Personal Information Handling Standards
Article 1 (Purpose)
The purpose of these standards is to gain the trust of society and to improve the quality of our corporate activities by establishing and practicing basic items for the proper handling of personal information held by the Company and for the protection of the rights and interests of individuals.
Article 2 (Subject)
These standards shall apply to all personal information handled by the Company, regardless of whether it is electronic or non-electronic information.
However, with regard to specified personal information related to the "Act on the Use of Identification Number to Identify Specific Individuals in Administrative Procedures, etc.", the separately stipulated "Standards for Handling Specified Personal Information" shall apply.
Article 3 (Definitions)
The definitions of terms used in these standards are as follows and, unless otherwise specified, shall be in accordance with the provisions of the "Act on the Protection of Personal Information" and other related laws and regulations (hereinafter referred to as "Related Laws and Regulations, etc.").
- (1) Personal information
Information about a living individual that can identify the specific individual by name, date of birth, or other description, etc., contained in the information, that can be easily cross-checked with other information and thereby identify the specific individual, or that contains a personal identification code.
- (2) Personal information requiring special consideration
Personal information requiring special consideration (health information, etc. is specified in a separate document in accordance with the Occupational Health and Safety Law).
- (3) Personal information database, etc.
A collection of information containing personal information that includes the following:
- (i) A systematically organized collection of specific personal information so that it can be retrieved using a computer
- (ii) In addition to those listed in (i) above, a collection of information that is systematically organized so that specific personal information can be easily retrieved by organizing personal information according to certain rules, and that has a table of contents, index, or other items to facilitate retrieval.
- (4) Personal Data
Personal data means personal information that constitutes a personal information database, etc.
- (5) Retained personal data
Personal data for which MHI has the authority to disclose, correct, add or delete content, suspend use, erase, and suspend provision to third parties, other than those listed below.
- (i) Personal data that is likely to cause harm to the life, body, or property of the individual concerned or a third party if its existence or nonexistence is revealed.
- (ii) Data that is likely to encourage or induce illegal or unjust acts if its existence or nonexistence is revealed
- (iii) Cases in which the disclosure of the existence or nonexistence of the relevant personal data is likely to cause harm to national security, damage the relationship of trust with other countries or international organizations, or cause disadvantages in negotiations with other countries or international organizations
- (iv) Cases in which disclosure of the existence or nonexistence of the relevant personal data is likely to cause hindrance to the prevention, suppression, or investigation of crimes or the maintenance of other public safety and order.
- (6) Anonymous Processed Information
Anonymous Processed Information means information on individuals obtained by processing personal information so that specific individuals cannot be identified by deleting part of the descriptions, etc., included in the personal information, so that the personal information cannot be restored.
- (7) Anonymous processed information database, etc.
Means a collection of information that is systematically organized so that specific anonymized processed information can be easily retrieved by organizing anonymized processed information according to certain rules, and that has a table of contents, index, or other items to facilitate retrieval.
- (8) Pseudonymized information
Means information on an individual obtained by processing personal information so that the individual cannot be identified unless the information is cross-checked with other information by deleting part of the descriptions, etc., contained in the personal information.
- (9) Pseudonymized information database, etc.
"Pseudonymized information database, etc." means a collection of information that is systematically organized so that specific pseudonymized information can be easily retrieved by organizing it according to certain rules, and that has a table of contents, index, or other items to facilitate retrieval.
- (10) Person-related information
"Person-related information" means information on living individuals that does not fall under any of the categories of personal information, anonymized processed information, and pseudonymized processed information.
- (11) Individual
A specific individual identified by personal information.
2. The Company shall not use the information or databases, etc. listed in items 6, 7, 8, 9, and 10 of the preceding paragraph for business purposes, and if necessary, the Company shall comply with the relevant laws and regulations and publicly disclose such information.
Article 4 (Scope of Application)
These Standards shall apply to Directors (including Directors and Audit & Supervisory Board Members), Executive Officers, and employees as defined in the Employment Regulations (hereinafter referred to as "Employees, etc.").
Article 5 (Specification of Purpose of Use)
The Company shall use personal information for the following purposes (hereinafter referred to as "Purposes of Use"):
- (1) Collection and provision of information related to products handled by the Company
- (2) To identify suppliers of products sold by the Company and to perform administrative tasks, etc.
