A. Overview on Data Protection Principles

1. Introduction
FUJIFILM South Africa (Pty) Ltd (“Fujifilm” or “we”) collects, processes and uses certain personal data of its personnel, customers, suppliers, contractors and other third parties to conduct its business. We at Fujifilm are strongly committed to do so in accordance with the applicable data protection laws.

This internal policy is intended to provide information and guidance to our personnel about our goals, requirements and legal framework when it comes to the collection, processing and use of personal data, how we comply with the applicable laws and – most importantly – how every person working at Fujifilm can and should help us to comply.

This policy is not intended to replace or change legal requirements, but to inform and provide guidance about our data protection obligations and those of our personnel.

The policy applies to all Fujifilm personnel, including Fujifilm employees at all levels as well as individual contractors and secondees (including expatriates) working for Fujifilm (“personnel” or “you”. The policy may be amended from time to time.

2. Personal Data
Personal data means any information relating to an identified or identifiable person. An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, registration number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that such person.

As examples, this might include personnel data such as name, address information, telephone number, date of birth, marital status, bank account, ID, registration number and social security numbers, medical records and testimonials. It also might include supplier and customer data such as name, address information, telephone
number, order history, payment details, photos and medical data.

3. Purpose of Data Protection
The protection of persons in relation to the processing of their personal data is recognized as a fundamental right by international and national laws. In particular, the EU Treaty provides that everyone has the right to the protection of personal data concerning him or her and from a South African perspective, the protection of personal data is recognised in terms of the right to privacy as enshrined in the South African Constitution (section 14). Accordingly, the Member States of the EU are required to provide legal protection for each individual in relation to his or her personal data and in South Africa, data controllers are required to provide legal protection to all persons, whether natural or juristic in relation to their personal data.

We, as a company, have a clear business interest in supporting the protection of personal data in order to maintain a relationship of trust with our personnel, customers, suppliers, contractors and other third parties. The EU and/or foreign legislation on data protection together with national data protection laws support these interests by establishing a high legal standard of data protection throughout the EU.

4. Legal basis
In 1995 the EU adopted the EU data protection directive (Directive 95/46/EC). The Directive was intended to harmonize national laws of the Member States and has been implemented by all Member States into national data protection laws.

Between 1995 when the Directive was adopted and today, the number of member states has grown and the use and importance of data processing has obviously changed significantly. The development of the internet, including the “world wide web”, the appearance of mobile data connectivity, a wide range of “Cloud” services, the Internet of Things (IoT) and similar technological advancements make the processing of data one of the key issues of today’s economy, our working world and our lives as consumers. As a response to the growing importance of data processing, in 2016 the EU adopted the new General Data Protection Regulation (Regulation (EU) 2016/679),
which directly applies as of 25 May 2018 in all 28 Member States. In principle, the GDPR largely replaces different national data protection laws of the Member States that developed under the Directive. However, the GDPR still leaves considerable room in certain areas for national specifics. Member States are also required to specify certain issues in accordance with their local requirements or legal traditions. One important area, where Member States may provide for more specific rules is the processing of data in the context of employment.

Apart from the GDPR, Fujifilm operates in South Africa and South Africa is not a member state tothe EU and therefore local South African data protection law is required to be complied with. The Protection of Personal Information Act 4 of 2013 (“POPIA”) came into effect on 1 July 2020 butthere is a 1 (one) year grace period within which to comply with POPIA. POPIA specifically regulates the processing of personal information that is entered into a record pertaining to natural persons as well as existing legal persons. The grace period afforded in terms of POPIA’s enforcement officially ends on 30 June 2021 with the 1st July 2021 being the full effective date for compliance in relation
to its provisions.

Therefore, Fujifilm must comply with the GDPR and POPIA. For purposes of this Data Protection Policy (DPA) the following words stemming from terminology used in the GDPR have the equivalent meaning in terms of POPIA:

Data Controller
Data Processing
Data Processing Agreement (DPA)
Data Processor
Data Protection Authority
Data Protection Officer (DPO)
Data Subject (only Natural persons)
Sensitive Data
Personal Data

Responsible Party
Data Processing
Operator Agreement
Information Regulator
Information Officer
Data Subject (Natural and Juristic persons)
Special Person Information
Personal Information

5. Key principles
The GDPR as well as the national data protection laws in the Member States are based on certain basic principles. These fundamental principles are the basis for more detailed and specific rules in the different areas of data processing.

Lawfulness, fairness,transparency
Data must be processed lawfully, fairly and in a transparent manner in relation to the persons concerned (“data subjects”)

Purpose limitation
Data must only be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes

Data minimisation
Data collection, processing and use must be adequate, relevant and limited to what is necessary in relation to the
purposes for which they are processed

Data must be kept accurate and, where necessary, kept up to date

Storage limitation
Data must be kept only for as long as necessary for the purposes for which the
personal data are processed and certain archiving purposes

Integrity and confidentiality
Data must be kept confidential and processed in a manner that ensures appropriate security of the personal data

Similarly to the GDPR 6 (six) principles, POPIA regulates lawful processing of personal data byprescribing certain conditions that form the fundamental basis for more detailed and specific rules in the different areas of data processing ,POPIA specifies 8 (eight) condition which are by and large similar to GDPR’s principles:

Responsible party must comply with all of the conditions for lawful processing and is responsible for how personal data is processed.

