LINE Pay Privacy Policy Addendum for GDPR

Last updated and effective as of October 2023

This LINE Pay Privacy Policy Addendum for GDPR (this “Addendum for GDPR”) shall apply to the processing, including the collection, use, retention, and disclosure, by the LINE Pay Corporation (hereinafter referred to as the “Company,” “we,” “our,” or “us”) of any information relating to an identified or identifiable natural person (“Personal Data”). This Addendum for GDPR is supplemental to and forms part of the LINE Pay Privacy Policy (the "Privacy Policy") and is applicable only to the processing of Personal Data of our customers who use our Services (as defined below) and are located in the European Economic Area (the “EEA”) or the United Kingdom (the “UK”). In case of any conflict between the terms of the Privacy Policy and this Addendum for GDPR, the terms of this Addendum for GDPR shall prevail.
Although the Company is not actively targeting persons within the EEA or the UK, they are not blocked from using certain services offered by the Company (the “Services”). Protecting their privacy are our primary concern.
1. Description of Our Activities
The Company’s commercial activity consists in providing you with payment services enabling you to make payments with a credit card registered with the Company at online and offline LINE Pay merchants.
2. Definitions and Interpretation
In this Addendum for GDPR, unless the context otherwise requires:
  • a reference to a document is a reference to that document as modified or replaced from time to time.
  • a reference to a person shall include any company, corporation or any corporate body wherever incorporated.
  • words importing the singular shall be treated as importing the plural and vice-versa.
  • unless expressly stated otherwise, any heading, caption or section title contained in this Addendum for GDPR is inserted only as a matter of convenience and in no way defines or explains any section or provision hereof.
3. Data Controller, Data Protection Officer, and Representatives
The Company, LINE Pay Corporation, incorporated under the laws of Japan, is the legal entity responsible for the collection and processing of your Personal Data.

You contact us from the Inquiry Form or at:
Email:
[email protected]
mail:
LINE Pay Corporation
22nd Floor, Osaki Garden Tower
1-1-1 Nishi-Shinagawa, Shinagawa-ku, Tokyo 141-0033, Japan
You can also contact our Data Protection Officer at 22nd Floor Osaki Garden Tower
1-1-1 Nishi-Shinagawa, Shinagawa-ku, Tokyo 141-0033, Japan.

As regards the processing of Personal Data concerning persons within the EEA and the UK, the Company has designated the following representatives to whom you can access on all issues related to the processing of your Personal Data:

Representative in the EEA: PLANIT // LEGAL
Attn: LINE Pay Corporation EU Representative
Neuer Wall 54, 20354 Hamburg, Germany
+49(0)40 60944190

