SEGA Europe - Data Protection Addendum

INFORMATION REGARDING PRIVACY AND PERSONAL DATA

In this Data Protection Addendum (“DPA”) we would like to inform you how we will process the personal data you provide to us when entering into an agreement with us (the “Agreement”) in accordance with the requirements of the General Data Protection Regulation (the “Data Protection Regulation”).

1. The personal data we collect and our data processing activities

  1. The Data Protection Regulation applies only to information that constitutes "personal data", which is data that relates to an identified or identifiable natural person. We hold some or all of the following types of personal data (which may include sensitive/special categories of personal data) for the purposes set out in this DPA.
  2. We will comply with data protection laws, with respect to the way in which we process your personal data. The Data Protection Regulation requires that we:
    1. Process your personal data lawfully, fairly, and in a transparent way;
    2. Only collect your personal data for a valid purpose, in accordance with the reasons that we have informed you about our data processing/collection activities;
    3. Ensure that your personal data is accurate, secure and kept up to date; and
    4. Maintain your personal data only for as long as is necessary for the purposes which we have informed you about.
  3. It is necessary for us to process your personal data in order to carry out our legitimate activities when we commission your services. We will only process your personal data:
    1. to perform our obligations under the Agreement; and/or
    2. to comply with any legal or regulatory obligations; and/or
    3. for legitimate business purposes.

  4. Our legitimate business purposes includes some or all of the following:

    1. keeping our business records up to date;
    2. budget and financial planning, and/or
    3. to comply with legal requirements

    Whenever we process data for these purposes we will ensure that we always keep your personal data rights in high regard and take account of these rights. You have the right to object to this processing if you wish. Please bear in mind that if you object this may affect our ability to carry out the tasks above for your benefit.

Personal data processed/collectedHow and why we process your personal dataWho receives your personal data

Name, gender, contact details, including personal email addresses, postal addresses and telephone numbers.

 

Reporting lines, and work location.

 

 

Services start and end dates, meeting appointments, meeting notes.

 

Invoicing information including the bank details you provide to us.

 

CCTV video footage from our offices.

 

We will hold and process your personal data for the following purposes:

 

  • Business administration, support and management
  • Product records
  • Invoicing activities
  • Evaluation and appraisals
  • Reimbursing pre-approved  business travel
  • Authorising/authenticating access to IT systems
  • Continuous security analytics to maintain the security of our computer systems in accordance with SEGA's IT Acceptable Use Policy
  • Budgets and financial planning
  • Managing health and safety at work and reporting incidents
  • Regulatory requirements
  • Product documentation files and game credits

 

If we wish to process sensitive/special categories of your personal data for any further purposes, we will seek your explicit consent to do  so. You have the right to withdraw your consent to that processing at any time.

We may disclose your personal data to other companies within the SEGA group, such as our corporate parent SEGA Games Co., Ltd. in Japan, for any of the purposes set out in this policy.

 

It may also be necessary from time to time for us to disclose your personal data to third parties, including without limitation to the following:

 

  • Individuals or companies engaged by us to carry out specific services, including without limitation Oracle, travel services such as flight operators and hoteliers for local and international travel and accommodation
  • Consultants, auditors, accountants and other professional advisors
  • Law enforcement agencies, government agencies, regulators, investigators and other bodies as may be required by law
  • Prospective or actual purchasers or assignees of SEGA or any of its assets, divisions or lines of business.

 

Retention period

We will hold and process your personal data for the term of your Agreement plus 6 years following termination of the Agreement. We will process your personal data for longer periods where required and permitted by law.  

  5. We will collect the above data sets directly from you.

  6. Automated and computerised personal data about independent contractors held by companies is covered by the Data Protection Regulation. Personal data stored physically (for example, on paper) and held in any "relevant filing system" is also covered. In addition, information recorded with the intention that it will be stored in a relevant filing system or held on computer is covered.

  7. We will only process sensitive personal data about you, such as information relating to criminal convictions, information about your race, ethnicity, religious beliefs, health and medical conditions, when permitted by law, or where provided voluntarily by you.