- (3) Examination of and response to consultations, communications, etc. received from business partners
- (4) Notification and reporting to government and municipal offices in accordance with the Pharmaceuticals and Medical Devices Act
- (5) Implementation of measures to ensure the health of employees, etc. and fulfillment of safety consideration obligations
2. If the Company changes the purpose of use, it shall not do so beyond the extent that is reasonably deemed to be relevant to the purpose of use before the change.
Article 6 (Restriction by Purpose of Use and Prohibition of Improper Use)
The Company shall not handle personal information beyond the scope necessary to achieve the purpose of use specified in the preceding Article without obtaining the prior consent of the individual.
2. In the event that SBM acquires personal information as a result of succeeding to the business of another business operator handling personal information, SBM shall not handle such personal information beyond the scope necessary to achieve the purposes of use of such personal information prior to such succession, without obtaining the prior consent of the individual.
3. The provisions of Paragraphs 1 and 2 shall not apply to the following cases:
- (1) When required by law
- (2) When it is necessary for the protection of a person's life, body, or property, and it is difficult to obtain the consent of the person
- (3) Cases in which the provision of personal information is particularly necessary for improving public health or promoting the sound growth of children and in which it is difficult to obtain the consent of the person
- (4) When it is necessary to cooperate with a national agency, a local government, or an individual or entity entrusted by either a national agency or local government to execute affairs prescribed by law, and obtaining the consent of the individual is likely to impede the execution of such affairs.
4. The Company shall not use personal information in a manner that may encourage or induce illegal or unjust acts.
Article 7 (Proper Acquisition)
The Company shall not acquire personal information through deception or other wrongful means.
2. The Company shall not acquire any personal information without obtaining the prior consent of the individual to whom the information pertains.
However, this shall not apply in the cases listed in each item of Paragraph 3 of the preceding Article, in cases where the information is publicly disclosed, and in other cases equivalent thereto.
Article 8 (Notification, etc. of Purpose of Use at the Time of Collection/Acquisition)
Whenever the Company acquires personal information in the course of performing its business, the Company shall promptly notify the person of the purpose of use or publicly announce the purpose of use, except in cases where the Company has publicly announced the purpose of use in advance.
2. If the Company changes the purpose of use, the Company shall notify the person of the changed purpose of use or publicly announce it.
3. The provisions of Paragraphs 1 and 2 shall not apply to the following cases:
- (1) Cases in which notifying the person of the purpose of use or publicly announcing it may harm the life, body, property, or other rights or interests of the person or a third party
- (2) Cases in which notifying the person of the purpose of use or publicly announcing it may harm the Company's rights or legitimate interests
- (3) Cases in which it is necessary to cooperate with a national agency, a local government, or an individual or entity entrusted by either a national agency or local government to execute affairs prescribed by law, and in which obtaining the consent of the individual is likely to impede the execution of such affairs
- (4) Cases in which the purpose of use is recognized to be clear in light of the circumstances of acquisition
Article 9 (Ensuring Accuracy of Personal Data, etc.)
The Company shall keep personal data accurate and up-to-date to the extent necessary to achieve the purpose of use, and shall endeavor to delete said personal data without delay when there is no longer a need to use it.
Article 10 (Security Control Measures)
The Company shall take necessary and appropriate security control measures to prevent the loss, destruction, alteration, leakage, etc. of personal data.
Article 11 (Training and Supervision of Employees, etc.)
The Company shall educate and supervise its employees, etc. in the handling of personal data to ensure that such personal data is properly and securely managed.
Article 12 (Supervision of Subcontractors, etc.)
In the event that the Company outsources all or part of the handling of personal data, the Company shall exercise necessary and appropriate supervision over the outsourced party to ensure the safe management of said personal data.
Article 13 (Restriction on Provision to Third Parties)
Except in the cases listed in each item of Article 6, Paragraph 3, the Company shall not provide personal data in its possession to a third party without obtaining the prior consent of the individual concerned.
2. In the following cases, the person to whom such personal data is provided shall not fall under the category of a third party with respect to the application of the provisions of the preceding paragraph.
- (1) Cases in which the Company outsources all or part of the handling of personal data within the scope necessary to achieve the Purposes of Use
- (2) Where personal data is provided in connection with the succession of business from another business operator handling personal information
- (3) Our parent company and subsidiaries under the Companies Act who jointly use the information for the purpose of proper distribution of products and planning and reviewing effective management and sales measures of our group. The items of information to be jointly used shall be the name, location, title, name, telephone number, and information on the products handled by the suppliers held by the Company.
