SHIMANO E-TUBE PROJECT Professional PC DATA PROTECTION NOTICE

Last Updated: June 2021

 

This Data Protection Notice (the "Notice") describes the data processing activities in connection with your use of the following Software developed and offered by Shimano Inc.

§  E-TUBE PROJECT Professional PC (the "Software").

This Notice also informs you about the most relevant aspects of the arrangement concluded between the Shimano entities responsible for the data processing activities in connection with the Software.

Personal Data means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental economic, cultural or social identity of that natural person ("Personal Data").

Special categories of personal data include data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person's sex life or sexual orientation (also referred to as "Sensitive Data").

You can find more information about how we process the Personal Data of California consumers by reviewing the “Additional Disclosures for California Consumers” section of this Notice below.

§  Shimano Inc. ("SIC")
3-77 Oimatsu-cho, Sakai-ku, Sakai City
Osaka 590-8577, Japan

is the entity responsible for the processing of your Personal Data in relation to the Software (referred to hereinafter as "we", "our" or "us").

We have appointed a group Data Protection Officer ("DPO") to manage all matters related to data protection and privacy. If you have any questions regarding the processing of your Personal Data, please contact our DPO at privacy@shimano-eu.com

Our Software offers you a variety of functionalities, services and features (the "Services") which require or allow you to provide us with Personal Data about you. Additionally, we automatically collect information about you, including Personal Data, upon use and login of the Software on your device.

When using our Software you have the option to enjoy our contents and Services which may require or allow you to provide us with Personal Data.

If certain information is required for us to be able to provide you with a specific service, we will for us mark it as such. Failure to provide us with the information results in the impossibility of providing you with the requested service.

§  User information (OEMs and distributors) and information about employees of users: corporate ID of user (including login password (encrypted)), names and email addresses of user or user’s employees; and

§  Bike and bike parts information: parts information (product name, serial number, firmware version, unit log (configuration, errors), gear teeth number, tire circumference, E-BIKE-destination, upper limit torque, etc.)

The Software offers you the option of using the Software without logging in. If you choose this option, we will only store the bike and bike part information together with the information listed under point 5.2.

When using our Software and Services we automatically collect Personal Data.

§  Device information: MAC address; and

§  Software usage log information: results of user operations and operation information based on the dialog display (regarding the malfunction of bicycle parts)

We process Personal Data of the following categories of data subjects:

§  Private end users

§  Professional users (such as dealers, OEMs and distributors, if these are natural persons)

§  Employees of professional users

We process your Personal Data only for specified, explicit and legitimate purposes and provided that we have a legal basis to rely on. Your Personal Data will not be processed for any purpose other than the one they were originally collected, unless the new purpose is compatible with the initial one or in the event you give us your consent.

We have summarized the purposes for which we process your Personal Data and the legal bases we justify the processing with in the list below:

§  User identification:

We use your Personal Data to enable you to register an account and to log into it, if you want to use the Software with login.

The processing of your Personal Data for this purpose is necessary for the performance of the contract concluded with you for the use of the Software, see Art. 6 (1)(b) General Data Protection Regulation ("GDPR").

§  Use of the Software:

The Software offers you the option of using the Software without logging in. In case of using the Software with user log-in (only possible for OEMs and distributors), the Software operates on the basis of the user profile you have created. We use your Personal Data to manage the bike and bike parts information associated with your user account. Our aim is to offer you a seamless experience by enabling you to access your data from any place and any device. We base the processing of your Personal Data for the above purposes on the performance of a contract to which you are party, see Art. 6 (1)(b) GDPR.

We rely on your consent to process any Personal Data you have freely chosen to provide us with, see Art. 6 (1)(a) GDPR. In case you withdraw your consent, for example, by updating your user profile, we will stop processing your Personal Data for this purpose.

§  Communication with you:

We use your Personal Data to contact you, either upon your request, or when you have allowed us to do so, for example, to obtain feedback from you in order to improve our Services and the products.

