a
Q
  1. Home
  2. Privacy statement

Privacy Statement

ORIX Corporation UK Limited

1. INTRODUCTION

About Us
ORIX Corporation UK Limited (“ORIX UK”) is a private company with limited liability incorporated in the United Kingdom with company number 11148044. It has its registered office at 65 Curzon Street, London, W1J 8PE, England. ORIX UK is an indirect UK subsidiary of ORIX Corporation (“ORIX”), a publicly owned Tokyo-based international financial services company founded in 1964.

About our Privacy Statement
This privacy statement (the “Statement”) is applicable to your relationship with ORIX UK. In this Statement ORIX UK will be referred to as (“we”/ “us”/ “our”/ “ORIX UK”) and is addressed to you being (i) (the representative of) a current or potential business partner, acquisition target, acquired business or portfolio company, supplier or vendor (“Business Partner”); or (ii) job applicant. This Statement sets the context in which we may process your personal data and explains your rights and our obligations when we do so.

The protection of personal data is important to us. We therefore process any personal data entrusted to us in line with applicable data protection rules, including the UK GDPR , the UK Data Protection Act 2018 and, where applicable the EU General Data Protection Regulation 2016/679, hereafter collectively referred to as “the GDPR”.

Under the GDPR and in this Statement, ORIX UK will be what is known as the “controller” of the personal data that ORIX UK processes about its job applicants. That means that we are responsible for determining how we collect, store and use (i.e. “process”) your personal data. In relation to our Business Partners, please note that ORIX UK will be acting as “joint controller”, together with ORIX, the indirect parent company of ORIX UK, incorporated under the laws of Japan, with registered office at 2-4-1 Hamamatsu-cho, Minato-ku, Tokyo, 105-5135, Japan, registered under No.0140-01006942. That means that ORIX UK and ORIX are jointly responsible for determining how your data is collected, stored and used (i.e. processed). ORIX UK and ORIX have set out their respective obligations in relation to the processing of your personal data in an agreement, including that ORIX UK shall perform the obligations towards you in relation to the processing of your personal data in its own name and in the name and on behalf of ORIX, but with full consultation and coordination with ORIX to ensure compliance with the GDPR.

2. WHAT TYPES OF PERSONAL DATA DO WE PROCESS?

The types of personal data we process depend on your relationship with us. Set out below are the categories of personal data we may process, defined by the nature of our relationship to you.

The personal data we process if you are a Business Partner
If you are a Business Partner of ORIX UK or an individual working for a Business Partner, we will process personal data about you for the purposes of performing and managing our business relationships and our agreements we have with our Business Partners and also to comply with our legal obligations, including the obligation to undertake identification checks and those under tax law. The types of personal data we may process include identity data (such as your full name, postal address, e-mail address, phone number, job title, the company you work for), and financial data (such as the Business Partner’s bank account details, billing contact address/email details and tax identification or VAT number).

The personal data we process if you are a job applicant
If you are a job applicant of ORIX UK, we process the following categories of personal data about you: identity data (such as your full name, postal address, e-mail address, phone number, age, gender, job title, the company you work for), financial data (such as your bank account details, email details and tax identification or VAT number) and human resources related data (such as CV, employment dates and history, language skills, education, training, visas, work and residence permits and passport information.

Insofar as necessary in the context of legal obligations or rights in connection with employment law, we may process certain sensitive types of personal data in very limited circumstances. This may include minimal information indicating that you require an adjustment in the recruitment process (for example, if you inform us that you are unable to attend an interview and request that it be rescheduled, or you ask us whether there is an escalator in the office to accommodate a disability).

