California Personnel
Privacy Notice (“Notice”)

Last Updated Date: 3/26/2024

This Notice describes how Kinokuniya Book Stores of America Co ltd. (“Kinokuniya,” “we,” “us,” or “our”) processes personal information (“PI”) of Personnel (defined below) in various human resources (“HR”) contexts. This Notice is designed to meet obligations under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (together, the “CCPA”).  In the event of a conflict between any other Kinokuniya policy, statement, or notice and this Notice, this Notice will prevail as to California Personnel, unless stated otherwise. Capitalized terms used but not defined in this Notice shall have the meanings given to them under the CCPA.

Applicability: This Notice applies to the following California residents who provided us with PI in HR contexts:

  • Job applicants who have applied for a position with Kinokuniya. 

  • Current/former employees of Kinokuniya.

  • Independent contractors of Kinokuniya.

This Notice also applies to California residents whose family member or friend has provided PI about you to Kinokuniya in an HR context, such as if:  

  • You are listed as an emergency contact for one of the foregoing.

  • You are a beneficiary or dependent of one of the foregoing.

The individuals referred to in the foregoing bullet points are collectively referred to as “Personnel” throughout this Notice.  Section 1 of this Notice provides notice of our data practices, including our collection, use, retention, and disclosure of Personnel PI.  Sections 2-5 of this Notice provide information regarding California Personnel rights under the CCPA and how you may exercise them.

Non-Applicability:  This Notice does not apply to our consumer facing website(s) or our data practices outside of the HR context, which are addressed in our general privacy notice available here.

 

1.  Notice of Data Practices

The description of our data practices in this Notice covers the twelve (12) months prior to the “Last Updated” date. Our data practices may differ between updates; however, if they are materially different from this Notice, we will provide supplemental pre-collection notice of the current practices, which may include references to other privacy policies, notices, or statements. Otherwise, this Notice serves as our notice at collection.

(a) PI Sources and Use

We may collect your PI directly from you, such as when you apply for a position with or become employed or engaged by us (e.g., identification/identity data, contact details, educational and employment data), from others through interactions in the course of employment or engagement, or from third parties (e.g., references) or public sources of data.

Generally we use Personnel PI for HR Business Purposes and as otherwise related to the operation of our business, including for: Performing Services; Managing Interactions and Transactions; Security; Debugging; Advertising & Marketing; Quality Assurance; Processing Interactions and Transactions; and Research and Development. For example, we use Personnel PI for the following purposes:

  • Workforce Planning and Recruitment, for example business forecasting, employee assignment, planning and budgeting, job advertising, interviewing, selecting and hiring staff, assessing job candidacy and conducting background checks;

  • General Human Resources Management and Administration, for example employee intake/onboarding/off-boarding, employee career development, performance management, training and education program, compensation and benefits management and benchmarking, administering payroll and benefit arrangements (including long-term incentive awards and bonus administration), obtaining management and employee satisfaction feedback, managing absences (e.g., sickness, parental leave and other family related and flexible working policies), health and safety, travel and expense management, general headcount reporting, disaster recovery and emergency response planning;

  • Performance of Kinokuniya’s Business Operations, for example carrying out Kinokuniya’s day to day business activities, allowing us to work together and collaborate, providing services to our customers and ensuring business continuity;

  • Security Management, for example to ensure the security of Kinokuniya’s premises, assets, information, HR IT systems, and employees;

  • Marketing, Advertising and Public Relations, for example displaying employees’ contact details and photographs on our website, or other professional social media websites and on other means of communication such as press releases;

  • Legal and Regulatory Compliance, for example to ensure compliance with health and safety requirements and other legal or fiscal obligations, or in connection with litigation or an internal investigation or audit and to ensure compliance with our policies regarding anti-money laundering, bribery and corruption; and

  • Ensuring compliance with our Code of Conduct, for example to ensure that we are living up to our values and, in particular for equal opportunities monitoring purposes.

