個人情報管理規定 Regulations on the Management of Personal Information
Regulations on the Management of Personal Information
Chapter 1 – General Provisions
Article 1 – Purpose
The purpose of these regulations is to protect the rights and interests of individuals by stipulating basic matters concerning guarantees on the legal and appropriate handling of personal information by the Company in light of the importance of protecting personal information and pursuant to Japan’s Act on the Protection of Personal Information (Act No. 57, May 30, 2003; final revision: Act No. 51, May 27, 2016) and other related laws and ordinances (hereinafter, “laws and ordinances”).
Article 2 – Definitions
The definition of terms used in these regulations shall be as follows:
(1) Personal information
Information that can identify an individual based on the name, address, telephone number, email address, workplace, date of birth or other description obtained in writing, digital media or the Internet, etc., during the process of the Company’s business activities or provision of services (including information that alone does not identify an individual directly, but could easily be matched with other information to identify an individual).
(2) Personal information database, etc.
A collection of information including personal information organized systematically so that specific personal information can be searched using a computer, or a compilation of personal information in paper form such as files or customer ledgers, etc., that is organized or categorized according to certain rules (for example, in alphabetical order, in order of date of birth, in order of creation date, etc.) and by which another person can easily search for specific personal information, even when not using a computer.
(3) Personal data
Personal information contained in the personal information database, etc., administered by the Company.
(4) Retained personal data
Personal data for which the Company retains the right to be able to disclose, revise, make additions to, delete, suspend the use of, dispose, and provide to third parties.
(5) The individual
A specific individual who is identified or can be identified using personal information.
(6) Division head
The head of the division handling personal information.
(7) Employee
A person who engages in the Company’s duties under the orders of the Company.
Article 3 – Obligations of the Company
1. The Company shall comply with laws and ordnances on the protection of personal information and shall strive for the protection of personal information through all forms of its business operations.
Chapter 2 – Specification, etc., of the Purpose of Use of Personal Information
Article 4 – Specification of the Purpose of Use
1. Personal information obtained by the Company shall be used within the scope of the purpose of the Company’s business activities and service provision as well as ancillary operations aforementioned.
2. When changing the purpose of use, the Company shall make the changes within a scope deemed reasonable and with considerable relation to the purpose of use prior to the change.
3. After changing the purpose of use, the Company shall notify the individual or publish the changed purpose of use.
Article 5 - Identification of Purpose of Use, etc., for Each Business Division
The Company shall prepare the “Manual on the Handling of Personal Information” that stipulates the type, purpose of use, methods of use and provision of personal information for each of the following business divisions handling personal information, according to a format stipulated separately.
Study Abroad Division: Japanese Language Training (Osaka): Shiodome Hall: Translation Service Division
Article 6 – Restrictions on Use Beyond the Purpose of Use
1. The Company shall not handle personal information beyond the necessary scope for achieving the purpose of use specified by the provisions of Article 2, without the prior consent of the individual.
2. When it acquires personal information following the succession of a business from another company, etc., due to a merger or other reason, the Company shall not handle personal information beyond the necessary scope for achieving the purpose of use of the said personal information prior to the succession, without the prior consent of the individual.
3. Notwithstanding the provision of Paragraph 2, in either of the following cases, the Company shall be able to handle personal information beyond the scope of the purpose of use specified in the provisions of Article 2 without first obtaining the consent of the individual.
(1) Cases in which the handling of personal information is based on laws and regulations;
(2) Cases in which the handling of personal information is necessary for the protection of the life, physical wellbeing, or property of a person and in which it is difficult to obtain the consent of the individual;
(3) Cases in which the handling of personal information is especially necessary for improving public health or promoting the sound growth of children and in which it is difficult to obtain the consent of the individual; and
(4) Cases in which the handling of personal information is necessary for cooperating with a state organ, a local government, or an individual or a business operator entrusted by either of the former two in executing the affairs prescribed by laws and regulations and in which obtaining the consent of the individual is likely to impede the execution of the affairs concerned.
4. When handling personal information beyond the scope of the purpose of use due to the provisions of the preceding paragraph, the Company shall limit the scope of this handling to that truly necessary.