Purpose specification
Personal information must only be collected for a specific, explicitly defined lawful purpose related to a function or activity of the responsible party

Processing limitation
Processing must be justified on a ground recognised under POPIA (e.g.: consent / legitimate interests of the data subject, responsible party or the third party to whom the information is supplied / the law requires processing to take place).

Further processing limitation
Personal information may not be processed for a secondary purpose unless that processing is compatible with the original purpose.

Information quality
Steps must be taken to ensure that the information is completed, accurate, not misleading and updated where necessary.

Notification requirements must be complied with when collecting personal information and in the case of a breach

Security safeguards
Appropriate, reasonable, technical and organisational measures must be implemented and maintained to prevent loss of, damage to or one authorised destruction of or
unlawful access to personal information.

Data subject participation
Data subjects have the right to request details of the personal information that a responsible party holds about them and, in certain circumstances,
request access to such information.

Data processing is permitted if the data subject has given consent to the processing of his or her personal data for one or more specific purposes.

consent for marketing purposes, consent in connection with medical treatment, consent to participate in a study, consent in order to be able to benefit
from certain advantages, consent to receive certain individualized information

Performance of a contract
Data processing is permitted if such processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.

use of bank account information to pay a salary; using family information for pay roll purposes; use of travel information to book a journey; use of address information to ship products or services to a customer; use of user information to handle a customer complaint; access to information held in a system to provide support; use of GPS
information to provide location based services

Legal obligation
Data processing is permitted if processing is necessary for compliance with a legal obligation to which the data controller is subject

use of personnel data for payment of taxes or social security contribution; use of participant lists to document safety training; storage of contact details to comply with
“know-your-customer” or export control obligations

Legitimate interests of data controller or third party
Data processing is permitted if processing is necessary for the purposes of the legitimate interests pursued by the data controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.

login information for operation of company system; tracking of system access (e.g. in relation to an ERP system); using a company contact directory; video surveillance to
protect property or individual safety; fraud detection; consumer credit checks (if not already covered by consent)

There are other circumstances where data processing is generally permitted, but they are of less practical relevance in the context of Fujifilm’s business.

8. Special Categories of Personal Data
The data protection laws apply to all personal data. However, for special categories of “sensitive” personal data the requirements for allowing their processing are specifically strict. This includes personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation, and data regarding criminal convictions and offences. The processing of such data is only permitted under very narrow circumstances. As an example, if the data processing is based on the data subject’s consent, such consent must be explicit. Member States of the EU might even provide that consent is not sufficient to process such data.

9. Transparency; Rights of Data Subjects
The GDPR and POPIA puts an emphasis on transparency. The data subject must be informed in detail about the circumstances, the purposes and the parties involved in the data processing. The information must be provided usually before the collection of data begins. In case of material changes or if the data subject is not aware of the collection, processing or use of the data, the data controller must actively seek to inform the data subjects. If the personal data was not obtained from the data subject directly, such information must also describe from which source the personal data originated and whether it came from publicly accessible sources.

The information provided to the data subject must also include details about the data subject’s rights. In particular, this includes information on

  • the existence of the right to request from the data controller access to and rectification or  erasure of personal data or restriction of data processing and to object to data processing,
  • the existence of the right to withdraw consent for the future at any time (where data processing is based on consent) and
  • the right to lodge a complaint with a Data Protection Authority.

The information obligations of the data controller are subject to reasonableness. As an example, where the data subject already has the information or where the provision of the information is impossible or involves a disproportionate effort, the information obligations might not apply. Also, transparency will usually not require that the data controller has to disclose any business secrets, algorithms or similar.

10. Using service providers for processing of data
The data protection laws acknowledge that a company must be able to use third party service providers for the processing of personal data. However, the laws require that a “data controller” complies with certain requirements before transferring personal data to a “data processor”. Any data processing by a third party must be based on an appropriate contract and a data processor must provide sufficient guarantees to implement appropriate technical and organizational measures regarding security of data processing.

11. Transferring data outside South Africa
The GDPR provides a high standard of protection for the EU and the additional European Economic Area (EEA) countries Iceland, Liechtenstein and Norway. To maintain this standard, it is important to ensure that data may only be transferred to (or accessed from) countries outside the EU/EEA with a lower data protection standard if appropriate safeguards ensure that the recipients are subject to a comparable data protection standard as under the GDPR. For this purpose, the GDPR provides a
number of instruments, some of which were already developed under the Directive. The most
important instruments are:

“Standard Contractual Clauses” or “Model Clauses”: The EU Commission has adopted certain standard contractual clauses for transfers of data from companies inside the EU/EEA to companies outside the EU/EEA. We use these Standard Contractual Clauses for data transfer within the FUJIFILM Group and for exchange of data with suppliers and customers.

Adequacy Decisions: Transfers may be permitted based on adequacy decisions, in which the EU
Commission determines that a third country’s legislation ensures an adequate level of protection. The Commission has adopted such decisions for Switzerland, Canada and a number of other countries.

EU-US-Privacy-Shield: In addition, US companies that are self-certified under the EU-US Privacy Shield are considered as recipients with guaranteeing and adequate level of protection; relevant companies are listed on a website administered by the U.S. Department of Commerce’s International Trade Administration (ITA).