Privacy policy
Personal information protection regulations
Established on August 10, 2021
Revised September 1, 2022
(Purpose)
Article 1
The purpose of these regulations is to establish, implement, maintain, and improve the management system for the appropriate protection of personal information handled by Media Bank Co., Ltd. (hereinafter referred to as "our company").
(Applicable target)
Article 2
This provision applies to all personal information handled by the Company, as well as to all departments of the Company, all employees including officers, employees, and temporary employees, and all operations.
(Definition)
Article 3
1. In this provision, “personal information” means information about a living individual that can identify a specific individual by name, date of birth, and other descriptions contained in the information (including information that can be easily collated with other information and thereby identify a specific individual), or that contains an individual identification code.
2. In this provision, the term “personal information handling business operator” means, among those who use personal information databases, etc., persons excluding independent administrative agencies, etc. as defined by the law (Law No. 59, 2003) and local independent administrative agencies as defined by the Local Independent Administrative Agency Law (Law No. 118, 2003).
3. The term "gateway business" as used in this provision refers to the business conducted by the gateway system provider in QR code settlement.
4. "Personal information protection management system" as used in this provision refers to the management system that includes policies, systems, plans, implementation, audits and reviews for the protection of personal information used by the Company for its own business.
5. In this provision, "personal identification code" refers to letters, numbers, symbols and other codes stipulated by laws and regulations as those that can identify a specific individual from the information alone.
6. In these provisions, "sensitive information" means personal information requiring special care, and information related to membership of a labor union, family origin, permanent domicile, health and medical care, and sexual life (excluding those that fall under personal information requiring special care) (persons, national agencies, local governments, Act on the Protection of Personal Information (hereinafter referred to as the "Act"), Article 76, Paragraph 1, or foreign governments, etc. to the extent specified by laws and regulations, or things that are obvious in terms of appearance that are obtained by looking at or photographing the person).
7. In this provision, "special care-required personal information" means personal information that requires special consideration in handling so as not to cause unjust discrimination, prejudice, or other disadvantages, and that contains any of the descriptions (1) to (11) below.
(1) Race
Broadly means race, descent, or ethnic origin. Simple information such as nationality and "foreigner" are legal statuses, and are not included in race by themselves. In addition, skin color is not included in race because it is merely information for inferring race.
(2) Creed
It means an individual's basic way of looking at things and way of thinking, and includes both thoughts and beliefs.
(3) Social status
It means a position that is fixed to a certain individual as a situation and from which one cannot easily extricate oneself by one's own power for the rest of one's life, and does not include mere occupational status or educational background.
(4) Medical history
It means a history of suffering from a disease, and corresponds to a part that shows a specific medical history (e.g., a specific individual is suffering from cancer, suffering from schizophrenia, etc.).
(5) Criminal record
A previous conviction, that is, the fact of having been convicted with the conviction confirmed.
(6) Facts of being harmed by a crime
It means the fact that you have been a victim of a crime, regardless of whether it is physical harm, mental harm, or financial harm. Specifically, among acts that can fall under the constituent requirements stipulated in criminal laws and regulations, those in which criminal proceedings have been initiated fall under this category.
(7) Having a physical disability, intellectual disability, mental disability (including developmental disability), or other mental and physical impairments stipulated by laws and ordinances.
Refers to the information listed in the following a to d. In addition, information that identifies the person as having the disability now or in the past (e.g., receiving or having received in the past disability welfare services based on the Law for Comprehensive Support for Daily and Social Life of Persons with Disabilities (Law No. 123 of 2005)) is also applicable.
a. Information that identifies the existence of a physical disability listed in the attached table of the Act on Welfare of Persons with Physical Disabilities (Act No. 283 of 1949)
(a) Being diagnosed or determined by a doctor or a rehabilitation counseling center for persons with physical disabilities to have a physical disability listed in the separate table (including information on the name and degree of the disability listed in the separate table).
(b) Having received or possessed a physical disability certificate from a prefectural governor, the mayor of a designated city, or the mayor of a core city, or having possessed it in the past including.)
(c) The person has a physical disability listed in the attached table that is evident from the person's appearance.
b. Information that identifies the existence of an intellectual disability as defined in the Law for the Welfare of Persons with Intellectual Disabilities (Law No. 37 of 1960)
(a) Being diagnosed or determined to have an intellectual disability by a doctor, child guidance center, rehabilitation counseling center for persons with intellectual disabilities, mental health welfare center, or vocational center for persons with disabilities (including information on the degree of disability).
(b) Having received or possessed a rehabilitation handbook from the prefectural governor or the head of a designated city, or possessed it in the past (including information on the degree of disability).
c. Mental disorders as defined in the Act on Mental Health and Welfare for Mentally Disabled Persons (Act No. 123 of 1950) (including developmental disorders as defined in Article 2, Paragraph 2 of the Act on Support for Persons with Developmental Disabilities (Act No. 167 of 2004), and excluding intellectual disabilities as defined in the Act on the Welfare of Persons with Intellectual Disabilities)
(a) Being diagnosed or determined by a doctor or mental health welfare center to have a mental disorder or developmental disorder (including information on the degree of the disorder).
(b) Have received or possessed in the past a Health and Welfare Handbook for Persons with Mental Disabilities from a prefectural governor or the head of a designated city (including information on the degree of disability).
d. Disability due to diseases for which treatment methods have not been established and other special diseases specified by Cabinet Order in Article 4, Paragraph 1 of the Act on Comprehensive Support for Daily and Social Life of Persons with Disabilities, the degree of which is to the extent specified by the Minister of Health, Labor and Welfare in the same paragraph.
(a) Diagnosed by a doctor that the person is continuously severely restricted in daily life or social life due to a disability caused by a special disease specified by the Minister of Health, Labor and Welfare (including information on the name and severity of the disease).
