Handling of Customers' Personal Information (Public matters based on the "Act on the Protection of Personal Information")

※Note: The contents of this page are intended only for the readers in Japan. The original Japanese page prevails as the official page. This English translation is provided solely for the convenience of reference.

Updated on June 15, 2023

NTT DATA INTELLILINK Corporation hereby publicly discloses (Note 1) the following matters in accordance with the "Guidelines Regarding the Protection of Personal Information in the Telecommunications Business" established by the Japan Data Communications Association (JADAC), the "Act on the Protection of Personal Information" (hereinafter referred to as the "Act"), "Guidelines stipulated by the competent ministries and agencies" and "Personal Information Protection Management Systems -- Requirements (JIS Q 15001)."

(Note 1) Includes matters that are required to be "in a state where a principal can easily know to that effect" and "in a state where a principal can know (including cases in which the company, at the request of a principal, responds without delay)".

Business operator handling personal information: NTT DATA INTELLILINK CORPORATION
Pacific Marks Tsukishima, 1-15-7, Tsukishima Chuo-ku, Tokyo 104-0052
Representative: Toshi Fujiwara, President and CEO
Personal Information Protection Manager: Masateru Yamaoka, Director and Executive Officer

1.Matters relating to Public Disclosure of the Purpose of Use of Personal Information

1) Purpose of use in the case where personal information is obtained directly other than in the form of a written document or in the case where personal information is obtained indirectly (Article 21, Paragraph 1 of the Act) and the purposes of use of customers' personal information held by the Company (Article 32, Paragraph 1 of the Act)

Types of Personal Information
Purpose of Use

(1) Personal information acquired in connection with contracts for the purchase or use of our products and services

To fulfill our contractual rights and obligations and to inform our customers about our products, services and events

(2) Personal information acquired when the Company procures goods and services from outside the Company

To fulfill our contractual rights and obligations

(3) Personal information of participants and visitors at events and shows hosted or held by the Company

To provide information regarding various services and related events

(4) Personal information of those who enter the Company's employment selection process and those who wish to receive recruitment related information

For the process of employment screening

(5) Personal information obtained from publications, websites, etc. that are generally available on the market or publicly available

To provide information regarding various products, services and events

(6) Personal information of visitors visiting the Company

To ensure the security of the Company

(7) Personal information of persons contacting us

To confirm and respond to inquiries

(8) Personal information obtained with the consent of the purpose for which it is to be used as specified by the Company

To fulfill the specified purpose of use

In the case of directly receiving personal information from customers in writing, we shall clearly specify the purpose of use each time.
However, this shall not be applicable in the following cases:

if notifying the principal of or publicly announcing the purpose of use would harm the life, body, property, or other rights and interests of the principal or a third party;
if notifying the principal of or publicly announcing the purpose of use would harm the rights and legitimate interests of the Company;
in the case where it is necessary to cooperate with a governmental body or a local public body in the execution of its legally prescribed duties, and notifying the principal of or publicly announcing the purpose of use would interfere with the performance of such duties; or
if the purpose of use is found to be clear in light of the circumstances of acquisition.

2) Purpose of use of entrusted "personal information" (Article 21, Paragraph 1 of the Act, Article 27, Paragraph 5, Item 1 of the Act)

Types of Personal Information
Purpose of Use

(1) Personal information entrusted to the Company in relation to undertaking the entrustment of business

To carry out the entrusted operations

2.Provision of Personal Information to Third Parties (Article 27, Paragraphs 1, 2 and 3 of the Act)

Personal information collected by the company shall be managed appropriately and shall not be provided to third parties without prior consent of the customers. However, this shall not be applicable in the following cases:

if it is required by laws and regulations;
in the case where the provision of information is needed for the protection of the life, body, or property of the principal and it is difficult to obtain the consent of the principal;
in the case where the provision of information is needed to improve public hygiene or promote fostering healthy children, and it is difficult to obtain the consent of the principal;
in the case where it is necessary to cooperate with a governmental body or a local public body, or a person or entity entrusted by them to execute affairs prescribed by laws and regulations, and obtaining the consent of the principal is likely to interfere with the performance of such affairs

In addition, in the cases set forth in Paragraph 5 of Article 27 of the Act, a person receiving personal data shall not fall under the category of third parties in regard to obtaining consent from the principal in advance for the provision of personal information.

3.Sharing of Personal Information (Article 27, Paragraph 5 of the Act)

We may share personal information obtained from its customers as necessary. The items and scope of sharing shall be as follows:

(1) Items of personal information to be shared

The minimum amount of personal information necessary to carry out the purpose of use

(2) Scope of sharing

A corporation or other organization, etc., with whom an appropriate contract has been entered into. The name of the specific entity using the shared information shall be notified or announced to the principal for each service.

(3) Purpose of use of shared information

The information shall be used for the purpose of use specified for each service.

(4) The name and address of the person responsible for the management of the shared personal information, and in the case of a corporation, the name of its representative

The name and address of the person responsible for each service, and in the case of a corporation, the name of its representative, shall be notified to the principal or published.

