1.1 Responsible Yamato entities. Yamato Transport Europe B.V. (“Yamato EU”) and its mother company Yamato Holdings Co., Ltd. (“Yamato Holding”) are both involved with processing your personal data. These companies will together or separately also be referred to as “Yamato”, “we”, “our” or “us”. We are jointly responsible for how we handle your personal data. This means we are joint controllers for this processing.
1.2 Division of responsibility. Yamato EU and Yamato Holding are jointly responsible for processing your personal data. In principle, Yamato EU and Yamato Holding are both responsible for their own part of processing your personal data. However, Yamato EU is responsible – also on behalf of Yamato Holding – for informing you on how we handle your personal data and for dealing with your questions, comments or requests. For convenience’s sake, you may direct all your questions, comments and requests (e.g. your right to object) to Yamato EU, and not (also) to Yamato Holding. Yamato EU and Yamato Holding will arrange between themselves how to best deal with your questions, comments or requests that (also) relate to Yamato Holding.
1.3 Yamato EU and Yamato Holding as data processor. In principle, we control the processing of your personal data. However, in exceptional cases, we may process your personal data on behalf of another party. This may for instance apply if a customer of us requests us to process personal data about the recipients of packages in a specific way. This Privacy Statement does not regard that part of our processing activities. To such processing, the Privacy Statement of the relevant controller applies.
1.4 Compliant processing. We will only process personal data in accordance with the Applicable Privacy Legislation and as described in this Privacy Statement.
1.5 Third party references Website. The Website includes links to websites of third parties (for example hyperlinks, banners or buttons). We are not responsible for the content of these websites, services provided by these third parties, or their compliance with the Applicable Privacy Legislation.

2.1 Means of collection. We obtain your personal data in various ways:

a. Provided by you. We obtain information actively provided by you. For example, if you contact us, if you sign up for our newsletter or if you provide information to us in the course of our removal services. When you provide personal data to Yamato, please do not provide information that is irrelevant, not accurate and/or unnecessary for the services provided.
b. Automatically retrieved. We obtain some information automatically when you visit our website. For example, we automatically obtain information about you via cookies when you visit our Website. For more information on this, please see our Cookie Policy.
c. Third-party sources. We also obtain information from third parties. For example, we may request information about your company from the Trade Register of the Chamber of Commerce. We may also obtain information about you from professional social media sources like LinkedIn, or other websites.
d. Derived. We may perform analysis on personal data about you. The resulting data can also qualify as personal data about you. For example, we may analyse which webpages are visited most frequently, and from which previous website the website visitor was referred to such webpage.

2.2 Required provision. It may be that providing certain personal data to us is a statutory or contractual requirement, a requirement necessary to enter into a contract, or that you are otherwise obliged to provide the data to us. If that is the case, we will inform you thereof separately, and will also explain the possible consequences if you fail to provide such personal data to us.

3.1 Specifications per category. It depends on the processing activity, which personal data we process about you, for which purposes and based on which legal ground. If you click on the processing activities stated below, this further information will appear.

a. Website visitors and webshop expandcollapse

b. International removal service expandcollapse

c. Freight forwarding / logistics, parcel delivery and storage services expandcollapse

d. Small parcel expandcollapse

e. Custom consultancy expandcollapse

f. CCTV expandcollapse

3.2 Specification legitimate interests. If and insofar your personal data is processed on the basis of legitimate interests, information can be obtained by you as to the so-called balancing test that was carried out to allow us to rely on this processing ground. Please find our contact details below.
3.3 Further processing. It may be that we intend to further process your personal data for a purpose other than those for which the personal data have been collected, but compatible with the initial processing purpose. In such case, we will provide you with information about the(se) other purpose(s) and all relevant further information prior to that further processing.

We use cookies to ensure that the Website functions properly. Please be referred to our Cookie Policy for further information on this.

5.1 Conditions data sharing. We only share your personal data with trusted third parties if:

a. They need to know the information for the purposes of providing their services;
b. They agreed to comply with the Applicable Privacy Legislation or if our Privacy Terms and Conditions apply, in which this is required. This means for instance that such third party needs to put adequate security measures in place; and that where applicable, the transfer complies with any legitimization requirements for cross border transfer.

