This Privacy Policy applies to customers residing in the EEA or the UK. For the processing of personal data of customers not residing in the EEA or the UK, please see our Privacy Policy (for All Customers).

Our Basic Principles

1. In order to ensure that our customers and partners can use our services safely, H2O RETAILING Group companies (the “Group”) will lawfully and properly manage and use personal data in compliance with internal regulations and relevant laws, regulations, guidelines, etc., and will endeavor to protect the privacy of our customers and partners.

When processing any personal data of customers residing in the EEA or the UK (“personal data”), the Group will endeavor to ensure that customers will be able to purchase our products and services safely by complying with the EU General Data Protection Regulation and the same as retained in UK law and related guidelines, etc., and by improving this Privacy Policy on an ongoing basis.

Collection of Personal Data

2. If the Group collects any personal data, the Group will specify the purpose of use thereof, and only collect personal data by which the stated purpose(s) of use can be accomplished.

Purposes of Use and Legal Bases for Processing Personal Data

3. The Group processes personal data on any of the following legal bases:

  1. The customer has given consent to the processing (“customer’s consent”).
  2. The processing is necessary for entering into and the performance of a contract to which the customer is a party (“performance of contract”).
  3. The processing is necessary for the Group to comply with a legal obligation (“legal obligation”).
  4. The processing is necessary in order to protect the vital interests of the customer or a third party (“protection of vital interests”).
  5. The processing is necessary for public interest (“public interest”).
  6. The processing of personal data is necessary for purposes of the legitimate interests of the Group or a third party, and those interests are not overridden by the customer’s rights (“legitimate interests”).
    This includes the processing of personal data that is necessary for the Group to conduct its business or provide its services.
  7. Other instances in which the processing is based on laws and regulations.


Unless otherwise specified, the Group processes personal data for the purposes of use and on the legal bases listed below. The customer may withdraw his/her consent any time and the withdrawal of his/her consent will not affect lawfulness of processing based on consent before the withdrawal. If the customer does not provide the Group with his/her personal data, you may not receive all or a part of services provided by the Group.

The personal data that the Group processes includes information about the customer himself/herself, as well as any personal data indirectly collected through the customer, such as personal data about family members or recipients of shipped products.


(i)Business related to retail and services

Type of personal data Purpose of use Legal basis
Information regarding the customer’s attributes, such as name, address, phone number, and e-mail address ・Provision of sales services and other services, such as processing of sale, delivery or shipping of products, member registration, and after-sales service 1) Customer’s consent
2) Performance of contract
6) Legitimate interests
・Sending a notice of goods left behind, etc., and responding to customer inquiries and feedback on sales processing, products, and services 6) Legitimate interests
・Printing the information of the sender and the recipient on a gift shipping slip 2) Performance of contract
6) Legitimate interests
・Shipping notices, prizes, etc., to the winners of prize competitions, etc., and shipping rewards, etc., for answering questionnaires 1) Customer’s consent
2) Performance of contract
6) Legitimate interests
・Responding to other customer inquiries, requests for material, etc. 6) Legitimate interests
・Securing the safety of customers 4) Protection of vital interests
6) Legitimate interests
(ii) Business to perform services outsourced by corporations, etc.
Type of personal data Purpose of use Legal basis
Information regarding the attributes of our partners’ officers and employees, etc., such as name, department, phone number, and e-mail address ・Providing services under a service agreement with a partner, such as salary calculation, bookkeeping, individual number management, and hiring 6) Legitimate interests
・Providing services under a service agreement with a partner, such as system development, operation, and maintenance 6) Legitimate interests
・Responding to other inquiries, requests for material, etc., from our partners 6) Legitimate interests
(iii) Common to the Group
Type of personal data Purpose of use Legal basis
Information regarding customer’s attributes, such as name, address, phone number, and e-mail address, and information regarding purchase history, browsing history for websites, social media, etc., and activity history, etc. ・Analyzing the collected information in order to provide various types of information according to a customer’s hobbies and preferences, such as information on the Group’s products, services, and events, and information on lifestyle and culture 1) Customer’s consent
・Analyzing the collected information in order to conduct marketing activities for the purpose of market research, product development, product renewal, etc. 1) Customer’s consent 
6) Legitimate interests

