KINTO Tech Blog
Security

Compliance with GDPR in the Global KINTO

M.Mori

Introduction

Hi, this is Mori from the Global Development Group. I usually work on the Global KINTO Web as a Product Manager and am also responsible for personal-data-related tasks in the Global Dev. group. KINTO offers a wide range of mobility services such as Full-Service Lease (car subscriptions), car rental services, etc. These services are available not only in Japan but also in over 30 countries worldwide, operated by affiliated companies and partners. For more information, please check out the list of our KINTO services around the world on the Global KINTO Web. Today, I would like to write about how we complied with the personal-data-related laws of each country, which is crucial for expanding services globally.

*Although the Global Development Group is part of KINTO Technologies, the products we develop become assets of our parent company, Toyota Financial Services Corporation. Therefore, we handle all legal tasks as Toyota Financial Services Corporation.

Background

KINTO strives to provide seamless mobility experiences to our customers around the world with the brand promise of "Ever Better Mobility For All." To enable seamless access to each KINTO service separately operated in each country, we provide 'the Global KINTO ID Platform' (GKIDP), a solution to connect IDs around the world. I will skip the details of how it works in this article, but GKIDP allows users from one country (Country A) to use the services of another country (Country B) with the same ID. This means that a cross-border transfer of personal data, such as users' names and e-mail addresses, occurs between the different countries. As a side note, the definition of 'personal data' varies by country. For example, in the General Data Protection Regulation (GDPR), 'personal data' is defined as follows:

Article 4 (1) 'personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Source: General Data Protection Regulation

Currently, strict laws related to personal data have been enacted in various countries, such as the GDPR in the European Economic Area (EEA) and the California Consumer Privacy Act (CCPA) in California, US. In Japan as well, the Amendments to the Act on the Protection of Personal Information came fully into force in April 2022. This indicates a global trend towards strengthening personal data protection. Prominent companies have been investigated by supervisory authorities, particularly in Europe, and have been subject to substantial fines for non-compliance with these regulations.

Reference: The Biggest GDPR Fines of 2022 from EQS group blog

Considering the above, we work to comply with the personal-data-related laws of each country in order to provide GKIDP globally.

GDPR Compliance and Challenges in Global Expansion:

1. Data Transfer Agreement (DTA):

A Data Transfer Agreement (DTA) is an agreement that establishes the conditions for transferring personal data between jurisdictions and organizations, covering the data processing and cross-border data transfer between the signing entities. In Global KINTO, we anticipated the cross-border transfer of personal data and developed the "Global Data Transfer Agreement (GDTA)" framework.

GDTA components and their contents:
  • Scope of the agreement: the project overview and the scope of the GDTA
  • Role and responsibilities of each entity: role definition and the scope of responsibility of each entity
  • Adhesion clause: provisions allowing other KINTO service providers to participate in the GDTA
  • Annex: covers the use cases of the anticipated roles and processing

The entities that join the GKIDP must sign this agreement and complete the following essential steps:
✅ Identifying the role of each entity and signing the GDTA.
✅ Evaluating the risk level of the cross-border data transfer, considering the use cases.
✅ Applying the appropriate data transfer mechanisms.

2. Role Definitions

Under the GDPR, the following definitions apply to the processing of personal data, and each entity requires appropriate contracts after defining its respective role.

Roles and definitions:
  • Controller: alone or jointly with others, determines the purposes and means of the processing of personal data
  • Processor: processes personal data on behalf of the controller

Based on the definitions above, we consider each entity that joins the GKIDP framework to be a joint controller in our case. These include:

  • Local KINTO service providers in each country, which determine the purposes of processing users' personal data.
  • Toyota Financial Services Corporation, which developed and owns the GKIDP where users' personal data is stored.

3. Use Cases and Data Transfer

In order to transfer personal data to other countries, it is necessary to assess whether the destination country has sufficient regulations in place. For example, under the GDPR, countries that the European Commission has recognized as having adequate data protection laws and regulations (i.e., countries that have received an adequacy decision) can rely on that decision as the basis for the data transfer. For countries without such an adequacy decision, however, it is necessary to implement additional measures such as signing the Standard Contractual Clauses.