We may also use PI for “Additional Business Purposes” in a context that is not a Sale or Share under the CCPA, such as:

  • Disclosing it to our Service Providers or Contractors that perform services for us (“Vendors”);

  • Disclosing it to you or to other parties at your direction or through your action (e.g., payroll processors, benefits providers, some software platform operators, etc.);

  • For the additional purposes explained at the time of collection (such as in the applicable privacy policy or notice);

  • As required or permitted by applicable law;

  • To the government or private parties to comply with law or legal process or protect or enforce legal rights or obligations or prevent harm;

  • Where we believe we need to in order to investigate, prevent or take action if we think someone might be using information for illegal activities, fraud, or in ways that may threaten someone’s safety or violate our policies or legal obligations; and

  • To assignees as part of an acquisition, merger, asset sale, or other transaction where another party assumes control over all or part of our business (“Corporate Transaction”).

Subject to restrictions and obligations under the CCPA, our Vendors may also use your PI for Business Purposes and Additional Business Purposes, and may engage their own vendors to enable them to perform services for us.

 

(b) PI Collection, Disclosure, and Retention - By Category of PI

We collect, disclose, and retain PI as follows:

Category of PI

Examples of PI Collected and Retained

Categories of Recipients

1. Identifiers

Real name, alias, postal address, unique personal identifiers, online identifier, Internet Protocol address, e-mail address, and account name.

Disclosures for Business Purposes:

· General IT, software, and other business vendors (e.g., data processors and storage providers)

· HR system and software vendors

· Payroll and benefits vendors and providers

· Insurance providers and brokers

· Governmental entities (for example, in relation to our obligations to determine employment eligibility and responding to requests pursuant to legal or regulatory process); and/or

· Other parties (e.g., litigants) within the limits of Additional Business Purposes.

Sale/Share: None

2. Personal Records

Name, address, telephone number, and financial information (e.g., payment card information; debit card information; 401k information).

Disclosures for Business Purposes:

· General IT, software, and other business vendors (e.g., data processors and storage providers)

· HR system and software vendors

· Payroll and benefits vendors and providers

· Insurance providers and brokers

· Governmental entities (for example, in relation to our obligations to determine employment eligibility and responding to requests pursuant to legal or regulatory process); and/or

· Other parties (e.g., litigants) within the limits of Additional Business Purposes.

Sale/Share: None

3. Personal Characteristics or Traits

In some circumstances, we may collect PI that is considered protected under U.S. law, such as age, gender, nationality, race or information related to medical conditions.

Disclosures for Business Purposes:

· General IT, software, and other business vendors (e.g., data processors and storage providers)

· HR system and software vendors

· Payroll and benefits vendors and providers

· Insurance providers and brokers

· Governmental entities (for example, in relation to our obligations to determine employment eligibility and responding to requests pursuant to legal or regulatory process); and/or

· Other parties (e.g., litigants) within the limits of Additional Business Purposes.

Sale/Share: None

4. Commercial Information

Records of products or services purchased or obtained in the HR context, such as benefits you have signed up for.

Disclosures for Business Purposes:

· General IT, software, and other business vendors (e.g., data processors and storage providers)

· HR system and software vendors 

· Benefits vendors and providers and/or

· Other parties (e.g., litigants and government entities) within the limits of Additional Business Purposes.

Sale/Share: None

5. Internet Usage Information

When you use our online systems or otherwise interact with us online, we may collect browsing history, search history, and other information regarding your interaction with our systems or other sites, applications, or content.

Disclosures for Business Purposes:

· General IT, software, and other business vendors (e.g., data processors and storage providers) and/or

· Other parties (e.g., litigants and government entities) within the limits of Additional Business Purposes.

Sale/Share: None

6. Geolocation Data

If you use our systems or interact with us online we may gain access to the approximate location of the device or equipment you are using, or the location from which you are accessing our systems. We may also track the location of Kinokuniya-owned equipment.

Disclosures for Business Purposes:

· General IT, software, and other business vendors (e.g., data processors and storage providers) and/or

· Other parties (e.g., litigants and government entities) within the limits of Additional Business Purposes.

