Kyocera Cloud Information Manager: Privacy Statement

KYOCERA Document Solutions Europe Management B.V. (“KYOCERA”, “we” or “us”), located at Beechavenue 27, 1119 RA Schiphol-Rijk, The Netherlands, issued this Privacy Statement (“Statement”) to inform you, the user of Kyocera Cloud Information Manager (“KCIM”), about the processing of your personal data when your organization uses KCIM. 

INTRODUCTION

KCIM is a cloud-based document management system that enables organizations to store and easily retrieve the organisation’s documents with the help of KCIM’s indexing and advanced search capabilities. Organizations can classify their uploaded documents and assign the proper attributes for indexing. Organizations can then easily search and retrieve these documents by typing some text, which either relates to a part of the document’s content or the document’s metadata.

The organization using KCIM qualifies as data controller within the meaning of GDPR, and as such is responsible for the processing of your personal data. KYOCERA provides KCIM as a data processor and processes personal data according to our Data Processing Terms and Conditions, available at www.kyoceradocumentsolutions.eu

In this Statement, we will explain in detail the following:

• For which purposes we are processing your personal data;
• On what legal basis we are processing your personal data;
• With whom we share your personal data;
• To which countries we transfer your personal data;
• Third party services or products;
• For how long we keep your personal data;
• Which technical and organizational measures we have taken;
• What your legal rights are concerning us processing your personal data;
• How you can contact us and other important information.

1. FOR WHICH PURPOSES ARE WE PROCESSING YOUR PERSONAL DATA?

• User account management. KYOCERA processes a user’s first and last name, username and email addresses either directly from you or indirectly from a KYOCERA customer (probably your employer or organization) so that we can set-up and manage a user account for you.
• Provision of KCIM. In order to enable the user to use KCIM as agreed, KYOCERA processes metadata related to the files such as file name, document classification, viewing history, log files  and the content of the respective files.
• Remote maintenance. A KYOCERA service engineer may access your personal data, which is processed within the local administrator’s account for bug fixing or trouble shooting purposes. 
• Hosting. KYOCERA uses Google Cloud Platform, Belgium, as a cloud storage provider.

2. ON WHAT LEGAL BASIS ARE WE PROCESSING YOUR PERSONAL DATA?

KYOCERA processes personal data for the purposes mentioned above in order to perform its contractual rights and obligations as agreed with its customers, Article 6(1)(b) GDPR. To the extent that you as a data subject are not party to agreement between Kyocera and its customers, Kyocera processes your personal data based on its legitimate interests, Art. 6(1)(f) GDPR, which is Kyocera’s contractual obligations to perform KCIM-related services.

We have made a careful assessment of your fundamental rights and freedoms and our legitimate business interests and are continuously monitoring the balance. Should you however wish to object to the processing of your personal data please see the section ‘Your rights’ below. Since the processing of personal data is necessary for Kyocera to provide KCIM, please note that your objection to the processing make the use of KCIM impossible for you. 

3. WHO ARE WE SHARING YOUR PERSONAL DATA WITH?

Your personal information shall only be shared with:

• Google Cloud Japan G.K. (Google data center in Belgium), for cloud hosting services.
• KYOCERA Document Solutions Development America, Inc. (CA, USA) for remote maintenance services only in case of emergency;
• KYOCERA Document Solutions, Inc., Japan for remote support services;
• KYOCERA Document Solutions Europe Management B.V., Branch Office Germany, for remote support services
• OPTIMAL SYSTEMS GmbH (Germany) for remote support services
  
• To the extent we are required by law, regulation or court order to disclose your personal data, we may have to share your personal data in compliance with that law, regulation, or court order.
  

4. INTERNATIONAL TRANSFERS

Where we transfer (see above to whom we are sharing your personal data with) your personal data to a service provider which is based in a country that does not provide an adequate level of protection by domestic law according to the European Commission, we have ensured this adequate level of protection by agreeing on additional appropriate safeguards with that group company or third party through the conclusion of Standard Contractual Clauses as adopted by the European Commission and supplementary measures. A list of countries that have ensured an adequate level of protection according to the European Commission can be found here. You may request a copy of the Standard Contractual Clauses by sending us an email, motivating your request. 

Alternatively, we may ask you for your explicit consent to the proposed transfer.

5. THIRD PARTY SERVICES OR PRODUCTS

If you sign into a service or product offered by a third party with your KCIM account, third party user terms and privacy terms will apply.

The terms of use of MS365

https://www.microsoft.com/en-us/microsoft-365/business/international-availability

The terms of the MS365 integration feature of KCIM

https://learn.microsoft.com/ja-jp/microsoft-365/cloud-storage-partner-program/legal/cspp-terms

6. FOR HOW LONG DO WE KEEP YOUR PERSONAL DATA?

Where possible, we have set specific retention periods for keeping your personal data. These specific retention periods are stated below, or we shall communicate these to you at or before we start processing your personal data.

