GMO Adam, Inc. (“we”, “our,” or “us”), as a Japanese corporation which processes the personal data of persons in the EU and the UK, complies with the General Data Protection Regulation (effective on May 25, 2018) prescribed by the European Commission (EU GDPR) and the UK GDPR which was adopted in the UK with effect from 1 January 2021. GMO Adam, Inc is the controller and responsible for your personal data.
- The types of data we collect
Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:
Identity Data includes first name, last name, username, date of birth, and identification card.
Contact Data includes address, country of residence, email address, telephone numbers, and SNS IDs.
Financial Data includes bank account and wallet address.
Transaction Data includes details about payments to and from you and other details of products and services you have purchased from us.
Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access this website.
Profile Data includes your username and password, purchases or orders made by you, your interests, preferences, feedback, and survey responses.
Usage Data includes information about how you use our website, products, and Services.
Marketing and Communications Data includes your preferences in receiving marketing from us and our third parties and your communication preferences.
We do not collect any Special Categories of Personal Data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health, and genetic and biometric data). Nor do we collect any information about criminal convictions and offences.
Where we need to collect personal data by law, or under the terms of a contract we have with you, and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with services). In this case, we may have to cancel a service you have with us, but we will notify you if this is the case at the time.
- How we collect your data
We use different methods to collect data from and about you including through:
- Direct interactions. You may give us your Identity, Contact and Financial Data by filling in forms or by corresponding with us through our website, phone, email, or otherwise:
- create an account on our website;
- buy and sell items through the Service;
- request marketing to be sent to you;
- give us feedback or contact us.
- Third parties or publicly available sources. We will receive personal data about you from various third parties and public sources as set out below:
- Technical Data from the analytics providers such as Google based outside the UK and EU.
- Contact, Financial and Transaction Data from providers of technical, payment and delivery services such as GMO Payment Gateway, Rakuten Pay based outside the UK and EU.
- Identity and Contact Data from other platform operators or service providers based outside the UK and EU which use our API connect.
- Identity and Contact Data from SNS providers based outside the UK and EU when you use social login.
- Conditions for Processing of EU and UK Personal data
We may process EU and UK personal data when any one of the following cases is applicable, even if we have not obtained consents from customers and/or others concerned.
- When the processing is necessary for the execution of the contract where a customer or other subject concerned himself or herself is the contracting party.
Or when the processing is necessary in accordance with request from a customer or other subject concerned at the stage when the contract is not concluded yet.
- When the processing is necessary to comply with the legal obligation that we shall abide by; for example, when following information disclosure orders based on laws and regulations from government agencies etc.
- When the processing is necessary to protect serious interests of customers, other subjects concerned, or both.
- When it is deemed appropriate to investigate, prevent, or take measures against illegal acts or suspicious acts.
- When the processing is necessary for legitimate interests pursued by a third party or us, except where such interests are overridden by customer’s right, profit, and freedom concerning the privacy of a customer or other subject concerned.
- How we use your personal data
We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:
- Where we need to perform the contract we are about to enter into or have entered into with you.
- Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
- Where we need to comply with a legal obligation.
Generally, we do not rely on consent as a legal basis for processing your personal data although we will get your consent before sending third party direct marketing communications to you via email or text message. You have the right to withdraw consent to marketing at any time by contacting us.
Further explanation of these lawful bases are as follows:
Legitimate Interest means the interest of our business in conducting and managing our business to enable us to give you the best service/product and the best and most secure experience. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by contacting us.
Performance of Contract means processing your data where it is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract.
Comply with a legal obligation means processing your personal data where it is necessary for compliance with a legal obligation that we are subject to.
We use personal information to the extent necessary to achieve the following usage purposes.
- To provide customers with the Service;
- To market and advertise the Service;
- To send customers newsletters, promotional materials, and information related to the Service, or goods and services of our group corporations or our partner corporations;
- To facilitate the creation of customers’ accounts, to help customers’ manage their accounts, to give customers notice regarding their accounts;
- To confirm, review, and respond to customers’ requests and inquiries regarding us or the Service;
- To develop, improve, and provide the Service by conducting research, analysis, and surveys;
- To exercise our rights and fulfill our obligations arising out of or in connection with any contracts between customers and us;
- To comply with the applicable laws and regulations;
- To provide certain services to third parties when processing personal data owned by such parties; and
- To operate, maintain, and manage the Service, and to improve the administration of the Service and quality of experience when customers use the Service.
- Rights of Customers and Other Subjects Concerned
Each customer or the other subject concerned has the following rights regarding EU and UK personal data about himself or herself.
- Right to access to his or her own EU and UK personal data and other information relating to his or her personal data
- Right to rectify inaccuracies of his or her EU and UK personal data without undue delay
- Right to erase his or her EU and UK personal data without undue delay
- Right to restrict processing of his or her EU and UK personal data
- Right to receive EU and UK personal data provided by customers or other concerned subjects by himself or herself in a general format that is readable on computers, and right to transfer (i.e., data portability) the EU and UK personal data to other organizations in order for them to manage without hindering transferring process
- Right to object to legitimate interest processing; and processing for direct marketing purposes
- Right not to be subjected to assessments conducted or decisions made through automatic processing such as profiling that have serious impact including legal effects on individuals
- Right to lodge a complaint with a supervisory authority
We strive to provide you with choices regarding certain personal data uses, particularly around marketing and advertising.