(8) Medical examinations and other examinations for the prevention and early detection of diseases (referred to in the same item as “medical examinations, etc.”). Results of medical checkups, medical examinations, specific health examinations, health measurements, stress checks, and genetic tests (those performed in the course of medical treatment) for the purpose of disease prevention and early detection, and the results of examinations that reveal the health status of the examinee himself/herself.
(9) Based on the results of a medical examination, etc., or due to illness, injury, or other mental and physical changes, guidance, medical treatment, or dispensing of medication was given to the individual by a doctor, etc., to improve their mental and physical conditions.
(10) Arrest, search, seizure, detention, prosecution, or other criminal proceedings (excluding criminal background) with the person as suspect or defendant. The fact that proceedings relating to a criminal case have taken place is relevant. Information on the fact that a person has been interrogated for a criminal investigation in which another person is a suspect or the fact that the person has been questioned as a witness does not fall under this category because the person himself/herself is not the suspect or defendant.
(11) Investigation, guardianship measures, trial, protective measures, or other procedures related to juvenile protection cases having been carried out with the person as a juvenile prescribed in Article 3, Paragraph 1 of the Juvenile Law (Law No. 168 of 1948) or a suspected juvenile. This applies to the fact that procedures related to juvenile protection cases, such as protective measures, were carried out on the basis of juvenile delinquency or suspected juvenile delinquency.
8. In this provision, “personal information database, etc.” means (1) a collection of information including personal information that is systematically configured so that specific personal information can be searched using a computer, and (2) a collection of personal information processed on paper that is organized and classified according to certain rules (for example, in the order of the Japanese syllabary), with a table of contents, index, code, etc. attached so that specific personal information can be easily searched, and that is placed in a state where it can be easily searched by others. However, information that falls under any of the following (1) to (3) does not fall under personal information databases, etc., because there is little risk of harming the rights and interests of individuals due to the method of use.
(1) It was issued for the purpose of selling to an unspecified number of people, and its issuance was not carried out in violation of the provisions of the law or an order based on the law.
(2) It can or could have been purchased at any time by an unspecified number of people.
(3) It serves its intended purpose without adding any other information about a living individual.
9. In this provision, "personal data" means personal information that constitutes the "personal information database, etc." managed by the Company.
10. In this provision, "retained personal data" means personal data for which the Company has the authority to respond to all requests by the person or his/her agent for disclosure, correction, addition or deletion of content, suspension of use, erasure, and suspension of provision to third parties. However, among personal data, the following personal data or data that will be deleted (excluding updating) within six months shall not fall under retained personal data.
(1) Those for which clarifying the existence or non-existence of the personal data may pose a threat to the life, body, or property of the individual or a third party.
(2) Those that may promote or induce illegal or unjust acts by clarifying the existence or non-existence of the personal data.
(3) Those for which, if the existence or non-existence of the personal data becomes clear, there is a risk that national security may be harmed, a relationship of trust with other countries or international organizations may be impaired, or there may be a risk of being disadvantaged in negotiations with other countries or international organizations.
(4) The disclosure of the existence or non-existence of the personal data may interfere with the prevention, suppression or investigation of crimes or other maintenance of public safety and order.
11. In this provision, “anonymously processed information” means information about an individual that is obtained by processing personal information in such a way that a specific individual cannot be identified by taking the measures stipulated according to the classification of personal information, and from which the personal information cannot be restored to re-identify the specific individual.
12. In this provision, "notifying the person" means to inform the person directly. In the gateway business, the method of "notifying the person" of the purpose of use is, in principle, in writing (including electromagnetic records; the same shall apply hereinafter).
13. "Publication" as used in these provisions means making one's intentions known to the general public (announcing so that an unspecified number of people can know).
14. In this provision, "consent of the person" means the expression of intention of the person to the effect that the person consents to the person's personal information being handled in the manner indicated by the Company. In the gateway business, in principle, when obtaining the consent of the person specified in Articles 16, 23 and 24 of the Act, it shall be in writing (including electromagnetic records).
15. In this provision, "employee" refers to a person who is directly or indirectly engaged in the business of a company under the direction and supervision of the company within the company's organization, and includes not only employees who have an employment relationship (regular employees, contract employees, part-time employees, etc.) but also directors, executive officers, auditors, temporary employees, etc.
16. "Providing" as used in this provision means making personal data, retained personal data, or anonymously processed information available to a person other than oneself.
17. In this provision, an "anonymously processed information handling business operator" means a person who uses for business purposes a collection of information including anonymously processed information that is systematically configured so that specific anonymously processed information can be searched using a computer, or other information specified by a Cabinet Order as systematically structured so that specific anonymously processed information can be easily retrieved.
(Jurisdictional department and person in charge)
Article 4
The department responsible for the protection of personal information in our company shall be the business audit department, and the head shall be the person in charge of personal information protection.
(Specification of purpose of use)
Article 5
When handling personal information, the Company must specify the purpose of use as specifically as possible. In specifying the purpose of use in the gateway business, the Company shall clarify the correspondence between each item of personal information and each item of purpose of use.
2. If the Company assumes in advance that personal information will be provided to a third party, the purpose of use must be specified in such a way that this can be clearly understood.
3. With respect to the purpose of use specified in the preceding three paragraphs, the Company shall reasonably recognize that it is related to the purpose of use before change (the purpose of use after change is considered to be within the limit that the person can normally expect and the range that can be objectively recognized).
(Restrictions on purpose of use)
Article 6
When handling personal information beyond the scope necessary to achieve the purpose of use specified in paragraphs 1, 2 and 3 of the preceding article, the Company must obtain the consent of the person in advance.
2. Notwithstanding the preceding paragraph, in the following cases, the Company may handle personal information beyond the scope necessary to achieve the specified purpose of use without obtaining the consent of the individual.
(1) When required by law
(2) When it is necessary to protect a person's life, body or property, and it is difficult to obtain the person's consent.
(3) When it is particularly necessary to improve public health or promote the sound development of children, and it is difficult to obtain the consent of the individual.
