Effective Date:31/3/2025
Revision Date:31/3/2025
If you are accessing this website from other than the EEA or the UK, please read our general privacy policy here.
1.About this Privacy Policy
This privacy policy (hereinafter referred to as the “Policy”) is for our customers residing in the European Economic Area (“EEA”) or the United Kingdom (“UK”). This Policy explains how we collect, use and protect your personal data in accordance with the EU and UK General Data Protection Regulation (the “GDPR”) in relation to our operation for Biwako Kisen cruise.
2.Controller
Biwako Kisen Co., Ltd. (hereinafter referred to as the “we,” “our” and “us”) is the controller in the meaning of the GDPR and we are responsible for the processing of your personal data as described below. Our contact details:
Biwako Kisen Co., Ltd.
Address: 5-1-1 Hamaotsu, Otsu City, Shiga, Japan 520-0047
TEL: +81-77-522-4118 FAX: +81-77-521-3900
Email: ka.sugie@biwakokisen.co.jp
3.How and From Whom We Collect Your Personals Data
We collect your personal data either directly from you or indirectly from our travel agencies through which your booking is made.
4.Purposes and Legal Bases for Processing Personal Data
We process the following categories of your personal data for the respective purpose with the respective legal basis as described below.
| Purpose | Categories of Your Personal Data We Process | Legal Basis |
|---|---|---|
| (1) To provide passengers with our services, including verification of the contracting party and handling cancellations | Your basic information, including your name, e-mail address, telephone number, country of residence, and purchased boarding tickets, etc. | The necessity of processing for the performance of the shipping service contract with the data subject. |
| (2) To analyze and improve our website | Information obtained through device identifiers (e.g. cookies), including browser identification information, and website browsing history. | the consent of data subjects. |
| (3) To establish, exercise and/or defend our rights. | Personal data including your basic information necessary for this purpose. | The necessity of processing for our legitimate interest in asserting, proving, or defending our rights. |
You may choose not to provide your personal data; in such cases, however, we may not be able to offer cruise service to you.
5.Sensitive Personal Data
We will not collect your personal data that is classified as sensitive personal data under GDPR.
6.Security Measures to Protect Personal Data
We will take the following security measures in managing your personal data.
-
1. Formulation of the basic policy
We have formulated the Basic Policy (the Personal Data Management Regulations) to ensure our compliance with relevant laws and regulations and to respond to complaints and inquiries in handling personal data.
-
2. Establishment of rules for handling personal data
We have established the rules and regulations to ensure the protection of personal data at each stage of the collection, use, storage, provision, deletion and disposal of personal data, setting out the methods of handling, responsible persons and persons in charge and their duties.
-
3. Organisational security measures
We have appointed the Chief Privacy Officer as our chief officer in charge of personal data protection, and the Chief Personal Information Protection Managers and Personal Information Protection Managers in each department who handles personal data. The Chief Privacy Officer limits the number of persons who can access personal data, manages the access privileges, prepares a record to monitor the status of personal data processing, and conducts periodic self-inspections. In addition, we have appointed the Chief Audit Officer to carry out audits on our handling of personal data. We have also established a system to respond to any possible data leakages.
-
4. Security measures regarding personnel
We provide our employees with regular education and training on information security, including precautions regarding the handling of personal data. In addition, we require all employees who handle personal data to sign a confidentiality pledge.
-
5. Physical security measures
Regarding the offices where equipment handling personal data is installed, we have implemented controls such as locking and restricting access to it only to the relevant persons.
-
6. Technical security measures
We limit the persons who can access to personal data and personal information databases they can handle by setting and managing access privileges, and we take measures such as encrypting personal data where necessary.
-
7. Understanding of foreign legal environments
We implement security measures based on our research and understanding of relevant laws and regulations concerning the protection of personal data in countries where your personal data is stored.
7. Retention Period of Personal Data
We will retain your personal data for as long as it is necessary for the purposes described in Section 4. When the retention period of personal data has expired, we will delete or anonymize it within a reasonable period in a secure manner.
8. Disclosure of Personal Data to Third Parties
We may disclose your personal data to third parties for as long as necessary for the purposes described below. If our processing of personal data goes beyond the scope of the legal basis specified in Section 4, we will obtain your consent or complete other necessary procedures to conform with GDPR before disclosing it.
| Categories of personal data to be disclosed | Recipients | Purposes of disclosure |
|---|---|---|
| Categories listed in Section 4 (1) above | Our reservation site system providers | Purposes (1) in Section 4 above |
| Categories listed in Section 4 (2) above | Advertising technology companies | Purposes (2) in Section 4 above |
| Categories listed in Section 4 (3) above | Court or other dispute resolution organizations, attorneys, etc. that we use to execute our contracts with you and to assert, prove, or defend our rights in legal disputes | Purposes (3) in Section 4 above |
9. Cross-Border Transfer of Personal Data
Our disclosure of your personal data to third parties may constitute cross-border transfer of personal data. When we transfer your personal data to a country or region other than the EEA member countries or the UK, we either rely on adequate decisions made by the European Commission or the UK government, use the Standard Contractual Clauses (SCCs) adopted by the European Commission, the International Data Transfer Agreement (IDTA) or the International Data Transfer Addendum to the European Commission's SCCs approved by the UK Parliament, or take other necessary measures to protect your personal data.
10. Your Rights
You have the following rights set out in the GDPR with the processing of your personal data by us. You may exercise the rights by contacting us via the Point of Contact below. We generally respond to you within one month after receiving your request and verifying your identification unless there are any of the exceptions set out in the GDPR and applicable laws and regulations.
- (1) Withdrawal of consent: You can revoke at any time previously given consent to our processing of your personal data.
- (2) Right of access (we disclose information including purposes to process, categories of personal data, recipients to disclose, retention period, sources to collect): You have the rights to make an inquiry, to review and to request us for copies of your personal data we hold.
- (3) Right to rectification: You have the right to request us to correct any of your personal data we hold which you believe is inaccurate. You also have the right to request us to complete your personal data we hold which you believe is incomplete.
- (4) Right to erasure: You have the right to request that we erase your personal data, under certain conditions.
- (5) Right to restrict processing: You have the right to request that we restrict the processing of your personal data, under certain conditions.
- (6) Right to object to processing: You have the right to object to our processing of your personal data, subject to certain conditions as set out in Section 11.
- (7) Right to data portability: You have the right to receive your personal data, which you have provided to us, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller.
11. Right to Object to Processing
You have the right to object at any time to the processing of your personal data on the basis of our legitimate interests. Please contact us if you wish to exercise this right.
12. Lodging Complaint with Data Protection Authority
In accordance with the GDPR, you have the right to lodge complaints about how we process your personal data with competent data protection supervisory authority. However, we appreciate the opportunity to address your concerns before you lodge a complaint to the data protection supervisory authority. We kindly request that you consider contacting us through the Point of Contact below in Section 13.
13. Point of Contact
We have appointed DataRep as our data protection representative in the EEA and the UK. Please contact the representative by either of the following channels. Please visit this URL for information on how to contact the representative.
Email: datarequest@datarep.com
Webform: www.datarep.com/data-request
Postal mail: Please mail your inquiry to the representative at the address listed on this URL, whichever is most convenient for you.
14. Update of this Policy
We may update this Policy to comply with amendments to the GDPR and applicable laws and regulations. If we update this Policy, we will post it on our website without delay and announce the revision date.