Sale/Share: None

7. Sensory Data

We may collect audio, electronic, visual, or similar information such as images and audio, video, or call recordings created in connection with our business activities, such as via our video security recordings.

Disclosures for Business Purposes:

· General IT, software, and other business vendors (e.g., data processors and storage providers and security providers) and/or

· Other parties (e.g., litigants and government entities) within the limits of Additional Business Purposes.

Sale/Share: None

8. Professional or Employment Information

Professional, educational, or employment-related information such as resumes, application forms, employment history, performance reviews, disciplinary records, details of skills and experience, absence records, information relating to your next of kin and other third party individuals, for example emergency contacts, dependants, life insurance beneficiaries, etc.

Disclosures for Business Purposes:

· General IT, software, and other business vendors (e.g., data processors and storage providers)

· HR system and software vendors and/or

· Other parties (e.g., litigants and government entities) within the limits of Additional Business Purposes.

Sale/Share: None

9. Non-public Education Records

Education records directly maintained by an educational institution or party acting on its behalf, such as transcripts.

Disclosures for Business Purposes:

· General IT, software, and other business vendors (e.g., data processors and storage providers)

· HR system and software vendors and/or

· Other parties (e.g., litigants and government entities) within the limits of Additional Business Purposes.

Sale/Share: None

10. Inferences from PI Collected

We may draw inferences from other information we collect about you. For example, based on your performance or other information we may recommend skills training that may benefit you.

Disclosures for Business Purposes:

· General IT, software, and other business vendors (e.g., data processors and storage providers)

· HR system and software vendors; and/or

· Other parties (e.g., litigants and government entities) within the limits of Additional Business Purposes.

Sale/Share: None

11. Sensitive PI

Government Issued ID Numbers (Social Security, driver’s license, state ID card, or passport number)

Disclosures for Business Purposes:

· General IT, software, and other business vendors (e.g., data processors and storage providers)

· HR system and software vendors and/or

· Other parties (e.g., litigants and government entities) within the limits of Additional Business Purposes.

Sale/Share: None

Sensitive Personal Characteristics (e.g., racial or ethnic origin, or citizenship or immigration status)

Disclosures for Business Purposes:

· General IT, software, and other business vendors (e.g., data processors and storage providers) and/or

· Other parties (e.g., litigants and government entities) within the limits of Additional Business Purposes.

Sale/Share: None

Communication Content (contents of mail, email, and text messages, other than where Kinokuniya is the intended recipient of the communication)

Disclosures for Business Purposes:

· Vendors (e.g., processing and storage providers and fraud prevention and security providers);

· Governmental entities (making requests pursuant to legal or regulatory process); and/or

· Other parties within the limits of Additional Business Purposes.

Sale/Share: None

Health Information (PI collected and analyzed concerning an individual’s health)

Disclosures for Business Purposes:

· General IT, software, and other business vendors (e.g., data processors and storage providers) and/or

· Other parties (e.g., litigants and government entities) within the limits of Additional Business Purposes.

Sale/Share: None

There may be additional information we collect that meets the definition of PI under the CCPA but is not reflected by a category above, in which case we will treat it as PI as required, but will not include it when we describe our practices by PI category.

As permitted by applicable law, we do not treat deidentified data or aggregate consumer information as PI and we reserve the right to convert, or permit others to convert, your PI into deidentified data or aggregate consumer information, and may elect not to treat publicly available information as PI.  We will not attempt to reidentify data that we maintain as deidentified.  

Because there are numerous types of PI in each category of PI, and various uses for each PI type, our retention periods vary for each of the categories of PI described above. The length of time for which we retain each category of PI depends on the purposes for our collection and use and requirements pursuant to applicable laws. In no event do we retain your PI for any longer than reasonably necessary to achieve the purposes for which it was collected or processed, or as required by applicable law.  The criteria used to determine the retention period of PI include the nature and sensitivity of the PI, the potential risk of harm from unauthorized use or disclosure of the PI, as well as applicable laws (such as applicable statutes of limitation).

 

2. Your Rights and How to Exercise Them

As described further below, subject to meeting verification requirements and limitations permitted by applicable laws, we provide you the privacy rights described in this section.

