Privacy Policy for the NHK Video Bank

1. Purpose

The purpose of this policy is to communicate in a comprehensible manner the basic philosophy and guidelines concerning the protection of the “personal data” that NHK Enterprises, Inc. (hereinafter referred to as “NEP”) acquires through sales operations of broadcast materials to outside Japan (hereinafter referred to as the “Video Bank”) on this Site (which refers to the website for the NHK Video Bank and includes websites for the video distribution system; the same shall apply hereinafter).

2. NEP’s Name, Location and Representative

Please see the following page for NEP’s name, location and representative:
NHK Enterprises Corporate Profile

3. Definitions

(1) In this policy, the meanings of the terms “personal information,” “pseudonymously processed information,” “anonymously processed information,” “information relating to an individual,” “database-stored personal information” (kojin data) and “retained database-stored personal information” (hoyu kojin data) will be the same as those set forth in the Act on the Protection of Personal Information (hereinafter referred to as the “Personal Information Protection Act”) unless otherwise set forth herein.
(2) In this policy, “personal data” will mean “information about a living individual,” consisting of “personal information,” “pseudonymously processed information,” “anonymously processed information” and “information relating to an individual” as defined under the Personal Information Protection Act.

4. Application

(1) This policy applies to the handling of the personal data NEP has acquired through the Video Bank.
(2) The personal data NEP handles in accordance with this policy will include personal information, such as addresses, corporate names, department names, individuals’ names, telephone numbers, email addresses, etc., as well as personal data about the users NEP has acquired through the Video Bank, such as access logs to this Site.

5. Compliance with Relevant Laws, Guidelines, etc.

NEP will handle personal data in a proper manner in compliance with the Personal Information Protection Act, and other relevant laws and guidelines, as well as NEP’s internal rules, etc., concerning the handling of personal data.

6. Acquisition of Personal Data

NEP will acquire personal data by lawful and fair means in the following instances, etc.:
(i) When personal data is provided directly in writing, via the Internet, or other media; and
(ii) When NEP mechanically acquires personal data through a user’s visit to this Site.
In relation to (ii), it is noted that NEP uses Cookies on this Site. A Cookie is a small text file the webserver sends to a user’s browser. NEP also uses Google Analytics on
this Site. Please see this statement for further information on these matters.

7. Purpose of Use

(1) The following are the purposes for which NEP will handle personal data it acquires through the Video Bank:
(i) Purposes relating to the Video Bank:
a) to accept applications for use of services requiring log-ins, to check user identity, and to verify users;
b) to improve and newly develop the Video Bank;
c) to provide the Video Bank in a stable manner;
d) to identify the cause of any problem occurring with the Video Bank and resolve such problem;
e) to prevent an unauthorized or illegal use of the Video Bank;
f) to provide information and conduct other sales activities regarding the Video Bank;
g) to receive feedback or conduct other marketing activities regarding the Video Bank;
(ii) Purposes relating to business communications:
a) to facilitate business negotiation, information exchange, and other business communications with a company which acts as NEP’s customer, prospective customer, and business partner and to which the person concerned with personal data belongs;
(iii) Other purposes:
a) to respond to inquiries regarding NEP’s businesses and services, including the Video Bank;
b) to establish, exercise or protect NEP’s legal rights;
c) to take an action under laws and regulations;
d) for the provision to third parties as described in the next following section;
e) for other purposes NEP will separately notify or publicly announce.
(2) NEP will not handle any personal data beyond the scope necessary for achieving the specified purposes of use, excluding instances permitted under the Personal Information Protection Act.
(3) When analyzing personal data, etc., NEP will exercise care not to infer the attributes, etc., of the persons concerned, except in cases where it has their individual consent.

8. Provision to Third Parties

NEP may provide database-stored personal information to third parties based on the consent of the persons concerned or other legitimate grounds in accordance with the Personal Information Protection Act.

9. Entrustment to Another Entity

When the handling of personal data is being entrusted to another entity, NEP will select a contractor that can handle the said data in a proper manner and provide the necessary supervision to ensure that it exercises proper security management.