Representative in the United Kingdom:DP Data Protection Services UK Ltd
Attn: Line Pay Corporation, 16 Great Queen Street, Covent Garden, London, WC2B 5AH, United Kingdom
www.dp-dock.com
[email protected]
4. Categories of Personal Data Collected and Processed
4.1. Categories of Personal Data Collected
The categories of your Personal Data we collect are set forth in “1. Acquisition of customer information” of the Privacy Policy and in the LY Corporation’s User Information Provision Policy.
4.2. Possible Consequences of Refusal to Provide Your Personal Data
A number of the personal data we collect from you are required to enable us to fulfil our contractual duties to you or to others. Other items may simply be needed to ensure that our relationship can run smoothly. Depending on the type of Personal Data in question and the grounds on which we may be processing it, should you decline to provide us with such data, we may not be able to fulfil our contractual requirements or, in extreme cases, may not be able to continue providing the Services. When providing personal data is legally or contractually required, or necessary to enter into a contract with us, we will bring it to your attention.
5. Purposes and Legal Basis of Processing
Notwithstanding “2. Purpose of Use of Customer Information” in the Privacy Policy, we shall only use personal data of customers located in the EEA or the UK for the following purposes. For the details of the purposes, please see “(1) For the provision, improvement and development of the Services” and “(2) For the prevention of unauthorized use of the Services” of “2. Purpose of use of customer information” in the Privacy Policy.”
Purposes of Processing Legal Basis of Processing
For the provision, improvement, and development of the Services
  • The processing is necessary to perform our obligations under a contract with you or to take steps, at your request, prior to entering into such contract; or
  • The processing is necessary for our legitimate interests of promoting our economic activities and effectively providing the Services, as those will allow us to generate profits and to attract new customers.
For the prevention of unauthorized use of the Services
  • It is necessary to exercise our officially vested authorities; or
  • The processing is necessary for our legitimate interests to protect us and our customers from possible damages from the unauthorized use.
6. Withdrawal of Your Consent
Please note that you have at any time the right to withdraw your consent with regard to the processing for which your consent is legal basis. To exercise this right, please contact us using the contact details provided in “3. Data Controller, Data Protection Officer, and Representatives.”
Upon the withdrawal of your consent, we will cease the processing unless we determine that there is an alternative legal basis to justify our continued processing of your Personal Data, in which case we will inform you of this alternative legal basis. The withdrawal of your consent shall however not affect the lawfulness of processing based on your consent before its withdrawal.
7. Age Limit
Notwithstanding “12. Personal Information of Customers below the Age of 15” in the Privacy Policy, the Services shall only be used by persons of 18 years old or older in case the persons are located in the EEA or the UK.
8. Keeping Your Personal Data Up-to-Date
You shall ensure that all Personal Data you directly provide to us are accurate, complete, true, and correct and shall keep such data up-to-data by reporting or registering to the Services any updates in a timely manner. Your failure to do so may result in your disadvantages such as being unable to use the Services. The Company is not responsible for any such disadvantages.
9. Your Rights
9.1 General
You have certain right regarding your Personal Data as described in 9.2 and 9.3 below. To exercise such rights outlined in this section, you can contact us using the contact details provided in “3. Data Controller, Data Protection Officer, and Representatives.” When sending us a request, please make clear which right you are exercising with regard to which of your Personal Data. Please also note that we may keep a record of your communications to help us resolve any issues arising in relation to your request.
Please be aware that your rights are not absolute, and it remains that, in accordance with applicable data protection laws, your rights may be withheld. In such event, we will provide you with the reasons for not complying with your request.
We will process your request as soon as reasonably practicable and provide you with information on actions taken without undue delay and in any event within one month of receipt of your request. This period may be extended by a further two months where necessary, taking into account the complexity and number of your request. In this event, we will inform you of any such extension within one month of the receipt of your request, together with the reasons for the delay.
In the event that we decide to not comply with your request or has not processed your request within the aforesaid timeframe, you can lodge a complaint with the national supervisory authority (see below) and you can seek a judicial remedy against our decision.
9.2. Your Right to Access, Rectification, Erasure, Restriction of Processing and Data Portability
You have, if applicable and within the limits of applicable data protection laws, the right to request access to your Personal Data, to seek the rectification or erasure of your Personal Data, to request the restriction of the processing.
In addition, you have, within the limits of applicable data protection laws, the right to receive the Personal Data you have submitted to the Company in a structured, commonly used and machine-readable format and to transmit such Personal Data to another controller without hindrance. We will, where applicable and technically feasible, transmit your Personal Data directly to the data controller of your choice.
9.3. Your Right to Object
If applicable in accordance with applicable data protection legislation, you have the right to object, on grounds relating to your particular situation, at any time, to our processing of your Personal Data, unless:
(a) there exist compelling legitimate grounds for such processing which override your interests, rights and freedoms; or
(b) the processing is necessary for the establishment, exercise or defense of legal claims.
Notwithstanding the foregoing, please be aware that you have the right to object at any time to processing of your Personal Data for direct marketing purposes.
9.4. Your Right to Lodge Complaint with Supervisory Authority
You have the right to lodge a complaint with a supervisory authority, in particular in the country of your residence, your place of work or of the place of the alleged violation.
10. International Transfers of Personal Data
The Company's servers are located in Japan, meaning that your Personal Data will be initially collected and stored in Japan.
Notwithstanding “7. Storage and Transfer of Customer Information” in the Privacy Policy, we may transfer your Personal Data to the countries outside of the EEA and the UK, including Japan, South Korea, the United States.
Among such countries, Japan, South Korea are considered by the relevant authorities to provide an adequate level of protection for personal information.
When the Company transfer Personal Data without the adequate decision, the Company will enter into standard data protection clauses approved by the European Commission or international data transfer agreement approved by Information Commissioner's Office to protect your Personal Data whenever it is being transferred between entities located outside of the EEA or the UK. For requesting further information about the international transfer, including requesting a copy of the documents used to protect Personal Data, please contact us using the contact details provided in “3. Data Controller, Data Protection Officer, and Representatives.”
11. Disclosure and Sharing of Personal Data
The categories of recipients of your Personal Data are set forth in “5. Disclosure of Customer Information to Contractors,” “6. Sharing of Customer Information among Group Companies,” and “7. Storage and Transfer of Customer Information” of the Privacy Policy and in the LY Corporation’s User Information Provision Policy. In addition, the Company may disclose your Personal Data to payment service providers such as payment gateways or payment processors in order to complete your payment.
12. Security of Personal Data
The Company protects your Personal Data by using appropriate administrative, technical and organisational security measures to reduce the risks of loss, theft, misuse, unauthorised access, disclosure, destruction and alteration of your Personal Data. For the details of our security measures, please also read “Safety Management Measures for Personal Data ".
13. Storage of Your Personal Data
Without prejudice to the Company’s right to further process your Personal Data for purposes that are not incompatible with the initial purpose, and subject to the Company’s own legal and regulatory obligations, the Company retains your Personal Data only for as long as necessary to fulfil the purposes described in this Addendum, or as required by applicable laws including the laws of Japan. The criteria used to determine our storage periods include: (i) the length of time we have an ongoing relationship with you; (ii) whether there is any legal obligation to which we are subject; and (iii) whether there is a need in order to perform a contract to which you are a party.
When the storage of your Personal Data becomes no longer necessary, the Company shall proceed to the erasure of your Personal Data in a secure manner.
14. Updates to Privacy Policy and Addendum for GDPR
The Company reserves the right to revise, change, modify, update, supplement, add or remove portions of the Privacy Policy and this Addendum for GDPR (together, the "Privacy Documentation"), at any time, in an exercise of its sole discretion. When the Company makes such changes to the Privacy Documentation, the Company will notify such changes to you by making the amended Privacy Documentation available on the Company’s website and mobile application (“amended Privacy Documentation”). It is your responsibility to review the amended Privacy Documentation.
Your continued use of the Services subsequent to the notification of such changes, or the absence of any objection thereto within thirty days from the date the amended Privacy Documentation have been made available on the Company’s website and mobile application, constitutes your acknowledgement of the amended Privacy Documentation.
15. Merger/Corporate Acquisition
If the Company merges with another company or entity, of whatsoever form, or is partially or entirely acquired by such company or entity, such company or entity shall have access to all your Personal Data in the Company’s possession. Without prejudice to the right to update the present Addendum for GDPR, suchcompany or entity shall be bound by this Addendum for GDPR.
16. Inquiries
If you have any questions or concerns about the Privacy Policy or this Addendum for GDPR or seek additional information about our processing of your Personal Data, you can contact us using the contact details provided in “3. Data Controller, Data Protection Officer, and Representatives.”