance of the contract between its customers and the Company and to allow the Company to comply with the Company’s legal obligations. Without it, the Company may not be able to provide customers with all the requested services.
The Company collects certain information automatically and keeps it in a logfile. The information includes IP (Internet Protocol) address, browser type, ISP(Internet Service Provider), web pages that are seen or closed, operating system and time stamp. We use the information to detect unauthorized access to our site. We also conduct trend analysis of our customers to manage the site and track user behavior. However, we use the information in a way that is impossible to identify the individual, and never use obtained information for purposes other than as described above.
The types of cookies we collect are below.
These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us identify the pages that are the most and least visited and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous. If the user does not allow for Cookies the Company will not know when the user visited our site, and will prevent us from monitoring site performance.
On the legal basis of where customers give their consent:
These cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of user interests and show relevant adverts on other sites. They do not directly store personal information, but are based on uniquely identifying the user’s browser and internet device. If the user does not allow these cookies, the user will experience less targeted advertising.
On the legal basis of where customers give their consent:
If CCPA applies, personal data collected, disclosed or shared during the last 12-month period for business purposes are, from the categories set forth above, as follows:
With regard to the above categories of Personal Data, the party from which Personal Data is collected, commercial purpose of collection, and scope within which Personal Data is provided or shared are as follows:
|Category of Personal Data||Collected from||Purpose of collection||Provided to|
|Performance cookies||customers(visitors)||User behavior analysis||Google Analytics|
|Targeting cookies||customers(visitors)||Advertising||Google Adsense|
2. Provision of Personal Data to Third Parties
- The Company will not provide Personal Data to third parties except for the following situations:
- When the Company entrusts third parties with handling Personal Data to the extent necessary to accomplish the above-mentioned purposes.
- When the Company is required to do so by laws and regulations.
- When it is necessary for the protection of the life, body or property of a person, and it is difficult to obtain the consent of the customer.
- When it is especially necessary for improving public health or promoting the sound growth of children, and it is difficult to obtain the consent of the customer.
- When the data is needed by the national or local government in executing the affair prescribed by laws and regulations, and obtaining consent from the customer will likely impede the execution of such affairs.
3. Entrustment of Handling of Personal Data
When the company entrusts third parties with handling of personal data of its customers within the extent required for the achievement of the purposes of use of the Company according to the provisions in the preceding paragraph, the company will take necessary and appropriate measures regarding supervision of the entrusted data. When the entrusted party re-entrusts its operations to another party, the Company will, directly or indirectly, supervise whether the entrustee takes necessary and appropriate measures to supervise the party. The same will be applied to further entrustment.
4. Security Control Measures for Personal Data
The Company takes systematic, technical and physical security control measures to prevent leakage, plagiarism, misuse, unauthorized access, falsification or destruction of Personal Data. The Company also limits access to the server in which it stores Personal Data only to specific employees who have ID and password, and especially for certain Personal Data, the Company minimizes the number of employees who have access rights to manage it. Additionally, the Company distributes the Personal Data which contains credit card information in several secure data center environments. Furthermore, the Company introduces Secure Sockets Layer（SSL）into all its webpages related to transactions. Using SSL-capable browsers enables the maintenance of confidentiality of Personal Data and credit card information transmitted online.
The employees who handle customer Personal Data use monitors with a password-secure screen saver function which activates when the devices are not in use. The Company conducts education and training about the importance of protecting personal data every 6 months on a company-wide basis, but once a month in some departments, and records the minutes of such education.
5. What are the data protection rights of the customer and how can they be exercised?
5.1 Under the General Regulation (EU) 2016/679, of 27 April 2016, on Data Protection (GDPR), the following rights are recognized in relation to the processing of customer personal data:
- Right of access
To receive confirmation of the existence of customer personal data, access its content and obtain a copy.
- Right of rectification
To update, rectify and/or correct customer personal data.
- Right to erasure/right to be forgotten and right to restriction
To request the erasure of customer data or the restriction of customer data which has been processed in violation of the law, including cases when the storage of which is unnecessary in relation to the purposes for which the data was collected or otherwise processed; where the Company has made customers’ personal data public, customers also have the right to request the erasure of customers’ personal data and to take reasonable steps, including technical measures, to inform other data controllers which are processing the personal data that customers have requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
- Right to data portability
To receive a copy of customer personal data provided to the Company for a contract or with customers’ consent in a structured, commonly used and machine-readable format (e.g. data relating to customers’ purchases) and to ask the Company to transfer that personal data to another data controller.
- Right to withdraw customer consent
Wherever the Company relies on customers’ consent, customers will always be able to withdraw that consent, although the Company may have other legal grounds for processing personal data for other purposes.
