Privacy Policy
Handling of Personal Information
Logic & Design may collect Personal Information as part of our business operations.
We have established the following Privacy Policy to ensure that this information is handled and protected appropriately and in compliance with laws, regulations, and internal rules.
Regulations for Handling Personal Information
Chapter 1 General Provisions
Article 1 Purpose of Use
These regulations are established to ensure the proper handling of personal data handled by the Company (including the Company’s executive officers and employees; hereinafter the same) in accordance with the Personal Information Protection Law (hereinafter referred to as “the Law”) and related government ministerial ordinances and guidelines.
In these regulations, the meanings of the following terms shall be as prescribed respectively in those items.
1. “Personal Information” means information relating to a living individual that falls under any of the following items.
- (1) Information containing a name, date of birth or other identifier (excluding individual identification codes; hereinafter the same) that is described or recorded (documented, drawn or recorded in an electronic or magnetic means (electronic form, magnetic form, or any other form that cannot be recognized by another person nearby), or any matter described by voice, motion or other means), which can be used to identify a specific person (including any information that can be cross-checked with other information and thereby used to identify a specific individual).
- (2) Those containing an individual identification code.
2. “Individual identification code” consists of any letter, number, symbol or other codes falling under any of the following items as prescribed by the Law.
- (1) Letters, numbers, symbols or other codes converted in order to be provided for use by computers, used to identify a specific individual by a distinguishing physical feature of theirs
- (2) Letters, numbers, symbols or other codes used to identify a specific user, purchaser, or recipient, which are assigned differently for each of them, stated or recorded regarding the use of services for an individual or the purchase of goods for an individual, or which are stated or recorded in an electronic or magnetic means in a card or other document issued to an individual.
3. “Sensitive personal information” means personal information as to an identifiable person’s race, creed, social status, medical history, criminal record, the fact of having suffered damage by a crime, or other identifiers or their equivalent prescribed by the Law as those of requiring special care so as not to cause unjust discrimination, prejudice or other disadvantages to that person.
4. “Personal information database or the equivalent” means (i) a collective body of information that is systematically organized so as to be searchable for particular personal information using a computer, etc. and (ii) a collective body of information that is systematically organized so that particular personal information can be easily searchable by arranging personal information contained in it according to certain rules, including a table of contents, index and other items to facilitate the search, excluding all of the following prescribed as having little possibility of harming individual rights and interests in consideration of how the information is used.
- (1) That which is issued for the purpose of selling to many and unspecified persons, and that was not made in violation of the Law or an order based on the Law.
- (2) That which can be or was purchased at any time by many and unspecified persons.
- (3) That which is used for its original purpose without adding any other information about the living individual.
5. “Personal data” means personal information compiled in a personal information database or equivalent.
6. “Personal data the business holds” means personal data which the Company has the authority to disclose, correct or cease to use, etc., excluding the following items.
- (1) Personal data in which making its existence or non-existence clear could potentially harm the life, wellbeing or property of an identifiable person or a third party
- (2) Personal data in which making its existence or non-existence clear could potentially foment or induce an unlawful or unjust act
- (3) Personal data in which making its existence or non-existence clear could potentially cause harm to national security, damage to the relationship of mutual trust with another country or an international organization, or a disadvantage in negotiations with another country or international organization
- (4) Personal data in which making its existence or non-existence clear could potentially hinder prevention, suppression or the investigation of crimes and other matters concerning upholding public safety and public order
Chapter 2 Measures for Managing Security
Section 1 Organizational Measures for Managing Security
Article 3 Person in Charge of Handling Personal Data
The Representative Director and President is in charge of personal data handled by the Company.
Article 4 Supervision
The person in charge of handling personal data shall provide necessary and appropriate supervision of the Company’s officers and employees to ensure that personal data is handled appropriately in accordance with these regulations.
Article 5 Responsibilities of Officers and Employees
1. When engaging in work involving the handling of personal data, officers and employees of the Company who handle personal data shall perform their work in accordance with these regulations, other internal rules, and the instructions of the person in charge of handling personal data, and shall pay sufficient attention to the protection of personal data.
2. In the event that any of the Company’s officers or employees who handle personal data becomes aware of an actual or potential violation of these regulations or other internal rules, such as a leak of personal data, they shall promptly report such information to the person in charge of handling personal data.
