Privacy Policy(Customer Protection)

CITY EXPRESS MONEY TRANSFER JAPAN CO., LTD.

Internal Regulations for User Information Management

(Regulations for Handling Personal Information)

 

Chapter 1        General Provisions

(Purpose)

Article 1

          The purpose of these Regulations is to ensure the appropriateness of information management and protect the rights and interests of users by stipulating matters necessary for management of information about the users of the Company’s money transfer service.

 

(Definitions)

Article 2

          The following terms used in these Regulations shall have the following meanings defined in each item below.

  1. “User Information” shall mean information about the users of the Company’s money transfer service, including not only information about the facts such as name, gender, date of birth, address, age, occupation, but also information representing judgment and evaluation on attributes such as body, property and occupation as well as transaction history of our money transfer service and balance account information of an individual person.
  2. “Personal Information” shall mean information about existing individual persons out of User Information that can identify a certain individual by name, date of birth or other description, etc., contained in such information (including information that can easily be checked with other information and identify a certain individual by such information).
  3. “Principal” shall mean a certain individual who can be identified by Personal Information.
  4. Unless otherwise specified, any terms other than the terms listed above shall follow the definitions provided by the Act on the Protection of Personal Information and its enforcement order(s).

 

Chapter 2        Management System of User Information

 

(Department Responsible for User Information Management, etc.)

Article 3

  1. The department responsible for User Information management shall be the Customer Service Department. The general manager of the Customer Service Department shall be the overall controller of User Information management (hereinafter called the “Information Overall Controller”). Monitoring the Customer Service Department shall be taken on by the Business Integration Headquarters as the internal management department.
  2. The controller of audit on the management of User Information (hereinafter called “Audit Controller”) shall be the Internal Audit Department.

 

(Duties of Department Responsible for User Information Management)

Article 4

          The department responsible for User Information control and the Information Overall Controller shall fulfill their respective duties in accordance with the purpose and provisions of these Regulations.

 

Chapter 3        Management of User Information

Paragraph 1    Acquisition and Input of User Information

 

(Acquisition of User Information)

Article 5

          User Information shall be acquired in an appropriate and fair manner to the extent required for accomplishing the intended use of the information by limiting such intended use as practical as possible.

 

(Notification and Publication of Intended Use in Acquiring Personal Information, etc.)

Article 6

  1. If Personal Information out of User Information is acquired, its intended use shall be immediately notified to the Principal or published, except the case where such intended use is published in advance.
  2. Notwithstanding the above provision, if Personal Information contained in a contract or any other document is acquired in connection with execution of such a contract with the Principal, its intended use shall be clearly notified to the Principal in advance.
  3. If the intended use is changed, such changed intended use shall be notified to the Principal or published.
  4. The provisions set forth in the above three clauses shall not apply to any of the following cases:
  1. if the notification to the Principal or publication of the intended use may do harm to the life, body, property or any other rights and interests of the Principal or any third party;
  2. if the notification to the Principal or publication of the intended use may do harm to the rights or fair profits of the Company;
  3. in the case where it is required to assist any government agency or local government in performing its clerical work required by law, if the notification to the Principal or publication of the intended use may interfere with the performance of such clerical work;
  4. if the intended use is evident in view of the acquiring situation.

 

(Input)

Article 7

          If User Information is input, careful attention shall be paid to prevent incorrect input, etc., and ensure the exactness of information.

 

(Person in Charge of Acquisition and Input of User Information, etc.)

Article 8

  1. The Information Overall Controller shall appoint a person in charge of acquisition and input of User Information depending on business needs, and any persons other than the person in charge shall not acquire or input User Information.
  2. The Information Overall Controller shall set a limit on information to be acquired and input depending on business needs, and the person in charge of acquisition and input of User Information shall not acquire or input any information other than such information.
  3. If the person in charge of acquisition and input of User Information performs any work other than the work specified by the Information Overall Controller, the person in charge shall notify the Information Overall Controller of such work in advance for approval.

 

(Confirmation Procedures of Information Related to Acquisition and Input)

Article 9

  1. The Information Overall Controller shall formulate procedures to check and confirm the number and content, etc., of User Information acquired and input, and shall cause the person in charge to implement the procedures.
  2. The Information Overall Controller shall review the records checked and confirmed in accordance with the above procedures, and shall store such records in a specified place for a specified period of time, as necessary.
  3. The Information Overall Controller shall check such records as stored in accordance with the above clause regularly.

