Privacy Policy

Sompo Holdings, Inc.

Recognizing its social responsibility to handle personal information properly, Sompo Holdings, Inc. shall handle personal information in compliance with the Act on the Protection of Personal Information (“Personal Information Protection Act” hereinafter), the Act on the Use of Numbers to Identify a Specific Individual in Administrative Procedures (“Numbers Act” hereinafter), and other applicable laws and regulations. This Privacy Policy describes Sompo Holdings’ policies on the protection of personal information, under which we strive to protect such information. Sompo Holdings also shall train and guide its employees thoroughly to ensure that they handle personal information properly.
Sompo Holdings also shall review and strive to improve its management approaches to protection of personal information on a continual basis.

  • For our address and the name of our representative, please see the company profile below.

Handling of Personal Information

For the scope of the Privacy Policy, the Company shall handle personal information as outlined below.

Note: The Policy applies to the overall treatment of personal information and personal data handled by the Company, but does not cover among which are information related to individual numbers and specific personal information. “Handling of Specific Personal Information” below applies to the handling of individual numbers and specific personal information in the Company.

  1. Acquisition and Use of personal information
    Sompo Holdings shall acquire and use personal information within the scope required for its business operations, through fair and lawful means. We shall retain personal information thus acquired for the period required to accomplish its purposes of use or the period required or authorized under laws and regulations.

  2. Purposes of use of personal information
    Sompo Holdings shall use personal information, excluding the case as stipulated in the regulations, only to the extent necessary to accomplish the following (1) to (4), or the purposes stated in item 5 below.
    We shall define the purposes of use specifically as set forth below so that customers should understand them clearly, and strive to limit the purposes of use to the extent relevant to specific cases where personal information is obtained.
    If there are any changes in the purposes of use to the extent reasonably deemed relevant to the purpose of use before the change, we shall either notify individuals of the details of the changes or publish them on our website or in other publications.
    In the case the handling of personal information exceeds the extent necessary to accomplish the purposes, excluding the case as stipulated in Article 18, Paragraph 3 of the Act on the Protection of Personal Information, Sompo Holdings shall gain a consensus from an individual concerned.

  3. (1)Execution of business management operation of the Group Companies;

    (2)Exercise of rights, fulfillment of obligation, management and execution of various types of action plans in accordance with laws and regulations concerning to shareholders;

    (3) Response to contacts and opinions;

    (4)Others; auxiliary business related to the (1) to (3) above, and business operation that enables us to carry out transactions with customers as well as the Company’s business management in a smooth and appropriate manner.


  4. Providing of personal data to and collecting it from third parties

    (1)Except as provided for under laws and regulations, Sompo Holdings shall not provide personal data to third parties without the consent of the individual concerned.

    (2)Except as provided for under laws and regulations, when Sompo Holdings has provided personal data to a third party, it records matters related to such providing (e.g. when, and to whom, the personal data were provided, and the type of data provided), and when it has acquired personal data from a third party (including the case where personally referable information is acquired as personal data), it confirms and records matters related to such acquisition of data (e.g., when and from whom the personal data were acquired, the type of data acquired and how the third-party provider acquired the data).


  5. Provision of personally referable information to a Third Party

    (1)Except as otherwise provided by law, when a third party is expected to acquire personally referable information as personal data, the Company will not provide such information without first confirming that the third party has obtained consent from the person whose personally referable information is being acquired.

    (2)In case the Company, except as otherwise provided by law, provide personally referable information to a third party based on the confirmation in the preceding paragraph, it will confirm and record matters related to the provision of such information (such as when, to which party and what kind of personal referable information is provided, and how the third party obtains the consent of the person concerned).


  6. Joint use of personal data
    Sompo Holdings may use personal data jointly as outlined below with member companies of the Group and the specific partners.