(5) Method of acquisition

Obtained through web forms, contracts, e-mail, fax, postcards, questionnaires, orally (e.g., by telephone), or in other written form, etc.

In the event of sharing of personal information, we shall notify the principal by obtaining consent for each individual service in advance or by other means, such as creating a state where a principal can easily know that the information will be shared.

4.Matters concerning Security Control of Personal Information (Article 32, Paragraph 1 of the Act)

The Company appropriately implements the following safety control measures to handle the personal information of its customers appropriately and to prevent loss, damage, breach and unauthorized access, etc.

(1) Formulation of basic policy

We have established a "Privacy Policy" to ensure appropriate handling of personal information.

(2) Rules for handling personal information

Based on the Privacy Policy mentioned in item (1) above, we have established a personal information protection management system to appropriately handle the acquisition, use, provision and management of personal information, and have established rules and related documents to implement the establishment of management system, identification of handled personal information, risk analysis, implementation of measures, development of operational procedures, confirmation and improvement of operational status, etc..

(3) Implementation of organizational security control measures

Based on the regulations and related documents established in item (2), we have undertaken the following actions:

Establishment of a system for the management of personal information
Maintenance of operational procedures for handling personal information
Establishment of systems and procedures to respond to incidents of information breach, etc.
Development of procedures to check the status of handling of personal information
Implementation of appropriate handling of personal information in accordance with various procedures
Review of the status of handling personal information, and improvement of operational procedures and security control measures based on the results of the review

(4) Implementation of personnel safety management measures

Based on the regulations and related documents established in item (2), we have undertaken the following actions:

Necessary and appropriate supervision of employees to ensure that they handle personal information appropriately
Giving strict instructions to the employees who handle personal information to maintain the confidentiality of personal information
Regularly educating employees on the proper handling of personal information and the implementation of the personal information management system.

(5) Implementation of physical security control measures

Based on the regulations and related documents established in item (2), we have undertaken the following actions:

Access control in areas where personal information is managed and handled
Locking of equipment, electronic media, and documents that handle personal information in server racks and storage facilities
Implementation of data encryption or use of traceable transportation services when transporting electronic media or documents containing personal information
Disposal of equipment and electronic media used for recording personal information in a manner that makes the personal information unrecoverable

(6) Implementation of technical security control measures

Based on the regulations and related documents established in item (2), we have undertaken the following actions:

Restricting the access to personal information or use of information systems that handle personal information to a minimum number of authorized employees, and performing identification and authentication
Blocking external unauthorized access
Detection and quarantine of malware in information systems
Fixing vulnerabilities in information systems and equipment when they are discovered
Encryption of communications containing personal information

(7) Understanding the external environment

When handling personal information in a foreign country, we shall understand the laws and regulations concerning protection of personal information in that country and implement appropriate security control measures in accordance with those laws and regulations.

5."Request for Disclosure, etc." of Personal Information

With regard to personal information in our possession (described in (2.-1 )) that conforms to "retained personal data" (Note), the principal or their representative (legal representative or an agent) may contact us regarding disclosure "request for notification of purpose of use, disclosure, correction, cessation of use or deletion of personal information, record of provision to a third party, or cessation of provision to a third party" (hereinafter collectively referred to as "Request for Disclosure, etc."), with the exception of personal information of our employees*, and we will respond in accordance with the procedure stated below.

The procedures for the disclosure of personal information concerning our Company's employees (including directors, auditors, advisors, counselors, employees (including employees seconded to the company), temporary employees, contract employees, temporary agency employees, and contract employees, including those who seek to become employees, those who have sought to become employees, and those who have been employees in the past) have been stated separately. Please contact the Personal Information Complaints Desk for further information.

(Note) "Retained Personal Data"
Personal data for which we have the authority to respond to all requests for disclosure, correction, addition, or deletion of content, cessation of use or erasure, and cessation of provision to third parties, as requested by the principal. However, the data will not be treated as "retained personal data" if any of the following items apply:

if there is a possibility of harm to the life, body or property of the principal or a third party if the existence or nonexistence of such personal data becomes known;
if there is a possibility that revealing the existence or nonexistence of such personal data is likely to encourage or induce illegal or unjust acts;
if there is a possibility that revealing the existence or nonexistence of such personal data is likely to cause harm to national security, damage the relationship of trust with other countries or international organizations, or cause disadvantages in negotiations with other countries or international organizations.
Revealing existence of such personal data is likely to hinder the prevention, suppression, or investigation of crimes or the maintenance of other public safety and order.

(1) How to apply for "Request for Disclosure, etc."

When making a "Request for Disclosure, etc.," please enclose

"Application form (fill in all the specified items in the form designated by the Company)" as specified in (3)
"Documents to verify the identity of the applicant and his/her representative" as specified in - (3)

and send it by mail to the address for "Request for Disclosure, etc." specified in (2) above.
Please understand that we will not accept any application that does not follow the method described in this section, such as application by telephone, e-mail, or application made in person.
Please note that any documents submitted (by mail) when making a "Request for Disclosure, etc." will not be returned.

(2) Contact for sending application of "Request for Disclosure, etc."

