Privacy Policy
Scope Of Application
Hitachi Systems Trusted Cyber Management Inc. and its subsidiaries (collectively, “the HSTCM Group”, “we”, or “our”) respect your privacy and take the protection of your personal data very seriously.
This privacy and personal data protection policy (the “Policy”) applies to all processing of personal data carried out by the HSTCM group on data subjects, with the exception of employees.
Objectives
In order to offer quality services to our clients and to ensure the smooth running of the company, we need to have access to some of your personal data. It is our intention to protect all personal data in our possession or under our control.
We have adopted this Policy to inform you of the way we collect, use and disclose the personal data we need to fulfill our professional responsibilities and operate our business.
We make sure to manage your personal data with all the necessary discretion and rigor in accordance with the applicable legal and regulatory requirements. The practices described in this Policy reflect requirements imposed by federal and/or provincial laws in force in Canada, Europe, the United States, and India, and endorse the privacy principles adopted by Hitachi Ltd.
Definition Of Terms
By “Personal Data” we mean any information relating to an identifiable natural person or that, individually or in combination with other data, allows an individual to be identified.
By “Data Subject” we mean an identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
By “Processing” we mean all operations relating to personal data, including but not limited to: collection, use, disclosure, sharing, deletion, etc.
By “Purpose of processing” we mean the main purpose of the processing of personal data. The data is collected for a well-defined and legitimate purpose and is not further processed in a way that is incompatible with this initial purpose.
By “Controller” we mean the natural or legal person that, alone or jointly with others, determines the purposes and means of the processing of personal data.
By “Processor” we mean the natural or legal person that processes personal data on behalf of the controller, e.g., in the course of providing a service or performance.
Rules And Practices Relating To The Processing Of Personal Data
Determination And Limitation Of The Purposes Of Processing
The personal data we collect about you is processed for specific purposes determined prior to collection. These purposes are the following:
- As a Controller:
  - Talent acquisition: hiring, assessment and background checks of candidates for employment
  - Prospect and client management: new client acquisition and brand promotion campaigns, opportunity management, client account management, client relationship follow-up
  - Supplier selection and management
  - Accounting management: representation and fluctuations in the company’s assets and financial position
  - Litigation management: litigation with clients, suppliers, and other stakeholders
  - Security of goods and people: CCTV and badge access management for visitors to company premises.
  - Management of security incidents and data breaches: monitoring, identification, risk assessment, notification and communication, documentation and archiving of the breach
  - Management of requests from Concerned Parties or their beneficiaries: Reception, validity check, processing, response, documentation and archiving of the request
- As a Processor, according to the client’s instructions:
  - Managed security services, including the following:
    - Managed vulnerability assessment and security awareness program
    - Web vulnerability and compromise monitoring, log monitoring, cloud security monitoring and file integrity monitoring and management
    - Intrusion detection and endpoint and network threat detection and response service
    - Incident response and digital survey
    - Risk management and governance
    - Dark Web threat intelligence and cyberthreat monitoring service.
    - Managed cybersecurity for PCI-DSS compliance
    - DDoS protection
  - Professional services, including the following:
    - Web compromise and vulnerability monitoring
    - Technical testing
    - Data Protection Services
    - Cloud cybersecurity services
    - Security by design
    - Advisory services
    - Incident response planning and handling and digital forensics
    - Cloud and data center analytics and services (MARS and Hitachi DCA)
    - Solution engineering
The HSTCM group strives to limit the collection of Personal Data to what is strictly necessary to accomplish the purposes for which it is collected. Rest assured that we will not disclose or use your Personal Data for purposes other than those originally intended, unless justified by an applicable legal basis, such as obtaining your consent or as provided by law.
In addition, as you will see in the Security Measures for Personal Data section, we limit access to your personal data to those who have the need and responsibility to access it for such a specific purpose.
Collection Of Personal Data
The HSTCM group processes Personal Data which may be collected in two ways:
- Directly from you, via forms, e-mails, discussions, etc.
- Indirectly from you, through the use of technological tools or third parties (e.g., financial institutions, referral agencies, etc.).