  7. Handling of special care-required personal information
    Sompo Holdings shall obtain special care-required personal information such as race, creed, social status, medical history, criminal history, criminal victimhood status, physical or mental disabilities, a result of medical checkup, instruction/ treatment/ prescription by physician, not including the case as stipulated in the regulations, only after gaining a consensus from an individual concerned.
    And we shall not use the opt-out method to provide such special care-required personal information with a third party.
    The Company may obtain special care-required personal information without a consensus from an individual concerned in the following cases:
    • In the case the matter is abided by the regulations;
    • In the case it is necessary to protect human lives and bodies, or properties;
    • In the case there is a special need to improve the public hygiene;
    • In the case Sompo Holdings is required to cooperate with a national agency, a local public body, or a party under contract to carry out administrative work prescribed in the regulations for these organizations;
    • In the case the designated information has been publicly released by an individual concerned, a national agency, a local public body or media outlets;
    • In the case it is clearly visible when viewing the individual or an image of him or her;
    • In the case the Company is provided such information as a third-party, when an information provider gains a consensus on distribution from the person, in a request of handling personal data, or as a business succession due to M&A and a joint use of such data;
    • Cases where special care-required personal information is acquired from an academic research organization, etc., and it is necessary to obtain such special care-required personal information for academic research purposes (including cases in which part of the purpose of acquiring such special care-required personal information is for academic research purposes, and excluding cases in which the rights and interests of individuals may be unreasonably infringed) (limited to cases where the Company and the relevant academic research institution, etc. jointly conduct academic research)

    In addition to the above, the Company will never obtain, use (including a joint use), or provide “sensitive information” as stipulated in the Guidelines (Personal Information Protection Commission/Financial Services Agency Notification No. 1 of 2017) for the protection of personal information in the financial sector (hereinafter referred to as “Financial Guideline”) to a third-party, except for the case of exchange among group companies following the Financial Guideline, and the case permitted by the Guidelines

    Note:Sensitive Information refers to the following personal information (not including information disclosed by the individual concerned, a national agency, a local public body, academic research institutions etc. or a party as stipulated in any of the subparagraphs to Article 57, Paragraph 1, of the Personal Information Protection Act or in any of the paragraphs of Article 6 of the Enforcement Regulations thereof, or information clearly visible when viewing the individual or an image of him or her): special care-required personal information such as race, creed, social status, medical history, criminal history and criminal victimhood status as well as information related to labor union membership, family lineage, legal domicile, health or medical treatment and sex life (not including information that qualifies as special care-required personal information).


  8. Handling of Pseudonymously Processed Information

    (1)Creation of pseudonymously processed Information
    In the case the Company create pseudonymously processed information (individual information by processing personal information so that the individual cannot be identified unless the information is cross-checked with other information by taking measures prescribed by law), it will take the following actions.

    • Appropriate processing in accordance with the standards set forth in laws and regulations.
    • Take security control measures to prevent leakage of the deleted information or information regarding the method of processing, in accordance with the standards set forth in laws and regulations.
    • Not provide pseudonymously processed information to third parties, except in cases where required by law, or in cases of outsourcing, business succession, or joint use.
    • Not take any action to identify the person whose personal information is the source of creation
    • Not use the contact information contained in the pseudonymously processed information for the purpose of contacting the person in question, etc.

    (2)Purpose of Use of Pseudonymously Processed Information
    In the event that the Company establishes or changes the purpose of use of the Pseudonymously-Processed Information, it shall specify the purpose of use after the change as much as possible, clarify that it is related to such processed Information, and make a public announcement.


  9. Handling of anonymously processed information

    (1)Preparation of anonymously processed information
    Sompo Holdings employs the following handling procedures when preparing anonymously processed information (i.e., personal information on individuals that has been processed, through means stipulated in laws and regulations, so that it is not possible to identify the individuals concerned or to restore such personal information):

    • We process such information properly in accordance with standards stipulated in laws and regulations
    • We implement security measures to prevent leakage of information concerning the information that has been deleted and methods of processing used, in accordance with standards stipulated in laws and regulations
    • We disclose the items of information contained in such anonymously processed information
    • We do not act in ways that would identify the individuals concerned by the personal information on which such anonymously processed information is based

    (2)Providing of anonymously processed information
    When providing anonymously processed information to third parties, Sompo Holdings discloses the items of information concerning individuals contained in such anonymously processed information to be provided and the methods of provision, and it clearly informs the third party of the fact that the information to be provided has been anonymized.