Chapter 3 – Restrictions, etc. on the Acquisition of Personal Information
Article 7 – Restrictions on Acquisition
1. When it acquires personal information, the Company shall clearly specify the purpose of use and shall acquire personal information according to legal and appropriate methods.
2. The Company shall not acquire any personal information that concerns beliefs, creed and/or religion, or personal information that could be a cause of social discrimination.
3. In principle, the Company shall acquire personal information directly from the individual, and not from any other person. However, this need not apply in either of the following cases.
(1) When the individual gives consent;
(2) When pursuant to the provisions of laws and ordinances, etc.;
(3) When deemed to be urgent and unavoidable for protecting a person’s life, physical well-being or property;
(4) When unable to acquire from the individual due to reasons such as uncertainty over their whereabouts or his/her inability to make decisions, etc.;
(5) When determined that acquiring it from the individual will not achieve the purpose of the business, including consultations, assistance, instructions, agency, proxy, etc.
4. When it acquires personal information from a person other than the individual per the provisions of (4) or (5) in the preceding paragraph, the Company shall strive to notify the individual of the acquisition and the purpose of use of said personal information.
Article 8 - Notification, etc., of Purpose of Use upon Acquisition
1. After it acquires personal information, the Company shall notify the individual or publish the purpose of use immediately, except for instances where the purpose of use has already been published.
2. Notwithstanding the provisions of the preceding paragraph, when it acquires personal information of the individual contained in contracts or other documents following the conclusion of an agreement with the individual or acquires personal information of the individual contained in documents directly from the individual, the Company shall clearly notify the individual of the purpose of use in advance. However, this need not apply in urgent and unavoidable cases for protecting a person’s life, physical well-being or property.
3. The provisions of Paragraph 2 shall not apply to any of the following cases.
(1) When there is cause for concern that notifying the individual or publishing the purpose of use will harm the life, physical well-being, property or other rights or interests of the individual or a third party; and
(2) When necessary for cooperating with the work of a national institution, local government, or person commissioned by such, as stipulated in laws and ordinances, and when notifying the individual of the purpose of use or making an official announcement could inhibit the execution of said work.
Chapter 4 – Management of Personal Information
Article 9 – Appropriate Management of Personal Data
1. The Company shall always maintain personal data in a correct and up to date condition within the scope necessary for achieving the purpose of use.
2. The Company shall take necessary and appropriate measures for preventing the leakage, destruction and/or damage to personal data and other measures for the secure management of personal data.
3. The Company shall carry out necessary and appropriate supervision of employees handling personal data for the secure management of personal data.
4. The Company shall surely and promptly discard or delete personal data that no longer needs to be retained for the purpose of use.
5. When commissioning the handling of personal information in part or its entirety to another party, in principle, the Company shall specify within an outsourcing agreement the measures to be taken by the commissioned party with regard to the secure management of personal data and shall carry out necessary and appropriate supervision of the commissioned party.
Chapter 5 – Provision of Personal Data to Third Parties
Article 10 – Provision of Personal Data to Third Parties
1. The Company shall not provide personal data to a third party without the prior consent of the individual except in the following cases.
(1) When it is necessary for the Company to do so in order to fulfill the purpose of the agreement with the individual;
(2) When pursuant to laws and ordinances;
(3) When it is difficult to obtain the individual’s consent in situations necessary for the protection of a person’s life, physical well-being or property;
(4) When it is difficult to obtain the individual’s consent in situations where it is particularly necessary for the improvement of public health or the sound development of children; and
(5) When necessary for cooperating with the work of a national institution, local government, or person commissioned by such, as stipulated in laws and ordinances, and when obtaining the consent of the individual could inhibit said work.
2. In the following cases, parties receiving the provision of said personal data shall not be a third party for the application of the provision of the preceding paragraph.
(1) When the Company commissions the handling of personal data in part or its entirety within the scope necessary for achieving the purpose of use;
(2) When provided with personal data following the succession of a business due to merger or other reasons; and
(3) When personal information is used in common with a specific party, and there has been prior notification to the individual or the information has been made easily available to the individual, of this fact, and of the items of personal data to be used in common, the range of the use in common, the purpose of use to which the party will put the use, and the name of the person or organization having responsibility for managing this personal data.