5.2 Parties with whom we share your personal data. For the provision of our services we share your personal data on a strictly need-to-know-basis with:

a. Entities of the Yamato Group (list of group companies);
b. Agents involved, operating on behalf of Yamato;
c. Subcontractors and service providers involved, such as: airlines, shipping lines, trucking companies, depots, auditing companies, consulting and law firms, insurance companies, other authorities and hosting and payment providers.
d. Persons authorized to this end, employed or engaged by a data processor of YTE or affiliated companies of YTE, involved in the processing of HR data, on a need-to-know basis (accounting and auditing firms, insurance and payroll companies and tax institutions);
e. Competent authorities, such as the police or the authorities of the country of transit or destination for customs clearance in as far as required by the laws of the respective country; and
f. Incidentally: other third parties, on a need-to-know basis.

6.1 Transfer outside the EEA and UK. Parties involved with processing your personal data may be located outside of your jurisdiction. We also share personal data of you within the Yamato Group, including but not limited to the Yamato Holding. This will involve transferring your data to countries outside the EEA and UK (‘Third Countries’), such as Japan. See this link for an overview of the EEA countries. Any data transfer shall always take place in compliance with Chapter V of the GDPR and additional recommendation or decision issued in this regard by the European Data Protection Board (‘EDPB’), European Commission (‘EC’) or other competent authority or body under the Applicable Privacy Legislation.

6.2 Legitimization of transfer outside the EEA and UK.

Transfers of your personal data to a country outside the EEA may in the first place be legitimized on the basis of a so-called adequacy decision. This is a decision in which the European Commission states that e.g. a certain country offers a level of data protection similar to the GDPR. See this link for the current list of adequacy decisions. An example of transfers of Yamato based on an adequacy decision is transfer of your personal data to Japan.  The transfer of your data from the UK to a third party outside the UK can in the first place be legitimized based on an adequacy regulation of the UK government. See this link for an overview of the applicable adequacy regulations.

If and insofar as we transfer personal data to Third Countries to which no adequacy decision or adequacy regulation applies, we will conclude the applicable version of the model clauses to safeguard data protection as published by the European Commission, so called standard contractual clauses (‘Transfer SCCs’). If deemed required under the Applicable Privacy Legislation, additional measures will be taken. This may concern technical, organizational and/or contractual measures. Where the UK GDPR is applicable, a UK Addendum will be added to the Standard Contractual Clauses mentioned above, as required by UK laws and regulations.

Further information on our legitimization of data transfers to Third Countries will be provided upon your request. Please use our contact details to make such a request, as stated below.

7.1 Security measures. We take appropriate organizational and technical security measures to protect your personal data and to prevent misuse, loss or alteration thereof. In addition, we limit access to personal data to those employees, agents, contractors and other third parties who need to have access in view of their work/services. Also, the aforementioned persons involved are bound by a confidentiality obligation, either in their employment agreements or (data processing) agreements.

7.2 Technical security measures. Examples of technical security measures taken by us are:

a. Logical and physical security (e.g. safe, doorman, firewall, network segmentation);
b. Technical control of the authorizations (as limited as possible) and keeping log files;
c. Management of the technical vulnerabilities (patch management);
d. Keeping software up-to-date (e.g. browsers, virus scanners and operating systems);
e. Making back-ups to safeguard availability and accessibility of the personal data;
f. Automatic erasure of outdated personal data;
g. Encryption of personal data;
h. Applying hashing or (other) pseudonymization methods to personal data; and
i. Provide secure storage facilities for end-users (e.g. file server storage).

7.3 Organizational security measures. Examples of organizational security measures taken by us are:

a. Assign responsibilities for information security;
b. Promote privacy and security awareness among new and existing employees;
c. Establish procedures to test, assess and evaluate security measures periodically;
d. Check logfiles regularly;
e. Using a protocol for handling data breaches and other security incidents;
f. Conclude confidentiality, data processing and data protection agreements;
g. Assess whether the same objectives can be achieved with less personal data;
h. Provide access to personal data to as few people within the organization as possible; and
i. Define the decision-making and underlying considerations per processing.