(4) When it is necessary for our company to cooperate with a national agency, local government, or a person entrusted by them in carrying out the affairs stipulated by laws and regulations, and when obtaining the consent of the person concerned risks impeding the execution of those affairs.
3. In the event that the Company acquires personal information in connection with the succession of business from another business operator handling personal information due to a merger or other reasons, the Company shall not, without obtaining the prior consent of the person concerned, handle the personal information beyond the scope necessary to achieve the purpose of use of the personal information before the succession.
(Appropriate Acquisition)
Article 7
Acquisition of personal information shall be done by lawful and fair means. In addition, personal information shall not be acquired beyond the limit necessary to achieve the specified purpose of use.
(Sensitive information)
Article 8
Except for the following cases, the Company shall not acquire, use, or provide third parties with sensitive information.
(1) Cases based on laws and regulations
(2) When it is necessary to protect human life, body or property
(3) When it is particularly necessary to improve public health or promote the healthy upbringing of children
(4) When it is necessary to cooperate with a national agency, a local public entity, or a person entrusted by them in carrying out the affairs stipulated by laws and regulations.
(5) When obtaining, using, or storing a copy of a family register containing sensitive information or other documents that can identify an individual for the purpose of identifying the individual
(6) When acquiring, using, or providing to a third party sensitive information to the extent necessary for the transfer of rights and obligations due to inheritance procedures.
(7) When acquiring, using, or providing to a third party sensitive information to the extent necessary for business execution based on the consent of the individual, out of necessity to ensure appropriate business operations in the credit field.
(8) When biometric information corresponding to sensitive information is used for identity verification based on the consent of the person
2. When acquiring, using, or providing to a third party sensitive information in the cases listed in the preceding paragraph, the Company shall handle it with particular care to ensure that the acquisition, use, or provision to a third party does not deviate from the reasons listed in the preceding paragraph.
3. When acquiring, using, or providing to a third party sensitive information in the cases set forth in paragraph 1, the Company shall take appropriate measures in accordance with laws and regulations concerning the protection of personal information, such as obtaining the consent of the person in advance in accordance with Article 17, Paragraph 2 of the Law, for example, when acquiring special care-required personal information.
4. When providing sensitive information to third parties, the Company shall not apply the provisions of Article 23, Paragraph 2 (opt-out) of the Act.
5. When acquiring special care-required personal information, the Company must obtain the consent of the person in advance. However, this does not apply to the cases listed in (1) to (7) below.
(1) When required by law
(2) When it is necessary to protect a person's life, body or property, and it is difficult to obtain the person's consent.
(3) When it is particularly necessary to improve public health or promote the sound development of children, and it is difficult to obtain the consent of the individual.
(4) When it is necessary for the business operator to cooperate with a national agency, local government, or a person entrusted by them in carrying out the affairs stipulated by laws and regulations, and when obtaining the consent of the person risks hindering the execution of the relevant affairs.
(5) When the relevant special care-required personal information is disclosed by the person, a national agency, a local government, a person listed in each item of Article 76, Paragraph 1 of the Law, or a person specified by the Enforcement Regulations.
(6) When obtaining special care-required personal information that is obvious in appearance by looking at or photographing the person
(7) When receiving provision of special care-required personal information, which is personal data, in the cases listed in each item of Article 23, Paragraph 5 of the Act.
(Notification, etc. of Purpose of Use upon Acquisition)
Article 9
When acquiring personal information, the Company shall promptly notify or announce the purpose of use to the individual, unless the purpose of use has been announced in advance.
2. Notwithstanding the provisions of the preceding paragraph, when acquiring the personal information of the person stated in the contract or other documents in connection with concluding a contract with the person, or when acquiring the personal information of the person concerned, the purpose of use must be clearly indicated to the person in advance. However, this shall not apply in cases where it is urgently necessary for the protection of human life, body or property.
3. In the gateway business, the Company shall obtain the consent of the individual when obtaining personal information of the individual in writing directly from the individual. At that time, the method of specifying the purpose of use shall be according to the method specified in each item of Article 4.
4. If the Company changes the purpose of use, the Company will notify the person or announce the changed purpose of use.
5. The provisions of the preceding four paragraphs shall not apply to the following cases.
(1) When notifying the person of the purpose of use or publicly announcing it may harm the life, body, property or other rights and interests of the person or a third party
(2) When notifying the person of the purpose of use or publicly announcing it may harm the rights or legitimate interests of the Company
(3) When it is necessary to cooperate with national organizations or local governments in carrying out the affairs stipulated by laws and ordinances, and there is a risk of hindrance from notifying the person of the purpose of use or publicly announcing it.
(4) When it is recognized that the purpose of use is clear in view of the acquisition situation
(Ensuring accuracy of data content, etc.)
Article 10
Within the scope necessary to achieve the purpose of use, the Company will strive to keep personal data accurate and up-to-date by developing procedures for collation and confirmation when personal information is entered into a personal information database, etc., developing procedures for correction when errors are discovered, updating recorded items, and setting retention periods.
2. When the Company no longer needs to use the personal data it holds (when the purpose of use has been achieved and there is no longer a reasonable reason to retain the personal data in relation to that purpose, or when the purpose of use has been achieved) (e.g., when the business itself, which is the premise of the purpose, has been discontinued, etc.), efforts must be made to delete the personal data without delay. However, this does not apply if the retention period of personal data is stipulated by laws and regulations.
(Safety control measures)
Article 11
In handling personal information, the Company shall take measures in accordance with these regulations and related procedures to prevent leakage, loss, or damage of personal information and to manage personal information safely.
1. Handling of documents containing personal information
Documents containing personal information shall be handled according to the following.
(1) Classification and display of documents
Documents containing personal information should be classified as either “confidential to concerned parties,” “confidential,” or “public” documents. Documents classified as “confidential to concerned parties” shall be appropriately labeled with the classification name on the document itself or by the unit handled, such as a folder, so that the classification can be clearly confirmed when handling the document. It shall also be indicated on “confidential” documents as necessary.
