Official Regulations on the Protection of Personal Information
Article 1. Purpose
These Regulations aim to protect personal information.
Article 2. Definition of Terms
The following terms shall be defined as prescribed in the respective items below.
(1) “Personal Information”, “Special Care-Required Personal Information”, “Personal data”, “Principal” and “Employees” shall be defined as prescribed in the Act on the Protection of Personal Information (Act No. 17 of 2003, hereinafter referred to as the “Act”).
(2) “EU” shall mean member states of European Union and European Union according to the Agreement on the European Economic Area including Iceland, the Principality of Liechtenstein and Norway.
(3) “GDPR” shall mean “Regulation of the European Parliament and of the Council” on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
(4) “Adequate Security Level Decision” shall mean a decision of the European Commission that a country or region has an adequate level of security to protect Personal Data.
Article 3. Policy on the Protection of Personal Information
Our company has established the following Policy on the Protection of Personal Information. Our Employees and Officers will properly handle Personal Information according to this Policy.
- (1) Specification of Purpose of Utilization
- When our company acquires Personal Information, our company will specify the purpose of utilization and publicly announce or personally notify the Principal. In case of changing the purpose of utilization, our company will do so within the scope substantially relevant to the previous purpose of utilization unless required by laws and regulations, etc.
- With regard to personal data transferred from within the EU, our company will confirm the circumstances under which it was acquired, including the purpose of use. The scope of this purpose of use is to be specified initially or at the time of receiving such recorded Personal Data and the data must be utilized only within that scope.
- (2) Proper Acquisition
- When our company acquires Personal Information, it will specify its purpose and use and only acquire it by appropriate means.
- When our company receives Personal Data from within the EU according to the Adequate Security Level Decision, our company will confirm and record the process of acquisition, including the purpose of utilization specified in receiving such Personal Data from within the EU according to Article 26 (1) and (3) of the Act.
- (3) Utilization of Personal Information
- Our company will take measures to handle Personal Information within the scope of the purpose of utilization and will not utilize Personal Information beyond that scope. When our company needs to utilize Personal Information beyond the purpose of utilization, our company will do so after notifying the Principal and obtaining the Principal’s consent in advance.
- (4) Trust
- When our company entrusts a third party with the handling of Personal Information, our company will choose a third party with an adequate level of protection of Personal Information, set necessary measures to protect Personal Information by contract, and strictly control the third party.
- (5) Provisions for transferring Personal Information to Third Parties
- Our company will not provide Personal Information to third parties except in cases where a Principal’s consent is obtained or it is required by laws and regulations.
- Notwithstanding the preceding paragraph, when our company provides Personal Information received from within the EU according to the Adequate Security Level Decision to a third party in a foreign country, our company will obtain the Principal’s consent in advance, after providing information of the third party necessary to make a decision about consent, except in one of the following cases:
  - when the third party is in a country which the Enforcement Rules for the Act on the Protection of Personal Information (Rules of the Personal Information Protection Commission No. 3 of October 5, 2016) set forth as maintaining a level of systems to protect Personal Information equal to that of Japan regarding the protection of individual rights and interests;
  - when a business operator who handles Personal Information takes proper and reasonable measures to meet the meaning of Section 1 of Chapter 4 of the Act;
  - when (7) 1), 2), 3) or 4) of this Article are applicable.
- (6) When our company provides Personal Information to a third party with the consent of the Principal, our company will record the following matters and store them for a certain period:
  - year, month and date when our company provided the Personal Information;
  - matters sufficient to specify the third party such as name, etc. (if our company provides Personal Information to an unspecified large number of people, such matters shall include that fact);
  - matters sufficient to specify the Principal such as name, etc.
- (7) Special Care-Required Personal Information
- Our company will not acquire Special Care-Required Personal Information without prior consent of the Principal except in one of the following cases:
  - when required by laws and regulations;
  - when necessary to protect a human life, body or property, and yet it is difficult to obtain the Principal’s consent;
  - when necessary to enhance public hygiene or promote healthy fostering of children, and yet it is difficult to obtain the Principal’s consent;
  - when there is a need to cooperate in regard to a central government organization or a local government, or a person entrusted by them performing affairs prescribed by laws and regulations, and when there is a possibility that obtaining the Principal’s consent would interfere with the performance of said affairs;
  - when said Special Care-Required Personal Information is opened to the public by the Principal, a government organization, a local government, a person set forth in any item of Article 76, paragraph (1) or other persons prescribed by rules of the Personal Information Protection Commission;
  - when said Special Care-Required Personal Information is obtained by witnessing or photographing such information;
  - when our company acquires said Special Care-Required Personal Information which falls within Personal Data according to any item of Article 23(5) of the Act; provided however, if Personal Data which our company acquires from within the EU according to the Adequate Security Level Decision contains information of sexual life, sexual orientation or labor union which is defined as “special categories of personal data” in GDPR, our company will handle such information as Special Care-Required Personal Information.
- (8) Compliance
- Our company will specify the applicable laws and regulations and other rules, establish the procedure to be referred to by Employees, comply with those laws and regulations and other rules, and make efforts to manage them properly.
- (9) Proper Management
- Our company will take necessary and proper measures and make efforts for security control to prevent the leakage, loss or damage of the Personal Data it handles. Also, our company will analyze risks, etc. and recognize the importance of all Personal Information and implement security control and corrective measures corresponding to it.
- (10) Continuous Improvement
- Our company will review our Personal Information protection management system and strive for continuous improvement in the business of our company, social environment, laws and regulations, and information technology, etc. surrounding our company.
- (11) Manager of Personal Information Protection
- Our company will appoint a Manager of Personal Information Protection and order the manager to take necessary measures for the proper management of Personal Information in our company. Our company will designate a manager of Personal Information Protection as a section manager of General Affairs who is in charge of implementing proper management, educating Employees, regularly evaluating necessary measures for proper management, and reviewing or improving management, etc.
- (12) Inquiry for Personal Information
- Our company will establish a contact point to receive complaints, inquiries or requests for disclosure, correction, deletion, suspension of use, etc.
Article 4. Management of Physical Security
Management of physical security will be set forth in compliance with security management rules.
Article 5. Handling of Facial Information
Using our AsReaderOne application, we will collect human facial images and facial feature data for comparison. The acquired facial feature data will be compared with the actual human faces and used for facial identification and authentication. The comparison results will be used only for the services we provide.
For example, we provide a service that unlocks doors using the user’s face. Instead of registering facial information for each service, each user manages his/her own facial information using the “AsReaderOne” application.
Recognizing that the facial information used for identification and authentication is important personal information, we have established a system that prevents even our system personnel from viewing such information. In addition, no one other than the user himself/herself can share his/her personal information with others.
The facial information obtained is stored on a cloud server and is retained until the user deletes the data or the account himself/herself.
If the user does not use the app for 10 years, the app will automatically delete the user’s facial information.