7.4 Security policies. We have internal security policies in place in which it is further described how we ensure an appropriate level of technical and organizational security measures. We also have a data breach policy in place in which it is described how we deal with a (possible) data breach. We will for example notify the relevant supervisory authority and the data subjects involved if required under Applicable Privacy Legislation.

8.1 Main rule. In principle, we do not store your personal data any longer than is strictly necessary for the purposes for which we process your personal data. Yamato has put in place a Retention Policy to ensure that your personal data are deleted after a reasonable period.

8.2 Exception: shorter retention. If you or another person successfully exercises one of your privacy rights, it can be that the relevant personal data may no longer be retained. In such cases, we may process your personal data for a shorter period, than as stated under the ‘main rule’. Please be referred to the ‘Your Rights’ section below, for more information on this.

8.3 Exception: longer retention. In exceptional cases, we may process your personal data longer. In such cases we may process your personal data longer than as stated under the ‘main rule’. This is the case if we need to process your personal data for a longer period in view of:

a. A longer minimum statutory retention period that applies to Yamato or other specific statutory obligation;
b. Practicality: in order to practically be able to act in line with the Retention Policy, some retention periods have been categorized and for the various Yamato locations within Europe some periods have been integrated;
c. A legal procedure;
d. The right to freedom of expression and to information;
e. A task carried out in the public interest or in the exercise of official authority vested in the controller; or
f. Public health.

8.4 Contact. Please contact us via our contact details displayed below, should you wish to be further informed on how long we process your personal data.

9.1 In relation to our processing of your personal data, you have the below privacy rights. For more information on your privacy rights, please be referred to this webpage or this webpage of the European Commission or this webpage of the UK Information Commissioner’s Office.

a. Right to withdraw consent. In so far as our processing of your personal data is based on your consent (see above), you have the right to withdraw consent at any time.
b. Right of access. You have the right to request access to your personal data. This enables you to receive a copy of the personal data we hold about you (but not necessarily the documents themselves). We will then also provide you with further specifics of our processing of your personal data.
c. Right to rectification. You have the right to request rectification of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected.
d. Right to erasure. You have the right to request erasure of your personal data. This enables you to ask us to delete or remove personal data where: (i) the personal data are no longer necessary, (ii) you have withdrawn your consent, (iii) you have objected to the processing activities, (iv) the personal data have been unlawfully processed, (v) the personal data have to be erased on the basis of a legal requirement, or (vi) where the personal data have been collected in relation to the offer of information society services. We do not have to honour your request to the extent that the processing is necessary: (i) for exercising the right of freedom of expression and information, (ii) for compliance with a legal obligation which requires processing, (iii) for reasons of public interest in the area of public health, (iv) for archiving purposes, or (v) for the establishment, exercise or defence of legal claims.
e. Right to object. You have the right to object to processing of your personal data where we are relying on legitimate interests as processing ground (see above). Insofar as the processing of your personal data takes place for direct marketing purposes, we will always honour your request. For processing for other purposes, we will also cease and desist processing, unless we have compelling legitimate grounds for the processing which override your interests, rights and freedoms or that are related to the institution, exercise or substantiation of a legal claim.
f. Right to restriction. You have the right to request restriction of processing of your personal data in case: (i) the accuracy of the personal data is contested by you, during the period we verify your request, (ii) the processing is unlawful and restriction is requested by you instead of erasure, (iii) we no longer need the personal data but they are required by you for the establishment, exercise or defence of legal claims, or (iv) in case you have objected to processing, during the period we verify your request. If we have restricted the processing of your personal data, this means that we will only store them and no longer process them in any other way, unless: (i) with your consent, (ii) for the establishment, exercise or defence of legal claims, (iii) for the protection of the rights of another natural or legal person, (iv) or for reasons of important public interest
g. Right to data portability. You have the right to request to transfer of your personal data to you or to a third party of your choice (right to data portability). We will provide to you, or such third party, your personal data in a structured, commonly used, machine-readable format. Please note that this right only applies if it concerns processing that is carried out by us by automated means, and only if the our processing ground for such processing is your consent or the performance of a contract to which you are a party (see above).
h. Automated decision-making. You have the right not to be subject to a decision based solely on automated processing, which significantly impacts you (“which produces legal effects concerning you or similarly significantly affects you”). In this respect, please be informed that when processing your personal data, we do not make use of automated decision-making.
i. Right to complaint. In addition to the above mentioned rights you have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of your habitual residence or the UK, place of work or of an alleged infringement of the GDPR at all times. Please be referred to this webpage for an overview of the supervisory authorities in the EU and their contact details, and to this webpage for the supervisory authority in the UK. However, we would appreciate the chance to deal with your concerns before you approach the supervisory authority so please contact us beforehand.