(2) Appropriate management
Documents containing personal information shall be appropriately managed by setting access rights, locking storage, and restricting copying and taking out of documents according to their classification.
(3) Measures for storage and preservation
For personal information that needs to be stored and preserved for business purposes, access rights shall be limited to the minimum number of persons necessary, and controls shall be implemented.
(4) Measures concerning transfer and transmission
For personal information that needs to be transferred or transmitted for business purposes, limit access to the minimum number of people necessary, and implement data encryption and password lock.
(5) Disposal measures
Personal information that is no longer necessary for business shall be shredded or otherwise made unreadable. Also, the number of persons who handle disposal shall be kept to a minimum.
2. Entrance/exit management
We will restrict access by employees who are not authorized to access the personal information to the places (buildings, rooms, etc.) where personal information is stored and used, and establish and implement a recording method for leaving the room.
3. Information system management
The information system department develops, operates, and manages information systems (hardware including servers, computers, software, networks, recording media, and related equipment) that refer to, use, and store personal information. The information system department shall formulate procedures for managing the information system after fully considering the importance of the information system in the safety management of personal information. All employees shall follow the procedures for managing information systems to ensure the following:
(1) Introduction, development, operation, modification and disposal of information systems in accordance with procedures
(2) Backup of information and database
(3) Physical protection of information systems
(4) Appropriate setting, change, and review of access rights and administrator rights, and reporting of access rights setting status to management
(5) Recording and monitoring of access status to personal data and protection of user privacy
(6) Appropriate management of IDs and passwords and setting of expiration dates
(7) Appropriate use of e-mail, the Internet, and other networks
(8) Introduction, use, storage, anti-theft and disposal of appropriate recording media
(9) Restrictions on using or bringing in information systems from outside the company
(10) Restrictions on taking mobile devices such as personal computers, smartphones, tablets, and mobile phones outside the company (application permission system)
(11) Prohibition of business use of mobile devices such as personal computers, smartphones, tablets, and mobile phones
(12) Implementation of measures against viruses, malicious software, and malicious programs
(13) Communication and appropriate response in the event of an information security incident
(14) Prohibition of using personal data as test data for checking the operation of information systems
(15) Monitoring of information system usage status and appropriate protection of access status records
4. Regarding the appropriate implementation status of the security control measures stipulated in this article, the Business Audit Department shall confirm and evaluate within two months from the end of each business year. Once approved, it must be implemented promptly.
(Supervision of Employees)
Article 12
When concluding an employment contract or a consignment contract with an employee, be sure to conclude a non-disclosure agreement. Non-disclosure matters specified in the non-disclosure agreement shall remain valid for a certain period of time even after the termination of the agreement. When having an employee handle personal information, the department manager shall exercise necessary and appropriate supervision over the employee so that the personal information can be safely managed.
2. As a result of the supervision stipulated in the preceding item, when a problem related to safety control measures is found in an employee, the department manager shall promptly give appropriate instructions and orders.
3. All employees who violate these regulations intentionally or through gross negligence shall be subject to disciplinary action based on the employment regulations. In either case, you will be subject to a claim for damages.
(Supervision of contractors)
Article 13
When outsourcing all or part of the handling of personal information, the business audit department must select a contractor that satisfies a sufficient level of protection of personal information in terms of the following points. In addition, when concluding a contract for such outsourcing, the content of the contract must clearly state that a sufficient level of personal information protection should be ensured for the following items.
(1) Clarification of responsibilities of consignor and trustee
(2) Matters related to safety management of personal information
(3) Matters related to subcontracting
(4) Details and frequency of reports to consignors regarding the handling of personal information
(5) Matters that allow the consignor to confirm that the content of the contract is being observed
(6) Measures to be taken in the event that the content of the contract is not complied with
(7) Matters related to reporting and communication in the event of an incident or accident
2. The business audit department must receive a written report every business year on the status of compliance with rules regarding the handling of personal data from the subcontractor specified in the preceding paragraph.
(Implementation of education and training activities, etc.)
Article 14
The Company will provide employees with education and training to contribute to the protection and proper handling of personal information.
2. Regarding the education and training set forth in the preceding paragraph, participants shall participate in education and training provided by the Japan Consumer Credit Association through affiliated companies or training with equivalent content.
(Restrictions on provision to third parties)
Article 15
When providing personal data to a third party, the Company shall not provide it without obtaining the consent of the person in advance. In obtaining such consent, the Company shall clearly indicate, within a reasonable and appropriate range depending on the scale and nature of the business, the handling status of personal data (including the nature and amount of personal data to be handled), etc., the content that is considered necessary for the person to make a decision regarding consent.
2. In principle, the Company shall specify third parties who provide personal data in the gateway business by stating their names, and the purpose of use by third parties to whom personal data is provided shall be as specific as possible.
3. Notwithstanding the preceding two paragraphs, in the following cases, the consent of the person is not required for the provision of personal data to a third party.
(1) When providing personal data based on laws and regulations
(2) When there is a risk of infringement of specific rights and interests such as the life, body or property of a person (including corporations), the provision of personal data is necessary to protect them, and it is difficult to obtain the consent of the person
(3) When it is particularly necessary for the improvement of public health or the sound development of children who are still developing physically and mentally, and it is difficult to obtain the consent of the individual.
(4) When a government agency, etc. needs the cooperation of the Company in carrying out the affairs stipulated by laws and ordinances, the Company in cooperating provides personal data to the government agency, etc., and obtaining the consent of the individual is likely to interfere with the execution of the relevant affairs
(Provision to a third party by opting out)
Article 16
Notwithstanding the preceding article, the Company may provide personal data (excluding special care-required personal information; hereinafter the same shall apply in this Article) to a third party without obtaining the prior consent of the person if it notifies the person in advance of the matters listed in (1) to (5) below, or puts them in a state where the person can easily know them, and notifies the Personal Information Protection Commission of them.
