Throughout this policy the following terms have the following meanings:

• ‘consent’ means any freely given, specific, informed and unambiguous indication of an individual’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
• ‘data controller’ means an individual or organisation which, alone or jointly with others, determines the purposes and means of the processing of personal data;
• ‘data processor’ means an individual or organisation which processes personal data on behalf of the data controller;
• ‘personal data’ means any information relating to an individual who can be identified, such as by a name, an identification number, location data or an online identifier. Please refer to the section below regarding what comprise “personal data” within the scope of JAC’s services;
• ‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data;
• ‘processing’ means any operation or set of operations performed on personal data, such as collection, recording, organisation, structuring, storage (including archiving), adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
• ‘profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to an individual, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;

All of these definitions are italicised throughout this policy to remind the reader that they are defined terms.

Personal data means any information relating to an identified or identifiable natural person (data subject). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, telephone number, postal address, e-mail address, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

JAC Recruitment (JAC) processes personal data in relation to its own staff and candidates and is a data controller for the purposes of the Data Protection Laws.
JAC will only process personal data where it has a legal basis for doing so:

• Consent
  JAC requires that you give your consent to the processing of your personal data in relation to JAC’s recruitment services. We believe this explicit consent is essential for both JAC and you and ensures both parties clearly understand their rights and the intentions of all involved in the consultation process. This basis for processing is in accordance with Article 6(1)(a) of the GDPR, which states “[you] have given consent to the processing of his/her personal data for one or more specific purposes”
• Legitimate Interests
  As a recruitment consultancy, it is in both JAC’s interest and yours, as a candidate, for JAC to process your information in order to provide you with the most effective and efficient service. This basis for processing is in accordance with Article 6(1)(f) of the GDPR, which states "processing is necessary for the purposes of the legitimate interests pursued by [JAC] or by a third party, except where such interests are overridden by the interests or fundamental rights or freedoms of [you] which require protection of personal data."
• Contract
  Whilst JAC does not require a formal contract to be signed by you, the candidate, we believe that there is an agreement between you and JAC for JAC to provide you with recruitment services. This agreement is made explicit after you provide JAC with your personal information for the purposes of JAC providing you with recruitment services and after you provide your consent for JAC to hold and process your information. As such, in accordance with Article 6(1)(b) of the GDPR, JAC processes your personal information “for the performance of a contract to which the [you] are party or in order to take steps at the request of [you] prior to entering into a contract”.

JAC is an international company, headquartered in Japan. Our databases are located in Singapore and Tokyo and as such, upon receipt of your personal information, it will be transferred quickly (and securely) to our systems hosted in either of those two countries.
Further, in order to ensure that your data is secure, when we transfer data, we will only transfer to those locations where the target location is compliant with data protection legislation and by means of transfer which have adequate safeguards applied.
In addition, consultants in our Japan office may offer to share your information with consultants in another country. In such an event, a Japan consultant will contact you to confirm that you consent to having your information shared with another JAC branch.

Under GDPR, the data subject has certain important rights. These include (but are not limited to) the following:

The right for access to data and data portability

• You have the right to receive your personal data, which you have provided to us previously, in a structured, commonly used and machine-readable format. Further you have the right to request us to transmit your personal data to another data controller in circumstances where:
  • The processing is based on your consent or a contract; and
  • The processing is carried out by automated means
• Where feasible, JAC will send the personal data to a named third party upon your request.

The right to have data rectified

• You may request JAC to rectify any inaccurate or incomplete personal data concerning yourself. If JAC has given your personal data to any third parties we will tell those third parties that we have received a request to rectify your personal data unless this proves impossible or involves disproportionate effort. Those third parties should also rectify the personal data they hold. However, JAC is not in a position to audit those third parties to ensure that the rectification has occurred.

The right to “be forgotten”

• This refers to your right to have your personal data deleted from our database, including from any third parties who may have access to that data. Further, the request to “be forgotten” must be as easy as it was to give consent.
• You may request, at any time, to have your personal data deleted completely from all JAC’s databases. Upon receipt of such a request, we will ask you whether you want your personal data to be removed entirely or whether you are happy for your details to be kept on a list of individuals who do not want to be contacted in the future (for a specified period or otherwise). We cannot keep a record of individuals whose data has been erased completely so you may be contacted again by JAC should we come into possession of your personal data at a later date.
• If JAC has given the personal data to any third parties, it will tell those third parties that we have received a request to erase the personal data, unless this proves impossible or involves disproportionate effort. Those third parties should also erase the personal data they hold. However, JAC is not in a position to audit those third parties to ensure that the erasure has occurred.
• It should be noted that where there are legal requirements for JAC to store data for a certain period of time, related to our business, which includes elements of your personal data, we will not be able to delete that data until after the statutory retention period.

The right to restrict the processing of your data

• You have the right to ask JAC to restrict its processing of your personal data where:
  • You challenge the accuracy of the personal data we are storing;
  • The processing is unlawful but you oppose its erasure;
  • JAC no longer needs your personal data for the purposes of the processing, but your personal data is required for the establishment, exercise or defence of legal claims; or
  • You have objected to processing (on the grounds of a public interest or legitimate interest) pending the verification of whether the legitimate grounds of JAC override those of the individual.

• If JAC has given your personal data to any third parties we will tell those third parties that we have received a request to restrict the personal data, unless this proves impossible or involves disproportionate effort. Those third parties should also restrict the personal data they hold. However, JAC is not in a position to audit those third parties to ensure that the restriction has occurred.

The right to lodge a complaint

• You have the right to object to your personal data being processed based on a public interest or a legitimate interest. You also can object to the profiling of your data based on a public interest or a legitimate interest.
• Upon receiving a claim from you, JAC shall cease processing unless it has compelling legitimate grounds to continue to process the personal data which override the individual’s interests, rights and freedoms or for the establishment, exercise or defence of legal claims.
• You also have the right to object to your personal data being used for direct marketing

The right to object to automated decision making

• JAC will not subject individuals to decisions based on automated processing that produce a legal effect or a similarly significant effect on the individual, except where the automated decision:
  • Is necessary for the entering into or performance of a contract between the data controller and the individual
  • Is authorised by law; or
  • The individual has given their explicit consent.
• JAC will not carry out any automated decision-making or profiling using the personal data of a child.

The right to receive compensation in the event of a breach of regulations

• Under the GDPR, should there be a breach of the regulations and it is judged that that breach has occurred due to causes within the control of the data controller or data processor, and that the breach has caused material damage, the data subject may be due to receive compensation.