3. HOW DO WE OBTAIN YOUR PERSONAL DATA?

We obtain your personal data in the following situations:

• when you provide us with your personal data, or when you interact with us by e-mail, phone or letter;
• through our job application and recruitment process if you apply for employment with us (when we collect information from you or a third party such as former employers, referees, job agencies, background check providers or credit reference agencies);
• through our employment relationship with you if you join our staff;
• when you enter into an agreement with us;
• when we carry out due diligence on you or your staff members as part of our Business Partner selection or onboarding process. We may collect information from publicly available sources, background check providers or credit reference agencies for those purposes, in compliance with applicable law;
• when we receive and process your invoices; and/or
• when we collect personal data from other sources, such as local counsel, counterparties, the trade register, commercial databases or by using public sources.

4. WHY DO WE PROCESS YOUR PERSONAL DATA AND ON WHICH BASIS?

We will only process your personal data we can rely on a legal basis under the GDPR, and for the following purposes (which also describe our legitimate interests):

• process and respond to requests, enquiries or complaints received from you or from third parties about you;
• onboard you as a Business Partner (which may include appropriate due diligence, screening and background checks, in compliance with applicable law) and execute our services and supporting processes and systems required;
• manage and administer our relationship with you;
• comply with legal, tax, accounting, regulatory requirements, including the prevention of fraud and misuse of our products or services as well as the security of our IT systems, architecture and networks;
• provide services requested by you;
• communicate with you about our services;
• monitor, analyze, develop and improve our business processes and systems and our services (e.g. by using cloud platforms operated by third party suppliers);
• manage our job application and recruitment process;
• meet our corporate and social responsibility objectives;
• carry out business development activities;
• identify, seek and defend claims;
• fulfil our internal and external financial and other reporting obligations, including the preparation of group consolidated accounts; and/or
• carry out legitimate internal administrative purposes relating to ORIX UK and its shareholders.

We process your personal data on one or more of the following legal bases:

• in order to perform the contract we may enter into or have entered into with you;
• where it is necessary for legitimate interests pursued by us (i.e. for the effective and lawful operation of our businesses, and the specific legitimate interests described above), provided those interests are not overridden by your interests or fundamental rights and freedoms;
• in order to comply with a legal or regulatory obligation;
• with your consent (where applicable); or
• where it is necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on us or you in connection with employment, social security or social protection.

If you do not provide certain personal data when requested, it may impede our ability to perform any contract we have entered with you.

We will only process more sensitive personal data (e.g. information on your health) in limited circumstances, and only when applicable law allows us to. We may process sensitive personal data for the following purposes and on the following legal bases (e.g.):

• carry out necessary due diligence or background checks (which, depending on the nature of your role or our business partnership, may require us to carry out criminal checks) in order to comply with regulatory requirements, protect the public from dishonesty and for fraud prevention purposes;
• ensure health and safety in the workplace;
• comply with our legal obligations or exercise rights in connection with employment, such as anti-discrimination or equal opportunities law.

We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis that allows us to do so.

5. HOW LONG DO WE KEEP YOUR PERSONAL DATA?

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, tax, regulatory or reporting requirements, and any contractual obligations we may have with you. This means that the period of time for which we store your personal data may depend on the type of data we hold. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax or accounting requirements.

6. TO WHOM DO WE DISCLOSE YOUR PERSONAL DATA?

Where necessary for the above purposes, we share your personal data with other ORIX group companies (i.e. ORIX and its subsidiaries, joint ventures and affiliates effectively controlled directly or indirectly by ORIX). We also transfer (or may grant access to) your personal data to the following third parties:
• service providers and contractors for the performance of any agreement we conclude with them (such as our (IT) systems, cloud service, storage and database providers);
• any third party to whom we assign or novate any of our rights or obligations under a relevant agreement;
• any third party in connection with a proposed reorganization, merger, sale or other form of corporate transaction or process;
• any national or international governmental or judicial authority or arbitral tribunal, where we are required to do so by applicable law or regulation or at their request, in compliance with applicable laws;
• entities processing personal data on behalf and on instruction of ORIX UK, including but not limited to:, IT, archiving, courier, and training service providers; and
• professional advisers such as accountants, financial services providers, legal advisers and medical professionals.

In that context, your personal data may be transferred and processed outside of the UK, including the countries which have been subject to a UK adequacy regulation issued by the UK government .