 

(Storage of Information Related to Acquisition and Input, etc.)

Article 10

  1. The Information Overall Controller shall specify the place and method for storing the information related to acquisition and input, and shall cause the person in charge of acquisition and input to comply with such stipulations.
  2. Limitation on access to the information stored in accordance with Clause 2 of the previous article and the above clause shall be imposed on any persons other than the Information Overall Controller and the person in charge of acquisition and input.

 

 

Paragraph 2    Stage of Use and Processing

 

(Use and Processing of User Information)

Article 11

  1. The use and processing of User Information shall be carried out within the scope of the intended use at the time of its acquisition in principle, unless the consent of the Principal is obtained.
  2. If User Information is used outside the scope of the intended use to which the Principal gave its consent, such use shall be notified to the Principal in writing or in other manners, and shall be made with the prior consent of the Principal.
  3. The use and processing of User Information shall be limited to the minimum necessary, and reasonable efforts shall be made to prevent proliferation of information.
  4. If User Information is used and processed, such use and processing shall be made with the consent of the Information Overall Controller in principle, unless the use of the information is permitted under the access right granted in advance, etc.

 

(Person in Charge of Use and Processing of User Information, etc.)

Article 12

  1. The Information Overall Controller shall appoint a person in charge of use and processing of User Information depending on business needs, and any persons other than the person in charge shall not use or process User Information.
  2. The Information Overall Controller shall set a limit on information to be used and processed depending on business needs, and the person in charge of use and processing of User Information shall not use or process any information other than such information.
  3. If the person in charge of use and processing of User Information performs any work other than the work specified by the Information Overall Controller, the person in charge shall notify the Information Overall Controller of such work in advance for approval.

 

(Confirmation Procedures of Information Related to Use and Processing)

Article 13

  1. The Information Overall Controller shall formulate procedures to check and confirm the number and content, etc., of User Information used and processed, and shall cause the person in charge to implement the procedures.
  2. The Information Overall Controller shall review the records checked and confirmed in accordance with the above procedures, and shall store such records in a specified place for a specified period of time, as necessary.
  3. The Information Overall Controller shall check such records as stored in accordance with the above clause regularly.

 

(Storage of Information Related to Use and Processing, etc.)

Article 14

  1. The Information Overall Controller shall specify the place and method for storing the information related to use and processing, and shall cause the person in charge of use and processing to comply with such stipulations.
  2. Limitation on access to information stored in accordance with Clause 2 of the previous article and the above clause shall be imposed on any persons other than the Information Overall Controller and the person in charge of use and processing.

 

(Taking-Out of User Information Outside the Controlled Area at a Stage of Use and Processing)

Article 15

  1. If User Information is taken out from the specified storage place at a stage of use and processing of information, the person in charge of use and processing of the information shall obtain the approval of the Information Overall Controller by submitting a written request indicating the following items:
  1. Name of the person in charge related to taking-out
  2. Details of User Information intended for taking-out
  3. Purpose of taking-out
  4. Devices or media that contain a record of the information to be taken out
  5. Period during which the information is taken out
  1. If the Information Overall Controller gives approval as set forth in the above clause, the Information Overall Controller shall make a record of the status of such taking-out, and shall store such a record in a specified place for a specified period of time, as necessary.

 

(Technical Safety Management Measures at a Stage of Use and Processing)

Article 16

  1. The Information Overall Controller shall establish management classifications depending on the importance of User Information, and shall appoint a person with authority to have access to each piece of information according to each management classification.
  2. Any persons other than the person with authority to have access to each piece of information shall not access any information beyond their authorization, and the Information Overall Controller shall restrict access by any persons other than the person with authority by setting a password or any other method.
  3. The Information Overall Controller shall maintain a record on access to each piece of information as well as a record on the operational status of a system that handles User Information, and shall check the actual situation regularly.
  4. The documents and media, etc., that contain a record of User Information shall be kept in a depository that can be locked, and the Information Overall Controller shall take necessary measures to prevent leak of or damage to the information at a stage of use and processing, including limitation on persons who are permitted to unlock/lock the depository.