10. Retention Period

During the period specified by NEP pursuant to applicable laws and regulations, NEP will retain personal data only to the extent necessary for the purposes described in Section 7 above. Upon the expiration of any prescribed retention period or when the use of the specified data is no longer required, NEP will delete such personal data without delay in accordance with applicable laws and regulations and procedures prescribed by NEP.
Additionally, in specifying the retention period, NEP will take into consideration (a) its duty of retention under laws and regulations; (b) necessity to take actions from the practical point of view; (c) necessity for legal procedures; (d) each individual’s rights to freedom of expression and to information; and (e) necessity for the public interest.

11. Opt-out

NEP will allow the individual to opt-out by a prescribed method some of the personal data that is obtained mechanically through the Video Bank.

12. Security Management Measures

(1) NEP will take necessary and appropriate security control measures for managing personal data,
including the prevention of leakage, loss or damage.
(2) NEP will, in particular, take the following security management measures for database-stored personal information among personal data:
(i) Establishment of regulations concerning the handling of database-stored personal information:
Internal rules will be established concerning the method of handling database-stored personal information, responsible persons and persons in charge, and their responsibilities, etc.
(ii) Organizational and technical security management measures:
NEP acquired the ISMS Certification on August 9, 2010 and established the management system for the protection of database-stored personal information as required by the ISO/IEC27001 standards, and NEP takes appropriate organizational, physical and technical security control measures for managing database-stored personal information, including the prevention of unauthorized access to, and leakage, loss or damage of, database-stored personal information. Furthermore, NEP recognizes the importance of the protection of database-stored personal information and takes human security management measures, including the efforts intended to provide training to, and raise awareness among, officers, employees, etc., who handle database-stored personal information, for the protection of database-stored personal information.

13. Requests, etc. for the Disclosure of Retained Database-Stored Personal Information

Requests for disclosure, modification (including addition and deletion), suspension of use (including removal and suspension of provision to third parties), and notification of purpose of use in respect of retained database-stored personal information under the Personal Information Protection Act will be accepted at the following point of contact:
NHK Enterprises, Inc.
Contact Point for Personal Information
4-14, Kamiyama-cho, Shibuya-ku, Tokyo
https://nhkvideobank.com/contact_form.html

14. Point of Contact for Questions and Complaints

Questions and complaints concerning NEP’s handling of personal data will be accepted at the point of contact indicated in the preceding section.

15. Changes to this Policy

NEP will change this policy as needed. In the event that this policy is changed, NEP will publicly announce the effective date and content of the changed policy on the NEP website or by other appropriate means.

16. Regulation by Foreign Laws

Of the personal data held by NEP, information subject to foreign laws regarding its handling will be handled in compliance with the relevant foreign laws.

17. Additional Information for those Residing in the EEA, the United Kingdom and Switzerland

Those residing in the member countries of the EEA (European Economic Area), the United Kingdom and Switzerland are advised to note the following matters pursuant to General Data Protection Regulation (hereinafter referred to as “GDPR”; except that, for the United Kingdom and Switzerland, the term GDPR is replaced with relevant provisions in the Data Protection Act 2018 / UK GDPR of the United Kingdom or the FADP in Switzerland, respectively). The terms used in this Section 17 have the same meanings as those defined in GDPR. Furthermore, if there is any discrepancy between this Section 17 and other provisions of this policy, this Section will prevail to the extent of such discrepancy for those residing in the EEA member countries, the United Kingdom and Switzerland.

(1) Legal basis of processing personal data:
NEP is the controller of personal data under this policy.

(2) Types of personal data to be collected and used:
NEP will collect and use the following types of personal data in the event of Section 6 above.
(i) name, email address, postal code, address, nationality and telephone number;
(ii) company or organization to which an individual belongs, and such individual’s title;
(iii) business communications with NEP;
(iv) access logs of communications with this site (information included in HTTP requests, such as access source IP addresses).

(3) Legal basis:
NEP relies on the legal basis set forth below for the respective purposes of use of personal data described in Section 7 of this policy.

