Action Guidelines for Protection of Personal Information

SB C&S Corp. (hereinafter the “Company”) strives for thorough compliance with the Act on the Protection of Personal Information (Act No. 57, 2003), Act on the Use of Numbers to Identify a Specific Individual in the Administrative Procedure (Act No. 27, 2013), and Personal Information Protection Management System – Requirements (JIS Q 15001) and endeavors to execute the following respective items in order to protect personal information.

1. Enhancement of Employee Training

The Company will prepare learning materials pertaining to the treatment of personal data, distribute the same to all employees and dispatched employees of the Company, and execute training at least once a year for all employees and dispatched employees of the Company who handle personal data.

2. Preparation of Internal Regulations Pertaining to the Protection of Personal Data

The Company will prepare internal regulations pertaining to the treatment of personal data indicating a clear policy pertaining thereto. The Company will also make it clear inside the Company that the Company will adopt a severe attitude on personal data leakage and implement the proper measures against leakage, including disciplinary actions, in accordance with the Rules of Employment.

3. Deployment of Personal Information Protection Manager and Enhancement of Its Function

The Company will deploy a personal information protection manager, assign the Chief Information Security Officer to that post, and prepare a system clearing the roles to execute compliance with the laws, regulations, and guidelines, establishment of internal regulations, preparation of inspection system, and supervision of treatment of personal data.

4. Implementation of Proper Information Security Measures

The Company will control access to personal data, restrict the removal of personal data, and implement measures to prevent wrong access from the outside and other necessary and appropriate measures to prevent leakage, loss, or damage to personal data and to control the safety of personal data. Also, personal data will be kept only for the period of time (including the period provided for in the laws and regulations) required to accomplish the purposes of use.

5. Regarding Outsourcing of Operations

(1) The Company may outsource the whole or part of the handling of personal data in various service sales operations, inquiry-response operations, marketing operations, and other operations.
(2) In concluding an outsourcing contract, the Company will sufficiently check the eligibility of a party to whom the operation is outsourced. In the operation outsourcing contracts, the Company will prescribe matters pertaining to the proper treatment of personal data, including security control measures, confidentiality, and terms and conditions for subcontracting, and appropriately supervise the Company’s outsourcing contractors by carrying out regular monitoring of the state of the outsourced operations.
(3) When personal data are provided (deposited) by an outsourcer together with any operation outsourced to the Company, the Company will use such personal data to the extent required to accomplish the purposes of the contract with the said outsourcer.

6. Preparation and Enhancement of Inspection System

The Company will prepare a system to audit the organizations of the Company as to whether the protection of personal data is properly carried out or not. In addition, since the inspection utilizing access log is considered effective to find out a leaker of personal data and prevent leakage by exerting a deterrent effect thereof, the Company will study an execution method of such inspection.

7. Proper Collection, Use, Provision, and Publication of Personal Information

The Company will collect personal information by identifying the purposes of use and utilizing legal and fair means, such as documents that include application forms, computer displays that include websites, or verbal. The Company will also properly use, provide, and publish its retained personal information, taking the contents and size of businesses into consideration. When the Company receives any personal information from a third party, the Company will treat such personal information in compliance with the Act on the Protection of Personal Information and other related laws, respecting the principles penetrating protection of personal information of the provider of personal information, and in accordance with terms and conditions of a contract to be executed between such provider and the Company.

8. Continuous Improvement of Actions Pertaining to Protection of Personal Information

The Company will continuously review and improve actions pertaining to the protection of personal information set forth in the above clauses 1 to 7.

9. Revisions

The Company may revise the whole or part of the Action Guidelines for the Protection of Personal Information. Material revisions will be notified on the Company’s website or other accessible means.

Scope of Application of Action Guidelines for the Protection of Personal Information

“Personal information”, “personal data” and “retained personal data” as used in the Action Guidelines for the Protection of Personal Information shall have those meanings defined in the Act on the Protection of Personal Information respectively. The covered principal of these information or data shall include, but shall not be limited to, customers, employees of client companies, and employees of the Company. The Action Guidelines for the Protection of Personal Information is applied to all personal information in the possession of the Company unless otherwise notified herein.

Supplementary Provisions

– The Action Guidelines for the Protection of Personal Information is in force as of April 1, 2014.

– Revised as of December 1, 2015.

– Revised as of May 1, 2017.

– Revised as of April 1, 2022.

SB C&S Corp.
President & CEO
Yasuo Mizoguchi