- Right to object, at any time
Customers have the right to object to the processing of personal data at any time in some circumstances (in particular, where the Company doesn’t have to process the data to meet a contractual or other legal requirement, or where the Company is using personal data for direct marketing).
Customer rights in relation to personal customer data may be limited in some situations. For example, if fulfilling the customer’s request would reveal personal data about another person or if the Company has a legal requirement or a compelling legitimate ground, the Company may continue to process customers’ personal data which customers have asked the Company to delete.
Customers may also have the right to make a complaint if the customer feels their personal data has been mishandled. The Company encourages customers to make a complaint to the Company in the first instance but, to the extent that this right applies to customers, customers are entitled to complain directly to the relevant Data Protection Supervisory Authority.
5.2 Under the CCPA, the following rights are recognized in relation to the processing of customer personal data:
If CCPA applies, individuals (including any employees to whom CCPA applies; the same applies hereinafter) who are “consumers'' under CCPA have the following rights. “Consumers” are able to exercise these rights by contacting the Company set forth in 10. below.
- Right to access to Personal Data
You have the right to access your Personal Data up to twice in a 12-month period. The Company will provide you with the information, free of charge, in a readily usable and portable format within 45 days of receiving customer request.
- Right of deletion of Personal Data
Unless any of the exceptions permitted under CCPA apply, if a “consumer” under CCPA definition, the customer has a right to request deletion of Personal Data that was collected by the Company. In such cases, if the Company provided such Personal Data to a service provider, we will instruct that service provider to make such deletion.
- Right not to be discriminated
Customers have the right not to be discriminated against because of exercising of any rights under CCPA.
- Right to opt-out of the sale of Personal Data
This is a right to direct the Company to stop selling Personal Data, or not to sell Personal Data in the future. The Company has not sold, and will not sell, Personal Data of a “consumer” to a third party.
If a “consumer” under CCPA requests disclosure of his/her Personal Data pursuant to 1 or 2 above, the Company will respond to such request within the period permitted under CCPA after verification that the request is being made by the customer himself/herself in a manner set forth below. In any of the following cases, the Company may request submission of information that is only possessed by the “consumer” himself/herself.
If a “consumer” is requesting disclosure of the categories of Personal Data that the Company has collected, verification will take the form of the Company asking two or more questions on Personal Data of the “consumer” that the Company considers appropriate for verification purposes, and receives correct answers to these questions.
If a “consumer” is requesting disclosure of a specific Personal Data, verification will take the form of the Company asking three or more questions on Personal Data of the “consumer” that the Company considers appropriate for verification purpose, and receives correct answers to these questions, and having the requestor sign and submit a signed declaration under penalty of perjury that the requestor is the “consumer” whose Personal Data is the subject to the disclosure request.
If, on the other hand, a “consumer” under CCPA requests deletion of his/her Personal Data pursuant to the above, the Company will respond to the request within the period required by CCPA upon verifying the request by a method that the Company considers appropriate according to the category of Personal Data being deleted. In such cases, the Company may request the “consumer” to provide information that only the “consumer” possesses.
Request by agent
A consumer under CCPA may exercise the right set forth in 5.2 through an authorized agent. In such cases, such consumers shall submit to the Company a power of attorney signed by him/herself. In addition, the Company will ask the authorized agent for identification verification in the same manner as set forth above.
6. International transfer of customer data
Personal customer data are processed at the Data Controller’s registered office and at the offices of other entities to which data may be provided in order to provide the services requested of the Data Controller.
Given the fact that the Company is an international travel agency, the Company also transfers customers’ personal data to:
non-European Economic Area (EEA) countries offering an adequate level of data protection in accordance with the “Adequacy decisions” of the EU Commission that recognizes some countries as providing adequate protection; non-European Economic Area countries where data protection laws may be less protective than the legislation in the EEA. This happens when:
The Company discloses customer data to involved companies such as operational tour organizers, travel agencies, transportation facilities, price settlement substituting traders, insurance companies etc. that might process the data outside the EEA in order to provide the customer with the requested services.
7. Request for Disclosure, Correction, and Suspension of Use etc.
The Company accommodates requests from its customers for notification of the purposes of use, disclosure, correction, addition and removal, cessation of use or erasure, suspension of provision to third parties of Personal Data and prohibition of undiscrimination (hereinafter referred as to “Disclosure etc.”) through the contact center written in article 10 below.
8. External Links
9th floor, Sumitomo Corporation Mitoshiro Building, 1 Kanda Mitoshiro-cho, Chiyoda-ku, Tokyo 101-0053 Japan
Data Protection Officer (DPO) at email@example.com.