The GDPR provides different tools to frame data transfers from the EU to a third country:
・sometimes, a third country may be declared as offering an adequate level of protection through a European Commission decision ('Adequacy Decision'), meaning that data can be transferred to another company in that third country without the data exporter being required to provide further safeguards or being subject to additional conditions. In other words, the transfers to an 'adequate' third country will be comparable to a transmission of data within the EU.
・in the absence of an Adequacy Decision, a transfer can take place through the provision of appropriate safeguards and on condition that enforceable rights and effective legal remedies are available for individuals. Such appropriate safeguards include:
　・in the case of a group of undertakings, or groups of companies engaged in a joint economic activity, companies can transfer personal data based on so-called binding corporate rules;
　・contractual arrangements with the recipient of the personal data, using, for example, the standard contractual clauses approved by the European Commission;
　・adherence to a code of conduct or certification mechanism together with obtaining binding and enforceable commitments from the recipient to apply the appropriate safeguards to protect the transferred data.
・finally, if a transfer of personal data is envisaged to a third country that isn't the subject of an Adequacy Decision and if appropriate safeguards are absent, a transfer can be made based on a number of derogations for specific situations for example, where an individual has explicitly consented to the proposed transfer after having been provided with all necessary information about the risks associated with the transfer.

Reference: What rules apply if my organisation transfers data outside the EU? by the European Commission

Based on these rules, we classified the use cases as follows.

Use cases and the basis for data transfer:
  • Entities within the EEA: since there is no data transfer outside of the EEA, the entity simply participates in the GDTA.
  • Transfer from the EEA to a country that has an adequacy decision: the adequacy decision serves as the basis for the data transfer outside of the EEA.
    * Adequacy decisions by the European Commission
  • Transfer from the EEA to a country that does not have an adequacy decision: data can be transferred outside of the EEA based on the Standard Contractual Clauses (SCC)[1] and a Transfer Impact Assessment (TIA)[2] in accordance with the GDPR.

4. SCC and TIA based on European GDPR

For countries recognized as not providing an essentially equivalent level of data protection to that within the European Economic Area (EEA), i.e., countries that do not have an adequacy decision, it is necessary to sign the Standard Contractual Clauses (SCC) and assess the data transfer through a Transfer Impact Assessment (TIA) before European personal data can be transferred to them. We are working to ensure that the entities joining GKIDP understand this requirement, explaining the need for the SCC and TIA, and sign the necessary agreements accordingly. I will skip the details today, but if there is an opportunity, I will tell this story in another article.

Reference: Standard contractual clauses for data transfers between EU and non-EU countries

Next Challenges

Steps 1 to 4 above must be followed, and each document must be signed before a data transfer can finally take place. It took nearly a year to establish this framework and process, including drafting the actual GDTA with the KINTO Italy team as a GDPR stakeholder. Going forward, we will proceed with contracts with the entities joining GKIDP in accordance with these steps.

The above framework was built with the GDPR as a reference, but other documents may be required for cross-border data transfers between other countries. As our GKIDP collaborative services expand, we have been conducting investigations and carrying out the tasks necessary to comply with the respective laws and regulations of each country, taking into account their differences from the GDPR. In order for KINTO to offer "Ever Better Mobility For All" worldwide, introducing GKIDP into many more countries is essential, so we will continue to ensure compliance with the regulations of each country.

Conclusion

When I was first assigned to this project, I had just joined the company, and until then I didn't know much about privacy policy, much less about the GDPR. But now, I find myself working as the counterpart for personal-data-related laws in the Global Dev. group, answering questions from internal team members and engaging in specialized conversations with experts such as the security team. This change comes from the culture at KINTO Technologies that 'values and welcomes individuals who seek knowledge themselves'. Moving forward, I aim to continue enhancing not only my personal-data-related knowledge but also my overall skill set within this environment.

There are various articles available online about the GDPR, but I have referred to the following links. They provide comprehensive and easily understandable insights. (*They are in Japanese.)
Of course, it's important to note that relying solely on amateur knowledge for compliance is risky, and insights from legal and security experts are crucial 👨‍⚖️

Source:

Footnotes
  1. SCC: A set of legal provisions used to ensure that the transfer of personal data from the EEA to countries outside the EEA complies with the GDPR. It is just one mechanism that can be used for cross-border data transfers.

  2. TIA: An assessment of the privacy protections of the laws and regulations of a recipient country outside of the EU / EEA. It could include evaluating the risk of government access, adequate protections, and the local legal framework.