  10. Requests for notification, disclosure, revision, suspension of use, etc. of retained personal data and disclosure of records of provision to third parties in accordance with the Personal Information Protection Law, etc.
    Sompo Holdings will respond appropriately to requests such as those for notification, disclosure, revision, and suspension of use of retained personal data and disclosure of records of provision to third parties in accordance with the Personal Information Protection Law, etc. Please direct such requests to the contact point identified below. After confirming that the requesting party is the individual concerned by the information, we will ask him or her to complete Sompo Holdings’ prescribed request form and then we will process the request. In principle, we will respond at a later date by the method requested by the person in question among the methods specified by the Company. Sompo Holdings’ designated fees will apply to requests for notification and disclosure of purposes of use.
    • For details on procedures for disclosure, revision, etc., please refer to "Procedure for Requesting Disclosure"

  11. Implementation of Security Control Measures
    Sompo Holdings shall implement appropriate security measures for purposes such as preventing leakage of, loss of, and damage to personal data as follows.
    (1) Formulation of the Basic Policy
    • Establish basic policy to ensure appropriate handling of personal data as an organization.
    (2) Maintenance of rules regarding the handling of personal data
    • Establish handling methods for acquisition, use, storage, provision, deletion/disposal, etc.
    (3) Security management measures as an organization
    • Assign a person responsible for handling personal data and clarify responsibilities.
    • Clarify who is handling personal data and what responsibilities are held by such personnel.
    • Clarify the scope of personal data handled by employees.
    • Establish a reporting system to the person in charge in case that a fact or a sign of violation of laws or internal regulations are detected.
    • Conduct a self-inspection for the status of handling of personal data and validation by the person in charge.
    • Maintain a method to check the status of handling of personal data.
    • Establish a framework to respond to incidents such as leakage.
    • Monitor handling status, review and improve the security management measures
    (4) Human security management measures
    • Provide regular training concerning the noted items and security management measures when handling personal data.
    • Stipulate items related to confidentiality regarding personal data into work rules.
    (5) Physical security management measures
    • Manage areas where personal data is handled.
    • Prevent theft, etc. of equipment and electronic media, etc.
    • Prevent leakage, etc., when carrying electronic media, etc.
    • Disposing equipment, electronic media, etc., on which personal data is recorded.
    (6) Technical security management measures
    • Control access to limit the scope of person in charge and personal information databases, etc. handled.
    • Identify and authenticate accessors.
    • Prevent unauthorized access from outside, etc.
    • Prevent leaks, etc. associated with the use of information system.
    (7) Supervision of employees
    • Monitor the handling of personal data by employees through periodic self-inspections and confirmation by supervisors and oversee employees to ensure that personal data is securely managed.
    (8) Supervision of contractors
    • Supervise contractors to ensure that they implement security management measures by establishing selection criteria for contractors and checking their information management structures.
    (9) Understanding of external environment
    • Implement security management measures based on an understanding of system in a country, where personal data is handled, for the protection of personal information.

  12. Management of personal data and subcontracting the handling of personal data
    To the extent necessary to achieve the purpose of use, the Company may outsource the handling of customers' personal data to other domestic or foreign businesses. In such cases, we will establish criteria for selecting the contractor, check their information management system in advance, and otherwise supervise them as necessary and appropriately.
    In the case of outsourcing to an entity located in a foreign country, the Company will do so only when it meets the requirements required by laws and regulations, and it will provide such information upon request from the person in question.
    For instance, we may subcontract the handling of personal data in the following cases:
    • Subcontracting an administrative work of shareholder registry;
    • Business assignment related to information system development and operation;
    • Process and analysis of personal data including statistical data, anonymizing the data as well as analysis on the anonymized data etc.