To submit a request to exercise your privacy rights, or to submit a request as an authorized agent, use our California Resident Privacy Rights Webform, or call us at 1-833-673-0797, and respond to any follow-up inquiries we make. Please be aware that we do not accept or process requests through other means (e.g., via fax, chats, social media etc.).  More details on the request and verification process are in Section 2(g) below.  The rights we accommodate are as follows:

(a) Right to Limit Sensitive PI Processing

With regard to PI that qualifies as Sensitive PI under the CCPA, we only process such Sensitive PI for purposes that are exempt from Consumer choice under the CCPA.  

(b) Right to Know/Access

You are entitled to access PI up to twice in a 12-month period.   

(1)  Categories

You have a right to submit a request for any of the following for the period that is 12-months prior to the request date:

  •  The categories of PI we have Collected about you.

  •  The categories of sources from which we Collected your PI.

  •  The Business Purposes or Commercial Purposes for our Collecting, Selling, or Sharing your PI.

  •  The categories of Third Parties to whom we have disclosed your PI.

  •  A list of the categories of PI disclosed for a Business Purpose and, for each, the categories of recipients, or that no disclosure occurred.

  •  A list of the categories of PI Sold or Shared about you and, for each, the categories of recipients, or that no Sale or Share occurred. 

(2)  Specific Pieces

You may request to confirm if we are Processing your PI and, if we are, to obtain a transportable copy, subject to applicable request limits, of your PI that we have Collected and are maintaining.  For your specific pieces of PI, as required by the CCPA, we will apply the heightened verification standards as described below.  We have no obligation to re-identify information or to keep PI longer than we need it or are required to by applicable law to comply with access requests. 

(c) Do Not Sell / Share

We do not Sell or Share PI. We do not knowingly Sell or Share the PI of Consumers under 16, unless we receive affirmative authorization (“opt-in”) from either the Consumer who is between 13 and 16 years old, or the parent or guardian of a Consumer who is less than 13 years old. If you think we may have unknowingly collected PI of a Consumer under 16 years old, please Contact Us.

We may disclose your PI for the following purposes, which are not a Sale or Share:  (i) if you direct us to disclose PI; (ii) to comply with a rights request you submit to us; (iii) disclosures amongst the entities that constitute Kinokuniya as defined above, or as part of a Corporate Transaction; and (iv) as otherwise required or permitted by applicable law.

(d) Right to Delete

Except to the extent we have a basis for retention under applicable law, you may request that we delete your PI.

Note also that we may not be required to delete your PI that we did not Collect directly from you.

(e) Correct Your PI

You may bring inaccuracies you find in your PI that we maintain to our attention and we will act upon such a complaint as required by applicable law. You can also make changes to your online account in the account settings section of the account. That will not, however, change your information that exists in other places.

(f)  Automated Decision Making/Profiling

We do not believe we engage in Automated Decision Making or Profiling as of the Last Updated Date of this Notice.

(g) How to Exercise Your Privacy Rights

To submit a request to exercise your privacy rights, or to submit a request as an authorized agent, use our California Resident Privacy Rights Webform, or call us at 1-833-673-0797, and respond to any follow-up inquiries we make. Please be aware that we do not accept or process requests through other means (e.g., via fax, chats, social media etc.). 

(1) Your Request Must be a Verifiable Request

As permitted or required by the CCPA, any request you submit to us must be a verifiable request, meaning when you make a request, we may ask you to provide verifying information, such as your name, e-mail, phone number and/or account information. We will review the information provided and may request additional information via e-mail or other means to ensure we are interacting with the correct individual.  We will not fulfill your Right to Know (Categories), Right to Know (Specific Pieces), Right to Delete, or Right to Correction request unless you have provided sufficient information for us to reasonably verify you are the individual about whom we Collected PI. 

We verify each request as follows:

·   Right to Know (Categories):  We verify your Request to Know Categories of PI to a reasonable degree of certainty, which may include matching at least two data points provided by you with data points maintained by us, which we have determined to be reliable for the purpose of verifying you.  If we cannot do so, we will refer you to this Notice for a general description of our data practices.

