Last updated and effective as of 23rd May 2018.
For LINE Pay Corporation (hereinafter the “Company”) the protection of your privacy is a primary concern.
Please note that whilst the Company is not actively targeting persons within the European Union, its services are not blocked for persons in the European Union who may want to use the services offered and made available by the Company (including LINE Pay mobile and web applications) (hereinafter the “Company Services”).
If you are dissatisfied with any aspect of our Addendum for GDPR, you may have legal rights which we have described below where relevant.
2. Description of the Company’s activities
The Company’s commercial activity consists in providing you with payment services enabling you to make payments with a credit card registered with the Company at online and offline LINE Pay merchants.
3. Definitions & interpretation
In this Addendum for GDPR, unless the context otherwise requires:
• a reference to a document is a reference to that document as modified or replaced from time to time.
• a reference to a person shall include any company, corporation or any corporate body wherever incorporated.
• words importing the singular shall be treated as importing the plural and vice-versa.
• unless expressly stated otherwise, any heading, caption or section title contained in this Addendum for GDPR is inserted only as a matter of convenience and in no way defines or explains any section or provision hereof.
4. Data controller & data protection officer
The Company, a LINE Pay Corporation incorporated under the laws of Japan, whose registered office is at JR Shinjuku Miraina Tower 23rd Fl. 4-1-6 Shinjuku-ku, Tokyo, 160-0022, Japan is the legal entity responsible for the collection and processing of your Personal Data.
As regards the processing of Personal Data concerning persons within the European Union, the Company has designated the following representative in the European Union:
Representative: LINE BitOne Exchange S.A. (located in Luxembourg)
Contact details: firstname.lastname@example.org
The representative is mandated by the Company to be the recipient on behalf of the Company of all issues related to processing of Personal Data concerning persons within the European Union.
5. Categories of Personal Data collected and processed
5.1. Categories of Personal Data collected directly from you
5.2. Categories of Personal Data collected from other sources (LINE Corporation)
5.3. Cookies and Similar Technology
5.4 Possible consequences of a refusal to provide your Personal Data or to consent to the transfer of your Personal Data
A number of the personal data we collect from you are required to enable us to fulfil our contractual duties to you or to others. Other items may simply be needed to ensure that our relationship can run smoothly.
Depending on the type of personal data in question and the grounds on which we may be processing it, should you decline to provide us with such data, we may not be able to fulfil our contractual requirements or, in extreme cases, may not be able to continue providing the Company Services.
Your refusal to give your express consent to the transfer of your Personal Data outside the European Union as detailed below in such a case where we will then be unable to provide you with the Company Services.
6. The purposes of the processing
7. Legal bases allowing to collect and process your Personal Data
7.1. The collection and processing of your Personal Data by the Company in relation to the Company Services is lawful as:
• it is necessary for the performance of a contract to which you are party or in order to take steps, at your request, prior to entering into such contract.
• you have, if expressly set forth, given your consent to the processing of your Personal Data for certain purposes outlined in the consent request.
• it is necessary for the purposes of the Company’s legitimate interests which are not overridden by your interests or fundamental rights and freedoms. The Company’s legitimate purposes consist in particular in the promotion of its economic activities and in the effective provision of the Company Services, as those will allow the Company to generate profits and to attract new customers.
8. Conditions applicable to your consent
Please note that you have at any time the right to withdraw your consent and we will cease to carry out that particular activity unless we consider that there is an alternative legal basis to justify our continued processing of your data for this purpose, in which case we will inform you of this condition. The withdrawal of your consent shall however not affect the lawfulness of processing based on your consent before its withdrawal.
9. Age limit
The Company Services shall only be used by persons that are over 18 years old.
10. Keeping your Personal Data up-to-date
You shall ensure that all your Personal Data processed by the Company are accurate, complete, true, correct and up to date. Your failure to do so may result in you being unable to use the Company Services. The Company shall not be liable for keeping and processing inaccurate information in case that you did not respect your obligation to keep your Personal Data up-to-date.
