Sompo Holdings, Inc.
Sompo Holdings also shall review and strive to improve its management approaches to protection of personal information on a continual basis.
- For our address and the name of our representative, please see the company profile below.
Sompo Holdings Inc. Corporate Profile
Handling of Personal Information
- Acquisition and Use of personal information
Sompo Holdings shall acquire and use personal information within the scope required for its business operations, through fair and lawful means. We shall retain personal information thus acquired for the period required to accomplish its purposes of use or the period required or authorized under laws and regulations.
- Purposes of use of personal information
Sompo Holdings shall use personal information, except in cases stipulated in the regulations, only to the extent necessary to accomplish the following (1) to (4), or the purposes stated in item 5 below.
We shall define the purposes of use specifically as set forth below so that customers should understand them clearly, and strive to limit the purposes of use to the extent relevant to specific cases where personal information is obtained.
If there are any changes in the purposes of use to the extent reasonably deemed relevant to the purpose of use before the change, we shall either notify individuals of the details of the changes or publish them on our website or in other publications.
Where the handling of personal information exceeds the extent necessary to accomplish the purposes, except in cases stipulated in Article 18, Paragraph 3 of the Act on the Protection of Personal Information, Sompo Holdings shall obtain the consent of the individual concerned.
- Providing of personal data to and collecting it from third parties
- Provision of personally referable information to a Third Party
- Joint use of personal data
Sompo Holdings may use personal data jointly as outlined below with member companies of the Group and the specific partners.
Please refer to this for more details.
- Handling of special care-required personal information
Sompo Holdings shall obtain special care-required personal information such as race, creed, social status, medical history, criminal history, criminal victimhood status, physical or mental disabilities, results of medical checkups, and instruction/treatment/prescription by a physician, except in cases stipulated in the regulations, only after obtaining the consent of the individual concerned.
We shall not use the opt-out method to provide such special care-required personal information to a third party.
The Company may obtain special care-required personal information without the consent of the individual concerned in the following cases:
- In the case it is in accordance with the regulations;
- In the case it is necessary to protect human lives and bodies, or properties;
- In the case there is a special need to improve the public hygiene;
- In the case Sompo Holdings is required to cooperate with a national agency, a local public body, or a party under contract to carry out administrative work prescribed in the regulations for these organizations;
- In the case the designated information has been publicly released by an individual concerned, a national agency, a local public body or media outlets;
- In the case it is clearly visible when viewing the individual or an image of him or her;
- In the case the Company is provided such information as a third party, where the information provider has obtained the person's consent to the provision, or in connection with entrustment of the handling of personal data, business succession due to M&A, or joint use of such data;
- Cases where special care-required personal information is acquired from an academic research organization, etc., and it is necessary to obtain such special care-required personal information for academic research purposes (including cases in which part of the purpose of acquiring such special care-required personal information is for academic research purposes, and excluding cases in which the rights and interests of individuals may be unreasonably infringed) (limited to cases where the Company and the relevant academic research institution, etc. jointly conduct academic research)
In addition to the above, the Company will never obtain, use (including joint use), or provide to a third party “sensitive information” as stipulated in the Guidelines (Personal Information Protection Commission/Financial Services Agency Notification No. 1 of 2017) for the protection of personal information in the financial sector (hereinafter referred to as “Financial Guideline”), except for the case of exchange among group companies following the Financial Guideline, and the case permitted by the Guidelines.
- Handling of Pseudonymously Processed Information
- Appropriate processing in accordance with the standards set forth in laws and regulations.
- Take security control measures to prevent leakage of the deleted information or information regarding the method of processing, in accordance with the standards set forth in laws and regulations.
- Not provide pseudonymously processed information to third parties, except in cases where required by law, or in cases of outsourcing, business succession, or joint use.
- Not take any action to identify the person whose personal information is the source of creation
- Not use the contact information contained in the pseudonymously processed information for the purpose of contacting the person in question, etc.
- Handling of anonymously processed information
- We process such information properly in accordance with standards stipulated in laws and regulations
- We implement security measures to prevent leakage of information concerning the information that has been deleted and methods of processing used, in accordance with standards stipulated in laws and regulations
- We disclose the items of information contained in such anonymously processed information
- We do not act in ways that would identify the individuals concerned by the personal information on which such anonymously processed information is based
- Requests for notification, disclosure, revision, suspension of use, etc. of retained personal data and disclosure of records of provision to third parties in accordance with the Personal Information Protection Law, etc.
Sompo Holdings will respond appropriately to requests such as those for notification, disclosure, revision, and suspension of use of retained personal data and disclosure of records of provision to third parties in accordance with the Personal Information Protection Law, etc. Please direct such requests to the contact point identified below. After confirming that the requesting party is the individual concerned by the information, we will ask him or her to complete Sompo Holdings’ prescribed request form and then we will process the request. In principle, we will respond at a later date by the method requested by the person in question among the methods specified by the Company. Sompo Holdings’ designated fees will apply to requests for notification and disclosure of purposes of use.
- For details on procedures for disclosure, revision, etc., please refer to "Procedure for Requesting Disclosure"
Procedure for Requesting Disclosure
- Implementation of Security Control Measures
Sompo Holdings shall implement appropriate security measures for purposes such as preventing leakage of, loss of, and damage to personal data as follows.