We base the processing of your Personal Data on your consent, as well as on the performance of a contract to which you are party and our legitimate interests to provide customer support, to improve the quality of our services and to grow as a business, see Art. 6 (1)(a), (b) and (f) GDPR.

§  Product development:

We process your Personal Data for quality improvement purposes, e.g. to detect and analyze problems in our products, to carry out predictive maintenance and calculate the necessary product replacement timing, to introduce new products and test their compatibility, etc.

We base the processing of your Personal Data on our legitimate interests to improve the quality of our products and services, for product development research and to expand and grow as a business, see Art. 6 (1)(f) GDPR.

§  Software user measurement and usage analysis:

We analyze the performance of our Software and Services content in order to understand how users interact with them and improve them accordingly.

We rely on your consent to process your Personal Data for this purpose, see Art. 6 (1)(a) GDPR. In case you withdraw your consent, we will stop processing your Personal Data for this purpose.

§  Detect and avoid misuse of the Software:

We analyze technical data gathered via the Software to detect and avoid misuse thereof, for example, by a breach of the terms of use of the software license agreement.

We base the processing of your Personal Data on the performance of a contract to which you are party, as well as on our legitimate interests in prosecuting any misuse of our Software which could affect Shimano and could have legal consequences, see Art. 6 (1)(b) and (f) GDPR.

Where the above purposes require or involve the processing of Sensitive Data, we will ask for your express consent, as required by law, see Art. 9 (2)(a) GDPR.

We share your Personal Data with the following recipients:

§  Service providers acting on our behalf. We engage service providers to assist us in our daily business such as IT support and maintenance providers, web server providers. All service providers are legally and contractually required to respect and comply with applicable data protection legislation. Our service providers include:
Sonix Co., Ltd, 7-9-5, Nishigotanda, Shinagawa-ku, Tokyo 141-0031, Japan (maintenance and data analysis provider)

The transfer of your Personal Data to recipients located in third countries outside of the European Economic Area ("EEA") is subject to the provisions set out in Section 8 below ("international data transfers").

All data collected the Software will be stored centrally in the European Union (“EU”). As data controller, SIC will have access to that database. Accordingly, your Personal Data will be transferred and/or disclosed to recipients located outside of the EEA in Japan which has been recognized by the European Commission in its adequacy decision (Commission Implementing Decision 2019/419 of 23 January 2019) as providing for an adequate level of data protection.

We will not process your Personal Data longer than necessary for the purpose for which it was originally collected.

Subject to statutory retention periods, we will delete your Personal Data:

§  after a period of 5 years after the last login; and/or

§  when you request the deletion.

Under applicable data protection law, you have certain rights with regard to the processing of your Personal Data by us:

§  Right of access to your Personal Data;

§  Right to rectification of inaccurate or incomplete Personal Data;

§  Right to erasure of your Personal Data;

§  Right to restriction of processing;

§  Right to data portability, when the processing of your Personal Data is based on your consent or on a contract, and the processing is carried out by automated means;

§  Right to withdraw consent with effect for the future

§  Right to lodge a complaint with a supervisory authority; and

§  Right to object to the processing of your Personal Data on grounds relating to your particular situation, and right to object to the processing of your Personal Data for direct marketing purposes.

We have implemented standard industry practices internally and with our service providers to maintain the security of your Personal Data depending on its sensitivity and to avoid disclosure of such Personal Data unpermitted under this Notice.

We do not knowingly process Personal Data from individuals under the age of 16 without parental or guardian consent. If you are the parent or the guardian of a child and you believe that we have processed Personal Data about him or her, please contact our DPO using the contact details described above in Section 3.

This Notice may be revised from time to time to reflect and comply with changes in applicable legislation. We will inform you about any updates in an appropriate manner, e.g. via email or a message in the Software. The date of the last update is available at the top of this Notice.

