KYOCERA Document Solutions Europe B.V. (“KYOCERA”, “we” or “us”), located at Beechavenue 27, 1119 RA Schiphol-Rijk, The Netherlands, issued this Privacy Statement (“Statement”) to inform you, the user of Kyocera Cloud Information Manager (“KCIM”), about the processing of your personal data when your organization uses KCIM.
KCIM is a cloud-based document management system that enables organizations to store and easily retrieve the organisation’s documents with the help of KCIM’s indexing and advanced search capabilities. Organizations can classify their uploaded documents and assign the proper attributes for indexing. Organizations can then easily search and retrieve these documents by typing some text, which either relates to a part of the document’s content or the document’s metadata.
The organization using KCIM qualifies as data controller within the meaning of GDPR, and as such is responsible for the processing of your personal data. KYOCERA provides KCIM as a data processor and processes personal data according to our Data Processing Terms and Conditions, available at www.kyoceradocumentsolutions.eu
In this Statement, we will explain in detail the following:
KYOCERA processes personal data for the purposes mentioned above in order to perform its contractual rights and obligations as agreed with its customers, Article 6(1)(b) GDPR. To the extent that you as a data subject are not party to agreement between Kyocera and its customers, Kyocera processes your personal data based on its legitimate interests, Art. 6(1)(f) GDPR, which is Kyocera’s contractual obligations to perform KCIM-related services.
We have made a careful assessment of your fundamental rights and freedoms and our legitimate business interests and are continuously monitoring the balance. Should you however wish to object to the processing of your personal data please see the section ‘Your rights’ below. Since the processing of personal data is necessary for Kyocera to provide KCIM, please note that your objection to the processing make the use of KCIM impossible for you.
Your personal information shall only be shared with:
Where we transfer (see above to whom we are sharing your personal data with) your personal data to a service provider which is based in a country that does not provide an adequate level of protection by domestic law according to the European Commission, we have ensured this adequate level of protection by agreeing on additional appropriate safeguards with that group company or third party through the conclusion of Standard Contractual Clauses as adopted by the European Commission and supplementary measures. A list of countries that have ensured an adequate level of protection according to the European Commission can be found here. You may request a copy of the Standard Contractual Clauses by sending us an email, motivating your request.
Alternatively, we may ask you for your explicit consent to the proposed transfer.
If you sign into a service or product offered by a third party with your KCIM account, third party user terms and privacy terms will apply.
The terms of the MS365 integration feature of KCIM
Where possible, we have set specific retention periods for keeping your personal data. These specific retention periods are stated below, or we shall communicate these to you at or before we start processing your personal data.
Where it is not possible for us to use set retention periods, we have stated below the criteria that we use to determine the retention periods.
Specific retention periods
Purpose (A) and (B). We shall keep your personal information related to your user account as long as you have an active user account with us. If you don’t activate your user account within 7 days of creation of the account, we shall erase it. Further, we delete your user account when your organization ceases to use KCIM. Your personal data may be stored after the deletion of your account in case your organization uses your personal data to tag documents.
Your organization determines how long it stores the uploaded files in the system. Once an organization’s KCIM account is deactivated, all data is deleted within 24 hours.
Purpose (C) Remote maintenance. For remote maintenance and support services, KYOCERA may have access to personal data. Personal data that is processed for remote maintenance services will be deleted 7 days after completion of the services.
Criteria for determining retention periods
In any other circumstances, we use the following criteria to determine the applicable retention period:
In any case, we shall keep your personal data in compliance with applicable legal requirements and we make periodical reviews of the personal data we hold.
We take the security of your personal data very seriously and take all reasonable efforts to protect your personal data from loss, misuse, theft, unauthorized access, disclosure or modification.
For more information regarding IT-Security measures, please read the KCIM Security Whitepaper
You have certain legal rights that we wish to inform you of. The processing of personal data is necessary to achieve the above-mentioned purposes for KYOCERA to comply with its contractual obligations towards its customers. Where KYOCERA processes your personal data as Data Processor, KYOCERA is obliged to liaise with your organization before realizing your request.
Access. You have the right to be informed on whether we process your personal information or not and to related information on that processing.
Rectification. You have the right to have your personal information rectified or completed by us without undue delay. If you have set up an account with us, you have the possibility to rectify or complete your personal information yourself.
Right to be forgotten. You have the right to have your personal information erased by us without undue delay. This right is limited to specific grounds, for example if you have withdrawn your consent, or if you object and there are no overriding legitimate grounds for us to maintain the processing. If you have an account with us, you have the option to erase your personal data yourself, in which case all your personal data is permanently deleted. In order to prevent that the user account will be deactivated, alternative contact details shall be provided.
Restriction of processing. You have the right to request that we restrict the processing of your personal information based on specific grounds. These are (1) the time for us to verify the accuracy of your personal information on your request; (2) instead of erasure of unlawful processing, you request restriction of use instead; (3) you need personal information in legal proceedings; or (4) we are verifying whether our legitimate grounds override your objection to the processing.
Right to object. You have the right to object at any time to our processing of your personal information if such processing is (1) based on our legitimate interest (including us making a profile of you based on your consent); (2) for direct marketing purposes; or (3) necessary for the performance of a task carried out in the public interest or exercise of official authority vested in us. We shall cease to process your personal information based on your objection, unless we demonstrate compelling legitimate grounds overriding your interests, rights and freedoms or if we need your personal information in legal proceedings.
Data portability. We are required to inform you of your right to receive your personal information from us so that you can transmit that personal information to another service provider.
Consent withdrawal. If you have supplied us with your personal information based on your consent, you have the right to withdraw such consent at any time. You may do so by unsubscribing from the service that you have subscribed to if applicable. You may also do so by sending us an email to the applicable privacy email address as stated below. We shall then permanently remove your personal information from our database.
Lodging a complaint. You have the right to lodge a complaint with a supervisory authority, in particular in the country of your residence, about our processing of your personal information. You can find a complete list of supervisory authorities here.
At KYOCERA we have a network of privacy professionals available, including Data Protection Officers, to assist you with your queries. If you wish to exercise any of your rights, or you have a question about this document, please contact us via email, or send us a letter to:
KYOCERA Document Solutions Europe B.V.
Attn.: Data Protection Officer
1119 RA Schiphol-Rijk
Or use our data subjects’ request form available at https://www.kyoceradocumentsolutions.eu/en/footer/data-request.html
In the event that we modify this document, we will publish it on our website with a revised publication date and, if applicable, notify you of the changed document via your user account.