(1) The purpose of use is to provide it to a third party.
(2) Items of personal data provided to third parties
(3) Method of provision to third parties
(4) Discontinue provision to third parties at the request of the person.
(5) How to accept the request of the person
2. When the Company notifies the Personal Information Protection Commission of the necessary matters pursuant to the preceding paragraph, the Company shall also disclose the content of such matters by using the Internet or other appropriate means.
3. When the Company provides personal data to a third party by opting out based on paragraphs 1 and 2 and changes the items of personal data provided, the method of provision, or the method of accepting the request of the person to stop the provision to a third party, the content to be changed shall be notified to the person in advance or put in a state where the person can easily know it, and shall be submitted to the Personal Information Protection Commission. In addition, when the Company notifies the Personal Information Protection Commission of necessary matters based on this paragraph, the content thereof shall also be made public.
(Cases that do not correspond to provision to a third party (1) - Consignment)
Article 17
When personal data is provided, within the scope necessary to achieve the purpose of use, in connection with the outsourcing of all or part of the business related to the handling of personal data, the recipient does not fall under the third party.
(Cases that do not correspond to provision to a third party (2) - Business succession)
Article 18
In the event that personal data related to the business is provided due to the succession of the business of the Company due to merger, spin-off, business transfer, etc., the recipient does not fall under the third party in Article 15.
2. Even after business succession, the Company shall use personal data within the scope of the purpose of use before it was provided by the business succession.
(Cases that do not correspond to provision to a third party (3) - Joint use)
Article 19
In cases where the Company provides personal data that is jointly used with a specific person to the specific person, the specific person does not fall under the category of a third party in Article 15. In this case, the fact of joint use, the items of personal data to be jointly used, the scope of persons to be jointly used, the purpose of use of the persons to be used, and the name of the person responsible for the management of the personal data must be notified to the person in advance or placed in a state where the person can easily know them.
2. In the gateway business, the Company shall, in principle, give written notices as set forth in the preceding paragraph. In addition, even in the gateway business, it is also possible to carry out joint use by putting in a state where the person can easily know, instead of notification.
3. In the case of jointly using personal data, the Company may change the "purpose of use of the person who jointly uses" to the extent that the person can normally expect it and the extent that is objectively recognized in accordance with social norms, and "the name of the person responsible for the management of personal data" may also be changed; however, before any change, the person must be notified of it or it must be placed in a state where the person can easily know it.
(Restrictions on Provision to Third Parties in Foreign Countries)
Article 20
When providing personal data to a third party located in a foreign country (meaning a country or region outside of Japan; the same shall apply hereinafter), the Company shall, except when falling under any of the following items, obtain in advance the consent of the person to allow the provision to a third party in a foreign country.
(1) When the third party is located in a country designated by law as a country with a personal information protection system that is recognized to be at the same level as Japan.
(2) When the third party has established a system that conforms to any of the following standards as a system necessary for continuously taking measures equivalent to those that should be taken by a business operator handling personal information.
(a) Between the Company and the person receiving the provision of personal data, it is ensured, in an appropriate and rational manner, that measures in accordance with the provisions of Chapter 4, Section 1 of the Act are implemented regarding the handling of the personal data by the person receiving the provision.
(b) The person receiving the personal data has been certified based on the international framework for handling personal information.
(3) When it falls under each item of Article 15, Paragraph 5.
(Preparation, etc. of Records Pertaining to Provision to Third Parties)
Article 21
Whenever we provide personal data to a third party, we must keep a record of the items specified in the table below. However, this does not apply if the provision of said personal data falls under any of the items of Article 15, Paragraph 5 or Articles 17 through 19.
(Matters to be recorded)
Matter to be recorded | Provision to a third party with the consent of the individual | Third party provision by opt-out
Provided date | × | ○
Third party name, etc. | ○ | ○
Name of person, etc. | ○ | ○
Items of personal data | ○ | ○
That the person's consent has been obtained | ○ | ×
2. Notwithstanding the preceding paragraph, if the Company continuously or repeatedly exchanges personal data with a specific business operator within a certain period of time, it may create one record for those exchanges instead of creating a record of each individual exchange.
3. Notwithstanding Paragraph 1, when the Company has concluded a contract for the provision of goods or services to a person and, in accordance with the performance of that contract, provides the personal data of that person to a third party, the distribution of the personal data can be traced by means of a contract or other document prepared at the time of provision, so the contract or other document may be used as a record.
4. The Company shall retain the records created pursuant to the preceding paragraphs for the period specified in each of the following items.
(1) When records are created by the method specified in paragraph 3
Until the day when one year has passed since the last day when the personal data related to the record was provided
(2) When records are created by the method specified in paragraph 2
Until the day when three years have passed since the last day when the personal data pertaining to the record was provided
(3) Cases other than the preceding two items
3 years
(Confirmation and record creation, etc. when receiving third party provision)
Article 22
When receiving personal data from a third party, the Company shall confirm it by the methods specified in the following items. However, this does not apply if the provision of the personal data concerned falls under any of the items of Article 15, Paragraph 5 or Articles 17 to 19.
(1) The name and address of the third party and, in the case of a corporation, the full name of its representative (if it is a non-corporation and has a designated representative or administrator, that representative or administrator)
Method of receiving a declaration from a third party who provides personal data or other appropriate method
(2) Circumstances of acquisition of the personal data by the third party
A method of receiving, from a third party that provides personal data, a contract or other document showing the circumstances in which the third party acquired the personal data, or any other appropriate method.
2. The third party set forth in the preceding paragraph shall not misrepresent the matters pertaining to the confirmation to the Company when the Company conducts the confirmation pursuant to the provisions of the same paragraph.
3. When the Company confirms under the provisions of Paragraph 1, it must make a record of the items specified in the table below each time. However, this does not apply if the provision of said personal data falls under any of the items of Article 15, Paragraph 5 or Articles 17 to 19.
