Shangri-La, LLC (the “Company”, “we”, “us”) respects the importance of personal information and, in order to ensure protection of personal information, complies with applicable laws and regulations regarding the protection of personal information and sets the following privacy policy (this “Policy”). By using our services, you are consenting to the practices described in this Policy.
- Compliance with Relevant Laws and Guidelines
The Company shall handle personal information in a lawful and proper manner in compliance with the Personal Information Protection Law, other relevant laws and regulations, guidelines established by the Personal Information Protection Commission, and this Policy.
- Collection of Personal Information
The Company collects personal information through legal and appropriate means.
- Purpose, etc. of Use of Personal Information
The Company shall identify the purpose of use of the personal information we obtain as much as possible, and our employees with authority in accordance with specific operations shall handle the personal information appropriately to the extent necessary to achieve such purpose. The Company will also take steps to ensure that no unintended use is made. The types of personal information and the purpose of use are as follows.
(1) The types of personal information that the Company is expected to collect are as follows:
① Name, address, and contact information (phone number and mail address)
② Occupation, place of work, date of birth, gender
③ Other information collected according to the purpose of use
(2) The Company uses personal information for the following purposes:
① Personal information collected through inquiries
To respond to customers’ comments and inquiries
② Personal information collected in recruitment applications
For selection of applicants and communication to applicants
④ Personal information collected from customers using our services
(ombus5 service)
・ To grant the certification mark
・ To contact and respond to customers regarding the certification mark
(Internet service)
・ To contact and respond to customers
・ To provide our services to our customers
・ To inform the customer of information related to our company services
⑤ Information collected by us as a result of its acceptance of consignment
For the performance of entrusted business
- Entrustment of Personal Information
The Company may outsource the handling of personal information to a subcontractor in order to facilitate business operations and provide better services to the extent necessary to achieve the above purposes of use. However, the personal information to which handling is entrusted shall be limited to the minimum information necessary for performing the entrusted business.
- Provision of Personal Information to Third Parties
The Company will not provide personal information to third parties (excluding subcontractors) except with the prior consent of the principal or as permitted by laws and regulations.
- Management of Personal Information
(1) Ensuring the accuracy of information
The Company shall make an effort to keep personal information accurate and up to date to the extent necessary to achieve the purpose of use, and to delete personal information when it is no longer necessary to use it.
(2) Security management measures
The Company will take necessary and appropriate measures to prevent the leakage, loss or damage of personal information and for other security management of personal information.
(3) Supervision of employees
When having employees handle personal information, the Company ensures that all employees are fully aware of the proper handling of personal information, provides appropriate education, and conducts necessary and appropriate supervision.
(4) Supervision of the contractor
When the Company entrusts the handling of personal information to the contractor, we shall select a subcontractor that has implemented appropriate security management measures and supervise the contractor in a necessary and appropriate manner.
- Inquiry about Personal Information
(1) If a principal or an agent requests a notification of the purpose of use of collected personal data, the notification will be made without delay except in the following cases.
① Cases where the purpose of use of retained personal data identifying the principal is clear;
② Cases where there is a risk of harming the life, body, property, or other rights and interests of the principal or a third party;
③ Cases where there is a risk of prejudice to the rights or legitimate interests of the Company; or
④ Cases where it is necessary to cooperate in the execution of affairs prescribed by laws and regulations by a national organ or a local public entity and where there is a risk of hindering the execution of said affairs.
(2) If the principal or agent requests disclosure of retained personal data, we will notify you without delay except in the following cases.
① Cases where there is a risk of harming the life, body, property, or other rights and interests of the principal or a third party;
② Cases where there is a risk of causing significant hindrance to the proper conduct of the Company’s business; or
③ In case of violation of laws and regulations.
(3) In the event of a request for correction, addition or deletion of retained personal data from the principal or his/her agent, we will conduct an investigation without delay and take appropriate measures based on the results.
(4) If a principal or an agent requests the suspension or deletion of the use of retained personal data and the request is found to have a reason, the Company will take appropriate measures.
(5) If you wish to request any of the items listed in the preceding 4 sections, please contact us by e-mail at the address listed in Section 13 below. The personal information contained in the e-mail will be used for the purpose of responding to your request and will be kept securely.
- Collection and Use of Anonymously Processed Information
To the extent permitted by law, the Company may produce and provide anonymously processed information (including, but not limited to, browsing history) to third parties, taking appropriate safeguards to prevent the identification of specific individuals and the restoration of personal information used in the production. The Company shall handle anonymously processed information appropriately in accordance with laws and regulations to the extent necessary to achieve the purpose of use specified above.
- Continuous Improvement
The Company will make continuous efforts to improve the handling of personal information. In addition, we will reflect the improvements in this Policy as needed.
- Revisions of this Policy
The Company may revise this Policy without notice except as otherwise provided by law or otherwise.
- Contact Information for Personal Information
Personal Information Desk
Shangri-La LLC
Email address: info@ombus5.com
- Special Provisions on the GDPR
This section applies only to the processing of personal data by the Company to the extent that the GDPR (EU General Data Protection Regulation, “GDPR” in isolation and together with the domestic laws of EU or EU Member States as “GDPR etc.”) applies.
(1) The Company recognizes the importance of protecting personal data and will comply with the provisions and obligations set out in the GDPR etc. and other regulations when processing personal data.
(2) The Company is entrusted with the processing of personal data only to the extent necessary to provide our services, etc., and will not use it for any other purpose.
(3) If the Company processes personal data for the provision of our services, etc., we will comply with the obligations set out in Article 28 (3) of the GDPR.
① Personal data shall be processed only on the basis of written instructions from you (including instructions under this Policy and by electromagnetic means), unless required by EU or EU Member State law. The Company will immediately notify you if we determine that your instructions violate the GDPR, etc. In addition, if the Company is required by EU or EU Member State law to do so, we shall inform you of such legal requirements before proceeding, unless notification is prohibited by such EU or EU Member State based on the important public interest.
② The number of officers and employees handling personal data shall be kept to a minimum and a confidentiality agreement shall be concluded with them.
③ The Company shall take appropriate technical and organizational measures for the protection of personal data, as provided for in Article 32 of the GDPR, and shall specify the details of such measures.
(4) You consent to the Company assigning other processors (“Sub-processor”) to specific processing tasks. In this case, if the Company adds or changes a Sub-processor, we will notify you in the manner prescribed by us. You may object in writing within 14 days of such notice, and if you do not object within such period, the Company may use the Sub-processor to perform a specific processing operation.
(5) To the extent possible, the Company will assist you with appropriate technical and organizational measures, taking into account the nature of the processing, in order to fulfil the obligations of the controller to deal with requests to exercise the rights of data subjects. The Company shall immediately notify you when we receive a request to exercise a data subject’s rights.
(6) Taking into account the nature of the processing and the information available to the Company, we will assist you to fulfil your obligations under Articles 32 (Security of processing), 33 (Notification of a personal data breach to the supervisory authority), 34 (Communication of a personal data breach to the data subject), 35 (Data protection impact assessment) and 36 (Prior consultation) of the GDPR.
(7) Except as required by the laws of the EU or any EU Member State, after the termination of our services, the Company shall delete or return all personal data at your option and delete any copies that exist. If you do not notify the Company in writing of your choice to delete or return within five (5) business days prior to our service’s end date, we will assume that you have chosen to delete all personal data. Data must be backed up by you and not returned by us.
(8) The Company discloses all information on our systems that you need to conduct security and compliance audits. In addition, the Company will promptly respond to requests for audits from supervisory authorities such as the Personal Information Protection Commission.
Date: September 1, 2022