Purpose of Processing Personal Data	Legal Basis
(i) Purposes relating to the Video Bank:
a) to accept applications for use of services requiring log-ins, to check user identity, and to verify users;	Performance of a contract
b) to improve and newly develop the Video Bank;	Legitimate interest (for the purpose of assessing the usage status of the service and conduct necessary analysis and review in order to enhance user experiences)
c) to provide the Video Bank in a stable manner;	Legitimate interest (for the purpose of assessing the usage status of the service or website and opering them in a stable manner)
d) to identify the cause of any problem occurring with the Video Bank and resolve such problem;	Legitimate interest (for the purpose of identifying the cause of a failure or defect on the service or website and considering improvement measures)
e) to prevent an unauthorized or illegal use of the Video Bank;	Legitimate interest (for the purpose of detecting and protecting against a malicious act on the service or website or an unauthorized act such as an attack on the system and then taking appropriate security measures)
f) to provide information and conduct other sales activities regarding the Video Bank;	Legitimate interest (for the purpose of providing existing customers with information relating to the service such as new contents and new functions and planning and executing other sales activities)
g) to receive feedback or conduct other marketing activities regarding the Video Bank;	Legitimate interest (for the purpose of providing information relating to the service such as new contents and new functions and conducting survey and analysis intended to enhance user satisfaction)
(ii) Purposes relating to business communications:

a) to facilitate business negotiation, information exchange, and other business communications with a company which acts as NEP’s customer, prospective customer, and business partner and to which the person concerned with personal data belongs;	Legitimate interest (for the purpose of continuously facilitating business negotiation, or contractual negotiation, and other communications with representatives of corporate customers, business partners, etc.)
(iii) Other purposes:
a) to respond to inquiries regarding NEP’s businesses and services, including the Video Bank;	Legitimate interest (for the purpose of expeditiously and appropriately responding to inquiries and support requests relating to the business or service)
b) to establish, exercise or protect NEP’s legal rights;	Legitimate interest (for the purpose of establishing, exercising or protecting NEP’s legal rights)
c) to take an action under laws and regulations;	Compliance with a legal obligation
d) for the provision to third parties as described in the next following section;	Legitimate interest (for the purpose of sharing data with data processors within the scope of the purpose of use)
e) for other purposes NEP will separately notify or publicly announce.	Legal basis to be indicated separately

Where the legal basis is the data subject’s consent, the data subject may withdraw the consent at any time. A request for such withdrawal may be made to the point of contact in (8) below.

(4) Provision of Personal Data to Data Processor
In relation to the provision and operation of NEP’s services, NEP may entrust part of the handling operations to external outsourcees (data processors).
Such outsourcees will handle personal data in accordance with NEP’s explicit instructions under the agreement with NEP and will not use such data for their own purposes.
(a) Categories of the outsourcees
The main categories of outsourcees NEP will use are as follows:
cloud service providers;
parties entrusted with customer service operations (operations such as order acceptance, delivery, billing, customer notification, and customer support);
data analysis and marketing support vendors.
(b) Security management measures and agreements
NEP executes a Data Processing Agreement with each such processor pursuant to Article 28 of GDPR and ensures the security of personal data by taking appropriate technical and organizational measures.
Furthermore, NEP conducts assessment and monitoring on a regular basis in order to prevent inappropriate handling of personal data on the part of the processor.
(c) Transfer Beyond EU:
As stated in the next following section.

(5) Cross-border Transfer of Personal Data
Provision of personal data to outsourcees entrusted with the handling of personal data (namely, processors under GRPR) and to third parties may be regarded as cross-border transfer of personal data. When NEP transfers personal data to outside the member countries of the EEA or the United Kingdom, NEP will rely on the adequacy decision made by the European Commission or the government of the United Kingdom, or otherwise execute Standard Contractual Clauses (SCC) adopted by the European Commission, International Data Transfer Agreement (IDTA) approved by the parliament of the United Kingdom, or International Data Transfer Addendum to the European Commission’s Standard Contractual Clauses approved by the parliament of the United Kingdom, and take other necessary measures, thereby protecting personal data appropriately.