3. If the Company changes the purpose of use or the name or title of the person responsible for the management of personal data of any of the persons stipulated in the preceding paragraph (3), the Company shall notify the person in advance of the change or make the change readily accessible to him or her.
4. Apart from the preceding three paragraphs, the Company shall not provide personal data to a third party located in a foreign country (meaning a country or region outside of Japan), except in the cases listed in each item of Article 6, Paragraph 3. In the event of such provision, the Company shall obtain the prior consent of the individual concerned in accordance with the relevant laws and regulations.
Article 14 (Preparation of Records Related to Provision to Third Parties, etc.)
When personal data is provided to a third party with the consent of the individual, the Company shall create and preserve a record of the date of provision, the name of the recipient, etc. However, the Company shall not provide personal data to a third party without the consent of the individual.
However, this excludes the cases listed in each item of Article 6, Paragraph 3.
Article 15 (Confirmation, etc. upon Receipt of Provision to a Third Party)
When receiving personal data from a third party, the Company shall confirm the name of the third party (in the case of a corporation, its representative) and the circumstances of acquisition of the relevant personal data, and shall prepare and preserve a record of such confirmation.
However, this shall not apply to the cases listed in each item of Article 6, Paragraph 3.
Article 16 (Publication of Matters Concerning Retained Personal Data, etc.)
With respect to retained personal data, the Company shall make the following matters available to the individual concerned:
- (1) Purposes of use of retained personal data (excluding cases falling under Article 8, Paragraph 3, Items (1) through (4))
- (2) Procedures for responding to requests pursuant to Paragraph 2 of this Article, Article 17, Paragraph 1, Article 18, Paragraph 1, or Article 19, Paragraphs 1 through 3 (including the amount of fees when the amount of fees is specified pursuant to Article 21)
- (3) Contact information for inquiries regarding various procedures, etc. concerning retained personal data conducted by the Company
- (4) Our name, address and the name of our representative
2. When we receive a request from an individual for notification of the purpose of use of retained personal data that identifies that individual, we will notify the individual without delay.
However, this shall not apply in any of the following cases:
- (1) Where the Purpose of Use of the Retained Personal Data by which the Individual Concerned is identified is clear pursuant to Paragraph 1 (1) of this Article
- (2) Cases falling under Article 8, Paragraph 3 (1) through (4).
3. If the Company decides not to notify the Purpose of Use of the Retained Personal Data for which a request has been made pursuant to Paragraphs 2 (1) and (2) of this Article, the Company shall notify the Individual to that effect without delay.
Article 17 (Disclosure)
When we receive a request from an individual for disclosure of retained personal data that identifies that individual (including notification to that effect when the retained personal data that identifies that individual does not exist; the same shall apply hereinafter) and disclosure of records, etc. as stipulated in Articles 14 and 15, we shall disclose the retained personal data in writing (including electromagnetic disclosure) to the individual without delay. However, if disclosure would result in any of the following cases, the Company may choose not to disclose all or a portion of the Retained Personal Data:
- (1) If there is a risk of harm to the life, body, property, or other rights or interests of the individual concerned or a third party
- (2) If there is a risk of causing significant hindrance to the proper conduct of our business
- (3) If it would violate laws and regulations.
2. If the Company decides not to disclose all or part of the Retained Personal Data requested in accordance with the provisions of Paragraph 1, the Company shall notify the Individual to that effect without delay.
Article 18 (Correction, etc.)
When we receive a request from an individual for correction, addition, or deletion, etc. (hereinafter referred to as "Correction, etc.") of retained personal data that identifies the individual on the grounds that the content of such retained personal data is not true, we will conduct the necessary investigation without delay to the extent necessary to achieve the Purpose of Use, and based on the results of such investigation, we will make the necessary correction, addition, or deletion to the retained personal data without delay.
2. When the Company corrects, etc., or decides not to correct, etc., the Retained Personal Data requested in accordance with the provisions of Paragraph 1, the Company shall notify the Individual(s) to that effect without delay.
Article 19 (Suspension of Use, etc.)
If we receive a request from the Individual for suspension of use or deletion (hereinafter referred to as "Suspension of Use, etc.") of Retained Personal Data that identifies the Individual on the grounds that the Retained Personal Data is handled in violation of the provisions of Article 6 or that the Retained Personal Data was obtained in violation of the provisions of Article 7, and the request is found to be reasonable, the Company shall, to the extent necessary to correct the violation, without delay, suspend use of such retained personal data.