Disclosing Personal Data

4. If a customer has given consent, the customer’s personal data will be disclosed to the Group in order to respond to inquiries, to improve the quality of services, or for other similar purposes. Details are as follows:

  1.  Personal data to be disclosed
    Equivalent to the personal data specified in Section 3
  2. Scope of disclosure
    The Group and Ningbo Hankyu Department Stores Co.,Ltd. 
  3. Purposes of use of disclosed personal data
    Equivalent to the purposes of use specified in Section 3

Security Management of Personal Data

5. The Group will take necessary and appropriate security measures against any risks to personal data that the Group holds, such as unauthorized access, loss, destruction, alteration, and leakage of personal data.


Establishing regulations for processing personal data
Protection of individual rights and interests (such as preventing violations of privacy) by establishing Group-wide personal data management regulations and setting out necessary matters for processing personal data.
Organizational security measures
Appointment of a personal data officer and establishment of a reporting system for any potential breach of laws, regulations, or internal regulations related to personal data or any potential leakage, etc., of personal data.
Personnel security measures
Providing officers and employees with education and programs to raise awareness and familiarize them with the need to protect personal data on an ongoing basis.
Physical security measures
Limiting the areas in which personal data is processed and taking measures to prevent the theft or loss of information equipment, electronic media, documents, etc., through which personal data is processed.
Technical security measures
Introducing a mechanism to prevent external unauthorized access to the system through which personal data is processed and having access controls in place to limit the scope of personal data processed by the people who are in charge.

Retention Period of Personal Data

6. The Group will establish the minimum required retention period for the personal data it collects, in light of the purposes of processing such data, and will retain such data only for that period. Any personal data that no longer needs to be retained will be destroyed promptly.

Outsourcing the Processing of Personal Data

7. If the Group outsources work relating to the processing of personal data to a third party, the Group will provide the third-party service provider with necessary and appropriate supervision to ensure that the third-party service provider will also manage personal data securely.

Customer’s Management of Personal Data

8. If a customer requests any of the following with regard to the customer’s personal data, the Group’s inquiry desk will handle the customer’s request swiftly, to the extent necessary and reasonable, in accordance with the method requested by the customer, whenever possible: access to personal data, rectification or erasure of personal data, exercise of the right to data portability, objection to processing, restriction of processing, withdrawal of consent, or other relevant matters.
The Group will also endeavor to ensure that the personal data it holds is accurate and updated in light of its purpose of use.
If a customer makes any of the following requests, the Group will handle the request as follows:

  1. If a customer does not wish to receive direct mails, e-mails, etc., from the Group, the Group will promptly stop sending the communications upon receiving a request from the customer.
  2. If a customer wishes to make a request to access, rectify, or erase personal data, to exercise the right to data portability, to object to processing, to restrict processing, or to withdraw consent, the customer is requested to contact our inquiry desk and file a request in the form designated by the Group. The Group will handle the request promptly, to the extent necessary and reasonable.

(If certain conditions are met, restrictions or fees may apply.)
 

Lodging a Complaint with Supervisory Authority

9. A customer has the right to lodge a complaint regarding the processing of personal data with a data protection authority that has jurisdiction over the customer’s place of residence.

Disclosing Other Information Regarding the Processing of Personal Data

10. The Group’s websites may use data that identifies a customer’s computer, called “cookies,” that are sent to and stored in the customer’s hard disk in order to gather browsing information for the purpose of improving website performance and to deliver services and advertisements that are most suited to the customer’s interests.
Although the cookies themselves do not include data that identifies individuals, a customer may refuse to accept the cookies sent by the Group’s websites by changing the cookie settings on the customer’s software for browsing the Internet (web browser).
For details about cookies, please see the Cookie Policy on respective Group websites.

Desk for Inquiries Regarding the Processing of Personal Data

11. If a customer has any inquiries about the processing of personal data that the Group holds, please make a request using the following form:
Group inquiry form