· Right to Know (Specific Pieces):  We verify your Request To Know Specific Pieces of PI to a reasonably high degree of certainty, which may include matching at least three data points provided by you with data points maintained by us, which we have determined to be reliable for the purpose of verifying you together with a signed declaration under penalty of perjury that you are the individual whose PI is the subject of the request. If you fail to provide requested information, we will be unable to verify you sufficiently to honor your request, but we will then treat it as a Right to Know Categories Request.

·  Right to Delete:  We verify your Request to Delete to a reasonable degree of certainty, which may include matching at least two reliable data points provided by you with data points maintained by us, or to a reasonably high degree of certainty, which may include matching at least three reliable data points provided by you with data points maintained by us, depending on the sensitivity of the PI and the risk of harm to the individual posed by unauthorized deletion. 

·  Correction:  We verify your Request to Correct PI to a reasonable degree of certainty, which may include matching at least two reliable data points provided by you with data points maintained by us, or to a reasonably high degree of certainty, which may include matching at least three reliable data points provided by you with data points maintained by us, depending on the sensitivity of the PI and the risk of harm to the individual posed by unauthorized correction.

If we are unable to verify you sufficiently we will be unable to honor your request. We will use PI provided in a Verifiable Request only to verify your identity or authority to make the request and to track and document request responses, unless you also gave it to us for another purpose.

(2) Agent Requests

You may use an authorized agent to make a request for you, subject to our verification of the agent, the agent’s authority to submit requests on your behalf, and of you.  You can learn how to do this by visiting the agent section of our California Resident Privacy Rights Form. Once your agent’s authority is confirmed, they may exercise rights on your behalf subject to the agency requirements of the CCPA.

(h) Our Responses

Some PI that we maintain is insufficiently specific for us to be able to associate it with a verified individual (e.g., clickstream data tied only to a pseudonymous browser ID). We do not include that PI in response to those requests.  If we deny a request, in whole or in part, we will explain the reasons in our response. 

We will make commercially reasonable efforts to identify PI that we Process to respond to your request(s).  In some cases, particularly with voluminous and/or typically irrelevant data, we may suggest you receive the most recent or a summary of your PI and give you the opportunity to elect whether you want the rest.  We reserve the right to direct you to where you may access and copy responsive PI yourself.  We will typically not charge a fee to fully respond to your requests; provided, however, that we may charge a reasonable fee, or refuse to act upon a request, if your request is excessive, repetitive, unfounded, or overly burdensome.  If we determine that the request warrants a fee, or that we may refuse it, we will give you notice explaining why we made that decision.  You will be provided a cost estimate and the opportunity to accept such fees before we will charge you for responding to your request.

Consistent with the CCPA and our interest in the security of your PI, we will not deliver to you your Social Security number, driver’s license number, or other government-issued ID number in response to a privacy rights request; however, you may be able to access some of this information yourself through your account if you have an active account with us. 

 

3. Non-Discrimination / No Retaliation

We will not discriminate or retaliate against you in a manner prohibited by the CCPA for your exercise of your privacy rights.

 

4. Notice of Financial Incentive Programs

We do not currently offer discounts or rewards for providing us PI, or set price or service differences related to the collection, retention, Sale, or Sharing of PI.  If we offer such programs in the future, we will update this Notice to describe such program(s), including how you may opt-in and how we value the PI required.

 

5. Our Rights and the Rights of Others

Notwithstanding anything to the contrary, we may collect, use and disclose your PI as required or permitted by applicable law and this may override your rights under the CCPA. In addition, we are not required to honor your requests to the extent that doing so would infringe upon our or another person’s or party’s rights or conflict with applicable law. 

 

6. Contact Us

If you have any questions, comments, or concerns about our HR privacy practices, please contact us by e-mail at hrny2@kinokuniya.com. Please note that e-mail communications will not necessarily be secure; accordingly, you should not include sensitive information in your e-mail correspondence with us.