JAPANESE CHINESE

Privacy

The Maruha Nichiro Group Privacy Policy under the Personal Information Protection Act

The Maruha Nichiro Group publishes the following under the Act on the Protection of Personal Information (Act No. 57 of 2003; hereinafter the “Act”).

1. The main personal data retained by the companies of the Company Group (comprising Maruha Nichiro Corporation and its domestic consolidated companies; hereinafter the “Group”), and the purposes of use

The main personal data retained by the Group companies and the purposes of use are as follows:

Whenever obtaining personal information in a document form directly from the person concerned, the Group will specify the purpose of use. Apart from this, the Group will handle information, which is obtained directly or indirectly, within the purpose of use set forth below. Personal information may be jointly used under the section 3 below. Notwithstanding the foregoing, the purpose of use may not be announced or reported in any of the following cases:

  1. When it is likely to harm the life, body or property, or any other rights or interests of the person concerned or a third party
  2. When it is likely to significantly interfere with the proper execution of business of a Group company
  3. When it is likely to preclude a national government organ or local government from performing business set forth in laws and regulations
  4. When the purpose of use is clear from the circumstances of acquisition
Main retained personal data Main purposes of use
1. Personal information
of business partners
obtained from business
operations and
public information
  • Business communication and smooth business execution
2. Personal information
of people making
inquiries
  • Consultations, response to inquiries
  • Retention of response records
3. Personal information
obtained through
consumer campaigns
  • Shipment of prizes and operation of campaigns
4. Personal information
obtained through
mail-order sales
  • Provision of mail-order website services, including shipment of products, collection of charges for products, provision of a purchase history, and response to inquiries
  • Sending catalogs, postcards, and e-mails to deliver information on products, life, after-sales services and campaigns, invitation notes, greeting cards, and other information
  • Creation and use of statistical data processed in such a way that individuals cannot be identified
5. Personal information
of participants in
contests
  • Notification and communication of lottery and selection results
  • Shipment of products and gifts
  • Announcement of seminars and other events
  • Information provision activities by e-mail newsletter
6. Personal information
of respondents to
questionnaires
  • Shipment of gifts
  • Product development and analysis of interests and preferences
7. Personal information
of participants in service
events
  • Improvement and development of the service events in question
  • Distribution of announcements and advertisements
8. Personal information
of participants in
seminars (sponsored
or cosponsored)
  • Announcement of seminars and other events
  • Information provision activities by e-mail newsletter
9. Personal information
of shareholders
  • Ensuring exercise of shareholder’s rights
10. Personal information
of employees (including
loaned and temporary
employees, and
retirees)
  • Business communication and employment management
11. Personal information
obtained through recruiting
activities
  • Communication in recruiting
    activities and notice of
    screening results
12. Personal information
of which handling is
entrusted
  • Performance of entrusted business

In addition to the above purposes, a Group company may use the personal information it obtains for statistical processing. Such information to be used will not include any information identifying individuals.

When obtaining any information stipulated in the Act as special categories of personal data, a Group company shall obtain the consent of the person concerned on a case-by-case basis by clearly stating the purpose of use.

2. Provision of personal information by Group companies to third parties

(1) A Group company will properly manage retained personal data and will not provide them to any third party without the advance consent of the person concerned, except where:

  • They are disclosed under laws and regulations
  • It is necessary for the protection of the human life, body, or property, and it is difficult to obtain the consent of the person concerned
  • It is especially necessary for the improvement of public health or the promotion of healthy child development, and it is difficult to obtain the consent of the person concerned
  • It is necessary to cooperate with a national government organ or local government or with a person commissioned thereby to perform business set forth in laws and regulations, and obtaining the consent of the person concerned is likely to interfere with the performance of the business

When providing retained personal data to a third party abroad, the Company will implement the necessary measures according to the Act, including acquisition of consent.

(2) Processing of personal information may be outsourced within the purpose of use announced by the Group company. In this case, a contractor will be selected on the condition that the contractor has a sufficient personal information protection system in place, and the Group company will execute the necessary and adequate contracts with the contractor on the handling of personal information and will implement other measures as required under laws and regulations.