(Matters to be recorded)
Matter to be recorded | Provision with the consent of the person | If provided by opt-out | If received from a private person, etc.
Publication by the Personal Information Protection Commission | × | ○ | ×
Date of provision | × | ○ | ×
Third party name, etc. | ○ | ○ | ○
Acquisition process | ○ | ○ | ○
Name of person, etc. | ○ | ○ | ○
Items of personal data | ○ | ○ | ○
That the person's consent has been obtained | ○ | × | ×
4. Notwithstanding the preceding paragraph, if the Company continuously or repeatedly exchanges personal data with a specific business operator within a certain period of time, it may create one record for those exchanges instead of creating a record of each individual exchange.
5. Notwithstanding Paragraph 3, when the Company has concluded a contract for the provision of goods or services to a principal and, in accordance with the performance of that contract, receives the personal data of that principal from another business operator, the distribution of the personal data can be traced by means of a contract or other document created at the time of provision, so the contract or other document can be used as a record.
6. The Company shall retain the records created pursuant to the preceding paragraphs for the period specified in each of the following items.
(1) When records are created by the method specified in paragraph 5
Until the day when one year has passed since the last day when the personal data related to the record was provided
(2) When records are created by the method specified in paragraph 4
Until the day when three years have passed since the last day when the personal data related to the record was provided
(3) Cases other than the preceding two items
3 years
(Publication, etc. of Matters Concerning Retained Personal Data)
Article 23
Regarding retained personal data, the Company shall put the following information (1) to (4) in a state where the person can know it (including cases where it responds without delay in response to the request of the person).
(1) Name of our company
(2) Purpose of use of all retained personal data (excluding cases falling under Article 8, Paragraph 5, Items (1) to (3))
(3) Procedures for responding to requests for notification of the purpose of use of retained personal data or requests for disclosure, etc., and amount of fees for requests for notification of the purpose of use or requests for disclosure, etc. of retained personal data (only if specified)
(4) Where to file complaints regarding the handling of retained personal data
2. Except for the cases of (1) and (2) below, when a person requests notification of the purpose of use of retained personal data that identifies the person, the Company shall notify the person without delay. In addition, when it is decided not to notify, the principal must be notified to that effect without delay.
(1) When the purpose of use of retained personal data that identifies the person is clear due to the measures in the preceding paragraph
(2) Cases falling under Article 9, Paragraph 5, Items (1) to (3)
(Disclosure)
Article 24
When the Company receives a request from a person to disclose retained personal data that can identify the person (including notifying that fact if it does not exist), the Company will notify the person in writing (not including electromagnetic records) (if there is a method agreed by the person making the request for disclosure, that method) without delay. However, this does not apply if the disclosure falls under any of the following (1) to (3).
(1) When there is a risk of harming the life, body, property or other rights and interests of the person or a third party
(2) When there is a risk of significant hindrance to the proper implementation of our business
(3) When it violates other laws and regulations
2. When the Company has decided not to disclose all or part of the retained personal data based on the proviso of the preceding paragraph, or when the retained personal data pertaining to the request does not exist, the person must be notified to that effect without delay.
(Correction, etc.)
Article 25
If the Company receives a request for correction, addition, or deletion of content (hereinafter referred to as "correction, etc.") from the person on the grounds that there is an error in the retained personal data that identifies the person and it is not true, the necessary investigation must be conducted without delay to the extent necessary to achieve the purpose of use, and based on the results, corrections, etc. must be made in principle.
2. When the Company makes corrections, etc. to all or part of the content of the retained personal data pertaining to the request based on the provisions of the preceding paragraph, or decides not to make corrections, etc., the Company shall, without delay, notify the person in question of that fact, including when it makes corrections, etc.
(Suspension of use, etc.)
Article 26
When the Company receives from the person a request for suspension of use or erasure (hereinafter referred to as "suspension of use, etc.") of retained personal data that identifies the person, on the grounds that the data is being used for purposes other than the intended purpose without the consent of the person in violation of the provisions of Article 5, or that, in violation of the provisions of Article 7, personal information has been acquired by false or other fraudulent means or personal information requiring special care has been acquired without the consent of the person concerned, and it is found that there is a reason for the request, suspension of use, etc. must, as a general rule, be carried out without delay.
2. When the Company receives from the principal a request for suspension of provision to a third party of retained personal data that identifies the principal, on the grounds that the data is provided to a third party in violation of the provisions of Article 15, Paragraph 1 or Article 20, and it is found that there is a reason for the request, the provision to the third party must, in principle, be suspended without delay.
3. When, in accordance with the preceding two paragraphs, the Company suspends use, etc. or decides not to suspend use, etc., or suspends provision to a third party or decides not to suspend provision to a third party, the person concerned must be notified to that effect without delay.
(explanation of reason)
Article 27
When, in response to a request for notification of the purpose of use of retained personal data, or a request for disclosure, correction, etc., suspension of use, etc., or suspension of provision to third parties of retained personal data (hereinafter referred to as "requests for disclosure, etc."), the Company notifies the person that it will not take all or part of such measures or that it will take measures different from those measures, it must also try to explain the reasons to the person.
(Procedures and Fees for Responding to Requests for Disclosure, etc.)
Article 28
Matters related to requests for disclosure, etc. from the person are stipulated as follows.
(1) Rights regarding personal information
If the person requests disclosure, correction, addition or deletion of the content, suspension of use, erasure, or suspension of provision to a third party (hereinafter referred to as "disclosure, etc.") of his/her own personal information subject to disclosure, respond within a reasonable period of time in accordance with the procedures set forth in these regulations.
However, if it falls under any of the following, it is not subject to disclosure, so it can be decided not to disclose it based on the approval of the personal information protection manager. As a procedure in that case, the personal information protection manager will approve the application of the proviso in the complaint and consultation record and notify the person to that effect.