(6) Rights of the Data Subject
The data subject has the rights set forth below as prescribed in GDPR with respect to the use of his or her personal data by NEP.
⚫Right to withdraw consent: Where NEP acquires, uses or provides personal data on the basis of the data subject’s consent, the data subject may withdraw such consent at any time.
⚫Right of access: The data subject may inquire, confirm and request a copy with respect to the personal data held by NEP.
⚫Right to rectification: If the personal data held by NEP is inaccurate, the data subject may request rectification. Also, if the personal data held by NEP is incomplete, the data subject has the right to request to have it completed.
⚫Right to erasure: Under certain conditions prescribed in Article 17 of GDPR and comparable laws and regulations, the data subject may request erasure of the personal data concerning the self without unreasonable delay.
⚫Right to restriction of processing: Under certain conditions prescribed in Article 18 of GDPR and comparable laws and regulations, the data subject may request that the handling of the personal data be restricted.
⚫Right to object: Under certain conditions prescribed in Article 21 of GDPR and comparable laws and regulations, the data subject may file an objection with respect to the handling of the personal data.
⚫Right to data portability: Under certain conditions prescribed in Article 20 of GDPR and comparable laws and regulations, the data subject has the right to receive the personal data concerning him or her in a structured, commonly used and machine-readable format and has the right to transmit those data to another controller without hindrance from NEP.
⚫Automated individual decision: Under certain conditions prescribed in Article 22 of GDPR and comparable laws and regulations, the data subject has the right not to be subject to a decision based solely on automated processing, including profiling.
If you wish to exercise these rights, or if you have any questions about these rights, please contact NEP in accordance with (8) below.

(7) Filing of Complaint to the Data Protection Authority
With regard to the handling of personal data by NEP, the data subject may file a complaint to the competent data protection authority in the area of his or her residency. The contact information of the competent data protection authority can be found on the following websites:
EEA: https://edpb.europa.eu/about-edpb/aboutedpb/members_en
United Kingdom: https://ico.org.uk/
Switzerland: https://www.edoeb.admin.ch/edoeb/en/home.html

(8) Inquiries
NHK Enterprises, Inc., which processes the personal data of individuals in the European Union, European Economic Area and UK, in either the role of ‘data controller’ or ‘data processor’, has appointed DataRep as its Data Protection Representative for the purposes of GDPR* in the EU/EEA and The Data Protection Act 2018 / UK GDPR (as amended) in the UK, and FADP** in Switzerland.

If NHK Enterprises, Inc. has processed or is processing your personal data, you may be entitled to exercise your rights under GDPR/FADP in respect of that personal data. For more details on the rights you have in respect of your personal data, please refer to the national Data Protection Authority in your country, the European Commission in the EU (https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en) or the Federal Data Protection and Information Commission in Switzerland (https://www.edoeb.admin.ch/edoeb/en/home.html).

NHK Enterprises, Inc. takes the protection of personal data seriously, and has appointed DataRep as their Data Protection Representative in the European Union and Switzerland so that you can contact them directly in your home country. DataRep has locations in each of the 27 EU countries, the UK, and Norway & Iceland in the European Economic Area (EEA) and Switzerland, so that NHK Enterprises, Inc.’s customers can always raise the questions they want with them.

If you want to raise a question to NHK Enterprises, Inc., or otherwise exercise your rights in respect of your personal data, you may do so by:
•sending an email to DataRep at datarequest@datarep.com quoting < NHK Enterprises, Inc.> in the subject line,
•contacting us on our online webform at www.datarep.com/data-request, or
•mailing your inquiry to DataRep at the most convenient of the addresses in the subsequent pages.

PLEASE NOTE: when mailing inquiries, it is ESSENTIAL that you mark your letters for ‘DataRep’
and not ‘NHK Enterprises, Inc.’, or your inquiry may not reach us. Please refer clearly to NHK Enterprises, Inc. in your correspondence. On receiving your correspondence, NHK Enterprises, Inc. is likely to request evidence of your identity, to ensure your personal data and information connected with it is not provided to anyone other than you.

