Privacy Policy for the General Data Protection Regulation

Sanrio Company, Ltd. (“Sanrio”) may have occasion to collect and process Personal Data (as defined below). This Privacy Policy (this “Policy”) applies to the processing of Personal Data concerning data subjects in the European Economic Area (“EEA”) in accordance with the General Data Protection Regulation (the “GDPR”).

1. Personal Data

In this Policy, Personal Data means any data relating to an identified or identifiable natural person (“Personal Data”). Sanrio may acquire and process Personal Data, including the name, address, telephone number, gender, nationality, occupation, job title, and email address of a natural person in the EEA.

2. Use of Personal Data

Sanrio acquires and processes Personal Data for the following purposes:

• Providing services to relevant clients;
• Legitimate business interests, such as undertaking business research and analysis or managing the operation of the business
• Public relations, such as responding to inquiries
• Engaging in marketing and business development activities in relation to the services. This may include sending client newsletters, marketing communications and other information that may be of interest to them;
• Defense of certain rights or interests;
• Compliance with legal and regulatory obligations that Sanrio has to discharge; and
• Managing customer relationships

 

Sanrio relies on the following legal grounds to process Personal Data:

• The data subject’s consent expressly given to process his/her Personal Data in such manner. The data subject may withdraw his/her consent to this processing at any time; however, this will not affect the lawfulness of any processing carried out before withdrawal of the consent;
• Entering into a contract with a data subject or performing obligations under a contract with a data subject;
• Legitimate interests, some examples of which are given above; and
• Compliance with applicable laws or regulations

3. Disclosure to Third Parties

Sanrio may supply or disclose Personal Data, without the data subjects’ prior consent, to Sanrio’s group companies and other third parties that are Sanrio’s service assignees. Sanrio may also supply or disclose Personal Data to third parties when it is necessary for some other justifiable reason permitted by the laws and regulations.

4. Cross-Border Transfer

Personal Data may be transferred to entities in countries or jurisdictions outside the EEA, such as Japan, if required for the purposes as described above. Please note that such countries or jurisdictions may not have the same data protection laws as the EEA and will not afford many of the rights conferred upon data subjects in the EEA. Sanrio will ensure that any such international transfers are made subject to appropriate and suitable safeguards as required by the GDPR or other relevant laws. When doing so, Sanrio will comply with applicable data protection requirements and take appropriate safeguards to ensure the security and integrity of Personal Data.

5. Retention of Personal Data

Sanrio will retain Personal Data for the period necessary to fulfill the purposes outlined in this Policy, unless a longer retention period is required or permitted by law.

6. Rights of Data Subjects

Data subjects have the right to access, request correction of, request deletion of, request the limitation of processing of, object to the processing of, and request the data portability of their Personal Data retained by Sanrio. When Sanrio receives a request based on the right specified above, Sanrio shall conduct any necessary investigation without delay and provide data subjects or nominated third parties with Personal Data or respond to such rights without delay.

 

While there will not generally be any detrimental effects for the data subjects if they fail to provide their Personal Data, Sanrio may need to collect Personal Data to process data subjects’ instructions or perform contracts with them. In such case, Sanrio may have to cancel the engagement or contract such data subjects have with Sanrio, and will notify them thereof at that time.

7. Right to Lodge Complaint with Data Protection Authority

Data subjects have the right to lodge a complaint with the local data protection authority if they have a complaint with regard to Sanrio’s processing of their Personal Data.

8. Contact

For any questions about this Policy, Sanrio’s privacy practices or your rights described in “Section 6. Rights of Data Subjects”, please contact us at the following:

Enacted as of 8 February, 2023