Personal Information Protection Principles
Dentsu Group Inc. (hereinafter referred to as the "Company") believes that balancing the utilization and protection of personal information is one of the most important issues for the Company and the Company's consolidated subsidiaries. The evolution of communication technology is drastically changing the Company's field of business and there are increasingly more areas of business dealing with such personal information.
The Company declares its commitment to managing and protecting personal information through "Personal Information Protection Principles" in compliance with Japan's "Act on the Protection of Personal Information," "Guidelines Pertaining to the Act on the Protection of Personal Information" and "The General Data Protection Regulation (EU) 2016/679; GDPR."
1. Handling of Personal Information
- Purpose of Use
The Company shall obtain personal information in a fair and appropriate manner for the purposes defined within the range described in Table 1. Should there be any kind of personal information outside the list of "Types of Personal Information" in Table 1, such information will be put to use after the purpose of each use is made known or publicized and upon consent of the relevant individual(s).
- Outsourcing Management
The Company will outsource part of its operations pertaining to personal information to its supplier companies as described in "Status of Outsourcing" and "Scope of Outsourcing" in Tables 1. The Company regards management of supplier companies as top priority, selecting only those supplier companies who meet or exceed the Company's standard of personal information protection and specifying their responsibilities in written contracts before awarding them projects. The Company also demands of its supplier companies appropriate handling of personal information and will continue to supervise and evaluate them to safeguard operations.
- Provision to Third Party
The Company shall not, in principle, disclose and/or provide personal information to any third parties. If any such disclosure and/or provision of personal information should be conducted, it is to be done appropriately and in compliance with the relevant laws.
- Shared Usage
The Company will share personal information on occasions such as businesses conducted jointly with an affiliate company(s) of the Company and/or with other company(s) in a business relationship with the Company. On such an occasion, the Company shall inform and/or publicize the purpose of its use, the kind of personal information to be used, with whom the personal information would be shared, and the person in charge prior to the event. The Company shall also make sure that all participating companies take the strictest of security measures.
- Disclosure and Inquiries
Any request or inquiry as to where and how to retrieve or to be advised of personal information which the Company has directly obtained, such as that included in Table 1, can be addressed to the contact person to whom the relevant personal information was originally given or to the Group Corporate Communication Office of the Company. Information will then be provided as to the specific procedure of the request form and the required fee. Upon a formal request, the requester will be asked to present personal identification or proof of representation of the relevant individual. The Company does not currently participate in an authorized personal information protection organization.
The information stored using cookies by the Company includes the Client's IP address. The Company does not use stored IP addresses as personally identifiable information.
3. Compliance with the Law
The Company shall strictly abide by any and all applicable laws and regulations, contracts and other policies pertaining to protection of personal information.
4. Security Measures
The Company shall implement security measures to manage and prevent leakage and other mishandling of personal information by specific actions including maintaining and improving its internal information management system, educating and inspiring its employees, controlling access to office spaces, IT security measures and so forth. Also, in general, personal information that is no longer to be used or retained shall be destroyed or deleted in a secure and appropriate manner after three (3) years from the date on which the Company obtained such information.
5. Continuous Improvements
The Company shall continuously evaluate and improve its personal information management system, including this set of principles, to reflect any changes in the demands of its clients and other business partners as well as those of the social environment and thus maintain its standard of excellence in handling and protecting personal information.
Table 1: Personal Information to Be Obtained by the Company
|Type of Personal Information||Purpose of Use||Method of Acquisition||Status of Outsourcing||Scope of Outsourcing|
|Personal Information of Clients||Invitation and/or communication of the services including proposals, special offers, seminars, questionnaires, etc.||Obtain directly from individual (via business card, email, etc.)||Yes||Delivery of invitation letters, operation of events and seminars|
|Delivery of publications, newspapers, seasonal greetings, etc.||Yes||Delivery of publications, newspapers and goods|
|Personal Information of Business Partners||Invitation and/or communication of the services including proposals, special offers and information services directed to outsourced companies, etc.||Obtain directly from individual||Yes||Delivery of invitation letters, event operations, and other|
|Delivery of publications, newspapers, seasonal greetings, etc.||Yes||Delivery of publications, newspapers and goods|
|Visitors at the Company's Offices||Notification of arrival of the visitor to the person visited and gatekeeping at office entrances||Obtain directly from individual||Yes||Reception and related services|
|Personal Information of Shareholders||Execution of the Company's rights and responsibilities in accordance with the Japanese Companies Act, provision of various benefits by the Company, activities for betterment of relationship between shareholders and the Company, management of shareholders for creating shareholder statistics as regulated and standardized by the relevant laws and regulations||Via Japan Securities Depository Center or obtained directly from individual||Yes||Preparation of list of shareholders, notification of dividends, shareholders meetings and other share-related administrative operations and procedures|
|Personal Information of People Who Make Inquiries to the Company||Handling of inquiries, requests, complaints, etc.||Obtain directly from individual (via telephone, email, fax, letter, etc.)||No|
|Personal Information of Employees of Dentsu Group Companies||Organization of business operations, personnel systems, and business development activities (details announced separately internally)||Obtain directly from individual or via each Group company||Yes||Application differs case by case (announced separately internally)|
|Personal Information of Job Applicants to the Company||Operation and communication of job posting, recruitment, and screening; surveys for the purpose of future recruitment activities; personnel database management after hiring.||Obtain directly from individuals or via staffing agencies||Yes||Operations of recruitment activities, including screening, scheduling, communication, and execution/tabulation of surveys|
6. Handling of Anonymized Processing Information
The Company shall stipulate the handling of "anonymously processed information" as set forth in the Act on the Protection of Personal Information, as follows:
- Compliance with Related Laws
The Company will properly handle the anonymously processed information in compliance with the Personal Information Protection Law, other laws and regulations, the Personal Information Protection Law Guidelines, and other guidelines.