If you have any concerns over how DataRep will handle the personal data we will require to undertake our services, please refer to our privacy notice at www.datarep.com/privacy-policy.

Signed on behalf of the Representative:



Tim Bell, Managing Director
* The General Data Protection Regulation, EU 2016/679
** Federal Act on Data Protection, AS 2022 491


Please ensure request is addressed to ‘DataRep’ and not NHK Enterprises, Inc.

Country	Address
Austria	DataRep, City Tower, Brückenkopfgasse 1/6. Stock, Graz, 8020, Austria
Belgium	DataRep, Rue des Colonies 11, Brussels, 1000
Bulgaria	DataRep, 132 Mimi Balkanska Str., Sofia, 1540, Bulgaria
Croatia	DataRep, Ground & 9th Floor, Hoto Tower, Savska cesta 32, Zagreb, 10000, Croatia
Cyprus	DataRep, Victory House, 205 Archbishop Makarios Avenue, Limassol, 3030, Cyprus
Czech Republic	DataRep, Platan Office, 28. Října 205/45, Floor 3&4, Ostrava, 70200, Czech Republic
Denmark	DataRep, Lautruphøj 1-3, Ballerup, 2750, Denmark
Estonia	DataRep, 2nd Floor, Tornimae 5, Tallinn, 10145, Estonia
Finland	DataRep, Luna House, 5.krs, Mannerheimintie 12 B, Helsinki, 00100, Finland
France	DataRep, 72 rue de Lessard, Rouen, 76100, France
Germany	DataRep, 3rd and 4th floor, Altmarkt 10 B/D, Dresden, 01067, Germany
Greece	DataRep, Ippodamias Sq. 8, 4th floor, Piraeus, Attica, Greece
Hungary	DataRep, President Centre, Kálmán Imre utca 1, Budapest, 1054, Hungary
Iceland	DataRep, Laugavegur 13, 101 Reykjavik, Iceland
Ireland	DataRep, The Cube, Monahan Road, Cork, T12 H1XY, Republic of Ireland
Italy	DataRep, Viale Giorgio Ribotta 11, Piano 1, Rome, Lazio, 00144, Italy
Latvia	DataRep, 4th & 5th floors, 14 Terbatas Street, Riga, LV-1011, Latvia
Liechtenstein	DataRep, City Tower, Brückenkopfgasse 1/6. Stock, Graz, 8020, Austria
Lithuania	DataRep, 44A Gedimino Avenue, 01110 Vilnius, Lithuania
Luxembourg	DataRep, BPM 335368, Banzelt 4 A, 6921, Roodt-sur-Syre, Luxembourg
Malta	DataRep, Tower Business Centre, 2nd floor, Tower Street, Swatar, BKR4013, Malta
Netherlands	DataRep, Cuserstraat 93, Floor 2 and 3, Amsterdam, 1081 CN, Netherlands
Norway	DataRep, C.J. Hambros Plass 2c, Oslo, 0164, Norway
Poland	DataRep, Budynek Fronton ul Kamienna 21, Krakow, 31-403, Poland
Portugal	DataRep, Torre de Monsanto, Rua Afonso Praça 30, 7th floor, Algès, Lisbon, 1495-061, Portugal
Romania	DataRep, 15 Piaţa Charles de Gaulle, nr. 1-T, Bucureşti, Sectorul 1, 011857, Romania
Slovakia	DataRep, Apollo Business Centre II, Block E / 9th floor, 4D Prievozska, Bratislava, 821 09, Slovakia
Slovenia	DataRep, Trg. Republike 3, Floor 3, Ljubljana, 1000, Slovenia
Spain	DataRep, Calle de Manzanares 4, Madrid, 28005, Spain
Sweden	DataRep, S:t Johannesgatan 2, 4th floor, Malmo, SE - 211 46, Sweden
Switzerland	DataRep, Leutschenbachstrasse 95, ZURICH, 8050, Switzerland
United Kingdom	DataRep, 107-111 Fleet Street, London, EC4A 2AB, United Kingdom