① Information that may cause harm to the life, body, or property of the individual or a third party if the existence or non-existence of the personal information becomes clear.
② Information that may encourage or induce illegal or unfair acts due to the existence or non-existence of the personal information being clarified.
③ Information for which, if the existence or non-existence of the personal information becomes clear, there is a risk that national security may be harmed, a relationship of trust with other countries or international organizations may be impaired, or there may be a risk of being disadvantaged in negotiations with other countries or international organizations.
④ Information that reveals the existence or non-existence of the personal information that may hinder the prevention, suppression, or investigation of crimes or other public safety and order maintenance.
(2) Procedures for responding to requests for disclosure, etc.
As a procedure for responding to requests for disclosure, etc., of personal information subject to disclosure from the person himself/herself, the following matters shall be established and announced on the Company's website. In addition, when publishing or changing, the content must be approved by the personal information protection manager.
a) Where to submit a "request for disclosure, etc."
〒105-0001
KDX Toranomon 1-chome building 11th floor, 1-10-5 Toranomon, Minato-ku, Tokyo
Legal Compliance Officer, Media Bank Co., Ltd.
Contact TEL: 03-5276-6601
b) Documents to be submitted when requesting disclosure, etc.:
Application form for personal information disclosure, etc.
When a person requests disclosure of his or her personal information subject to disclosure, the person responsible for legal compliance receives and responds to the request.
c) How to confirm that the person making the "request for disclosure, etc." is the individual, the legal representative of a minor or an adult ward, or an agent entrusted by the individual to make the request for disclosure, etc.:
① Person: A copy of a resident card, or a copy of a driver's license, health insurance card, or passport
② Legal representative: Documents to confirm that you have legal representative authority (a copy of your family register, or a copy of your health insurance card with dependents in the case of a person with parental authority) and a document to verify the identity of the representative (according to ①)
③ Agent by delegation: power of attorney and documents to verify the identity of the agent by delegation (similar to ①)
d) Fees for “requests for disclosure, etc.” and how to collect them:
Enclose 1,000 yen worth of postage stamps for each application
The personal information protection manager must establish and publish in advance the contact information of the response reception desk, response time, response method, reception (request) form, fee and collection method (if necessary), the method of confirming the person (or authorized agent), and the procedure for responding. Consideration should be given to the handling procedures so as not to impose an excessive burden on the person. In addition, when collecting fees, set the amount within the range that is considered reasonable in consideration of the actual costs. No fees shall be collected except for (4) notification of the purpose of use of personal information subject to disclosure and (5) disclosure of personal information subject to disclosure in Article 28 of this guideline.
(3) Dissemination of personal information subject to disclosure, etc.
If the acquired personal information corresponds to the personal information subject to disclosure, the personal information protection manager or the department manager will publish the following matters regarding the personal information subject to disclosure on the website, etc. (including cases where we respond without delay at the request of the person).
a) Company name
b) Job title, affiliation and contact information of the personal information protection manager or department manager (or his/her representative)
c) Purpose of use of all personal information subject to disclosure
d) Contact point for complaints regarding the handling of personal information subject to disclosure
e) Name of the authorized personal information protection organization and contact point for resolution of complaints (if it is a target business operator of an authorized personal information protection organization based on the Personal Information Protection Act)
f) The procedures laid down by paragraph 2
(4) Notification of purpose of use of personal information subject to disclosure
If the person requests notification of the purpose of use of the personal information to be disclosed that identifies the person, respond without delay. When answering (including not responding to the request), write it in the complaint and consultation record and obtain the approval of the personal information protection manager. However, in the following cases, notification of the purpose of use is not required, but in that case, the person shall be notified to that effect without delay and the reason must be explained.
① When notifying the person of the purpose of use or publicly announcing it may harm the life, body, property or other rights and interests of the person or a third party
② When notifying the person of the purpose of use or publicly announcing it is likely to harm the rights or legitimate interests of the business operator concerned
③ When it is necessary to cooperate with a national agency or local government in carrying out matters stipulated by laws and regulations, and there is a risk that notifying the person of the purpose of use or announcing the purpose of use will hinder the execution of the relevant affairs
④ When it is recognized that the purpose of use is clear in view of the acquisition situation
In addition, when applying the above provisos ① to ④, it shall be stated in the complaint and consultation record and the approval of the personal information protection manager shall be obtained. Notify the person without delay that the request for disclosure, etc. cannot be complied with, together with the reason.
(5) Disclosure of personal information subject to disclosure
When a person requests disclosure of personal information subject to disclosure that identifies the person concerned (including notifying to that effect when there is no personal information subject to disclosure that identifies the person concerned), disclose the personal information subject to disclosure in writing (if there is a method agreed to by the person making the request for disclosure, that method) without delay, except when special procedures are stipulated by the provisions of laws and ordinances. When answering (including not responding to the request), write it in the complaint and consultation record and obtain the approval of the personal information protection manager. However, if the disclosure falls under any of the following, it is not necessary to disclose all or part of it, but in that case, the person must be notified to that effect without delay and the reason must be explained.
① When there is a risk of harming the life, body, property or other rights and interests of the person or a third party
② When there is a risk of significant hindrance to the proper implementation of our business
③ When it violates laws and ordinances
In addition, when applying the above provisos ① to ③, please describe it in the complaint and consultation record and obtain the approval of the personal information protection manager.
(6) Correction, addition or deletion of personal information subject to disclosure
As a result of the disclosure in (5), if you are requested to correct, add or delete the personal information subject to disclosure for the reason that it is not true, then, unless a specific procedure is stipulated by the provisions of laws and regulations, we will conduct necessary investigations without delay to the extent necessary to achieve the purpose of use, and based on the results, we will correct, add or delete the personal information subject to disclosure. After correcting, adding or deleting, we will notify the person to that effect (including the contents of corrections, additions or deletions) without delay. When replying (including cases where the request is not complied with or corrections, etc. are not made), write it in the complaint and consultation record and obtain the approval of the personal information protection manager.