 

Additional Disclosures for California Consumers

These disclosures describe how we collect, use, process, and disclose Personal Data of California consumers in the context of our Software and Services (as defined above), as well as the rights you may have under California law. These disclosures are intended to supplement the Data Protection Notice with information required by the California Consumer Privacy Act (“CCPA”).

Personal Data We Collect

California law requires that we describe the Personal Data we collect about California consumers, including by identifying specific categories of data. We collect Personal Data directly from consumers, automatically when consumers use our Software and Services, and from other sources (such as from professional users (OEMs and distributors that provide us with information about their employees). As we describe in more detail above in the “Information We Collect” section of this Notice, we have collected the following categories of Personal Data in the past 12 months:

§  Identifiers (e.g., corporate ID of professional users (OEMs and distributers) and login password (encrypted), names and email addresses of professional users or their employees, unique device ID (such as MAC address))

§  Commercial Information (e.g., parts information (product name, serial number, firmware version, unit log (configuration, errors), gear teeth number, tire circumference, E-BIKE-destination, upper limit torque, etc.)

§  Internet Activity (e.g., Software usage log information (e.g., results of user operations and operation information based on the dialog display (regarding the malfunction of bicycle parts)))

For information about our business or commercial purpose(s) for collecting, or possibly sharing, your Personal Data, please refer to the “Purposes and Legal Bases” section of the Notice above.

How We Share Personal Data

We may share your Personal Data with third parties as described in the “Recipients of Personal Data” section of the Notice above. We do not sell Personal Data. California law also requires that we provide you with information about certain disclosures of Personal Data to third parties, where the disclosures are made for “business purposes”, such as disclosures to service providers. We disclose the following types of Personal Data for our business purposes:

Category of Personal Data

Recipient

Identifiers

IT support and maintenance providers

Commercial Information

IT support and maintenance providers

Internet Activity

IT support and maintenance providers

California Rights

California law grants certain rights to California consumers. These include the rights to:

§  Access specific pieces of Personal Data (“Right to Access”)

§  Learn about how we process and share Personal Data (“Right to Know”)

§  Request deletion of Personal Data we collected from you (“Right to Request Deletion”)

§  Opt out of “sales” of Personal Data, as that term is defined under California law

§  Not to be denied goods or services for exercising these rights

To exercise the Right to Access, Right to Know, or Right to Request Deletion: please contact us at privacy@shimano-eu.comor +1-800-423-2420. Only you or a person that you authorize to act on your behalf may make a request related to your Personal Data. A request to exercise any of these rights must (1) provide sufficient information that allows us to reasonably verify that you are the person about whom we collected Personal Data (or an authorized representative of that person); and (2) describe your request with sufficient detail that allows us to understand, evaluate, and respond to your request. We will verify your identity by sending email to your registered email address and confirming reply from your email address. In certain cases, we may need to ask for more information. We may not be able to respond to your request or provide you with the information you requested if we are unable to verify your identity (or establish the authority of an authorized agent acting on your behalf). Authorized agents wishing to exercise rights on behalf of a California consumer should submit requests to privacy@shimano-eu.com along with a copy of the consumer’s signed authorization designating you as their agent. If you do not have an account with SHIMANO, while you may contact us atprivacy@shimano-eu.com with questions or concerns, we may not be able to respond to requests to exercise your rights under the CCPA, including the right to know or delete your Personal Data. Because we only collect limited data about individuals without an account, we are unable to verify requests from non-accountholders to the standard required by the CCPA.

Additionally, under California Civil Code Section 1798.83, California residents have the right to request in writing from businesses with whom they have an established business relationship, (a) a list of the categories of personal data that a business has disclosed to third parties during the immediately preceding calendar year for the third parties’ direct marketing purposes and (b) the names and addresses of such third parties. To exercise this right, please contact us at privacy@shimano-eu.com

Contact Us

If you have any questions regarding the processing of your Personal Data, please contact us at privacy@shimano-eu.com