For the purposes identified above, we need to collect Personal Data about you as a Controller and Processor, to the extent that is appropriate:
- Hiring data such as resumes, professional experiences or any other data relevant to a potential recruitment
- Identification data, such as civil status, surname, first name, date of birth, image, identification documents
- Data relating to professional life, such as postal address, e-mail address or telephone number, company, position
- Data relating to the follow-up of the commercial relationship such as language of communication, exchanges, services provided, details of operations
- Technical data or any other data collected through cookies or other similar tools during a visit to our website
- Marketing and communication preference data such as comments, survey responses
- Information on any disputes that may have arisen
- Video sequences from CCTV cameras, as well as location data associated with access badges
- Data relating to personal data breaches, including investigation information, such as date, time, cause, and individuals affected by the event, e-mail exchanges and other messages and comments relating to the incident, as well as communications addressed to the persons concerned, where applicable
- Data necessary for the delivery of our services, within the limits of the client’s instructions, such as IP addresses, log data and other technical data, identifiers, etc.
Lawfulness Of Processing
As a general rule, we will obtain the necessary Personal Data directly from you, with your consent, subject to the exceptions provided for in the applicable law[1] such as a legal obligation, the existence of a contractual relationship or HSTCM group companies’ legitimate interest.
Under the same conditions, we may also collect Personal Data from third parties as permitted by applicable laws, or if we have obtained your consent.
You have the right to refuse to provide us with personal data that is not required for identified processing activities.
You also have the right, subject to reasonable notice and applicable legal or contractual restrictions, to withdraw your consent to the use of Personal Data already collected by contacting our Data Protection Officer (contact information available in section Requests, Complaints and/or Comments).
Sharing Of Personal Data
As part of our activities, we could disclose your Personal Data:
- Between the HSTCM group companies, namely:
  - Hitachi Systems Trusted Cyber Management Inc., located in Santa Clara, California, USA,
  - Hitachi Systems Security Inc., located in Blainville, Quebec, Canada,
  - Hitachi Systems Security Europe SA, located in Sierre, Switzerland,
  - Cumulus Systems Private Ltd, located in Pune, India,
- To other companies in the Hitachi group,
- To service providers and other recipients such as insurers, banks, professional advisors, etc.
The Personal Data provided is then limited to the information necessary for them to perform their services and the above-mentioned processing activities. All recipients are requested to protect your Personal Data in order to preserve its confidentiality.
At no time will we sell or trade your Personal Data. We will seek your consent if we wish to use or disclose your Personal Data for new business purposes. We may not seek consent if the law permits (for example, the law permits organizations to use personal information without consent for debt collection purposes).
Retention Of Personal Data
Your Personal Data is retained only as long as necessary for the purposes set out in the Policy and to ensure compliance with applicable laws and instructions from our clients.
In addition, depending on the entity of the HSTCM group with which you do business, your Personal Data may be stored in different locations, including Canada, the European Union and Switzerland or Japan and India. In any case, we ensure that adequate security measures and contractual agreements are in place to protect your Personal Data.
Security Measures For Personal Data
We strive to apply the necessary and appropriate security measures to ensure the protection of Personal Data in our possession. To this end, we follow accepted standards in the industry such as ISO/IEC 27001 and SOC 2 Type II.
These measures are implemented, taking into account the sensitivity and risks relating to the protection of Personal Data, and fall into three (3) main categories:
- Logical security measures, including but not limited to firewalls, continuous monitoring of our systems and network, management of data access privileges, data encryption, etc.
- Physical security measures, including but not limited to locked filing cabinets and restricted access to premises and IT equipment, air-conditioning of our servers, intruder alarms, fire management, CCTV and security guards, etc.
- Organizational security measures, including but not limited to the implementation of information security and privacy policies, procedures, training and awareness, supplier risk assessment and privacy impact assessments, enhanced contractual agreements, confidentiality agreements, etc.
International Personal Data Transfer
HSTCM group companies use service providers located in Canada, Switzerland, the European Union, the United States, India and other countries around the world to perform specific mandates in the normal course of business. As a result, some of your Personal Data may be transferred to another country and be subject to the laws of that country.
We have taken appropriate safeguards to ensure that the Personal Data we process is protected in accordance with our privacy policies and practices when transferred to a third country, by requiring our service providers to undertake to comply with their obligation to preserve the confidentiality and security of the Personal Data entrusted to them. This includes the obligation to implement effective security measures, but also the prohibition to disclose your Personal Data to third parties.