3. When there are changes in the name of the person or organization responsible for managing personal data or the purpose of use of parties using personal data per the provisions of Item 3 of the preceding paragraph, the Company shall notify the individual of the details of the changes or make this information easily available to the individual.
Chapter 6 – Disclosure, Revision, Addition, Deletion, Suspension of Use of Retained Personal Data
Article 11 – Disclosure, etc., of Retained Personal Data
1. When a request is made for the disclosure of the retained personal data of the individual from said individual, either in writing or verbally (including notification of the individual when there is no personal information retained that could identify said individual; hereinafter the same shall apply), the Company shall disclose said personal data after confirming the identity of the individual using an personal identification document or other means. However, the Company shall be able to not disclose said personal information in part or its entirety when disclosure will result in any of the following.
(1) When there is possibility of harm to the individual or a third party’s life, physical well-being, property or other rights and interests;
(2) When there is a possibility of significantly inhibiting the appropriate execution of the Company’s business operations; and
(3) When it will violate other laws and ordinances.
2. Disclosure shall be made in writing. However, disclosure can be made in a form other than writing when the person requesting disclosure so consents.
3. The notification of disclosure or non-disclosure of retained personal data shall be made in writing to the individual without delay.
Article 12 - Revision, Addition, Deletion, Suspension of Use, etc., of Retained Personal Data
1. When there is a request in writing or verbally for the revision, addition to, deletion of or suspension of use of personal data related to disclosure from the person that received disclosure of retained personal data, the Company shall investigate without delay within a scope necessary for achieving the purpose of use and shall notify said person of the results in writing.
2. When there is another request from the person that received the notification per the preceding paragraph, the Company shall carry out the same procedures as the preceding paragraph.
Chapter 7 – Organization and Structure
Article 13 – Personal Information Protection Manager
1. The Company shall designate a Personal Information Protection Manager for the appropriate management of personal information and he/she shall implement measures necessary for the appropriate management of personal information by the Company.
2. The President of the Company shall serve as the Personal Information Protection Manager.
3. The Personal Information Protection Manager shall assume responsibility for the implementation of appropriate management measures and the education and training of employees pursuant to the provisions of these regulations.
4. The Personal Information Protection Manager shall regularly evaluate measures necessary for appropriate management as well as carry out reviews and improvements.
5. The Personal Information Protection Manager shall be able to consign to the division head responsible for each business part of the measures necessary for appropriate management of personal information.
Article 14 – Response to Complaints, etc.
1. The Company shall develop the necessary system for complaints concerning revisions to, additions to, deletion of, suspension of use or other handling of personal information (hereinafter, “complaints, etc.”) and shall strive to respond to complaints in an appropriate and prompt manner.
2. The Personal Information Protection Manager shall be responsible for responses to complaints.
3. The Personal Information Protection Manager shall be able to consign to the division head responsible for the duties of responding to complaints, etc. In such cases, the division head shall be designated in advance and the details of the duties shall be made clear.
4. The department in charge of responding to complaints, etc., shall be as follows.
Information Systems Department TEL: 03-6255-4100
: contact@ccfj.com
Article 15 – Obligations of Employees
1. No employee or former employee of the Company shall disclose the personal information acquired with respect to his or her work to another person without a justifiable ground or use such information for an unjust purpose.
2. An employee who discovers a violation or possible violation of these regulations shall report the matter to the Personal Information Protection Manager.
Article 16 – Implementation of Audits
When receiving a report of the discovery of a violation or possible violation of these regulations, the Personal Information Protection Manager shall investigate the details of said report and shall instruct the relevant division head to take appropriate measures without delay when the violation is found to be a fact.
Article 17 – Reporting to Supervising Authorities
If a violation is found as a result of the investigation per the preceding Article, the Personal Information Protection Manager must report the details of said violation to the supervising authorities without delay.
Chapter 8 - Miscellaneous Provisions
Article 18 - Other
Necessary matters for the implementation of these regulations shall be stipulated separately.
Supplementary Provisions
These regulations shall take effect from January 1, 2017.
These regulations are subject to change as needed without prior notice. When changed, the new provisions shall prevail.