3. Joint use of personal information among Group companies

Group companies may share personal information of participants in seminars sponsored or cosponsored by Group companies to be used for announcing seminars or other events or providing product information. In this case, Group companies will notify the person concerned in advance of the following items:

  • Items of personal information jointly used
  • The name and address of the person responsible for the management of personal information jointly used, and the name of the representative in the case of a corporation

4. About requests for exercise of rights against Group companies

The requests for exercise of rights mean that the person concerned requests from a Group company notification of the purpose of using retained personal data; disclosure of retained personal data or records on third-party provision of the data; correction, addition, or deletion of/to retained personal data; and discontinuation of using, erasure, or discontinuation of third-party provision of retained personal data.

Upon a Group company’s receipt of a request for exercise of rights from the person concerned or agent, the Company shall, after having verified the identity of the person or agent, properly respond to the request in accordance with the legislation within a reasonable period and to the extent reasonable. The specific procedures the Company will take shall be as set forth in the section 5 below.

Please note in advance however that we cannot accept requests for exercise of rights in any of the following cases. In this case, we will notify you of such effect.

(1) Cases where notification of the purpose of use cannot be given

  • When the person concerned or the agent cannot be verified
  • When the purpose of use is published on the website of the Company so that the person concerned is able to easily determine the purpose
  • When it is likely to harm the life, body, or property or any other rights or interests of the person concerned or a third party
  • When it is likely to significantly interfere with the proper execution of business of a Group company
  • When it is likely to preclude a national government organ or local government from performing business set forth in laws and regulations

(2) Cases where retained personal data or records on third-party provision thereof cannot be disclosed

  • When the person concerned or the agent cannot be verified
  • When it is likely to harm the life, body, or property or any other rights or interests of the person concerned or a third party
  • When it is likely to significantly interfere with the proper execution of business of a Group company
  • When it violates any other laws and regulations
  • When it is personal information not corresponding to retained personal data or when it has been already destroyed or erased
  • When the personal information subject to the request for disclosure cannot be identified
  • When it is a matter relating to employment screening or unpublic personnel information
  • When entries in the disclosure request form are incomplete
  • When it corresponds to any cases prescribed in a cabinet order where revealing the existence of records on third-party provision of retained personal data would harm public or other interests

(3) Cases where retained personal data cannot be corrected, added or deleted (hereinafter “Correction”)

  • When the person concerned or the agent cannot be verified
  • When Correction is not necessary in light of the purpose of use
  • When the requestor’s claim that data contain an error is incorrect
  • When the information subject to Correction does not pertain to a fact but to assessment
  • When it is personal information not corresponding to retained personal data or when it has been already destroyed or erased
  • When the personal information subject to the request for Correction cannot be identified

(4) Cases where a request for discontinuation of using, erasure, or discontinuation of third-party provision of retained personal data (hereinafter “Discontinuation”) cannot be accommodated

  • When the person concerned or the agent cannot be verified
  • When a Group company needs to use retained personal data or when Discontinuation is requested for any reason other than that they are used for an unintended purpose not consented, unproperly used, illegitimately acquired, or provided to a third party without consent, or that procedures stipulated in laws and regulations are violated (hereinafter “Violation”)
  • When it exceeds the extent necessary for rectifying violation
  • When the requestor’s claim that there is Violation is incorrect
  • When making Discontinuation requires a large expense or when it is difficult to make Discontinuation so that alternative measures are implemented to protect the rights and interests of the person concerned
  • When it is personal information not corresponding to retained personal data or when it has been already destroyed or erased
  • When the personal information subject to the request for Discontinuation cannot be identified

5. Specific procedures taken by the Company

The Company will respond to a request for exercise of rights about retained personal data made against a Group company as follows:

About requests for exercise of rights about retained personal data made against Group companies

Please submit the request to the point of contact below. The point of contact will ask the person concerned to provide information to identify the personal information and will respond to the request after having confirmed whether the personal information can be disclosed or whether the qualification to submit a request is met.

6. Matters concerning security control measures for personal data in Group companies

The Group company implements the necessary and adequate security control measures to manage personal data, including to prevent leakage, loss, and corruption, as follows. A Group company also provides the necessary and adequate supervision over employees and contractors handling personal data.