 

 

Paragraph 3    Handling at a Stage of Storage and Preservation

 

(Storage and Preservation of User Information)

Article 17

          In storing and preserving User Information, the Information Overall Controller shall maintain a ledger, etc., depending on the confidentiality level of such information to make a record of the status of its storage and preservation.

 

(Person in Charge of Storage and Preservation of User Information, etc.)

Article 18

  1. The Information Overall Controller shall appoint a person in charge of storage and preservation of User Information depending on business needs, and any persons other than the person in charge shall not store or preserve User Information.
  2. The Information Overall Controller shall set a limit on information to be stored and preserved depending on business needs, and the person in charge of storage and preservation of User Information shall not store or preserve any information other than such information.
  3. If the person in charge of storage and preservation of User Information performs any work other than the work specified by the Information Overall Controller, the person in charge shall notify the Information Overall Controller of such work in advance for approval.

 

(Confirmation Procedures of Information Related to Storage and Preservation)

Article 19

  1. The Information Overall Controller shall formulate procedures to check and confirm the number and content, etc., of User Information stored and preserved, and shall cause the person in charge to implement the procedures.
  2. The Information Overall Controller shall review the records checked and confirmed in accordance with the above procedures, and shall store such records in a specified place for a specified period of time.
  3. The Information Overall Controller shall check such records as stored in accordance with the above clause regularly.

 

(Technical Safety Management Measures at a Stage of Storage and Preservation)

Article 20

  1. The Information Overall Controller shall establish management classifications depending on the importance of User Information, and shall set up the storage and preservation methods according to each management classification.
  2. The Information Overall Controller shall appoint a person with authority to access each piece of information.
  3. Any persons other than the person with authority to access each piece of information shall not access any information beyond their authorization, and the Information Overall Controller shall restrict access by any persons other than the person with authority by setting a password or any other method.
  4. The Information Overall Controller shall maintain a record on access to each piece of information as well as a record on the operational status of a system that handles User Information, and shall check the actual situation regularly.
  5. The documents and media, etc., that contain a record of User Information shall be kept in a depository that can be locked, and the Information Overall Controller shall take necessary measures to prevent leak of or damage to information at a stage of storage and preservation, including limitation on persons who are permitted to unlock/lock the depository.

 

(Response to Trouble in Storage and Preservation)

Article 21

          In the event of trouble in storage and preservation of User Information, the Information Overall Controller shall immediately report to the department responsible for User Information management, and shall respond to such trouble in accordance with the instructions of the department.

 

 

Paragraph 4    Handling at a Stage of Transfer and Transmission

 

(Transfer and Transmission of User Information)

Article 22

          Transfer and transmission of User Information and media that contain and record User Information shall be carried out in an appropriate manner depending on its importance, and its delivery and receipt shall be clarified.

 

(Person in Charge of Transfer and Transmission of User Information)

Article 23

  1. The Information Overall Controller shall appoint a person in charge of transfer and transmission of User Information depending on business needs, and any persons other than the person in charge shall not transfer or transmit User Information.
  2. The Information Overall Controller shall set a limit on information to be transferred and transmitted depending on business needs, and the person in charge of transfer and transmission of User Information shall not transfer or transmit any information other than such information.
  3. If the person in charge of transfer and transmission of User Information performs any work other than the work specified by the Information Overall Controller, the person in charge shall notify the Information Overall Controller of such work in advance for approval.

 

(Confirmation Procedures of Information Related to Transfer and Transmission)

Article 24

  1. The Information Overall Controller shall formulate procedures to check and confirm the number and content, etc., of User Information transferred and transmitted, and shall cause the person in charge to implement the procedures.
  2. The Information Overall Controller shall review the records checked and confirmed in accordance with the above procedures, and shall store such records in a specified place for a specified period of time, as necessary.
  3. The Information Manager of each department shall check such records as stored in accordance with the above clause regularly.

 

(Technical Safety Management Measures at a Stage of Transfer and Transmission)

Article 25

  1. The Information Overall Controller shall establish management classifications depending on the importance of User Information, and shall set up the methods of transfer and transmission according to each management classification.
  2. The Information Overall Controller shall appoint a person with authority to access each piece of information.
  3. Any persons other than the person with authority to access each piece of information as set forth in the above clause shall not access any information beyond their authorization, and the Information Overall Controller shall restrict access by any persons other than the person with authority by setting a password or any other method.
  4. The Information Overall Controller shall maintain a record on access to each piece of information as well as a record on the operational status of a system that handles User Information, and shall check the actual situation regularly.
  5. The documents and media, etc., that contain a record of User Information shall be kept in a depository that can be locked, and the Information Overall Controller shall take necessary measures to prevent leak of or damage to information at a stage of transfer and transmission, including limitation on persons who are permitted to unlock/lock the depository.