(1) Formulation of the Basic Policy
- Establish a basic policy to ensure appropriate handling of personal data as an organization.
(2) Maintenance of rules regarding the handling of personal data
- Establish handling methods for acquisition, use, storage, provision, deletion/disposal, etc.
(3) Security management measures as an organization
- Assign a person responsible for handling personal data and clarify responsibilities.
- Clarify who is handling personal data and what responsibilities are held by such personnel.
- Clarify the scope of personal data handled by employees.
- Establish a system for reporting to the person in charge when a violation, or a sign of a violation, of laws or internal regulations is detected.
- Conduct self-inspections of the status of handling of personal data, with validation by the person in charge.
- Maintain a method to check the status of handling of personal data.
- Establish a framework to respond to incidents such as leakage.
- Monitor handling status, and review and improve the security management measures.
(4) Human security management measures
- Provide regular training concerning the noted items and security management measures when handling personal data.
- Stipulate items related to confidentiality regarding personal data in work rules.
(5) Physical security management measures
- Manage areas where personal data is handled.
- Prevent theft, etc. of equipment and electronic media, etc.
- Prevent leakage, etc., when carrying electronic media, etc.
- Dispose of equipment, electronic media, etc., on which personal data is recorded.
(6) Technical security management measures
- Control access to limit the persons in charge and the scope of personal information databases, etc. handled.
- Identify and authenticate accessors.
- Prevent unauthorized access from outside, etc.
- Prevent leaks, etc. associated with the use of information systems.
(7) Supervision of employees
- Monitor the handling of personal data by employees through periodic self-inspections and confirmation by supervisors and oversee employees to ensure that personal data is securely managed.
(8) Supervision of contractors
- Supervise contractors to ensure that they implement security management measures by establishing selection criteria for contractors and checking their information management structures.
(9) Understanding of external environment
- Implement security management measures based on an understanding of the system for the protection of personal information in the country where personal data is handled.
- Management of personal data and subcontracting the handling of personal data
To the extent necessary to achieve the purpose of use, the Company may outsource the handling of customers' personal data to other domestic or foreign businesses. In such cases, we will establish criteria for selecting the contractor, check their information management system in advance, and otherwise supervise them as necessary and appropriately.
In the case of outsourcing to an entity located in a foreign country, the Company will do so only when it meets the requirements of laws and regulations, and it will provide such information upon request from the person in question.
For instance, we may subcontract the handling of personal data in the following cases:
- Subcontracting an administrative work of shareholder registry;
- Business assignment related to information system development and operation;
- Processing and analysis of personal data including statistical data, anonymizing the data, and analysis of the anonymized data, etc.
- Handling of personal information of non-residents of Japan
Personal information of non-residents of Japan is handled in accordance with the applicable laws and regulations of each country concerned.
When transferring personal information on residents of the European Economic Area (EEA) from inside the EEA to outside the EEA, the Sompo Group employs strict information controls and thorough security measures. In some cases, data are transferred from Sompo Holdings to third-party service providers, subcontractors, and partners in joint use of personal information, and then such data are stored on servers in Japan or in other countries outside the EEA. While such countries may be ones for which the European Commission has not determined that data security measures are adequate, the personal data that we provide are managed appropriately under sufficient security management measures.
- Contact point
Sompo Holdings will respond swiftly and appropriately to any complaints or concerns regarding the handling of personal information. Please contact the contact point below with any inquiries regarding Sompo Holdings’ handling of personal information, anonymously processed information, pseudonymously processed information and the personal data that we hold.
Sompo Holdings, Inc.
26-1, Nishi-Shinjuku 1-chome, Shinjuku-ku, Tokyo 160-8338, Japan
Handling of Specific Personal Information
Sompo Holdings handles individual numbers and specific personal information as described below.
- Proper acquisition of individual numbers and specific personal information
Sompo Holdings shall acquire individual numbers and specific personal information through lawful and fair means. We shall never request the provision of individual numbers and specific personal information except as provided for in laws and regulations.
- Handling and scope of use of individual numbers and specific personal information
Sompo Holdings shall handle the individual numbers and specific personal information that it has acquired only within the scope of use restricted by laws and regulations. The scope of use by Sompo Holdings is shown below. We shall never acquire, use, or provide to third parties individual numbers and specific personal information beyond this scope.
- Requests for notification, disclosure, revision, suspension of use, etc. of individual numbers and specific personal information
Sompo Holdings will respond to requests such as those for notification, disclosure, revision, and suspension of use of individual numbers and specific personal information in the manner described under Part 9 of “Handling of Personal Information”.
- Security measures
Sompo Holdings shall implement appropriate security measures for purposes such as preventing leakage of, loss of, and damage to individual numbers and specific personal information, such as establishment of rules on handling them and maintaining structures for implementation of security controls. When subcontracting administration related to individual numbers to an outside party, we will employ necessary and appropriate supervision, including checking on the subcontractor’s approach to information controls.
- Contact point for inquiries
Sompo Holdings, Inc.
26-1, Nishi-Shinjuku 1-chome, Shinjuku-ku, Tokyo 160-8338, Japan