1.1 The H&R Group K.K. is committed to protecting the personal information provided to us by the H&R Group K.K.’s clients, and to adhering to all relevant privacy laws and regulations* regarding same. As a part of this commitment, we want the H&R Group K.K.’s clients to understand how we treat their information.
2. Privacy Basics
2.1 Personal information for this policy refers to the United States National Institute of Standards and Technology’s definition of “personally identifiable information.” This definition includes any information that can be used to distinguish or trace an individual’s identity, or any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.
2.2 The H&R Group K.K. is certified under ISO 27001:2013, an internationally recognized information security management standard that verifies an organization’s ability to effectively apply a security framework to business processes to identify, manage and reduce risks to information security at all levels, and in all areas of the business. Our information security management system (ISMS) was certified compliant with ISO 27001 requirements on February 26, 2018 by Intertek, an external independent certification authority.
View certificate here: ISO 27001:2013 Certification
3. Client Rights
3.1 The H&R Group K.K.’s clients may request a report of the personal information they have entrusted to us. To request a report of your personal information, please send a request to privacy(at)morethanrelo.com.
3.2 Upon request, H&R Group K.K. will delete a client’s personal information unless it must be retained as described in section 6.3.2. Please note that if services initiated to us by the client have not been completed, this request may result in our inability to complete these services.
4. Collection of Personal Information
4.1.1 The H&R Group K.K. does not collect personal information from visitors to our website, unless you choose to provide such information to us via a webform.
4.1.3 The H&R Group K.K. may from time to time provide links to third-party websites, products, and services for informational purposes only. These links do not constitute an official endorsement by the H&R Group K.K., and clients should consider that these third parties have not agreed to abide by our policies when deciding to visit those sites or not.
4.2 General Collection
4.2.1 The H&R Group K.K. collects personal information using the “minimum necessary” principle. Only personal information essential to completing services initiated to us by the client should be collected, used, and maintained.
4.2.2 To complete initiated services, we may require personal information such as, but not limited to:
Names, dates of birth, passport numbers, physical addresses, email addresses, mailing addresses, phone numbers, bank account information, credit card information, employment contract information, visa information.
4.2.3 The H&R Group K.K. collects information deemed necessary to provide services through Microsoft Office 365 email, which is TLS encrypted, and “Send this file,” a file transfer system featuring SSL encryption, the ability to track and monitor how many times a file was downloaded and who downloaded it, and the ability to create detailed exportable audit transfer logs.
Other methods of collection may include, but are not limited to: relocation management company portal sites, employer HR representatives, face-to-face meetings, telephone and fax, and interaction with the H&R Group K.K.’s websites and tools.
5. Usage of Personal Information
5.1 The H&R Group K.K. uses personal information under the principle of “minimum necessary.” Only personal information essential to completing services initiated to us by the client should be collected, used, and maintained as a part of those services.
5.2 The H&R Group K.K. may also use personal information for internal purposes such as auditing, data analysis, training, and research to improve the H&R Group K.K.’s products, services, and communications.
5.3 In extreme circumstances, the H&R Group K.K. may use personal information when failing to do so will result in an imminent threat to a person’s life or public safety.
5.4 In extreme circumstances, the H&R Group K.K. may use personal information as required to comply with valid requests from law enforcement or to aid internal investigations into unlawful activities.
5.5 Personal information collected by the H&R Group K.K. from the H&R Group K.K.’s clients is for business purposes and activities only. These include, but are not limited to:
6. Disclosure of Personal Information
6.1 The H&R Group K.K. will not provide the H&R Group K.K.’s clients’ personal information to third parties, except where it is necessary to the provision of destination or other services that have been initiated to us by the client.
6.4 As a user of cloud services, the H&R Group K.K. retains personal information on servers located in Japan and Hong Kong. The H&R Group K.K. will take all reasonable steps to ensure that no person or entity breaches our policies or relevant laws in regard to this data.
6.5 In the rare event that H&R Group K.K. is required to disclose personal information to law enforcement agencies, government agencies or external advisers, H&R Group K.K. will only do so in accordance with the applicable laws and regulations.
7. Staff Training
8. Data Integrity
8.1 The H&R Group K.K. must have accurate data to complete services initiated to us by the client, and we use all reasonable measures to ensure that the personal information entrusted to us is accurate.
8.2 If a client believes their personal information entrusted to us is inaccurate in any way, they should contact their consultant, or email us at privacy(at)morethanrelo.com.
9. Data Security, Retention, and Disposal
9.1 Data Security
9.1.1 The H&R Group is committed to information security, and industry best practices are used at operational, procedural, and policy levels to systemically protect personal information entrusted to us from loss or unauthorized access, destruction, use, modification or disclosure.
9.1.2 Data is kept either within the H&R Group K.K.’s dedicated server hosted in Japan, or in the H&R Group K.K.’s client database which is hosted in Hong Kong. We limit access to personal information in several ways.
9.1.3 Within the H&R Group K.K.’s dedicated server we pool personal information into a specific location and maintain strict access control over same via Active Directory permissions using principles of access enforcement, separation of duties, and least privilege. This dedicated server is accessible only through an encrypted network VPN, which is locked by IP address to the H&R Group K.K.’s physical offices. Authorized users may be given access outside of the physical offices, if required, via VPN client.
9.1.4 The H&R Group K.K.’s cloud server hosting the client database is also locked by IP address to the H&R Group K.K.’s physical offices, and strict access control is maintained via login and user permissions, which are established using principles of access enforcement, separation of duties, and least privilege and are assigned through the application. The application was built to conform to the best practices outlined by OWASP and data is SSL encrypted. Authorized users may be given access outside of the H&R Group K.K.’s physical offices, if required, via VPN client.
9.1.5 H&R Group K.K. staff are required to use strong passwords on all logins, as mandated by the H&R Group Password Policy. The weakest password format allowed is 15 random characters, including uppercase, lowercase, numbers, and special characters. The strongest are 20-character, random “mnemonic passwords.”
9.1.6 All H&R Group K.K. computers are secured via an enterprise IT management tool, “Sky Sea Client View,” which allows us to monitor events that could affect the confidentiality of Private Information.
9.1.7 If the H&R Group K.K. experiences a security breach involving the loss of private information, we will:
9.2 Data Retention
9.2.1 The H&R Group K.K. retains personal information using the “minimum necessary” principle. Only personal information essential to completing services initiated to us by the client should be collected, used, and maintained.
9.2.2 The following circumstances will require us to keep a client’s data after their services are completed.
9.4 Data Disposal
9.4.1 The H&R Group K.K. will dispose of personal information that is no longer required to complete services initiated to us by the client on a standard schedule, unless it must be retained as described in 6.3.2 above (for example, invoices must by law be retained for a minimum of 7 years in Japan).
10. Insurance Business Specific
10.1 Group company H&R Consultants operates as both an insurance agency and a real estate agency. Personal information collected while completing real estate services will be shared to process insurance applications only if that service is initiated to us by the client.
10.2 Personal information shared with our respective insurance company partners is used in diverse ways to provide services. Their individual policies are available on their respective websites.
10.2.1 H&R conducts business with, and may share information as described above with, these companies:
11. Changes to this Policy
12. Questions or Inquiries
*Japan’s Act on the Protection of Personal Information (Act No. 57 of 2003, amended 2015).