JAPANESE CHINESE

Privacy

The Maruha Nichiro Group Privacy Policy under GDPR/UK GDPR

The Maruha Nichiro Group publishes the following under the General Data Protection Regulation (GDPR) and the UK General Data Protection Regulation (UK GDPR) (hereinafter the “Act”).

1. The main personal data retained by the companies of the Company Group (comprising Maruha Nichiro Corporation and its domestic consolidated companies; hereinafter the “Group”), and the purposes of use and legal grounds

(1) The main personal data retained by the Group companies and the purposes of use are as follows:

Main retained personal data Main purposes of use
1. Personal information
of business partners
obtained from business
operations and
public information
  • Business communication and smooth business execution
2. Personal information
of people making
inquiries
  • Consultations, response to inquiries
  • Retention of response records
3. Personal information
obtained through
consumer campaigns
  • Shipment of prizes and operation of campaigns
4. Personal information
obtained through
mail-order sales
  • Provision of mail-order website services, including shipment of products, collection of charges for products, provision of a purchase history, and response to inquiries
  • Sending catalogs, postcards, and e-mails to deliver information on products, life, after-sales services and campaigns, invitation notes, greeting cards, and other information
  • Creation and use of statistical data processed in such a way that individuals cannot be identified
5. Personal information
of participants in
contests
  • Notification and communication of lottery and selection results
  • Shipment of products and gifts
  • Announcement of seminars and other events
  • Information provision activities by e-mail newsletter
6. Personal information
of respondents to
questionnaires
  • Shipment of gifts
  • Product development and analysis of interests and preferences
7. Personal information
of participants in service
events
  • Improvement and development of the service events in question
  • Distribution of announcements and advertisements
8. Personal information
of participants in
seminars (sponsored
or cosponsored)
  • Announcement of seminars and other events
  • Information provision activities by e-mail newsletter
9. Personal information
of shareholders
  • Ensuring exercise of shareholder’s rights
10. Personal information
of employees (including
loaned and temporary
employees, and
retirees)
  • Business communication and employment management
11. Personal information
obtained through recruiting
activities
  • Communication in recruiting
    activities and notice of
    screening results
12. Personal information
of which handling is
entrusted
  • Performance of entrusted business

In addition to the above purposes, a Group company may use the personal information it obtains for statistical processing. Such information to be used will not include any information identifying individuals.

(2) A Group company may process personal data on the following legal grounds:

  • When the advance consent is obtained to the handling of personal data
  • When it is necessary for the performance of a contract between the person concerned and a Group company or procedures before the execution
  • When they need to be handled to comply with legal obligations borne by a Group company
  • When it is necessary for protecting vital interests of the person concerned or another natural person
  • When they need to be handled in performing business for public interests or the exercise of public authority given to a Group company
  • When they need to be handled for legitimate interests sought by a Group company or third party

(3) When obtaining any information stipulated in the Act as special categories of personal data, a Group company shall obtain the consent of the person concerned on a case-by-case basis by clearly stating the purpose of use.

2. Disclosure/provision of personal data from Group companies to third party and transfer to third country outside EEA/UK

(1) Within the purpose of use announced by a Group company, retained personal data may be disclosed or provided to another Group company or a third party. In this case, proper measures shall be implemented according to the GDPR/UK GDPR and other legislation.

(2) A Group company may transfer retained personal data to a country or region outside the European Economic Area (EEA) and the United Kingdom (UK). Recipients of such data include Group companies and third parties. In this case, unless the European Commission or UK government has determined that data protection will be adequately ensured in the country or region, the Group company shall implement proper protective measures (including execution of a contract providing the Standard Data Protection Clause) in accordance with the GDPR/UK GDPR and other legislation.

3. About requests for exercise of rights against Group companies

The requests for exercise of rights mean that the person concerned requests from a Group company information notification of retained personal data, access to retained personal data, rectification or erasure of personal data, restriction in the use of retained personal data, and portability of retained personal data, or the person raises an objection to the processing of retained personal data. If personal data is processed based on the consent of the person concerned, the person has a right to withdraw that consent. However, please note that withdrawal of consent shall not affect the legality of processing personal data made prior to the withdrawal. A person concerned who has an objection to a Group company regarding its handling of personal data may file a complaint with the EU or UK supervisory authority.

Upon a Group company’s receipt of a request for exercise of rights from the person concerned or agent, the Company shall, after having verified the identity of the person or agent, properly respond to the request in accordance with the legislation within a reasonable period and to the extent reasonable. The specific procedures the Company will take shall be as set forth in the section 4 below.

4. Specific procedures taken by the Company

The Company will respond to a request for exercise of rights about retained personal data made against a Group company as follows:

About requests for exercise of rights about retained personal data made against Group companies

Please submit the request to the point of contact below. The point of contact will ask the person concerned to provide information to identify the personal information and will respond to the request after having confirmed whether the personal information can be disclosed or whether the qualification to submit a request is met.

5. Matters concerning security control measures for personal data in Group companies

The Group company implements the necessary and adequate security control measures to manage personal data, including to prevent leakage, loss, and corruption, as follows. A Group company also provides the necessary and adequate supervision over employees and contractors handling personal data.