We may use your Identity, Contact, Technical, Usage and Profile Data to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide which products, services and offers may be relevant for you (we call this marketing).
You will receive marketing communications from us if you have requested information from us or purchased services from us and you have not opted out of receiving that marketing.
Third party marketing
We will get your express opt-in consent before we share your personal data with any third party for marketing purposes.
You can ask us or third parties to stop sending you marketing messages at any time by logging into the website and checking or unchecking relevant boxes to adjust your marketing preferences.
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used, or accessed in an unauthorised way, altered, or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions, and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
- Disclosures of your personal data
We may share your personal data with the parties set out below for the purposes set out above.
- Other companies in our GMO Internet Group in Japan
- Service providers acting as processors based in Japan who provide IT and system administration services.
- Professional advisers including lawyers, bankers, auditors, and insurers based in the UK, EU and Japan who provide consultancy, banking, legal, insurance and accounting services.
- Regulators and other authorities based in the United Kingdom, EU, and Japan who require reporting of processing activities in certain circumstances.
We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.
- International Transfer of EU and UK Personal Data
Whenever we transfer your personal data out of the UK or the EU, we ensure a similar degree of protection is afforded to it as under the GDPR by ensuring at least one of the following safeguards are implemented:
- We may transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data. EU and UK personal data is transferred to us and our outsourcing contractors such as cloud provider and IT service vendor located in Japan; and may be stored in servers located in Japan. Japan has been recognized and determined as country providing adequate data protection by the European Commission, and we manage EU and UK personal data of customers and other subjects concerned appropriately.
- Where we use certain service providers, we may use specific contracts (such as standard contractual clauses) approved for use which give personal data the same protection it has under the GDPR.
- Transfer of EU and UK Personal Data
EU and UK personal data belonging to customers and other subjects concerned are transferred to our outsourcing contractors such as cloud provider and IT service vendor to which we have subcontracted our business operation to the extent necessary for service provision.
In addition, we request appropriate processing of the transferred EU and UK personal data to those outsourcing contractors, and manage EU and UK personal data of customers and other subjects concerned appropriately.
- Archiving, Deletion, Disposal of EU and UK personal data
We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.
To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting, or other requirements.
After the defined retention period has expired or the purpose of use has been achieved, we delete EU and UK personal data of customers and other subjects concerned without delay. In some circumstances we will anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.
- About Cookies and Other Similar Technologies
A cookie is an information used to transmit information from this site to your browser. When you, as a customer or other visitor, visit this site again, the cookie helps you to use this site more conveniently and is stored in your personal computers/devices.
Furthermore, the stored information does not include information such as your name, your residential address, your phone number, and your email address which can be used to identify an individual.
Cookie also does not have negative effects on your computers/devices.
Cookie information that is collected from customers and other visitors will be transmitted to and stored in servers at our web servers and our outsourcing contractors such as cloud provider and IT service vendor.
We also obtain statistical data concerning access information such as the number of accesses and stay period for this site from stored data by using web analytics service and some other services.
It is possible to block cookies, if you, as a customer or other visitor, change the settings of your web-browser. In such cases, your ability to use some of the functions of this site may be restricted. Please make contact with the developer and/or distributor of the web-browser that you are using for its setting procedure.
- Group-wide Data Protection Officer and Group-wide Representative for EU and UK Personal Data
＜Group-wide Data Protection Officer for EU and UK Personal Data (G-DPO)＞
GMO Internet Group, Inc.,
Cerulean Tower 4-14F, 26-1 Sakuragaokacho, Shibuya-ku, Tokyo, 150-8512 , Japan.
Email address: firstname.lastname@example.org
＜Representative for EU Personal Data＞
JANSON BAUGNIET CVBA
E-mail address: email@example.com
＜Representative for UK Personal Data＞
Shakespeare Martineau LLP
60 Gracechurch Street
London EC3V 0HR
DX 700 London City
E-mail address: firstname.lastname@example.org
- Claims and Inquiries
You have the right to make a complaint at any time to the data protection supervisory authority in your country. The UK regulator for data protection issues is the Information Commissioner’s Office (www.ico.org.uk). The details of the relevant authorities in other EU countries can be found here: https://edpb.europa.eu/about-edpb/about-edpb/members_en. We would, however, appreciate the chance to deal with your concerns before you approach the supervisory authority, so please contact us in the first instance at the contact details above.
- Disclosure and other requests of EU and UK personal data
Requests for disclosure, correction, addition, deletion, suspension of use, suspension of provision of third party, transferring (data portability) shall be dealt with in the following manner.
Please be aware that we will not accept requests by email or by any method other than that laid out below.
Please print out our prescribed form and fill in necessary information.
After filling in, please enclose the necessary documents, and send them to the following address by certified mail.
GMO Adam, Inc.
SHIBUYA FUKURAS, 1-2-3, Dogenzaka, Shibuya-Ku, Tokyo, 150-0043, Japan
Disclosure and Other Requests Form is below,