Sony Ethics & Compliance Hotline
Privacy Notice

Last Updated: November 2022

The Sony Ethics & Compliance Hotline (the "Hotline") is a confidential reporting tool operated by NAVEX Inc. ("NAVEX") on behalf of Sony Group Corporation and the relevant Sony Group Corporation subsidiary (ies) ("Sony" and "We") to allow individuals to report concerns or seek guidance with respect to suspected violations of law or Sony policies. This notice applies to information Sony collects through the toll-free number or online web form or through any follow-up communications Sony has with you. Sony Group Corporation together with the relevant Sony Group Corporation subsidiary about which the report is made (e.g. your employer, if you are an employee, or the Sony company contracting with you or your employing company in other circumstances) will act as data controllers with relation to the processing of personal data described in this privacy notice.

How We Use Personal Data

We may collect and process the following types of personal data when a report is made to the Hotline (herein “Hotline-related personal data” or “personal data”):

• your name, contact details, location, the Sony business unit you work for or you deal with;
• your relationship with Sony;
• the name and title of all individuals you mention in your report;
• the location where the violation occurred;
• a description of any matter you are reporting, including all relevant details;
• any questions you may raise through the Hotline; and
• any documents or files that support your report which you upload to the Hotline.

The information you provide will be submitted to the relevant personnel of the Sony Ethics and Compliance team. Sony will review and investigate all reports of unethical conduct and take steps toward resolving each reported matter.

Sony's legal basis for processing your personal data is that Sony has a legal obligation to comply with certain whistleblowing laws. To the extent not covered by a legal obligation, Sony has a legitimate interest in having a confidential reporting system to address areas of concern to Sony’s employees and business partners, including but not limited to accounting and auditing fraud, commercial fraud, harassment, retaliation, abuse, and other misconduct in the workplace in violation of our Sony Group Code of Conduct and investigating the related allegations. Sony may also process your personal data to establish or defend legal claims on behalf of the company, its officers, or its shareholders or as otherwise permissible under applicable law.

How We Share Personal Data

Sony sometimes works with third-parties to help us operate the Hotline and investigate concerns. These companies are contractually required to use your personal data only as necessary to provide their services to Sony at Sony’s instruction and are not permitted to use your information for any other purpose. Sony may also share your personal data with your authorization or as necessary to respond to a government request, subpoena, court order, or other applicable law or legal process.

How We Transfer Personal Data Internationally

Transfers within Sony group companies. Your personal data will be transferred to our U.S. based systems and may be transferred internationally to other members of the Sony group as necessary, particularly in the U.S., Japan and where the regional compliance office is located, to manage the Hotline and respond to your report. These jurisdictions may not have the same privacy laws as your own. The privacy laws in some countries, notably the UK, EEA and Switzerland regulate the transfer of personal data to other countries to ensure the data is protected in the recipient country.

Sony has an intra-company agreement on the transfer and processing of personal data within the Sony group of companies and uses EU Standard Contractual Clauses and the International Data Transfer Addendum to the EU Standard Contractual Clauses issued by the UK Information Commissioner to help ensure that your rights and protections will travel with your personal data.

Transfers to Suppliers - In the case of transfers of your personal data to suppliers located in countries that the UK or EEA has stated do not provide an adequate level of data protection under local law, Sony utilizes appropriate safeguards such as the UK and/or the EU Standard Contractual Clauses and/or approved codes of conduct or certification mechanisms or other binding and enforceable commitments of the supplier.

NAVEX and its affiliates process Hotline-related personal data in the United States and in various countries throughout the world. Please follow this link for further information on NAVEX’s service providers: https://www.navex.com/en-us/service-hosting-providers/ethicspoint. NAVEX and Sony have entered into the EU Standard Contractual Clauses and into the International Data Transfer Addendum to the EU Standard Contractual Clauses issued by the UK Information Commissioner to ensure an adequate level of data protection.

If you would like to receive additional information about international data transfers, please submit a “Guidance Request” report through the “Report a Concern” function on the Sony alertline homepage (www.sony.alertline.com) and clearly indicate you would like to receive additional information regarding international data transfers within the “Please describe your concern in more detail” section of the form.

How Long We Keep Personal Data

Sony collects the minimum amount of data required for the purpose outlined in this notice. Where required by law, personal data collected through the Hotline will be retained only as long as is necessary to complete the investigation or until the personal data is no longer relevant to an ongoing investigation or as otherwise required to comply with legal obligations. If legal proceedings or disciplinary measures are initiated, personal data may be kept until the conclusion of the proceedings and the period allowed for any appeal and as otherwise required to comply with legal obligations. For details of the applicable retention period in your territory, please contact us.

Your Rights in Relation to Your Personal Data.

Depending on the jurisdiction, you may have the right to:

• Request access or copies of personal data Sony processes about you;
• Rectify your personal data, if inaccurate or incomplete;
• Delete your personal data, unless an exception applies. For instance, we may need to keep your personal data to comply with legal obligations;
• Restrict the processing of your personal data, in certain circumstances;
• Object to processing of your personal data, in certain circumstances.

These rights may be limited in some situations. To exercise your rights, please submit a “Guidance Request” report through the “Report a Concern” function on the Sony alertline homepage (www.sony.alertline.com) and clearly indicate which right(s) you are requesting in the “Please describe your concern in more detail” section of the form. Sony may impose certain requirements or restrictions on your request as allowed or required by applicable laws.

Sony does not “sell” your Hotline-related personal data or “share” your Hotline-related personal data for advertising purposes, as those terms are defined in certain laws (e.g. the California Privacy Rights Act).

How to Contact Us.

If you have any questions about this notice or the processing of your Hotline-related personal data, please submit a “Guidance Request” report through the “Report a Concern” function on the Sony alertline homepage (www.sony.alertline.com). If you have concerns that Sony has not complied with its legal requirements, you have the right to contact the applicable data protection authority.