Privacy policy of Mitsubishi Heavy Industries EMEA, Ltd.

Mitsubishi Heavy Industries EMEA, Ltd. (also referred to in this privacy policy as MHI-EMEA, "we" "us" or "our") takes your privacy very seriously. We ask that you read this privacy policy carefully as it contains important information about what to expect when we collect and process your personal data and how we will use your personal data.

This privacy policy supplements any other privacy policies and specific notices provided to you and is not intended to override them.

This privacy policy covers the following areas.

  • Data controller and how to contact us
  • Your right to rectification
  • The information we collect about you
  • How your personal data is collected
  • How we will use your data
  • Retention periods
  • When we will disclose your data to third parties
  • Marketing
  • Website visitors
  • How we protect your data
  • Overseas transfers
  • Your rights
  • Links to other sites
  • Changes to our privacy policy

This website is not intended for children and we do not knowingly collect data about children.

1. Data controller and how to contact us

The Mitsubishi Heavy Industries Group (MHI Group) entities, including MHI-EMEA, responsible for your personal data are regulated as controllers under applicable data protection laws.

Depending on your location, these laws may include some or all of the following: (in the European Economic Area (EEA)) the EU General Data Protection Regulation 2016/679 (GDPR) and applicable national data protection and privacy laws; and (in the UK) the UK GDPR (being the UK’s retained law version of the GDPR) and the Data Protection Act 2018. Please note, references to the GDPR in this privacy policy should, where applicable, be read as references to corresponding provisions in the UK GDPR.

Details of the controlling entities and how to contact them are set out below.

UK:

For the processing of personal data in relation to MHI-EMEA’s UK operations, Mitsubishi Heavy Industries EMEA, Ltd. is the data controller.

The Head of the Legal Department at MHI-EMEA is the responsible individual for overseeing questions in relation to privacy matters. If you have any questions about UK processing activities, including any requests to exercise your data protection rights, please contact them using the details set out below:

Addressee: Head of Legal

Full name of legal entity: Mitsubishi Heavy Industries EMEA, Ltd.

Postal address: Building 11 Chiswick Park, 566 Chiswick High Road, London, W4 5YA

Email:M_MHIE-GDPRqueries@mhi.com

Tel: +44(0)20 3480 7515

Germany:

For each of our German branches, the controller details are as follows:

  • Munich branch office: the data controller is the MHI-EMEA Munich branch office located at Sonnenstraße 32, 80331 München, Germany.
  • Erlangen branch office: the data controller is the MHI-EMEA Erlangen branch office located at Hauptstraße. 40, 91054 Erlangen, Germany.
  • Dusseldorf branch office: the data controller is the MHI-EMEA Dusseldorf branch office located at Kennedydamm 19, 40476 Düsseldorf, Germany.

The Data Protection Officer responsible for the Munich, Erlangen and Dusseldorf branches is Mr.  Thorsten Feldmann, Christinenstr. 18/19, 10119 Berlin, Germany

Email:Feldmann@jbb.de

Tel: +49 30 443 765 0.

Belgium:

For the processing of personal data in the context of MHI-EMEA's Brussels liaison office, the data controller is the MHI-EMEA Brussels liaison office located at Rue Froissart 95, 1040 Brussels, Belgium.

If you have any questions about the Brussels liaison office's processing activities, including any requests to exercise your data protection rights, please contact the Head of the Legal Department at MHI-EMEA using the details set out below.

Addressee: Head of Legal

Full name of legal entity: Mitsubishi Heavy Industries EMEA, Ltd.

Postal address: Building 11 Chiswick Park, 566 Chiswick High Road, London, W4 5YA

Email:M_MHIE-GDPRqueries@mhi.com

Tel: +44 (0)20 3480 7515

The Netherlands:

For the processing of personal data in the context of MHI-EMEA’s Dutch branch, Mitsubishi Heavy Industries EMEA, Ltd., Corrugating & Printing Machinery Division is the controller. If you have any questions about the Dutch branch’s processing activities, including any requests to exercise your data protection rights, please contact them using the details set out below.

Address: Splijtbakweg 115, Almere, The Netherlands

Tel: +31-36-8000000

Complaints:
You have the right to make a complaint at any time to the relevant local data protection authority:
We would, however, appreciate the chance to deal with your concerns before you approach the data protection authority, so please contact us in the first instance using the details above.

2. Your right to rectification

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us (Art. 16 GDPR).

3. The information we collect about you

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

We may collect, use, store and transfer different kinds of personal data about you, such as:

  • Identity Data, including first name, last name.
  • Contact Data, including company, country of residence, email address and telephone numbers.
  • Careers Data, including your job title, job application data (please see Group Privacy Notice for job applicants).
  • Profile Data, including the product/service area(s) which interest you.