Basic policy

  • A Group company will comply with the relevant legislation and guidelines stipulated by the State to ensure the proper handling of personal data according to the Maruha Nichiro Group Privacy Policy and will strive toward the protection and the proper use of personal information.

Regulations on the handling of personal data

  • The Group provides the Maruha Nichiro Group Regulations on the Handling of Personal Information Protection as rules to be observed in handling personal data, which provide the handling of personal data, including its acquisition, use, provision, deletion, and disposal.
  • The Group provides the Maruha Nichiro Group Personal Information Handling Guidelines to provide practical and concrete procedures.

Systematic security control measures

  • To properly manage personal information and the confidential information of the Group and to address significant management risks, such as leakage and falsification of information, the Company provides an Information Management Committee to formulate policies and strategies on information management, manage incidents, and draw up and promote education/training systems for information management.
  • The Company appoints a Personal Information Protection Supervisor as the chief executive for the management of personal information to deliberate and assess the policies and measures so as to maintain and improve information security.
  • The Company appoints a Personal Information Protection Promotion Manager as the person responsible for the promotion of planning, dissemination, and deployment of measures for personal information protection as a security management system of personal information protection.
  • The Company appoints personal information management managers in the respective departments of the head office and the respective group companies as persons responsible for the management of personal information.
  • The Company appoints personal information management supervisors to give supervision and guidance to the respective personal information management managers under their control.
  • The Company will conduct self-inspections every year on the status of personal data handling and will have the personal information audit manager conduct an audit as the occasion requires.
  • With the aim to make proper decisions and implement prompt measures for leakage of personal information and other information incidents to minimize the spread of damage and impacts, the Company provides the Maruha Nichiro Group Information Incident Response Regulations and the Maruha Nichiro Group Information Incident Response Rules.
  • When outsourcing the processing of personal data, the Company will examine the contractor in advance to determine that it can handle the data properly and will provide adequate conditions in an outsourcing contract concerning the handling of personal information, including security control measures, confidentiality, conditions for subcontracting, and the return of personal information at the termination of the outsourcing contract and will provide the necessary and adequate supervision.

Human security control measures

  • The Group conducts regular education for the Group’s employees by e-learning or other means regarding important matters related to the handling of personal data.
  • The Group strives to disseminate among its employees the Maruha Nichiro Group Personal Information Handling Guidelines providing the handling of personal data.
  • The Group conducts regular training involving the secretariat of the Information Management Committee and relevant departments in preparation for incidents.

Physical security control measures

  • Documents and storage media recording personal data will be stored in an appropriate place under lock and key as measures to prevent confusion, loss, and leakage.
  • The Group company properly manages information equipment and implements other measures so that it will not be used without legitimate authority.
  • Personal data will be transported by appropriate means and will not be duplicated or reproduced beyond the necessary limits.
  • When disposing of personal data no longer needed, a document will be completely destroyed by shredder, fire, or dissolution, and for a storage medium, the data will be erased by specialized software or by physically destroying the medium.

Technical security control measures

  • Having provided the Maruha Nichiro Group Information Security Control Regulations, the Group has adopted a system that protects an information system handling personal data from unauthorized external access or illegal software.
  • The Group implements access control to limit persons and personal information databases handling personal data.

6. Retention period

A Group company will retain retained personal data to the extent necessary for the purpose of use and will delete retained personal data promptly when such data is no longer necessary for the purpose of use.

7. Webpage access and cookies

(1) Access to the webpage

When a user accesses the website of a Group company, the browser may send specific data (IP address etc.) to the webserver of the Group company. This is made for technical reasons to provide the website user with required information. Such data will be stored and used for a short time so that access to the website will become easier. The collected data will not be used to identify personal data of the website user.

(2) Use of cookies

The website of a Group company may use cookies. Cookies are universally used technology for website browsing, which will store specific information that a website user’s browser may pass on to the website of the Group company when the user returns to the website (depending on the expiration date of the cookie). A cookie may identify the browser of a user, optimize the website, and make the use easier. If the website of a Group company uses analysis cookies using a cookie that assigns a randomly generated ID to a website user’s device, the website may identify the website user’s device when the user returns to the website. The data collected by cookies will not be used to identify the personal data of the website user.

8. Revision

The Group companies will continue to work on further improvement of personal data protection by reviewing the above handling of personal data as the occasion requires. Incidental to this, this publication may be subject to revision. Upon any revision, we will inform you by publishing the contents of the revision.

9. About the point of contact accepting opinions and complaints concerning the handling of personal information of Group companies

Please submit the inquiries to the point of contact below for any opinions, complaints, and comments you may have regarding the handling of personal information by Group companies.

Point of contact

Legal Affairs & Risk Management Department, Maruha Nichiro Corporation
Address: 3-2-20 Toyosu, Koto-ku, Tokyo 135-8608
E-mail address: houmu@maruha-nichiro.co.jp

Please note that we cannot respond to inquiries, requests, and comments when made in person.

Date of establishment: November 1, 2022