Basic policy

  • A Group company will comply with the relevant legislation and guidelines stipulated by the State to ensure the proper handling of personal data according to the Maruha Nichiro Group Privacy Policy and will strive toward the protection and the proper use of personal information.

Regulations on the handling of personal data

  • The Group provides the Maruha Nichiro Group Regulations on the Handling of Personal Information Protection as rules to be observed in handling personal data, which provide the handling of personal data, including its acquisition, use, provision, deletion, and disposal.
  • The Group provides the Maruha Nichiro Group Personal Information Handling Guidelines to provide practical and concrete procedures.

Systematic security control measures

  • To properly manage personal information and the confidential information of the Group and to address significant management risks, such as leakage and falsification of information, the Company provides an Information Management Committee to formulate policies and strategies on information management, manage incidents, and draw up and promote education/training systems for information management.
  • The Company appoints a Personal Information Protection Supervisor as the chief executive for the management of personal information to deliberate and assess the policies and measures so as to maintain and improve information security.
  • The Company appoints a Personal Information Protection Promotion Manager as the person responsible for the promotion of planning, dissemination, and deployment of measures for personal information protection as a security management system of personal information protection.
  • The Company appoints personal information management managers in the respective departments of the head office and the respective group companies as persons responsible for the management of personal information.
  • The Company appoints personal information management supervisors to give supervision and guidance to the respective personal information management managers under their control.
  • The Company will conduct self-inspections every year on the status of personal data handling and will have the personal information audit manager conduct an audit as the occasion requires.
  • With the aim to make proper decisions and implement prompt measures for leakage of personal information and other information incidents to minimize the spread of damage and impacts, the Company provides the Maruha Nichiro Group Information Incident Response Regulations and the Maruha Nichiro Group Information Incident Response Rules.
  • When outsourcing the processing of personal data, the Company will examine the contractor in advance to determine that it can handle the data properly and will provide adequate conditions in an outsourcing contract concerning the handling of personal information, including security control measures, confidentiality, conditions for subcontracting, and the return of personal information at the termination of the outsourcing contract and will provide the necessary and adequate supervision.

Human security control measures

  • The Group conducts regular education for the Group’s employees by e-learning or other means regarding important matters related to the handling of personal data.
  • The Group strives to disseminate among its employees the Maruha Nichiro Group Personal Information Handling Guidelines providing the handling of personal data.
  • The Group conducts regular training involving the secretariat of the Information Management Committee and relevant departments in preparation for incidents.

Physical security control measures

  • Documents and storage media recording personal data will be stored in an appropriate place under lock and key as measures to prevent confusion, loss, and leakage.
  • The Group company properly manages information equipment and implements other measures so that it will not be used without legitimate authority.
  • Personal data will be transported by appropriate means and will not be duplicated or reproduced beyond the necessary limits.
  • When disposing of personal data no longer needed, a document will be completely destroyed by shredder, fire, or dissolution, and for a storage medium, the data will be erased by specialized software or by physically destroying the medium.

Technical security control measures

  • Having provided the Maruha Nichiro Group Information Security Control Regulations, the Group has adopted a system that protects an information system handling personal data from unauthorized external access or illegal software.
  • The Group implements access control to limit persons and personal information databases handling personal data.

7. Revision

The Group companies will continue to work on further improvement of personal data protection by reviewing the above handling of personal data as the occasion requires. Incidental to this, this publication may be subject to revision. Upon any revision, we will inform you by publishing the contents of the revision.

8.About the point of contact accepting opinions and complaints concerning the handling of personal information of Group companies

Please submit the inquiries to the point of contact below for any opinions, complaints, and comments you may have regarding the handling of personal information by Group companies.

Point of contact

Legal Affairs & Risk Management Department, Maruha Nichiro Corporation
Address: 3-2-20 Toyosu, Koto-ku, Tokyo 135-8608
E-mail address: houmu@maruha-nichiro.co.jp

Please note that we cannot respond to inquiries, requests, and comments when made in person.

Date of establishment: April 1, 2022