We do not normally collect any Special Categories of Personal Data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data). Nor do we collect any information about criminal convictions and offences.

4. How your personal data is collected

We may collect and process the following information about you:

  • Information that you give us. This is information about you that you give to us when visiting our website, giving us a business card (or similar), filling in forms that we ask you to complete or corresponding with us by telephone, post, email or otherwise. It may include, for example, your Identity Data, Contact Data, Careers Data and Profile Data. If you have given us your consent to the processing of personal data for certain purposes, the lawfulness of this processing is given on the basis of your consent (Art. 6(1)(a) GDPR). Your consent can be revoked at any time. Please note that the revocation will only take effect for the future. Processing that took place before the revocation is not affected by this.
  • Other information: We may also collect some information from other sources. For example:
    - If we have a business relationship with the organization that you represent, your colleagues or other business contacts may give us information about you such as your Identity Data, Contact Data, Careers Data or Profile Data.
    - We sometimes collect information from third party data providers or publicly available sources for anti-money-laundering, background check and similar purposes, and to protect our business and comply with our legal and regulatory obligations.

5. How we will use your data

We have set out in the table below a description of the ways we plan to use your personal data and which legal bases we rely on to do so. We have identified what our legitimate interests are where appropriate.

Purpose/Activity Type of data Lawful basis for processing including basis of legitimate interest

To operate, manage, develop and promote our business and, in particular, our relationship with the organization you represent and related transactions

(a) Identity
(b) Contact
(c) Careers
(d) Profile


Necessary for our legitimate interests (Art. 6(1)(f) GDPR) (to operate, manage, develop and promote our business and to enable the relevant recipient within MHI-EMEA, or any related company within our corporate group, to respond to you and offer the right information, and/or product(s) and/or service(s). Where we have a contract with you as an individual, our lawful basis may be that the processing is necessary for the performance of a contract or in order to take steps prior to entering into a contract (Art. 6(1)(b) GDPR).


To administer and protect our business


 
(a) Identity
(b) Contact


(a) Necessary for our legitimate interests pursuant to Art. 6(1)(f) GDPR (for running our business, to prevent fraud and in the context of a business reorganisation or group restructuring exercise).
(b) Necessary to comply with a legal obligation pursuant to Art. 6(1)(c) GDPR.
 

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. You can contact us for more information about this. If we need to use your personal data for an unrelated purpose, we will notify you and explain the legal basis which allows us to do so (Art. 13(3) and Art. 14(4) GDPR).

6. Retention periods

We will retain and process your data for as long as we require it for the purposes for which it was collected or as is otherwise required by applicable law. To determine the appropriate retention period for your personal data, we consider the amount, nature and sensitivity of the personal data, the risk of potential harm from its unauthorised use or disclosure, the purposes for which we process it, whether we can achieve our purposes through other means, and the applicable legal requirements.

Where necessary, we process and store your personal data for the duration of our contractual relationship, which includes, for example, the initiation and execution of a contract. It should be noted that our contractual relationship may, depending on the individual case, be a continuing obligation for a number of years. For contractual relationships, but also for other civil law claims, the storage period also depends on the statutory limitation periods. In addition, we are subject to various storage and documentation obligations, including those arising from the applicable law. If you require more specific information on retention periods please ask and we will provide you with our country-specific retention schedule.

Once your personal data is no longer needed, we will securely delete or anonymise it. We may continue to use anonymised data, which cannot be associated with you, for research or statistical purposes.

7. When we will disclose your data to third parties

We will not sell, exchange or otherwise distribute your personal data to unaffiliated third parties without your consent, except to the extent required by applicable laws and regulations or our contractual relationship, or as set out in this privacy policy. We may share data we collect with any related company (or other incorporated or unincorporated entity) within our corporate group and with selected third parties including:

  • our business customers, partners, suppliers, agents, sub-contractors and service providers in order to provide our services (for example where we enter into agreements with third parties who provide services to us or on our behalf) (Art. 6(1)(f) GDPR);
  • public bodies, authorities etc. in order to comply with applicable local law; and
  • professional advisers such as lawyers and accountants.

We may also disclose data we collect to third parties:

  • if we undergo a change of control or any of our business or assets are sold or transferred (in which case we may disclose your data to the prospective seller, buyer or their representatives);
  • if we or substantially all of our assets are acquired by a third party, in which case information held by us about our website users will be one of the transferred assets; or
  • if we are under a duty to disclose or share your information in order to comply with any legal obligation or legal process (for example, a court order), or in order to enforce or apply our contractual rights or any other agreement; in order to protect the rights, property, or safety of our website users, or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection.