(7) Right to refuse use or provision of personal information subject to disclosure
Respond to requests from the person to stop using, erase, or stop providing to third parties personal information subject to disclosure that can identify the person. In addition, after taking measures, notify the person to that effect without delay. When responding (including not responding to the request), write it in the complaint and consultation record and obtain the approval of the personal information protection manager. However, in any of the following cases, it is not necessary to suspend use, erase, or suspend provision to third parties, but in that case, notify the person to that effect without delay and explain the reason.
① When there is a risk of harming the life, body, property or other rights and interests of the person or a third party
② When there is a risk of significant hindrance to the proper implementation of the business of the business operator
③ When it violates laws and ordinances
In addition, when applying the above provisos ① to ③, please describe it in the complaint and consultation record and obtain the approval of the personal information protection manager.
(8) Identity verification
When responding to (4) to (7), the person making the request must be the person himself/herself or his/her representative (the legal representative of a minor or an adult ward, or an agent entrusted with the request for disclosure, etc.). Confirmation shall be performed by the following method.
a) In the case of the person himself/herself: Copy of resident card, or copy of driver's license/health insurance card/passport
b) In the case of a legal representative: In addition to a), a document confirming that there is legal representation (a copy of the family register, or in the case of a person with parental authority, a copy of the insurance card with the dependent family members filled in is also acceptable) and documents for identity verification of the representative (copy of resident card, or copy of driver's license, health insurance card, passport)
c) In the case of an entrusted agent: In addition to a), a power of attorney and documents for identity verification of the agent (copy of resident card, copy of driver's license, health insurance card, passport)
(Processing of Complaints)
Article 29
Regarding the handling of personal information, the contact point for complaints and consultations from the individual shall be the personal information protection manager, and the contact information, reception method, reception hours, etc. shall be made public. Contact information must also be included in the complaints handling policy published on the bulletin board or website.
2. If we receive a complaint or consultation from the person in question, we will respond according to the following procedures.
(1) When an employee accepts
If an employee receives a complaint or consultation from the individual, respond sincerely and politely and immediately contact the personal information protection manager.
(2) Response by personal information protection manager
When the personal information protection manager receives a complaint or consultation from the individual, he/she will respond appropriately and promptly, and if necessary, instruct the relevant department manager to take action. The personal information protection manager shall create a reception record for each complaint and consultation, and record the contents of the complaint and consultation, investigation details, response progress, and results. In addition, report the contents of complaints and consultations to the president.
(3) Confirmation and investigation of facts
The personal information protection manager will confirm the facts as much as possible regarding complaints and consultations. If necessary, direct the investigation to the relevant department manager.
(4) Determination of response policy
The personal information protection manager analyzes the content of complaints and consultations based on the confirmation of facts and investigation results, and determines the response policy. As a result of the analysis, if there is a possibility of an emergency such as leakage, loss or damage of personal information, or violation of laws and regulations, we will respond in accordance with the emergency such as immediate contact with the relevant parties.
(5) Response to the person
The personal information protection manager or the department manager who receives instructions from the personal information protection manager will deal with the person himself/herself. When responding, explain the reason for deciding the response content.
(6) Confirmation of end of response
If the person accepts the result of the response, confirm and record the completion of the response. If the response has not been completed, record that fact and maintain the record for the specified period. In addition, report the response results to the president. In the case of complaints and consultations that are difficult to terminate (in the case of a business operator covered by an authorized personal information protection organization based on the Personal Information Protection Act), consider making an inquiry to the authorized personal information protection organization.
(Handling of anonymously processed information)
Article 30
We will comply with laws and regulations regarding the handling of anonymously processed information by our company.
(Reports, etc. of Personal Data Leakage, etc.)
Article 31
The Company shall retain the descriptions, etc. and individual identification codes deleted from the personal information used to create the anonymously processed information it possesses, as well as information on the method of processing performed pursuant to the provisions of Article 36, Paragraph 1 of the Law (hereinafter referred to as “processing method information”), from the perspective of preventing secondary damage and avoiding the occurrence of similar incidents, we will disclose the facts without delay as much as possible, and promptly notify the person of the facts or put them in a state where the person can easily know them.
(Thorough dissemination of measures to report accidents such as leaks)
Article 32
The person in charge of legal compliance must, once a year, thoroughly inform all officers and employees and all subcontractors of the method of reporting to related parties in the event of an accident such as leakage stipulated in the preceding article, and of the obligation to do so.
(Educational training)
Article 33
All executives and employees must participate in the related training held by the Japan Consumer Credit Association once a year through affiliated companies in order to familiarize themselves with the proper handling of personal information.
2. The person responsible for legal compliance shall summarize the participation status of all officers and employees at the end of each fiscal year regarding the training set forth in the preceding paragraph, and report this to the representative director. You must order them to attend the training as soon as possible.
(Advance Request for Judicial Action)
Article 34
When the person intends to file an action concerning a claim under the provisions of Article 28, paragraph 1, Article 29, paragraph 1, or Article 30, paragraph 1 or 3, the action cannot be filed unless the request has been made in advance to the person who is to be the defendant of the action and two weeks have passed since the date of its arrival; provided, however, that this shall not apply if the person who should be the defendant in the lawsuit refuses the request.
2. The request set forth in the preceding paragraph shall be deemed to have arrived at the time when the request should normally have arrived.
3. The provisions of the preceding two paragraphs shall apply mutatis mutandis to a petition for a provisional disposition order pertaining to a request pursuant to the provisions of Article 28, paragraph 1, Article 29, paragraph 1, or Article 30, paragraph 1 or 3.
(Review of regulations)
Article 35
The Company shall revise these regulations as necessary in light of changes in relevant laws and regulations, guidelines, etc., in response to changes in social conditions, changes in public awareness, technological progress, international trends, etc.