SmartHR, Inc. (hereinafter referred to as "SmartHR") handles personal data entrusted to it by its Users (as defined in Article 2, Paragraph 1 of the SmartHR Terms of Service) in connection with providing the services offered under the name "SmartHR" and any related services (hereinafter collectively referred to as the "Services").
This page describes SmartHR's current data handling practices, including its security control measures. Please note that the contents of this page are subject to change at SmartHR's discretion without prior notice.
1. Security Control Measures
SmartHR shall implement necessary and appropriate measures to ensure the secure management of personal data entrusted to SmartHR by Users and to prevent unauthorized disclosure, loss, or damage of such data (hereinafter referred to as "Security Control Measures"). As detailed in Appendix 1, these Security Control Measures include:
- Measures to pseudonymize or encrypt personal data.
- Measures to ensure the ongoing confidentiality, integrity, availability, and resilience of SmartHR's systems and services.
- Measures to restore the availability of and access to personal data in a timely manner following a technical incident.
2. Supervision of Employees and Sub-Contractors
SmartHR shall implement the following measures to ensure confidentiality:
- Grant access to personal data entrusted to SmartHR by Users to employees and sub-contractors only to the extent necessary to follow instructions.
- Implement appropriate procedures to ensure that employees and sub-contractors comply with security measures applicable to their scope of work.
- Require all persons authorized to handle personal data entrusted to SmartHR by Users to undertake confidentiality obligations or place them under an appropriate statutory obligation of confidentiality.
3. Sub-Processing
(1) Consent to Sub-Processing
- Users consent to SmartHR entrusting the handling of personal data to sub-contractors for the purpose of providing the Services.
(2) Requirements for Engaging Sub-Contractors
- SmartHR shall conclude written contracts with sub-contractors and impose conditions on them that ensure a level of personal data protection equivalent to or higher than that of SmartHR.
- SmartHR shall remain responsible for the compliance of the sub-contractors it engages and for any breach of SmartHR's obligations under the SmartHR Terms of Service caused by the acts or omissions of such sub-contractors.
4. Rights of Individuals
- If SmartHR receives a direct request from an individual concerning personal data entrusted to SmartHR by a User, SmartHR shall promptly notify the User and advise the individual to submit the request to the User. The User shall be solely responsible for responding to such inquiries or requests from individuals.
- Taking into account the nature of the processing of personal data, SmartHR shall, to the extent possible, assist the User by means of appropriate security control measures in enabling the User to fulfill its obligations under applicable data protection laws and regulations to respond to requests from individuals.
5. Assistance for Security Control Measures
- Taking into account the nature of the processing of personal data, SmartHR shall assist Users in ensuring the implementation of security control measures required under applicable data protection laws by implementing and maintaining its own Security Control Measures.
6. Notification of Data Breaches
- If SmartHR becomes aware of an unauthorized disclosure of data or similar incident (hereinafter referred to as a "Data Breach") concerning personal data entrusted to SmartHR by Users, SmartHR shall promptly take reasonable measures to minimize damage and protect the data. SmartHR shall notify the User affected by the Data Breach promptly and without undue delay.
- Notification of a Data Breach shall be made via means selected by SmartHR, including email. Users are solely responsible for maintaining accurate contact information and ensuring secure communication at all times.
- Users are solely responsible for complying with their own obligations regarding Data Breaches under applicable data protection laws, including fulfilling any notification obligations to third parties.
- SmartHR's fulfillment of its obligation to provide Data Breach notifications or other related duties shall not be construed as an admission of fault or liability regarding the incident.
7. Deletion or Return of User's Retained Personal Data
- Upon termination or expiration of the Services, SmartHR shall return or delete the User's retained personal data in accordance with applicable data protection laws and the procedures defined in these Principles.
8. Audits
(1) To verify the adequacy of SmartHR's Security Control Measures, SmartHR shall have its data handling practices audited by qualified auditors selected by SmartHR.
- Audits shall be conducted at least once a year.
- Audits shall be conducted at SmartHR's expense.
(2) To enable the User to supervise SmartHR as a contractor under Japan's Act on the Protection of Personal Information (hereinafter referred to as "APPI"), SmartHR shall provide, including through Appendix 1 and other means selected by SmartHR, the information necessary for the User to understand how SmartHR handles personal data.
(3) SmartHR does not permit on-site inspections by Users.
9. Data Transfer
- In accordance with the APPI, when transferring personal data entrusted to SmartHR by Users to a third party outside of Japan, SmartHR shall, in principle, only transfer such data to countries recognized by the rules of the Personal Information Protection Commission as having personal information protection frameworks at a level equivalent to Japan for the protection of individual rights and interests.
- If SmartHR transfers personal data entrusted to SmartHR by Users to a country other than those specified in the preceding paragraph, SmartHR shall ensure that the transfer complies with the APPI by confirming that the third party has established a framework that meets the standards prescribed by the rules of the Personal Information Protection Commission.
Appendix 1: Implementation of Security Control Measures
SmartHR implements the following security control measures in accordance with the Guidelines on the APPI (General Rules Edition).
1. Establishment of Basic Policies
SmartHR has established and disclosed a Privacy Policy to ensure the proper handling of personal data as an organization.
2. Establishment of Rules for Handling Personal Data
To prevent the unauthorized disclosure of personal data and ensure its secure management, SmartHR has established specific rules for its handling. These rules include, but are not limited to, the security control measures described below. To maintain security, these internal rules are not made public.
3. Organizational Security Control Measures
SmartHR implements the following organizational Security Control Measures:
- An organizational structure for the handling of personal data.
- Operation in accordance with rules governing the handling of personal data.
- Methods for confirming the status of personal data handling.
- A system for responding to incidents such as unauthorized disclosures.
- Assessment of the status of personal data handling and review of Security Control Measures.
4. Personnel Security Control Measures
As a personnel Security Control Measure, SmartHR ensures that employees are properly instructed on the handling of personal data and provides them with appropriate training.
5. Physical Security Control Measures
SmartHR has implemented the following as physical security control measures:
- Control of areas where personal data is handled.
- Prevention of theft of equipment and electronic media.
- Prevention of unauthorized disclosure when carrying electronic media.
- Deletion of personal data and disposal of equipment and electronic media.
6. Technical Security Control Measures
SmartHR has implemented the following as technical security control measures:
- Access control.
- Identification and authentication of persons with access.
- Prevention of unauthorized access from external sources.
- Prevention of unauthorized disclosure associated with the use of information systems.
7. Assessment of the External Environment
When SmartHR handles personal data outside Japan, it assesses the relevant personal information protection frameworks and other relevant circumstances in the country concerned, and then takes necessary and appropriate measures to ensure the secure management of that personal data.