Your personal data may also be transferred to other jurisdictions outside of the UK, where the privacy and data protection laws may not be as protective as those in your jurisdiction. In this case, we will implement a safeguard or rely on a derogation as set out in the GDPR to validate such data transfer. In particular, together with our shareholders and certain other ORIX group companies, we have entered into an Interaffiliate Data Processing and Transfer Agreement, including (amongst others) the most recent EU Standard Contractual Clauses adopted by the European Commission (the “SCC”) and the UK addendum.

In other cases where we share your personal data with third parties located outside of the UK, we will only do so if (i) such transfer is to a jurisdiction in respect of which an UK adequacy regulation is issued by the UK government; or (ii) the transfer of data is governed by the SCC and the UK addendum.

7. HOW DO WE PROTECT YOUR PERSONAL DATA?

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorized way, altered or disclosed. In addition, we limit access to your personal data to those Business Partners and other third parties who have a business need to know. They will only process your personal data on our instructions, and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any relevant supervisory authority of a breach where we are legally required to do so.

8. WHAT ARE YOUR RIGHTS REGARDING OUR PROCESSING OF YOUR PERSONAL DATA?

You have the following rights under the GDPR which rights are personal rights and are exercisable only by you as the individual person concerned. You may (i) request access at any time to the personal data we hold about you and obtain a copy thereof, (ii) request correction of any incorrect, incomplete or obsolete data, (iii) request restriction of the processing of your personal data, (iv) request erasure of your personal data, (v) object to the processing of your data and (vi) request that a copy of your personal data be transmitted in a structured, commonly used machine-readable format, where technically feasible, to another controller, provided that you exercise the above rights within the limits of applicable law including the GDPR.

If you would like to exercise these rights or understand if these rights apply to you, please contact us by one of the means set out at the end of this Statement. We may charge a reasonable fee if a request in relation to your personal data, is manifestly unfounded, excessive (in particular because of their repetitive character). We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or exercise any other of your rights). This is another appropriate measure to ensure that personal information is not disclosed to any person who has no right to receive it.

In circumstances where you may have provided consent to the processing of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent, please contact us by one of the means set out at the end of this Statement. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, but this withdrawal will not affect the lawfulness of processing based on the consent before withdrawal thereof.

9. COMPUTER COOKIES

Computer cookies are small text files, often containing unique identifiers, that web servers send to browsers. They are created when your browser loads a particular website, and the site sends information to your browser which then creates a text file. These cookies then can be sent back to the server each time your browser requests a new page. It is a way for a website to remember you.

Our website (www.orix.uk) uses cookies that are necessary for a user friendly and good functionality of our website. Although such essential cookies in principle do not require prior consent, we, however, created a cookie-consent banner to inform every website visitor through this Statement of the cookies set out below that are used by our website.

Name Cookie Domain Purpose Duration

Cookieconsent_status

 

(First party functional cookie)

 www.orix.uk Same-site connections only. It enables the website not to show the message more than once to a user. Expires after 12 months.

(First party functional cookie) www.orix.uk Same-site connections only. It enables the website not to show the message more than once to a user. Expires after 12 months.

10. DATE AND CHANGES TO THIS STATEMENT

This Statement may be updated if developments so require. The date on which this policy was most recently updated is 28 January 2026.

11. QUESTIONS OR COMPLAINTS

Contact Us. If you have any questions or complaints relating to this Statement, please contact us at:

Email: privacy@orixnv.com

Post mail: ORIX Corporation UK Limited
Attn. Legal & Compliance / Privacy matters
65 Curzon Street
London W1J 8PE
England

Supervisory Authority. We are committed to complying with the terms of the GDPR and to the processing of personal data in a fair, lawful and transparent manner. If, however, you believe that we have not complied with our obligations under the GDPR, you have the right to lodge a complaint with your local data protection regulator, the Information
Commissioner’s Office (https://ico.org.uk/make-a-complaint/).