2.  Transfers of personal data outside the EEA

  1. The personal data that we collect from you may be transferred to, and stored at, a destination outside the European Economic Area ("EEA"), for one or more of the purposes described above. Due to the global nature of our business, your personal data may be disclosed to members of the SEGA group outside the EEA, including in particular the USA and/or Japan. Additionally, some of the third party service providers we use to provide administration services are situated outside of the EEA.  We will ensure appropriate safeguards are in place to protect the privacy and integrity of such personal data. You can obtain information on which countries outside of the EEA your personal data may be transferred to and the safeguards in place to protect your personal data from SEGA Europe’s Data Protection Officer (DPO@sega.co.uk).

3.  Data retention

  1. We will not keep your personal data for longer than is necessary for the purposes set out above. This means that we will store your personal data for the duration of your Agreement for six (6) years following termination of your Agreement.
  2. We may be required to process your personal data after this period where it is necessary to enable us to comply with any legal obligations or for the exercise or defence of any legal claims following termination of your Agreement. In cases of pre-litigation disputes, personal data will be deleted in a secure manner as soon as the dispute is amicably resolved or as soon as the corresponding action is time-barred. In case of litigation, personal data will be deleted in a secure manner as soon as an appeal is no longer possible. 

4.  Closed-circuit-television (CCTV)

4.1. CCTV Usage

We use CCTV cameras to view and record individuals on and around our premises.CCTV monitors the exterior of the building, both the main entrance and secondary exits 24 hours a day. This use is necessary for legitimate business reasons, including: 

a. To prevent crime and protect buildings and assets from damage disruption, vandalism and other crime;

b. For the personal safety of our staff, visitors and other members of the public and to act as a deterrent against crime; and

c. To support law enforcement bodies in the prevention, detection and prosecution of crime

This list is not exhaustive and other purposes may be or become relevant.

4.2. How We Will Operate Any CCTV

Where CCTV cameras are placed in our offices, we will ensure signs are displayed at the entrance of the surveillance zone to alert individuals that their image may be recorded.

5.  Processing in line with your rights

  1. You have several rights in relation to your personal data. You have the right to:
    1. request access to any personal data we hold about you;
    2. prevent the processing of your personal data for direct-marketing purposes (although we don’t process personal data for this purpose);
    3. ask to have inaccurate or incomplete personal data held about you amended;
    4. request erasure of your personal data in certain circumstances;
    5. restrict our use of your personal data in certain circumstances and object to the processing of your personal data where our legal basis for processing is our legitimate interests;
    6. move (or port) any of your personal data in certain circumstances;
    7. not be subject to a decision based on automated processing, including profiling which has legal or similar significant effects.
  2. If you wish to know what personal data we hold about you, you must make the request in writing to SEGA Europe’s Data Protection Officer at: DPO@sega.co.uk.
  3. We may reserve our right to withhold your right to access data where any statutory exemptions apply. Within one (1) month of receiving your written request for access, we will provide you with information on action taken in relation to your request. The one (1) month period may be extended in certain circumstances.

6.  Data security

  1. We will ensure that appropriate measures are taken against unlawful or unauthorised processing of personal data, and against the accidental loss of, or damage to, personal data.
  2. We have in place procedures and technologies to maintain the security of all personal data from the point of collection to the point of destruction. We will only transfer personal data to a third party if they agree to comply with those procedures and policies, or if they put in place adequate measures.
  3. Maintaining data security means guaranteeing the confidentiality, integrity and availability (for authorised purposes) of the personal data.

7.  Your obligations regarding personal data

  1. You should use all reasonable endeavours to keep us informed of any changes to your personal data. This will enable us to keep our records up to date at all times and comply with the Data Protection Regulation.
  2. You must follow applicable law and any policies, standards and procedures that have been brought to your attention when handling any personal data in the course of providing services  to us, including those set out below. In particular, you will not access or use any personal data for any purpose other than in connection with and to the extent necessary for providing the services to us. You must understand that these obligations continue to exist after termination of your relationship with us.

8.  Further Information

  1. If you have any questions about this DPA or wish to exercise any of your rights, you can contact SEGA Europe’s Data Protection Officer at:

    Email: DPO@sega.co.uk

    Telephone: 020 8995 3399

    Post: Data Protection Officer, SEGA Europe Limited, Building 12, Chiswick Business Park, 566 Chiswick High Road, London, W4 5AN, United Kingdom

  2. If you remain unhappy with a response you receive from us, you can also refer the matter to your data protection supervisory authority - https://www.edpb.europa.eu/about-edpb/about-edpb/members_en