Article 6 Preparing Records about Management Status Based on these Regulations
1. The person in charge of handling personal data shall confirm the following management status of personal data.
- (1) Records of the use of and output from personal information databases or the equivalent
- (2) Status of carried documents, media, etc. in which personal data is stated or recorded
- (3) Status of deletion or disposal of personal information databases or the equivalent
- (4) Records, etc. that prove the deletion or disposal in the case that it is outsourced
- (5) In the case that personal information databases or the equivalent are handled by an information system, usage status of the information system (login records, access logs, etc.) by the person in charge of handling personal data
2. The person in charge of handling personal data shall confirm the following handling status of personal data.
- (1) The type and name of personal information databases or the equivalent
- (2) Details of personal data
- (3) Purpose of use
- (4) Person or department in charge
- (5) Persons with access rights
Article 7 Responding to Information Leaks
In the event that a leak, loss, or damage of personal data (hereinafter referred to as “Leaks, etc.”) occurs or signs of such an incident are detected, the person in charge of handling personal data shall be responsible for taking the following actions.
(1) Prevent the spread of damage
(2) Investigate all facts and causes
(3) Identify the scope of impact
(4) Consider and implement measures to prevent recurrence
(5) Contact, etc. identifiable persons who may be affected
(6) Disclose all facts and measures to prevent recurrence
(7) Report to the relevant authorities
Article 8 Confirmation of Handling Status and Review of Measures for Managing Security
1. The person in charge of handling personal data shall confirm the status of management and handling stipulated in Article 6 at least once a year or on an ad hoc basis.
2. Based on the results of the confirmation described in the preceding paragraph, the person in charge of handling personal data shall evaluate, review, and improve measures for managing security.
Section 2 Measures for Managing Human Security
Article 9 Education and Training
1. The person in charge of handling personal data shall be responsible for understanding and complying with the provisions in these regulations, as well as planning and administering education and training to ensure that employees comply with these regulations.
2. Employees must receive education organized by the person in charge of handling personal data to ensure compliance with these regulations. The content and schedule of the training shall be determined by the person in charge of handling personal data each fiscal year.
3. The Company shall include provisions for protecting confidentiality in relation to personal data in its work rules.
Section 3 Measures for Managing Physical Security
Article 10 Management of Personal Data Handling Areas
The Company shall take measures to ensure that personal data cannot be easily accessed, etc. by anyone other than the person in charge of handling personal data and persons designated by the person responsible for handling personal data.
Article 11 Prevention of Theft, etc. of Equipment and Electronic Media, etc.
The Company will take the following measures to prevent the theft or loss of equipment, electronic media, and documents, etc. that handle personal data.
(1) Store equipment, electronic media, or documents, etc. that handle personal data in a lockable cabinet, storeroom, etc.
(2) In the case that the information system that handles personal data is operated only with equipment, secure it with security cables, etc.
Article 12 Prevention of Leaks, etc. when Carrying Electronic Media, etc.
When carrying electronic media or documents, etc. in which personal data is recorded, the Company’s employees shall take security measures to prevent loss, theft, etc., such as setting passwords, sealing documents in an envelope and transporting them in a bag, etc.
Article 13 Deletion of Personal Data and Disposal of Equipment, Electronic Media, etc.
When personal data is deleted or equipment, electronic media, etc. on which personal data is recorded is disposed of, the person in charge of handling personal data shall confirm this.
Section 4 Measures for Managing Technological Security
Article 14 Access Control
To prevent unauthorized access to personal data, the Company shall clearly identify the equipment on which personal data may be handled and the employees who handle such equipment.
Article 15 Identification and Authentication of those with Access
User management functions (user account management) shall be utilized in information systems that handle personal data to identify and authenticate employees who use such information systems.
Article 16 Prevention of Unauthorized External Access
The Company shall protect its information systems from unauthorized external access or unauthorized software by the following methods.
(1) Maintain the latest operating systems on equipment, etc. that handle personal data.
(2) Install security software, etc. (anti-virus software, etc.) on equipment, etc. that handles personal data, and keep it up to date by utilizing automated updating functions, etc.
Article 17 Prevention of Leaks, etc. Associated with the Use of Information Systems
To prevent leaks of personal data associated with the use of information systems, the Company shall protect files containing personal data with passwords, etc. when sending such files by email, etc.
Chapter 3 Handling of Personal Information
Section 1 Acquisition and Possession, etc. of Personal Information
Article 18 Specifying the Purpose of Use
1. The Company may hold personal information only when necessary for conducting processes and functions, and must specify the purpose of use (hereinafter referred to as Purpose of Use) of personal information as much as possible when holding this information.
2. The Company must not alter the Purpose of Use beyond a reasonable extent from that of the original Purpose of Use.
Article 19 Restriction Due to Purpose of Use
1. The Company may hold personal information only when necessary for conducting processes and functions, and must specify the purpose of use (hereinafter referred to as Purpose of Use) of personal information as much as possible when holding this information.
2. If, due to a merger or other such circumstances, the Company acquires personal information when succeeding to the business of another business handling personal information, it must not handle that personal information beyond the scope necessary for achieving the pre-succession Purpose of Use for that personal information without obtaining the identifiable person’s consent to do so in advance.