Where it is not possible for us to use set retention periods, we have stated below the criteria that we use to determine the retention periods. 

Specific retention periods

Purpose (A) and (B). We shall keep your personal information related to your user account as long as you have an active user account with us. If you don’t activate your user account within 7 days of creation of the account, we shall erase it. Further, we delete your user account when your organization ceases to use KCIM. Your personal data may be stored after the deletion of your account in case your organization uses your personal data to tag documents.

Your organization determines how long it stores the uploaded files in the system. Once an organization’s KCIM account is deactivated, all data is deleted within 24 hours.

Purpose (C) Remote maintenance. For remote maintenance and support services, KYOCERA may have access to personal data. Personal data that is processed for remote maintenance services will be deleted 7 days after completion of the services.

Criteria for determining retention periods

In any other circumstances, we use the following criteria to determine the applicable retention period:

• The assessment of your fundamental rights and freedoms;
• The purpose(s) of processing your personal data. We shall not keep your personal data longer than is necessary for the purpose(s) we collected it for.
• Any relevant industry practices or codes of conduct on keeping personal data;
• The level of risk and cost associated with keeping your personal data (accurate and up-to-date);
• Whether we have a valid lawful basis to keep your personal data;
• The nature, scope and context of processing of your personal data and our relationship with you;
• Any other relevant circumstances that may apply.

In any case, we shall keep your personal data in compliance with applicable legal requirements and we make periodical reviews of the personal data we hold.

7. WHICH TECHNICAL AND ORGANIZATIONAL MEASURES WE HAVE TAKEN

We take the security of your personal data very seriously and take all reasonable efforts to protect your personal data from loss, misuse, theft, unauthorized access, disclosure or modification. 

For more information regarding IT-Security measures, please read the KCIM Security Whitepaper

8. YOUR RIGHTS

You have certain legal rights that we wish to inform you of. The processing of personal data is necessary to achieve the above-mentioned purposes for KYOCERA to comply with its contractual obligations towards its customers. Where KYOCERA processes your personal data as Data Processor, KYOCERA is obliged to liaise with your organization before realizing your request.

Access. You have the right to be informed on whether we process your personal information or not and to related information on that processing.

Rectification. You have the right to have your personal information rectified or completed by us without undue delay. If you have set up an account with us, you have the possibility to rectify or complete your personal information yourself.

Right to be forgotten. You have the right to have your personal information erased by us without undue delay. This right is limited to specific grounds, for example if you have withdrawn your consent, or if you object and there are no overriding legitimate grounds for us to maintain the processing. If you have an account with us, you have the option to erase your personal data yourself, in which case all your personal data is permanently deleted. In order to prevent that the user account will be deactivated, alternative contact details shall be provided.

Restriction of processing. You have the right to request that we restrict the processing of your personal information based on specific grounds. These are (1) the time for us to verify the accuracy of your personal information on your request; (2) instead of erasure of unlawful processing, you request restriction of use instead; (3) you need personal information in legal proceedings; or (4) we are verifying whether our legitimate grounds override your objection to the processing.

Right to object. You have the right to object at any time to our processing of your personal information if such processing is (1) based on our legitimate interest (including us making a profile of you based on your consent); (2) for direct marketing purposes; or (3) necessary for the performance of a task carried out in the public interest or exercise of official authority vested in us. We shall cease to process your personal information based on your objection, unless we demonstrate compelling legitimate grounds overriding your interests, rights and freedoms or if we need your personal information in legal proceedings.

Data portability. We are required to inform you of your right to receive your personal information from us so that you can transmit that personal information to another service provider.

Consent withdrawal. If you have supplied us with your personal information based on your consent, you have the right to withdraw such consent at any time. You may do so by unsubscribing from the service that you have subscribed to if applicable. You may also do so by sending us an email to the applicable privacy email address as stated below. We shall then permanently remove your personal information from our database.

Lodging a complaint. You have the right to lodge a complaint with a supervisory authority, in particular in the country of your residence, about our processing of your personal information. You can find a complete list of supervisory authorities here.

9. EXERCISING YOUR RIGHTS AND CONTACTING US

At KYOCERA we have a network of privacy professionals available, including Data Protection Officers, to assist you with your queries. If you wish to exercise any of your rights, or you have a question about this document, please contact us via email, or send us a letter to:

KYOCERA Document Solutions Europe Management B.V.
Attn.: Data Protection Officer
Beechavenue 27
1119 RA Schiphol-Rijk
Netherlands

e: privacy@deu.kyocera.com

Or use our data subjects’ request form available at https://www.kyoceradocumentsolutions.eu/en/footer/data-request.html

10. CHANGES TO THIS DOCUMENT 

In the event that we modify this document, we will publish it on our website with a revised publication date and, if applicable, notify you of the changed document via your user account.