 

(Response to Trouble in Transfer and Transmission)

Article 26

          In the event of any trouble in transfer and transmission of User Information, the Information Overall Controller shall immediately report to the department responsible for User Information management, and shall respond to such trouble in accordance with the instructions of the department.

 

 

Paragraph 5    Handling at a Stage of Erasure and Disposal

 

(Erasure and Disposal)

Article 27

          If any paper or magnetic media, etc., that contain User Information are erased or disposed of, it shall be carried out in an appropriate manner by means of shredding, incineration, melting, magnetic erasure or destruction in accordance with the instructions of the Information Overall Controller depending on the content of the relevant information. If erasure or disposal work is assigned to any party other than the Company, a certificate of erasure or disposal shall be obtained, and the fact of erasure or disposal shall be checked as necessary.

 

(Person in Charge of Erasure and Disposal of User Information, etc.)

Article 28

  1. The Information Overall Controller shall appoint a person in charge of erasure and disposal of User Information depending on business needs, and any persons other than the person in charge shall not erase or dispose of User Information. The Information Overall Controller shall restrict access to User Information by any persons other than the person in charge of erasure and disposal.
  2. The Information Overall Controller shall set a limit on information to be erased and disposed of depending on business needs, and the person in charge of erasure and disposal of User Information shall not erase or dispose of any information other than such information.
  3. If the person in charge of erasure and disposal of User Information performs any work other than the work specified by the Information Overall Controller, the person in charge shall notify the Information Overall Controller of such work in advance for approval.

 

(Confirmation Procedures of Information Related to Erasure and Disposal)

Article 29

  1. The Information Overall Controller shall formulate procedures to check and confirm the number and content, etc., of User Information erased and disposed of, and shall cause the person in charge to implement the procedures.
  2. The Information Overall Controller shall review the records checked and confirmed in accordance with the above procedures, and shall store such records in a specified place for a specified period of time, as necessary.
  3. The Information Overall Controller shall check such records as stored in accordance with the above clause regularly.

 

 

Paragraph 6    Prohibition of Acquisition, etc., of Sensitive Information

 

(Prohibition of Acquisition, etc., of Certain Sensitive Personal Information)

Article 30

          Any Personal Information that contains any of the following items shall not be acquired, used or provided:

  1. Matters concerning thought, belief and religion
  2. Race, ethnicity, place of origin, registered domicile (excluding information about present address), physical and mental disability, criminal history and any other matters that cause social discrimination
  3. Matters concerning the right to organize, bargain collectively and any other work in groups of working persons
  4. Matters concerning participation in demonstration and exercise of the right of petition and any other political rights
  5. Matters concerning health and medical care and sex life

 

Chapter 4        Confirmation of Handling Status of User Information

 

(Confirmation and Inspection on Handling Status)

Article 31

  1. The department responsible for User Information management shall maintain a means for confirming the handling status of User Information, such as storage place, method and period of User Information at each department, etc.
  2. The Information Overall Controller shall appoint a responsible person and person in charge of inspection, develop an inspection plan on the handling status of User Information, and shall conduct inspection regularly and on a temporary basis.
  3. If the Information Overall Controller finds any violation of these Regulations, etc., at the time of inspection set forth in the previous clause, the Information Overall Controller shall report to the department responsible for User Information management, and the department shall take remedial measures.

 

Chapter 5        Provision of User Information to Third Party

 

(Restriction on Provision to Third Party)

Article 32

  1. Unless otherwise specified by law and these Regulations, User Information including Personal Information shall not be provided to any third party.
  2. If any employee who handles User Information deems it necessary to provide User Information to any third party, such an employee shall give notice to the Information Overall Controller for approval, whether it contains Personal Information or not.
  3. Unless otherwise permitted by law, if Personal Information is included in the information to be provided with respect to such notice as set forth in the previous clause, the Information Overall Controller shall give approval after obtaining the informed consent from the Principal on the following items:
  1. Name of a third party to which User Information is provided
  2. Intended use by the third party who receives User Information
  3. Content of the information to be provided to the third party

 

Chapter 6        Management and Supervision of Employees, etc.