We require all third parties to respect the security of your personal data and to treat it in accordance with the law. Where parties qualify as data processors, we insist that they enter into a contract that protects your information and only permit them to process your personal data for specified purposes in accordance with our instructions.

8. Marketing

We strive to provide you with choices regarding certain personal data uses, particularly around marketing and advertising.

Promotional offers from us. For certain enquiries about specific products and/or services, we may use your Identity, Contact and Profile Data to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide which products and/or services may be relevant for you. You will receive marketing communications from us if you have requested information from us and have not opted out of receiving that marketing.

Opting out. You can ask us to stop sending you marketing messages at any time by contacting us in accordance with section 1 above or by using the unsubscribe link in any of our emails.

9. Website visitors

Our website uses cookies (text files placed on your computer to collect standard Internet log information and visitor behaviour information) and may collect technical and usage data about website visitors. As MHI-EMEA is part of the MHI Group and our website is solely operated by Mitsubishi Heavy Industries, Ltd. (MHI), we do not control these cookies or have access to any personal data relating to website visitors. If you wish to learn more about MHI’s use of cookies and collection of website visitor data, or wish to contact MHI about such use, please see MHI’s website Terms of Use.

10. How we protect your data

We have implemented appropriate technical and organisational measures to safeguard your personal data and we have put in place security procedures and technical and organisational measures to do so. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so. However, you should be aware that the use of the Internet is not entirely secure and for this reason we cannot guarantee the security or integrity of any personal data which is transferred from you or to you via the Internet.

11. Overseas transfers

The data you provide may be transferred to countries outside the UK or European Economic Area (EEA), especially for the purpose of the performance of a contract, personal data may be transferred to other companies of the MHI Group based outside the UK or EEA. Click here to see a list of the relevant MHI Group entities along with their contact details.

Countries outside of the UK or EEA might not have similar protections in place regarding your data and restrictions on its use as set out in this privacy policy. However, we will take steps to ensure that adequate protections and appropriate safeguards are in place to keep your data secure and that any such transfers are made in strict accordance with applicable data protection laws.

Data transfers will only take place on the basis of a UK or EU adequacy decision of the Commission or on the basis of approved standard contractual clauses or other lawful transfer mechanisms.

All the companies in the MHI Group with which your personal data may be shared have entered into data sharing agreements with the relevant data controller which satisfy the requirements of data protection laws with respect to intra-group transfers and include, where appropriate, approved standard contractual clauses. Please contact us if you want further information on (or a copy of) the specific mechanism used by us when transferring personal data out of the UK or EEA.

12. Your rights

In some circumstances you have rights in relation to the personal data we hold about you. Please contact us using the contact details above if you wish to exercise any of these rights.

  • Request access to your personal data (commonly known as a "data subject access request" pursuant to Art. 15 GDPR). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
  • Request correction of the personal data that we hold about you (Art. 16 GDPR). This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
  • Request erasure of your personal data (commonly known as the "right to be forgotten" pursuant to Art. 17 GDPR). This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request
  • Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms (Art. 21 GDPR). You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
  • Request restriction of processing of your personal data (Art. 18 GDPR). This enables you to ask us to suspend the processing of your personal data in the following scenarios: (a) if you want us to establish the data's accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
  • Request the transfer of your personal data to you or to a third party (Art. 20 GDPR). We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
  • Withdraw consent at any time where we are relying on consent to process your personal data (Art. 7 para. 3 GDPR). However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products and/or services to you. We will advise you if this is the case at the time you withdraw your consent.

Irrespective of the foregoing, you have the right to lodge a complaint with a supervisory authority - in particular in the UK or in the EEA Member State where you reside, your place of work or the place where the alleged infringement is suspected - if you are of the opinion that the processing of your personal data violates the GDPR or other applicable local data protection laws. See section 1 above for details of relevant supervisory authorities.

You will not usually have to pay a fee to exercise these rights but if your request is clearly unfounded, repetitive or excessive, we may charge a reasonable fee (or refuse to comply with your request). We may need specific information from you to help us confirm your identity and to speed up our response; this helps keep your personal data safe and speeds up our response to your request. We try to respond to all legitimate requests within one month but this period may be longer if your request is particularly complex or you have made multiple requests; we will notify you in this case.

13. Links to other sites

Our website may contain links to other sites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third party websites and are not responsible for their privacy statements. This privacy policy applies only to this website so when you access links to other sites you should read the privacy policy applicable to that site.

14. Changes to our privacy policy

We keep this privacy policy under regular review. If we change our privacy policy, we will notify you thereof, for example by posting the changes on this page, or by placing notices on other pages of the website, so that you may be aware of the information we collect and how we use it at all times.

This privacy policy was last updated in July 2023.