Overview of security control actions

1. Establishment of a basic policy

To ensure the proper handling of personal information, we have established a basic policy for compliance with relevant laws, regulations, and guidelines, matters related to security control measures,’ and contact information for inquiries and complaints.

2. Development of disciplines regarding the handling of personal data

We have established internal rules for the handling of personal information at each stage of use, including the acquisition, use, storage, provision, deletion and disposal of personal information, and take measures in accordance with these rules.

3. Institutional security control actions

1. We have (i) appointed a person responsible for the handling of personal information; (ii) designated employees in charge of handing personal information and the extent of the personal information to be handled by such employees; and (iii) established a system of reporting to the person responsible for the handling of personal information in the event of a violation of the Act on the Protection of Personal Information or company regulations (including the occurrence of a personal information leakage) or any indication of such violation.
2. The usage of databases containing personal information is recorded and managed by using system logs to ensure that personal information is handled in accordance with applicable regulations.
   

4. Human security control actions 

1. We regularly train employees regarding the handling of personal information and strive to ensure that employees handle personal information in accordance with relevant laws and internal regulations.
2. Matters concerning the confidentiality of personal information are stipulated in our Working Regulations and other internal rules.
   

5. Physical security control actions 

1. We manage the entry and exit of employees to and from the areas where personal information is handled. In addition, we take actions to prevent unauthorised persons from viewing personal information, such as locking and managing the areas where personal information is stored.
2. We take actions to prevent the loss or theft of equipment, electronic media, and documents that contain personal information, and take measures to prevent personal information from being easily identified when transporting such equipment and electronic media and documents, including transportation within our premises.
3. We have adopted methods to be used when disposing of documents, equipment or electronic media containing personal information to ensure that deleted personal information cannot be restored.

6. Technological security control actions

1. To limit the number of employees who access personal information and the extent of the personal information databases they handle, we properly manage access rights and certify employees who have such rights.
2. We have introduced and implemented a mechanism to protect information systems that handle personal information from unauthorised access from outside sources or unauthorised software.
   
3. To prevent the leakage of personal information via the use of information systems, we regularly check and review the security of such systems.
   

7. Understanding the external environment

When handling personal information outside of Japan, we take the necessary and appropriate measures for security management based on an understanding of the applicable laws and regulations related to personal information protection in the country or countries in question.

8. Supervision of contractors

When contracting the handling of personal information to third parties, we select contractors that meet our standards and execute the necessary agreements.

In addition, we ensure that we are able to understand the handling status of personal information by the contractor by imposing reporting obligations in the agreement.