However, this shall not apply in cases where it is difficult to suspend the use of the Retained Personal Data, etc. and alternative measures necessary to protect the rights and interests of the Individual Concerned are taken.
2. If we receive a request from an individual to suspend the provision of his/her Retained Personal Data to a third party on the grounds that the Retained Personal Data that identifies him/her is being provided to a third party in violation of Article 13, Paragraph 1, and if the request is found to be reasonable, we will, to the extent necessary to correct the violation, suspend the provision of such retained personal data to a third party without delay.
However, this shall not apply in cases where it is difficult to suspend the use of the Retained Personal Data in question and alternative measures necessary to protect the rights and interests of the Individual Concerned are taken.
3. When there is no longer a need to use the Retained Personal Data that identifies the Individual Concerned, when there is a risk of harm to the rights and interests of the Individual Concerned due to leakage, loss, damage, etc., or when there is a risk that the handling of the Retained Personal Data may harm the rights and interests of the Individual Concerned, and when the Company receives a request from the Individual Concerned to cease Use, etc. or cease provision to third parties (hereinafter referred to as "Suspension of Use, etc."), and it is found that there is a reason for such request as stated above, we will, to the extent necessary to prevent infringement of the rights of the Individual, without delay, suspend Use, etc. or suspend provision to third parties of the Retained Personal Data in question.
4. When we have suspended the Use, etc. of all or part of the Retained Personal Data requested under the preceding three paragraphs, or when we have decided not to suspend the Use, etc., or when we have suspended the provision of the Retained Personal Data to a third party, or when we have decided not to suspend the provision of the Retained Personal Data to a third party for justifiable reasons, we shall notify the Individual(s) to that effect without delay.
Article 20 (Procedures for Responding to Requests for Disclosure, etc.)
With respect to requests pursuant to Article 16, Paragraph 2, Article 17, Paragraph 1, Article 18, Paragraph 1, or Article 19, Paragraphs 1 through 3 (hereinafter referred to as "Requests for Disclosure, etc."), the Company shall establish a Personal Information Handling Desk to which requests for Disclosure, etc. shall be submitted, and the following procedures for receiving Requests for Disclosure, etc. shall be prescribed separately.
- (1) The method of documents to be submitted when making a Request for Disclosure, etc. and other methods of accepting Disclosure, etc.
- (2) Method of confirming that the person making the Request for Disclosure, etc. is the principal or the agent prescribed in Paragraph 3.
- (3) Method of collecting the fee stipulated in Article 21, Paragraph 1
2. The Company may request the Individual Concerned to present matters sufficient to identify the Retained Personal Data that is the subject of the Request for Disclosure, etc. In this case, in order to enable the Individual Concerned to make the Disclosure Request, etc. easily and accurately, the Company shall provide information that contributes to the identification of the Retained Personal Data concerned and take other appropriate measures for the convenience of the Individual Concerned.
3. Requests for Disclosure, etc. may be made by a statutory representative of a minor or guardian of an adult, or by a representative authorized by the principal to make such Requests for Disclosure, etc.
Article 21 (Fees)
When the Company receives a request for notification of the purpose of use pursuant to Article 16, Paragraph 2 or a request for disclosure pursuant to Article 17, Paragraph 1, the Company may charge a fee for the implementation of said measures.
Article 22 (Personal Information Handling Manager and Personal Information Protection Manager)
The person in charge of handling personal information shall be the information manager of the relevant Department. In addition, a Personal Information Protection Manager shall be appointed to supervise the management of personal information held by the Company. The Personal Information Protection Manager shall be the Senior Manager of the CSR Promotion Headquarters.
Article 23 (Duties of the Personal Information Protection Manager)
The Personal Information Protection Administrator shall be responsible for maintaining internal regulations, promoting safety measures, and providing education and training to employees, etc., with respect to the protection of personal information, and shall ensure that all employees are fully aware of these regulations.
Article 24 (Education)
The Personal Information Protection Administrator shall formulate an education plan and endeavor to continuously and regularly provide education and training to employees and others in order to ensure that they understand the importance of protecting the rights of individuals with respect to personal information and to implement personal information protection.
Article 25 (Audit)
The President and Representative Director shall appoint an auditor to audit the status of personal information management.
2. If, based on the results of the audit by the Chief Audit Executive, the Representative Director deems that there are matters that need to be improved in the management of personal information, he/she shall give necessary instructions for improvement to the Personal Information Protection Manager and relevant personnel.
Amended as of Apr 1, 2022