 

(Management and Supervision of Employees, etc.)

Article 33

  1. For employees’ handling of User Information, the department responsible for User Information management shall set up an appropriate internal management system to ensure safety management of the information, and shall exercise necessary and appropriate supervision over the employees.
  2. “Necessary and appropriate supervision” as set forth in the previous clause shall be exercised by the following system, etc.:
  1. to enter into an agreement, etc., with employees at the time of recruitment, etc., which obliges the employees not to disclose User Information obtained in connection with the Company’s business, etc., to any third party or use it for any purposes other than the intended purpose while in office and after retirement;
  2. to define the role and responsibility of employees, familiarize officers and employees with, and provide education and training to officers and employees concerning their duties of safety management through development of regulations for appropriate handling of User Information;
  3. to maintain a system to check the compliance status, etc., on the matters specified in the internal safety management measures and conduct inspection and audit on the protection of User Information by employees in order to prevent taking-out of User Information by employees.
  1. The Customer Service Department shall familiarize employees with handling of User Information by the following methods:
  1. Implementation of internal training, etc.
  2. Notification about the contents of internal rules, etc., in writing, via email, or by other means
  3. Method of making internal rules, etc., accessible on the internal information bulletin board
  4. Other methods determined by the Customer Service Department
  1. The Customer Service Department shall make a record of the results of internal training set forth in Item (1) of the above clause.

 

Chapter 7        Response to Leak Accident, etc.

 

(Reporting System)

Article 34

  1. Anyone who becomes aware of a leak accident, etc., of User Information shall immediately report to the Information Overall Controller, and the Information Overall Controller shall immediately make a report in accordance with the procedures of a contact route for emergency.
  2. Each person in charge in the emergency contact route shall take prompt action to ensure prompt reporting to the Information Overall Controller.

 

(Investigation)

Article 35

          The Information Overall Controller shall conduct an investigation on the following items to check the fact situation:

  1. Actions to preserve evidence
  2. Confirmation of the fact of the leak, etc.
  3. Identification of User Information involved in the leak, etc. (object person, attributes, number of items, etc.)
  4. Investigation of the route and cause of the leak, etc.

 

(Prevention of Expansion of Damage)

Article 36

          In the event of a leak accident, etc., the Information Overall Controller shall make efforts to prevent damage from expanding by implementing the following measures, etc.:

  1. Collection of leaked information, etc.
  2. Development and implementation of preventive measures for a case where highly useful information such as card number, password, account number is leaked and there is a high risk of secondary damage, etc.

 

(Report and Consultation with Supervisory Authorities, etc.)

Article 37

          The Information Overall Controller shall implement the following measures to make a report and consultation about the fact situation as necessary:

  1. Report to and consultation with administrative authorities and affiliated associations, etc.
  2. Report to and consultation with the police
  3. Response to judicial authorities

 

(Notification to Principal and Publication)

Article 38

          The Information Overall Controller shall explain the fact situation and apologize to the user who is related to the information involved in a leak accident, etc., and shall publish the fact situation by posting on the website or any other methods as necessary.

 

(Preventive Measures)

Article 39

  1. The Information Overall Controller shall take preventive measures immediately after a leak accident, etc., occurs. The following measures shall be implemented:
  1. Development and implementation of preventive measures
  2. Development and implementation of countermeasures against leak of similar risks and countermeasures for the leak accident, etc., occurred
  3. Verification of validity of preventive measures and countermeasures against similar risks by means of voluntary inspection and audit, etc.
  1. In addition to the above provisions, necessary measures to prevent recurrence of similar cases shall be considered in light of leak accidents of other companies, etc.
  2. The Information Overall Controller shall make efforts to familiarize the “preventive measures” developed in the previous clause.

 

Chapter 8        Audit

 

(Audit Plan)

Article 40

  1. The Audit Controller shall formulate an audit plan for the protection of User Information once a year to obtain the approval of the Board of Directors.
  2. The audit plan shall include the following items:
  1. Audit system
  2. Schedule
  3. Audit method
  4. Form of an audit report

 

(Audit, etc.)