- Items of Personal Information Included in Anonymously Processed Information Prepared by the Company.
The Company has not prepared anonymously processed information at the time of the formulation of "Personal Information Protection Principles".
- Security Control Measures
In the future, when the Company prepares the anonymously processed information, it will take necessary and appropriate safety control measures to prevent leakage, loss, or damage in accordance with the standards set forth in the Rules of the Personal Information Protection Commission.
- Provision to Third Parties
The Company has not provided the anonymously processed information to any third party at the time of the formulation of "Personal Information Protection Principles". In the future, when the Company provides the anonymously processed information to a third party, in accordance with the Rules of the Personal Information Protection Commission, the items of personal information contained in the anonymously processed information provided to a third party and the method of provision thereof shall be publicized in advance, and the fact that the information pertaining to said provision is anonymously processed information shall be clearly indicated to said third party.
- Prohibition of Identifying Acts
When handling anonymously processed information, the Company shall neither (i) acquire the descriptions or individual identification codes deleted from personal information, or information relating to a processing method carried out in the process of producing the anonymously processed information, nor (ii) collate such anonymously processed information with other information in order to identify a principal who could be identified based on the anonymously processed information.
7. Handling of EU Resident Data
The Company shall stipulate the handling of information that identifies, or could be used to identify, residents in the European Union (hereinafter referred to as "EU resident data") including Iceland, Liechtenstein and Norway (hereinafter referred to as "EU") based on the European Union Member States and the European Economic Area Agreement. Each natural person who is a subject of the EU resident data shall be referred to as an "EU resident data subject", as follows. The provisions of 2: "Compliance with the Law,” 3: "Security Measures" and 4: "Continuous Improvements" apply or apply mutatis mutandis to the handling of data of an EU resident.
- As "Data Controller"
- (1)Obtaining consent
In the event that we handle EU resident data as a "Data Controller" in GDPR, the Company shall clearly indicate to the EU resident data subject the purpose of handling the EU resident data as well as other GDPR matters to be notified, and shall obtain the express consent of the EU resident data subject to the use thereof, unless there is a legal basis for handling such data without consent of the subject, such as the acknowledgement of a legitimate interest. Explanations when obtaining consent shall be stated in a clear and plain language and will be clearly distinguishable from other matters in a form that is easy to understand and easily accessible. An EU resident data subject may withdraw his/her consent to the processing of his/her data at any time, without prejudice, to the legality of the data processing based on the consent before the withdrawal.
- (2)Record of consent
The Company shall retain records to enable consent to the handling of EU resident data obtained from EU resident data subjects, to be presented upon request for proof of their consent.
- (3)Requests from EU resident data subject
With respect to the data of EU residents handled by the Company, the Company shall respond in accordance with the provisions of the GDPR when a data subject exercises its rights (right to inquire about data, right to access data, right to correct or delete data, right to restrict data processing, right to object to data processing, and right to data portability) under GDPR.
- As "Data Processor"
If the Company handles the EU resident data as a "Data Processor" in GDPR, the Company shall appropriately handle the relevant EU resident data in accordance with the instructions of Data Controller of the relevant EU resident data. Also, an EU resident data subject has the right to appeal to the data protection superintendent regarding the processing of the EU resident's data by the Company.
- Contact information
For requests and inquiries regarding the exercise of rights recognized as a data subject in GDPR, please contact the following address with respect to the EU resident data handled by the Company as a Data Controller in GDPR.
In responding to your request, the Company will confirm that you are the principal or the representative of the principal.
- Data Protection Officer and contact information:
DPO, Dentsu Group Inc.,
1-8-1 Higashi-Shimbashi, Minato-ku, Tokyo, JAPAN
- Designated representative and contact information:
PLANIT // LEGAL
Jungfernstieg 1, 20095 Hamburg, Germany