9.2 How to exercise your rights. The exercise of the abovementioned rights is free of charge and can be carried out by phone or by e-mail via the contact details displayed below. If requests are manifestly unfounded or excessive, in particular because of the repetitive character, we will either charge you a reasonable fee or refuse to comply with the request.

9.3 Verification of your identity. We may request specific information from you to help us confirm your identity before we comply with a request from you concerning one of your rights.

9.4 Follow-up of your requests. We will provide you with information about the follow-up to the request without undue delay and in principle within one month of receipt of the request. Depending on the complexity of the request and on the number of requests, this period can be extended by another two months. We will notify you of such an extension within one month of receipt of the request. The Applicable Privacy Legislation may allow or require us to refuse your request. If we cannot comply with your request, we will inform you of the reasons why, subject to any legal or regulatory restrictions.

10.1 Contact Yamato EU. For any questions, comments or requests, you may contact us via . Please let us know by e-mail if you prefer to have further contact over the phone and indicate your preferred language, provided that this is the national language of an EEA country, or Japanese. Yamato will then provide you with the relevant phone number.

10.2 Contact DPO. Yamato EU has appointed a Data Protection Officer. The DPO can be contacted via . Please let the DPO know by e-mail if you prefer to have further contact over the phone and indicate your preferred language, provided that this is the national language of an EEA country, or Japanese. The DPO will then provide you with the relevant phone number.

10.3 Contact Yamato Holding. You also have the right to exercise your rights in respect of Yamato Holding. You can contact Yamato Holding for those matters, and any other questions relating to your privacy, via . However, for your convenience’s sake, you may also direct all your questions, comments and requests (e.g. your right to object) to Yamato EU, and not (also) to Yamato Holding. Yamato EU and Yamato Holding will arrange between themselves how to best deal with your questions, comments or requests that (also) relate to Yamato Holding.

11.1 Deletion of your personal data by us. Yamato is entitled at all times to delete your personal data without notice. In such a case, Yamato owes no compensation to you as a result of the termination of the account.

11.2 Changes to the Privacy Statement. Yamato reserves the right to change this Privacy Statement on a regular basis. Where required, Yamato will inform you of updates made to this Privacy Statement. The current version is always available on our website www.yamatoeurope.com. This Privacy Statement was last amended and revised in April 202021.

12.1 In this Privacy Statement, the following definitions apply:

Applicable Privacy Legislation	All applicable privacy legislation, including the General Data Protection Regulation (“GDPR”) and the relevant national implementation acts.
Privacy Statement	This present privacy statement.
Yamato EU	Yamato Transport Europe B.V. Capronilaan 22 1119 NS SCHIPHOL-RIJK The Netherlands Chamber of Commerce number: 24172596
Yamato Holding	Yamato Holdings Co., Ltd. 2-Chome 16-10 Ginza, Chuo-Ku, Japan Chamber of Commerce number: 0199-01-034964
Website	www.yamatoeurope.com

12.2 Other terms that are defined in the Applicable Privacy Legislation, such as ‘personal data’, ‘(joint) controller’, ‘processor’, ‘data subject’ and ‘processing’ will have the meaning as described in the Applicable Privacy Legislation.