Rakuten Symphony Supplier Whistleblowing Privacy Policy

Last updated: August 2023
This Privacy Policy describes how Rakuten Symphony Inc (“Rakuten Symphony”, “we”,“us”, or “our”) collects and processes Personal Data about you in connection with your use of our Supplier’s Whistleblower Hotline (respectively the “Supplier Hotline”), how we use and protect it, and your rights in relation to your Personal Data. All Rakuten Symphony’s Suppliers can report any incident (“Whistleblowing Report”) via the Supplier Hotline. You may also contact us anonymously to make a Whistleblowing Report if you prefer. More information about the Supplier Hotline is set out in our Supplier Pledge and can be found here. This privacy policy also applies to personal data of anyone who is reported, witnesses, and any person involved in the process.

Rakuten Symphony is part of the Rakuten Group. Rakuten Group Inc., is based in Tokyo, Japan. More information about Rakuten is available at https://global.rakuten.com/ corp/about/company.

Personal Data we collect and how

We collect personal data in different ways for you to use the Supplier Hotline. The following is a list with the categories of personal data we collect, and how we obtain it.
Information that we collect directly from you or receive about you via the Supplier Hotline:
  •  Your name, phone number, e-mail address, job title;
  • Information about where you work and/or the location of the incident regarding the Whistleblowing Report that is being made;
  • Information about your behavior such as your general conduct at work or specific incidents that have triggered a Whistleblowing Report to be made;
  • Information about how you are connected to the incident/behavior (i.e. whether you reported the incident/behavior, witnessed or allegedly took part in it); and
  • Any follow up exchanges that we might have in connection with your original Whistleblowing Report.

How we use your data and the basis on which we use it

We always need a proper reason to process your data. You may find the information regarding the purposes and basis for which we process the types of personal data here.
Purpose of Use
Supplier Hotline
Basis for Processing
Legal obligation
  • We are under a  legal obligation to provide whistle blowing channels to certain groups of  individuals to certain types of breaches. Where the Whistleblowing Report  falls under this legal obligation, that will be our basis for processing this  data.
Legitimate interest
  • We are under a  legal obligation to provide whistle blowing channels to certain groups of  individuals to certain types of breaches. Where the Whistleblowing Report  falls under this legal obligation, that will be our basis for processing this  data.
Performance of Contract
  • Investigating andresolving the reported incident may be necessary for performance of thecontract.
Public Interest
  • Some incidents may have the potential of affecting the public, and reporting such incidents for purposes of the public interest may be our legal basis for processing personal data.
Retention Period
Unless there is a legal obligation to maintain it for longer, Whistleblowing Reports will be kept for 2 months after the investigation is resolved and closed.

Your Choices

The rights and choices about your data are different depending on your location. Some of these rights may be restricted or may not apply, depending on the circumstances. For example, we may reject a Data Subject Access Request as responding to it could jeopardize an investigation or expose a whistleblower.In any case, any deferral or restriction of such rights shall be decided on a case-by-case basis and the reasons for any restriction should be documented. You may have the right to request:
  1. access to your data; either if you want to know what data we have about you; or
  2. get a copy of your data in a machine-readable format (right to data portability);
  3. correct any information that is wrong;
  4. delete your data;
  5. restrict usage to the bare minimum (for example, if you ask us to delete, but we still need to keep your order history for legal reasons, like tax audits of our business);
  6. object to specific uses;
  7. ask us where we got certain data about you, how we use it and with whom we share it;
  8. withdraw your consent easily; if you do so, the lawfulness of processing based on your consent before its withdrawal will not be affected.
You can always ask us to exercise these rights without having to be afraid of discrimination. Also, you can file a complaint with your data protection authority, where applicable, if you think we mishandled your data. If you want to exercise your rights, please get in touch with us by using the Contact section below. We will always try to find a good and easy solution together.

Data Sharing

We share your data with:      
  • Rakuten Symphony Group companies;
  • Service providers and business partners, who help us make our service possible (they are data processors). We ensure they only have access to such information that is strictly necessary for us to provide the Services. These parties are required to secure the data they receive and to use the data for pre-agreed purposes only, while ensuring compliance with all applicable data protection regulations.
  • Law enforcement bodies where we are required to share data or with a court if necessary to enforce our claims or other legal rights.
  • Asset purchasers. In case our service or our company are fully or partly purchased by another company, data will be shared. The acquiring company will be bound by this privacy policy.
Find here the list with our services providers, business and advertising partners, the data we share and the countries where they are located.
Categories of recipients
Supplier HotlineThe Whistleblowing Report is collected directly by Navex and shared with Rakuten Symphony for further investigation.
Recipients name
Data Shared
Any information that is included in the Whistleblowing Report. 
Because we operate as part of a global business, the recipients referred to above may be located outside the jurisdiction in which you are located (or in which we provide the services). See the section on "International Data Transfers" below for more information.

International Data Transfers

We are a global business. That means your data will be shared to other Rakuten Symphony Group companies around the world. Personal Data collected for our Supplier Hotline will be accessed from Japan and Singapore (where our personnel is located). We may use service providers indifferent countries. Data are sent to them as well as indicated in the Data Sharing section above. We have taken steps to keep your data safe. We are always watching out to ensure they are trustworthy, and we have strict contracts in place.

Inside the Rakuten Group, we have BCRs (Binding Corporate Rules), a set of privacy internal rules that we apply across all the Rakuten Group companies. The BCRs are Rakuten global standard for the protection of privacy and processing of personal data. Rakuten’s BCRs allow secure transfers of data within the Rakuten Group companies and have been approved by the relevant Data Protection Authorities in Luxembourg and the United Kingdom. You can find them here.


We have strict security measures in place to ensure that your account and your data are safe with us. Some of these are technical, like password rules and monitoring of log-in patterns. Others are organizational, like having proper processes and access rules in place. We do so to prevent unauthorized access or unauthorized disclosure of your information, to maintain the accuracy of such information and, when necessary, to ensure its proper destruction.

When collecting or transferring your personal information, we employ data encryption technology, and restrict access only to those persons who require it to fulfill their job responsibilities. We conduct periodic reviews of our practices to ensure that our safeguards are properly implemented and remain state of the art. We make sure to always keep up with the latest developments.


We will retain your data as long is necessary for the Supplier Hotline and after that, only if required by law. See retention period’s details in the [How we use your data and the basis on which we use it] section above.

Contact Us

Rakuten Symphony Inc is the controller responsible for the Supplier Hotline. If you have questions or concerns regarding the way in which your Personal Data has been used, please contact mobile-SymwarePrivacy Policy@mail.rakuten.com. Our data protection officer can be contacted this way.If you have any complaint, we hope we can work with you to achieve a good solution.

Please note that when contacting us, we may ask you for certain information to verify your identity and respond to your request appropriately.

Changes to this Policy

We may update this privacy policy from time to time. If there is going to be a substantial change, we will notify you in advance.
Download Privacy Policy
By clicking “Accept All Cookies”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Notice for more information.