Article 41

  1. The Audit Controller shall supervise and conduct an audit of the company-wide compliance status, etc., of the provisions of these Regulations in accordance with the audit plan once a year (at the end of each fiscal year), and shall prepare an audit report and submit the same to the Board of Directors.
  2. For any improvements pointed out in the above audit report, the Information Overall Controller shall formulate and implement corrective action and remedial measures in accordance with the decision of the Board of Directors.

 

(Training of Auditors)

Article 42

          The Audit Controller shall make reasonable efforts to familiarize handling of User Information, including the following items, by providing internal training to the personnel who are engaged in audit activities.

  1. Method of obtaining the consent required to use information
  2. Intended use
  3. Points to remember at the time of acquisition of User Information
  4. Points to remember for safety management measures of User Information to be handled
  5. Appropriate handling of complaints

 

Chapter 9        Outsourcing

 

(Outsourcing of Handling of User Information)

Article 43

  1. If all or any of handling of User Information is outsourced to any third party, the person in charge of handling such User Information shall give prior written notice to the Information Overall Controller for approval.
  2. The Information Manager of each department shall take the following measures, and shall make an application to the department responsible for User Information management for approval of the Information Overall Controller before entering into a contract with a subcontractor:
  1. to conduct an interview with a responsible person of the subcontractor and conduct on-site review at the information processing facility of the subcontractor to ensure that the level of protection and security management of User Information is the same or higher than the Company;
  2. to obtain financial information about the subcontractor to ensure its financial safety;
  3. to set forth necessary provisions in a consignment contract in accordance with the Act on Settlement of Funds, Act on the Protection of Personal Information and any other applicable laws and regulations as well as the policies and guidelines, etc., of the authorities concerned, and also set out necessary provisions concerning confidentiality and safety operation, etc., in such a consignment contract to ensure safety.
  1. During the term of the consignment contract, the person in charge shall check whether the subcontractor complies with the contract with the Company. In the event that any violation of the contract is found, the person in charge shall give notice to the Information Overall Controller to that effect.
  2. The Information Overall Controller who receives such notice as set forth in the above clause shall consult with the department responsible for User Information and take necessary measures against the subcontractor.
  3. The Information Overall Controller shall, at least once a year, conduct an interview with a responsible person of the subcontractor and conduct on-site review and audit at the information processing facility of the subcontractor.
  4. The Information Overall Controller shall keep documents including a consignment contract, audit reports and notice letters, etc., prepared under this Article (including electromagnetic records) for seven (7) years after the termination of the contract.

 

Chapter 10      Response to Request for Disclosure, etc.

 

(Disclosure)

Article 44

  1. If the department responsible for User Information management is requested to make disclosure of Personal Information (limited to information related to the Principal. This phrase shall apply from this article to Article 48) by the Principal, it shall disclose Personal Information to the Principal without delay in accordance with the method permitted by the Principal, except the following cases:
  1. if it may do harm to the life, body, property and any other rights and interests of the Principal or any third party;
  2. if it may significantly interfere with the fair practice of business of the Company;
  3. if it may result in the violation of the applicable laws.
  1. If the department responsible for User Information management cannot disclose Personal Information, it shall give notice to the Principal without delay and explain the reason by indicating grounds for such decision and the facts constituting the grounds.

 

(Correction)

Article 45

  1. If the department responsible for User Information management is requested to correct, add or delete any Personal Information by the Principal on grounds that it is not true (hereinafter called “Correction, etc.”), it shall conduct a necessary investigation, including confirmation of facts, without delay, and shall make a Correction, etc., of such Personal Information based on the results.
  2. If the department responsible for User Information management makes a Correction, etc., or decides not to make a Correction, etc., of any Personal Information requested by the Principal, it shall give notice to the Principal to that effect without delay (including grounds for the decision and the facts constituting the grounds not to make a Correction, etc., if it makes such a decision).

 

(Suspension of Use)

Article 46

  1. If the department responsible for User Information management is requested to suspend the use of Personal Information or delete the same on grounds that the Company has violated its intended use (hereinafter called “Suspension of Use, etc.”) and it is found that there is a good reason for such a request, it shall implement Suspension of Use, etc., of the information without delay.
  2. If the department responsible for User Information management implements Suspension of Use, etc., or makes a decision not to implement Suspension of Use, etc., requested by the Principal, it shall give notice to the Principal to that effect without delay (including grounds for the decision and the facts constituting the grounds not to implement Suspension of Use, etc., if it makes such a decision).