Please send the application of "Request for Disclosure, etc." to the reception desk of the service, etc. to which you have directly provided your personal information. If you have any questions about the reception desk above, please send application at the following address.

　Pacific Marks Tsukishima, 1-15-7, Tsukishima Chuo-ku, Tokyo 104-0052
　General Manager, Corporate Planning Department, NTT DATA INTELLILINK Corporation

(3) Documents to be submitted when making a "Request for Disclosure, etc."

a. If the application is made by individual

i. Application form (Our designated form: You can download it from below)

Personal Information Protection Related Application Form (for the individual)(PDF: 224KB)

ii. Identification documents

A copy of official identification document (driver's license or passport (with expiration date))

(Note) If any of the above documents include information on "legal domicile," please submit the documents after masking (filling out) the relevant part.
If you cannot provide the above documents, please consult with the contact to whom you wish to make a request for disclosure, etc.
Please note that even if you have submitted the above documents, we may not be able to respond to your request if we cannot confirm your identity.

a. If the application is made by representative

If the request for disclosure, etc. is made by a legal representative of a minor or an adult guardian, or by a representative authorized by the individual, please submit the following documents.

i. Application form (Our designated form: You can download it from below)

ii. Documents to verify the identity of the individual or representative

Verification of the applicant (individual): A copy of applicant's (individual) official identification document (driver's license or passport (with expiration date))
Document which proves that the representative is the legal representative of the individual (*)
If application is made by a representative with a power of attorney:
- Original seal registration certificate of individual applicant (within the last 3 months): 1 copy
- Official identification of the representative (a copy of either a valid "driver's license" or "passport")
(*) For persons other than guardian: Original family register (within 3 months)
For guardian: Copy of insurance card, etc. with dependents listed (valid)

(Note) If any of the above documents include information on "legal domicile," please submit the documents after masking (filling out) the relevant part. When submitting the abstract of family register of individual as described in 2., please submit the abstract keeping the following necessary items and masking out rest of the information.
[Required Information] Name of the first person in the family register, first name of the applicant, date of birth, names of father and mother (adoptive father, adoptive mother, etc.), and relationship with the applicant
Regarding 3., please copy the side of the insurance card that lists the insured person's symbol/number after masking the symbol/number.
If you cannot provide the above documents, please consult with the contact to whom you wish to make a request for disclosure, etc.
Please note that even if you have submitted the above documents, we may not be able to respond to your request if we cannot confirm your identity or confirm that your representative is a legal representative.

(4) Fees and payment method (only in the case of "Application for disclosure of personal information/application for notification of purpose of use")

Among fees and method of payment for various applications, you need to pay the fees for "Application for Disclosure of Personal Information/Application for Notification of Purpose of Use" of each application.

Fees: JPY 1,000 per application (including consumption tax and transfer fee)
Payment method: Please transfer JPY 1,000 minus bank transfer fee to the following account.
NTT DATA INTELLILINK Corporation Mizuho Bank, Head Office, Ordinary 2556890

(Note 2) If the fees are not paid or less amount is paid, we will, in principle, notify the applicant at the address stated in the application form to that effect. Please note that if payment is not made within 30 days from the notification, the application for disclosure will be deemed withdrawn as of the day after that date.

(5) Response method

You may specify the following method for disclosure of retained personal data.

By delivery of written documents (by "personal delivery mail" to the applicant's address stated in the application form)
By electronic data (electromagnetic record)

However, if it is difficult to disclose the information by the method specified by the applicant, we will respond by the method specified by the Company ("personal identification mail" to the applicant's address stated in the application form).

(6) Personal information obtained by the Company in connection with the request for disclosure, etc.

Personal information obtained by the Company upon a request for disclosure, etc. shall be handled only for the purpose of responding to the request for disclosure, etc. The documents and other data submitted shall be retained for three years after the completion of the procedure, after which the documents will be discarded.

6.Matters concerning the "complaints" reception desk (related to Article 32, Paragraph 1, Item 4 of the Law, Article 8 of the Enforcement Order, and Article 40 of the Law)

(1) Contact for complaints regarding the handling of personal information

For complaints regarding the handling of personal information, please contact the complaint desk of the service to which you have directly provided your personal information. If you have any questions about the reception desk above, please send application at the following address.

　Pacific Marks Tsukishima, 1-15-7, Tsukishima Chuo-ku, Tokyo 104-0052
　General Manager, Corporate Planning Department, NTT DATA INTELLILINK Corporation

　General Manager, Corporate Planning Department, NTT DATA INTELLILINK Corporation
　

(Note) Please note that we cannot accept requests made in person at our office.

(2) Name of the "authorized personal information protection organization" to which the Company belongs and the contact for filing complaints

Name of authorized personal information protection organization
Japan Institute for Promotion of Digital Economy and Community (JIPDEC)
Contact for resolution of complaints
Personal Information Protection Complaints Office

Roppongi First Building, 1-9-9 Roppongi, Minato-ku, Tokyo 106-0032

03-5860-7565
0120-700-779

(Note) This is not a contact for inquiries regarding our products or services.