3. The provisions of the preceding two paragraphs do not apply in the following cases.
- (i) Cases based on laws and regulations
- (ii) Cases in which there is a need to protect the life, wellbeing, or property of an individual, and it is difficult to obtain the consent of the identifiable person
- (iii) Cases in which there is a special need to improve public wellbeing or promote healthy child development, and it is difficult to obtain the consent of the identifiable person
- (iv) Cases in which there is a need to cooperate with a national government organ, local government, or person entrusted thereby with performing the functions prescribed by laws and regulations, and obtaining the consent of the identifiable person is likely to interfere with the performance of those functions
Article 20 Prohibition of Inappropriate Use
The Company must not use personal information in a way that could foment or induce an unlawful or unjust act.
Article 21 Proper Acquisition
1. The Company must not acquire personal information by deception or other wrongful means.
2. The Company must not acquire sensitive personal information without obtaining the identifiable person’s consent in advance, except as otherwise permitted by the Law.
Article 22 Maintaining the Accuracy of Data, etc.
The Company must endeavor to keep the content of personal data accurate and up to date, within the scope necessary for achieving the Purpose of Use, and delete the personal data without delay if it is no longer required.
Section 2 Restrictions on Provision of Personal Data to Third Parties
Article 23 Restrictions on Provision of Personal Data to Third Parties
The Company must not provide personal data to a third party without obtaining the identifiable person’s consent in advance, except as otherwise permitted by the Law.
Article 24 Preparing Records on Provision of Personal Data to Third Parties
1. When personal data has been provided to a third party, the Company must prepare a record relating to the provision to a third party as recognized by the Law.
2. In cases where personal data is provided to a third party, records shall be prepared by means of documents, electronic or magnetic records, or microfilm.
3. The Company must keep a record prepared pursuant to the preceding paragraph for a specified period of time from the date of preparation of such records, depending on the following cases:

| Case | Retention period |
| --- | --- |
| (1) Provision of personal data based on a contract, etc., to which the identifiable person is a related party | Until the day on which one year has elapsed from the last date that personal data pertaining to such record was provided |
| (2) Provision of personal data on a continuous or repeated basis | Until the day on which three years have elapsed from the last date that personal data pertaining to such record was provided |
| (3) Cases outside either (1) or (2) above | Three years from the day the record was made |
Article 25 Confirmation and Preparing Records on Receiving Personal Data from Third Parties
1. When receiving personal data from a third party, the Company must confirm provisions required by the Law.
2. When the Company conducts a confirmation in accordance with the preceding paragraph, it shall record the matters required by the Law.
3. The Company must keep a record prepared pursuant to the preceding paragraph for a specified period of time from the date of preparation of such records, depending on the following cases:

| Case | Retention period |
| --- | --- |
| (1) Provision of personal data based on a contract, etc., to which the identifiable person is a related party | Until the day on which one year has elapsed from the last date that personal data pertaining to such record was provided |
| (2) Provision of personal data on a continuous or repeated basis | Until the day on which three years have elapsed from the last date that personal data pertaining to such record was provided |
| (3) Cases outside either (1) or (2) above | Three years from the day the record was made |
Chapter 4 Requests, etc. for Disclosure, etc. of Personal Data the Business Holds and Handling of Complaints
Article 26 Notification of the Purpose of Use of the Personal Data the Business Holds
1. If an identifiable person requests that the Company notify that person of the Purpose of Use of the personal data the business holds that can be used to identify that person, the Company must notify the person of this without delay, except where the Law permits the Company not to notify.
2. If the Company decides not to notify the identifiable person of the Purpose of Use of the personal data the business holds as requested pursuant to the preceding paragraph, the Company must notify the identifiable person about this decision without delay.
Article 27 Disclosure of Personal Data the Business Holds
1. If an identifiable person requests that the Company disclose the personal data the business holds that can be used to identify that person, the Company must disclose the personal data the business holds to that person without delay by the means that the person requests (or by paper-based document, in cases in which disclosing the data by that means would require a costly expenditure or prove otherwise difficult); provided, however, that in cases in which disclosing that data falls under any of the following, all or a part of it may be left undisclosed.
- (i) If disclosure is likely to harm the life, wellbeing, property, or other rights or interests of the identifiable person or a third party
- (ii) If disclosure is likely to seriously interfere with the proper implementation of the business of the Company
- (iii) If disclosure would violate any other law or regulation
2. If the Company decides not to disclose all or part of the personal data the business holds as requested pursuant to the preceding paragraph, or if it is difficult to disclose that data by the means the identifiable person requests, the Company must notify that person about this decision without delay. In this case, the Company must explain the reason for this in the notification to the identifiable person.