 

(Procedures of Complying with Request for Disclosure)

Article 47

  1. The department responsible for User Information management shall set out the following items with respect to the request for disclosure set forth in Article 44:
  1. Form of a document/documents to be submitted in requesting disclosure;
  2. Method of identification of a person who requests disclosure;
  3. Amount of a fee for the procedures and the method of collection;
  4. Method of answer to the request for disclosure, etc.
  1. The department responsible for User Information management shall publish the procedures of complying with a request for disclosure set forth in the above clause by constantly posting it on the website on the Internet or other means.

 

(Complaint Handling)

Article 48

  1. If the department responsible for User Information management receives a complaint about handling of Personal Information, it shall conduct an investigation into its content, and shall make efforts to settle such a complaint appropriately and swiftly within a reasonable period of time.
  2. The department responsible for User Information management shall make efforts to maintain a necessary system to perform appropriate and swift complaint handling, including development of a complaint handling process, setup of a complaint reception desk, and thorough education and training of the personnel, etc., who are engaged in complaint handling.

 

 

利用者情報管理社内規程(個人情報取扱規程)

 

第1章 総則

(目的)

第1条

本規程は,当社の資金移動サービスの利用者に関する情報について,その管理に必要な事項を定めることにより,情報管理の適切性を確保し,利用者の権利利益の保護を図ることを目的とする。

 

(定義)

第2条

本規程において,以下の各号に掲げる用語の定義は,当該各号に定めるところによる。

(1) 「利用者情報」とは,当社の資金移動サービスの利用者に関する情報をいい,氏名,性別,生年月日,住所,年齢,職業等の事実に関する情報に限られず,個人の身体,財産,職種等の属性に関する判断や評価を表す情報や資金移動サービスの取引履歴や口座残高情報等も含まれる。

(2) 「個人情報」とは,利用者情報のうち,生存する個人に関する情報であって,当該情報に含まれる氏名,生年月日,その他の記述等により特定の個人を識別できるもの(他の情報と容易に照合することができ,それにより特定の個人を識別することができることとなるものを含む。)をいう。

(3) 「本人」とは,個人情報によって識別される特定の個人をいう。

(4)  前各号に定めるほか,本規程における用語は,他に特段の定めのない限り,個人情報の保護に関する法律及び同施行令の定義に従う。

 

第2章 利用者情報の管理体制

 

(利用者情報管理責任部門等)

第3条

利用者情報の管理に係る責任部門は,顧客サービス部とする。顧客サービス部の部長をもって,利用者情報管理に係る統括責任者(以下「統括責任者」という。)とする。顧客サービス部のモニタリングとして、内部管理部門の事業統括本部がこの任にあたる。

2 利用者情報の管理に係る監査責任者(以下「監査責任者」という。)は,監査本部とする。

 

(利用者情報管理責任部門の業務)

第4条

利用者情報統括部門,統括責任者は,本規程の目的及びその定めに応じた業務を行う。

 

第3章 利用者情報の管理

第1節 利用者情報の取得,入力

 

(利用者情報の取得)

第5条

利用者情報の取得にあたっては,当該情報の利用目的をできる限り特定し,その利用目的の達成に必要な範囲で適法かつ公正な手段によって取得しなければならない。

 

(個人情報取得時の利用目的の通知・公表等)

第6条

利用者情報のうち,個人情報を取得した場合は,あらかじめその利用目的を公表している場合を除き,速やかに,その利用目的を本人に通知し,又は公表することとする。

2 前項の規定にかかわらず,本人との間で契約を締結すること等に伴って契約書その他の書面に記載された個人情報を取得する場合は,あらかじめ,本人に対し,その利用目的を明示することとする。

3 利用目的を変更した場合は,変更された利用目的について,本人に通知し,又は公表することとする。

4 前三項の規定は次に掲げる場合については適用しないものとする。

(1) 利用目的を本人に通知し,又は公表することにより本人又は第三者の生命,身体,財産その他の権利利益を害するおそれがある場合

(2) 利用目的を本人に通知し,又は公表することにより当社の権利又は正当な利益を害するおそれがある場合

(3) 国の機関又は地方公共団体が法令の定める事務を遂行することに対して協力する必要がある場合であって,利用目的を本人に通知し,又は公表することにより当該事務の遂行に支障を及ぼすおそれがあるとき