If you have any questions or require further information regarding international data transfers, please contact the Data Protection Officer (contact information available in the Requests, Complaints and/or Comments section).
Rights Of The Data Subject
Right Of Access And To Rectification
You can request access to your Personal Data, or information on how we process your Personal Data. You can also ask that the data held by the HSTCM group companies be rectified if it is inaccurate, ambiguous, or incomplete.
Right To Erasure (“Right To Be Forgotten”)
You have the right to obtain from HSTCM group companies the erasure of your Personal Data as soon as possible. The right to erasure will not apply to the extent that the processing is necessary, in particular:
- for the exercise of the right to freedom of expression and information,
- for research or statistical purposes,
- for the exercise or defense of legal rights,
- by virtue of a legal obligation.
Right To Restriction Of Processing
You have the right to obtain from HSTCM group companies the restriction of processing where one of the following applies:
- for a period enabling HSTCM group companies to verify the accuracy of the Personal Data contested by the Data Subject,
- the processing is unlawful, you oppose the erasure of your Personal Data, and you request the restriction of its use instead,
- the HSTCM group companies no longer need the Personal Data for the purposes of the processing, but you request it for the establishment, exercise, or defence of legal claims,
- you have objected to processing, pending verification of whether the legitimate grounds of HSTCM group companies override yours.
Where processing has been restricted, Personal Data is only processed, with the exception of storage, with your consent or for the establishment, exercise, or defence of legal claims, or for the protection of the rights of another natural or legal person, or for important reasons of public interest of a public authority empowered by law.
Right To Data Portability
You have the right to receive the Personal Data you have provided to HSTCM group companies, in a structured, commonly used, and machine-readable format, and you have the right to transmit those data to another controller without us impeding it. This right applies when the processing is based on your consent and the processing is carried out using automated processes.
Right To Object
You can object, at any time, for reasons related to your particular situation, to the processing of your Personal Data. The HSTCM group companies will no longer process your Personal Data unless they can demonstrate that there are legitimate reasons for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.
Automated Individual Decision, Including Profiling
You may request not to be subject to a decision based exclusively on automated processing, including profiling, unless the decision is:
- necessary for entering into or performance of a contract between you and HSTCM group companies,
- authorized by the laws to which HSTCM group companies are subject and which also lay down suitable measures to safeguard your rights, freedoms, and legitimate interests,
- based on your explicit consent.
Requests, Complaints And/Or Comments
To submit a request for access or rectification, exercise any applicable right, file a complaint, obtain information about our Policy or send us comments, we invite you to contact our Data Protection Officer for the HSTCM Group:
- at the following email address: dpo@hitachi-systems-security.com or
- at the following postal address: Hitachi Security Systems Inc. to the attention of the Data Protection Officer, 244-955 Michèle-Bohec Blvd., Blainville QC J7C 5J6.
General Data Protection Regulation (GDPR) – EU Representative
Pursuant to Article 27 of the General Data Protection Regulation (GDPR), Hitachi Systems Security Inc. and Hitachi Systems Security Europe SA have appointed European Data Protection Office (EDPO) as their GDPR Representative in the EU. You can contact EDPO regarding matters pertaining to the GDPR:
- by using EDPO’s online request form: https://edpo.com/gdpr-data-request/
- by writing to EDPO at Avenue Huart Hamoir 71, 1030 Brussels, Belgium
UK General Data Protection Regulation (UK GDPR) – UK Representative
Pursuant to Article 27 of the UK GDPR, Hitachi Systems Security Inc. and Hitachi Systems Security Europe SA have appointed EDPO UK Ltd as their UK GDPR representative in the UK. You can contact EDPO UK regarding matters pertaining to the UK GDPR:
- by using EDPO’s online request form: https://edpo.com/uk-gdpr-data-request/
- by writing to EDPO UK at 8 Northumberland Avenue, London WC2N 5BY, United Kingdom
Update Of This Policy
Processing of Personal Data may be modified by the HSTCM Group at any time. Therefore, this Policy may be subject to change from time to time in the future. We recommend that you review it each time you visit our website to stay informed about how we handle personal data.
Update: 2023.09.25
[1] European Union: Art. 6 and 7 of the GDPR; Switzerland: Art. 34 and 36 of the nFADP; Quebec: Art. 18 and following of the Private Sector Act; India: Art. 4 of the DPDPA