3. The provisions of the preceding two paragraphs shall apply mutatis mutandis to the record of provision to a third party pertaining to personal data that identifies the individual concerned. However, this shall not apply in the following cases.
- (i) A record in which making its existence or non-existence clear could potentially harm the life, wellbeing or property of an identifiable person or a third party
- (ii) A record in which making its existence or non-existence clear could potentially foment or induce an unlawful or unjust act
- (iii) A record in which making its existence or non-existence clear could potentially cause harm to national security, damage to the relationship of mutual trust with another country or an international organization, or a disadvantage in negotiations with another country or international organization
- (iv) A record in which making its existence or non-existence clear could potentially hinder prevention, suppression or the investigation of crimes and other matters concerning upholding public safety and public order.
Article 28 Corrections, etc. of Personal Data the Business Holds
1. If the Company has been requested to make a correction, addition, or deletion (hereinafter referred to as “Corrections, etc.”) of the personal data the business holds pursuant to the content of personal data the business holds that can be used to identify the identifiable person not being factual, the Company must conduct a necessary investigation without delay to the extent necessary to achieve the Purpose of Use, and based on its result, make Corrections, etc. to the content of the personal data the business holds, except in cases in which special procedures concerning correction of the content is prescribed by the provisions of other laws or regulations.
2. If the Company performs Corrections, etc. on all or part of the content of personal data the business holds as requested pursuant to the preceding paragraph, or decides not to perform Corrections, etc. the Company must notify the identifiable person about this (including the content in the event that Corrections, etc. were performed) without delay. In this case, the Company must explain the reason for this in the notification to the identifiable person.
Article 29 Ceasing to Use or Deleting, etc. Personal Data the Business Holds
1. If an identifiable person requests that the Company cease to use or delete the personal data the business holds that can be used to identify that person (hereinafter referred to as “Ceasing to Use or Deleting, etc. Personal Data” in this Article) pursuant to the acquisition being made in violation of a restriction on the Purpose of Use, or handled in violation of a prohibition on inappropriate use or proper acquisition and it is found that there are grounds for Ceasing to Use or Deleting, etc. Personal Data, the Company must Cease to Use or Delete, etc. Personal Data the business holds to the extent necessary to redress the violation without delay; provided, however, that this does not apply if Ceasing to Use or Deleting, etc. the Personal Data the business holds would require a costly expenditure or prove otherwise difficult, and the Company takes the necessary alternative measures to protect the rights and interests of the identifiable person.
2. If an identifiable person requests that the Company cease to provide a third party with the personal data the business holds that can be used to identify that person pursuant to the provision being in violation of the Restrictions on Provision of Personal Data to Third Parties regulation, and it is found that there are grounds for that request, the Company must cease to provide a third party with the personal data the business holds without delay; provided, however, that this does not apply if ceasing to provide a third party with the personal data the business holds would require a costly expenditure or prove otherwise difficult, and the Company takes the necessary alternative measures to protect the identifiable person’s rights and interests.
3. If the Company decides to Cease to Use or Delete, etc. all or part, or decides not to Cease to Use or Delete, etc. the personal data the business holds as requested based on the provisions in the first paragraph, or decides to cease providing a third party with all or part, or decides not to cease providing a third party with the personal data the business holds based on the provisions in the preceding paragraph, the Company must notify the identifiable person about this decision without delay. In this case, the Company must explain the reason for this in the notification to the identifiable person.
4. Ceasing to Use or Deleting, etc. Personal Data the Business Holds applies to the following cases: (1) If the use of the personal data the business holds that can be used to identify a person is no longer necessary; (2) If a case that violates the Law has occurred among the cases stipulated in Article 7 (Responding to Information Leaks) relating to personal data the business holds that can be used to identify a person; and if handling the personal data the business holds that can be used to identify a person could potentially harm the identifiable person’s rights or legitimate interests and the identifiable person has requested that the Company Ceases to Use or Deletes, etc. or ceases to provide a third party with the personal data the business holds.
5. If the Company receives a request from an identifiable person pursuant to the provisions in the above paragraph and it is found that there are grounds for that request, the Company must Cease to Use or Delete, etc. the Personal Data the business holds or cease third party provision to the extent necessary and without delay to prevent infringement on the identifiable person’s rights; provided, however, that this does not apply if Ceasing to Use or Deleting, etc. the personal data the business holds or ceasing third party provision would require a costly expenditure or prove otherwise difficult, and the Company takes the necessary alternative measures to protect the rights and interests of the identifiable person.
Article 30 Complaint Processing
The Company will endeavor to handle complaints regarding the handling of personal data the business holds in an appropriate and timely manner.
Addition:
These regulations were enforced as of April 1, 2022.
Established on April 1, 2022