(4) 取得の状況からみて利用目的が明らかであると認められる場合

 

(入力)

第7条

利用者情報を入力する場合は,誤入力等に十分留意し,情報の正確性の確保に努めなければならない。

 

(利用者情報の取得・入力担当者等)

第8条

統括責任者は,業務上の必要に応じて利用者情報の取得,入力の担当者を選任することとし,当該担当者以外の者は利用者情報の取得,入力を行ってはならない。

2 統括責任者は,業務上の必要に応じて取得,入力する情報を限定することとし,利用者情報の取得,入力の担当者は,当該情報以外の情報の取得,入力を行ってはならない。

3 取得,入力の担当者は,統括責任者により定められた事項以外の作業を行う場合には, あらかじめ統括責任者に対し作業の内容を伝え,その承認を得なければならない。

 

(取得,入力に係る情報の確認手続)

第9条

統括責任者は,取得,入力した利用者情報の件数,内容等を照合,確認する手続を定め,担当者に履行させなければならない。

2 統括責任者は,前項に基づき照合,確認した記録を査閲し,必要に応じ,当該記録を定められた期間,所定の場所に保管しなければならない。

3 統括責任者は,前項に基づき保管された記録を定期的に確認することとする。

 

(取得,入力に係る情報の保管等)

第10条

統括責任者は,取得,入力に係る情報の保管場所及び保管方法を定め,取得,入力担当者をして,遵守させなければならない。

2 前条第2項及び前項に基づき保管された情報については,情報統括責任者及び各情報の取得,入力担当者以外のアクセス制限を設けなければならない。

 

 

第2節 利用,加工段階

 

(利用者情報の利用,加工)

第11条

利用者情報の利用及び加工は,原則として取得時の利用目的の範囲内で行うものとする。ただし, 本人から同意を得た場合はこの限りではない。

2 本人が同意を与えた利用目的の範囲外で利用者情報の利用を行う場合は,書面又はこれに代わる方法によって本人に通知し,本人の事前の同意のもとに行わなければならい。

3 利用者情報の利用及び加工は,必要最小限にとどめ,情報の拡散を防止しなければならない。

4 利用者情報を利用及び加工する場合は,原則として統括責任者の許可を得て行わなければならない。ただし,あらかじめアクセス権の付与等により,該当する情報の利用を認められている場合は,この限りではない。

 

(利用者情報の利用,加工担当者等)

第12条

統括責任者は,業務上の必要に応じて,利用者情報の利用,加工の担当者を選任する。また当該担当者以外の者は,利用者情報を利用又は加工してはならない。

2 統括責任者は,業務上の必要に応じて利用,加工する情報を限定することとし,利用者情報の利用,加工の担当者は,当該情報以外の情報の利用,加工を行ってはならない。

3  利用,加工の担当者は,統括責任者により定められた事項以外の作業を行う場合には, あらかじめ情報統括責任者に対し,作業の内容を伝え,承認を得なければならない。

 

(利用,加工に係る情報の確認手続)

第13条

統括責任者は,利用,加工した利用者情報の件数,内容等を照合,確認する手続を定め,担当者に履行させなければならない。

2 統括責任者は,前項に基づき照合,確認した記録を査閲し,必要に応じ,当該記録を定められた期間,所定の場所に保管しなければならない。

3 統括責任者は,前項に基づき保管された情報を定期的に確認することとする。

 

(利用,加工に係る情報の保管等)

第14条

統括責任者は,利用,加工に係る情報の保管場所及び保管方法を定め,利用,加工担当者をして,遵守させなければならない。

2 前条第2項及び前項に基づき保管される情報については,統括責任者及び各情報の利用,加工担当者以外のアクセス制限を設けなければならない。

 

(利用, 加工段階における利用者情報の管理区域外への持ち出し)

第15条

利用,加工段階において,利用者情報を定められた保管場所から持ち出す場合には,当該情報の利用,加工担当者は,以下の各号に掲げる事由を記載した書面で統括責任者に申請し,承認を得なければならない。

(1) 持ち出しに関する責任者氏名

(2) 持ち出しの対象となる利用者情報の内容

(3) 持ち出す目的

(4) 持ち出す情報が記録されている機器又は媒体

 

(5

News & Events

Important Notice about Service Charge
....
Read More