11. Your data protection rights
To exercise your data protection rights outlined in this section, you can contact the Company by sending an email to email@example.com
Please make clear in your request which Personal Data you would like to:
• request the restriction of processing; or
• request erasure.
Please note that we may keep a record of your communications to help us resolve any issues which you raise.
Please be aware that your data protection rights are not absolute and it remains that, in accordance with applicable data protection laws, your rights may be withheld. In such event, the Company will provide you with the reasons for not complying with your request.
The Company shall process your request as soon as reasonably practicable and the Company will provide you with information on actions taken without undue delay and in any event within one month of receipt of your request. This period may be extended by a further two months where necessary, taking into account the complexity and number of your request. In this event the Company will inform you of any such extension within one month of the receipt of your request, together with the reasons for the delay.
In the event that the Company decides to not comply with your request or has not processed your request within the aforesaid timeframe, you can lodge a complaint with the national supervisory authority (see below) and you can seek a judicial remedy against the Company’s decision.
11.2. Your right to access, rectification, restriction of processing and erasure of your Personal Data & your right to data portability
You have, if applicable and within the limits of applicable data protection laws, the ability to request access to your Personal Data as processed by the Company and to seek the rectification or erasure of your Personal Data or to request the restriction of their processing.
You have, within the limits of applicable data protection laws, the right to receive the Personal Data you have submitted to the Company in a structured, commonly used and machine-readable format and to transmit such Personal Data to another controller without hindrance. The Company will, where applicable and technically feasible, transmit your Personal Data directly to the data controller of your choice.
11.3. Your right to object
If applicable in accordance with applicable data protection legislation, you have the right to object, on grounds relating to your particular situation, at any time, to the processing of your Personal Data by the Company, unless:
(a) there exist compelling legitimate grounds for such processing which override your interests, rights and freedoms; or
(b) the processing is necessary for the establishment, exercise or defence of legal claims.
Notwithstanding the foregoing, please be aware that you have the right to object at any time to processing of your Personal Data for direct marketing purposes. In this event, you may opt-out of such processing by sending an email to firstname.lastname@example.org
12. International transfers of Personal Data
The Company's servers are located in Japan and South Korea, meaning that your Personal Data will be initially collected and stored in these locations.
Please be aware that South Korea and Japan have not been certified by the European Commission as ensuring an adequate level of protection under European data protection law for your Personal Data.
Considering the absence of an adequate level of protection for your Personal Data in South Korea and Japan, the Company will enter into standard data protection clauses approved by the European Commission to protect your Personal Data whenever it is being transferred between entities located outside of the European Union.
13. Disclosure and Sharing of Personal Data
The Company may disclose and/or share your Personal Data with the following categories of recipients:
• LINE group entities;
• Tax, audit, or other authorities, when we believe that the law or other regulation requires us to share this data (for example, because of a request by a tax authority or in connection with any anticipated litigation);
• Third party service providers who perform functions on our behalf (including technical support functions and IT consultants carrying out testing and development work on our business technology systems);
• Third party outsourced IT providers where we have an appropriate data processing agreement (or similar protections) in place; and
• If a LINE entity merges with or is acquired by another business or company in the future, we may share your personal data with the new owners of the business or company (and provide you with notice of this disclosure).
14. Security of Personal Data
The Company protects your Personal Data by using appropriate administrative, technical and organisational security measures to reduce the risks of loss, theft, misuse, unauthorised access, disclosure, destruction and alteration of your Personal Data including:
• The Company stores critical Personal Data using encryption;
• The Company encrypts with SSL, HTTPS, and TLS protocols;
• The Company regularly scans the Company website and Company mobile application to detect vulnerabilities and security issues. The Company implements security measures to address identified security issues as soon as possible;
• The Company regularly performs internal and external penetration testing to validate security levels;
• The Company operates a 24x7 CSIRT (Computer Security Incident Response Team) to monitor security events;
• The Company operates a Risk Management team to monitor any suspicious or potentially fraudulent activities connected with Company Services;
• The Company conducts security awareness training for employees on an annual basis;
• The Company has a security policy in order to secure the confidentiality, integrity, and availability of Personal Data;
• Access to Personal Data is granted with approval and is based on a “need-to-know” policy; and
• The Company has obtained and maintains ISO/IEC27001(Information Security Management System) and PCI-DSS (Payment Card Industry Data Security Standard) certifications.