  13. Handling of personal information of non-residents of Japan
    Personal information of non-residents of Japan is handled in accordance with the applicable laws and regulations of each country concerned.
    When transferring personal information on residents of the European Economic Area (EEA) from inside the EEA to outside the EEA, the Sompo Group employs strict information controls and thorough security measures. In some cases, data are transferred from Sompo Holdings to third-party service providers, subcontractors, and partners in joint use of personal information, and then such data are stored on servers in Japan or in other countries outside the EEA. While such countries may be ones for which the European Commission has not determined that data security measures are adequate, the personal data that we provide are managed appropriately under sufficient security management measures.

  14. Contact point
    Sompo Holdings will respond swiftly and appropriately to any complaints or concerns regarding the handling of personal information. Please contact the contact point below with any inquiries regarding Sompo Holdings’ handling of personal information, anonymously processed information, pseudonymously processed information and the personal data that we hold.

    Contact point:
    Sompo Holdings, Inc.
    26-1, Nishi-Shinjuku 1-chome, Shinjuku-ku, Tokyo 160-8338, Japan
    E-mail: personal_information@sompo-hd.com
    URL  https://www.sompo-hd.com/en/

Handling of Specific Personal Information

Sompo Holdings handles individual numbers and specific personal information as described below.

  1. Proper acquisition of individual numbers and specific personal information
    Sompo Holdings shall acquire individual numbers and specific personal information through lawful and fair means. We shall never request the provision of individual numbers and specific personal information except as provided for in laws and regulations.

  2. Handling and scope of use of individual numbers and specific personal information
    Sompo Holdings shall handle the individual numbers and specific personal information that it has acquired only within the scope of use restricted by laws and regulations. The scope of use by Sompo Holdings is shown below. We shall never acquire, use, or provide to third parties individual numbers and specific personal information beyond this scope.
    (1)

    Individual numbers and specific personal information may be used in the following administrative tasks related to individual numbers as stipulated in laws and regulations:

    (i)Administration of preparation of payment records related to distribution of dividends and surplus, interest on funds, and exercise of stock options

    (ii)Administration of preparation of payment records for compensation, charges, etc., rent on real estate, and prices of purchases of real estate and other property

    (iii)Administration of preparation of tax withholding certificates for income of executives and employees (including their dependents), and administration of various notices and other documents related to employment insurance, workers’ compensation insurance, health insurance, employee pension plans and the National Pension System

    (iv)Other administration related to individual numbers as stipulated in laws and regulations

    (2)

    Pursuant to laws and regulations, we may use individual numbers and specific personal information for the following purposes:

    (i)To make monetary payments in cases such as devastating disasters

    (ii)When necessary to protect human life, health, or property and either the individual concerned has consented to such use or it would be difficult to obtain his or her consent

  3. Requests for notification, disclosure, revision, suspension of use, etc. of individual numbers and specific personal information
    Sompo Holdings will respond to requests such as those for notification, disclosure, revision, and suspension of use of individual numbers and specific personal information in the manner described under Part 9 of “Handling of Personal Information”.

  4. Security measures
    Sompo Holdings shall implement appropriate security measures for purposes such as preventing leakage of, loss of, and damage to individual numbers and specific personal information, such as establishment of rules on handling them and maintaining structures for implementation of security controls. When subcontracting administration related to individual numbers to an outside party, we will employ necessary and appropriate supervision, including checking on the subcontractor’s approach to information controls.

  5. Contact point for inquiries
    Sompo Holdings, Inc.
    26-1, Nishi-Shinjuku 1-chome, Shinjuku-ku, Tokyo 160-8338, Japan
    E-mail: personal_information@sompo-hd.com
    URL  https://www.sompo-hd.com/en/