The Company security measures will be reviewed regularly in light of relevant legal and technical developments. Please be, however, aware that today no processing, transmission or storage of data, including Personal Data – even in high security environments and notwithstanding any appropriate security measure – ensures an absolute protection and can for example be subject to hacks and/or attacks.
If you have reason to believe that your Personal Data is no longer secure, you shall immediately notify such risk to the Company by contacting us at email@example.com
15. External Websites
Occasionally, the Company Services may provide references or links to, or facilitate access to other websites or other online services, including applications (hereinafter "External Websites or Apps").
The Company does not control such External Websites or Apps or any of their content.
The Company shall in no way be responsible or liable for such External Websites or Apps to which the Company makes reference or provides a link thereto, whether directly or indirectly. The Company shall in particular be in no way responsible or liable for External Websites' or App’s content, any information displayed thereon, policies, privacy standards, failures, promotions, products, any practice, services or actions and/or any damages, losses, failures or problems caused by, related to, or arising from those sites.
Please be aware that the inclusion of a link or any other reference within the Company Services does not imply endorsement of an External Website or App by the Company and it remains that such External Websites or Apps have separate and independent privacy policies. The Company consequently encourages you to review the policies, rules, terms, privacy practices and regulations of each site that you visit.
The Company seeks to protect the integrity of the Company Services and thus welcomes any feedback about External Websites or Apps referred to within the Company Services.
16. Storage of your Personal Data
Without prejudice to the Company’s right to further process your Personal Data for purposes that are not incompatible with the initial purpose, and subject to the Company’s own legal and regulatory obligations, the Company retains your Personal Data only for as long as necessary to fulfil the purposes described in the Policies, or as required by the laws of Japan.
After the storage of your Personal Data is no longer necessary, including for our record keeping obligations, the Company shall proceed to the erasure of your Personal Data in a secure manner.
17. Updates to this Addendum for GDPR
The Company reserves the right to revise, change, modify, update, supplement, add or remove portions of the EU Privacy Documentation, at any time, in an exercise of its sole discretion. When the Company makes such changes to the EU Privacy Documentation, the Company will notify such changes to you by making the amended EU Privacy Documentation available on the Company website and the Company mobile application (“amended EU Privacy Documentation”). It is your responsibility to review the amended EU Privacy Documentation.
Your continued use of The Company subsequent to the notification of such changes, or the absence of any objection thereto within thirty days from the date the amended EU Privacy Documentation have been made available on the Company Website and the Company mobile application, constitutes your acknowledgement of the amended EU Privacy Documentation.
18. Merger/Corporate Acquisition
If the Company merges with another company or entity, of whatsoever form, or is partially or entirely acquired by such company or entity, the acquiring company or entity shall have access to all your Personal Data in the Company’s possession. Without prejudice to the right to update the present Addendum for GDPR, the acquiring company or entity shall be bound by this Addendum for GDPR.
19. Questions or complaints
If you have questions or concerns about the EU Privacy Documentation or seek additional information about the processing activities carried out by the Company when providing the Company Services, you can contact us using the contact details below:
If you do not feel satisfied with the response given or actions taken, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your residence, your place of work or of the place of the alleged violation.
20. Applicable law & jurisdiction
This Addendum for GDPR shall be governed by and construed in accordance with the laws of Japan, excluding to the largest extent legally permitted by law any provisions of Japanese private international law as well as any provision of law that would result in the application of the law of a different jurisdiction. This shall be without prejudice to the protection of the mandatory provisions of the law of another Member State of the European Union that would be applicable in the absence of the present paragraph.
Any disputes arising from this Addendum for GDPR shall be subject to the exclusive jurisdiction of the Courts of Japan.