Personal Information Protection Principles
Dentsu Group Inc. (hereinafter referred to as the “Company”) believes that balancing the utilization and protection of personal information is one of the most important issues for the Company. The evolution of communication technology is drastically changing the Company’s fields of business and there are increasingly more areas of business processing such personal information.
These Principles set out principal matters which the Company complies with upon processing personal information. The Company declares its commitment to managing and protecting personal information in compliance with Japan’s “Act on the Protection of Personal Information” (“Japan’s Personal Information Protection Act”) as well as applicable personal information protection laws of each country, pursuant to the Dentsu Group Basic Policy for Information Security, and these Principles.
Please refer to the following policy for processing of personal information if the personal information protection laws of the following areas apply. If there is any inconsistency between these Principles and the policy, the provisions of the policy will prevail to the extent of such inconsistency.
Unless otherwise defined in these Principles, the following terms have the following meanings.
|Personal Information||Information defined as personal information in light of the applicable personal information protection laws of each country.
The Personal Information under Japan’s Personal Information Protection Act means information relating to a living individual that (1) contains a name, date of birth or other descriptions contained in such information whereby a specific individual can be identified (including those which can be readily collated with other information and thereby identify a specific individual), and (2) contains an individual identification code.
|Informative Data (Note)||Information regarding an individual such as log information on the use of internet that cannot identify a specific individual by itself, including, but not limited to, identifier information such as terminal identification ID, location information, and browsing history.|
|Processing||Any and all operations conducted with respect to the Personal Information, whether automatically conducted or not, including acquisition, storage, recording, editing, disclosure, and deletion.|
|Data Controller||A natural or legal person, or other body which, solely or jointly with others , decides the purpose and form of Processing the Personal Information.|
|Data Processor||A natural or legal person, or other body which, Processes the Personal Information on behalf of the Data Controller.|
Note: Informative Data may or may not constitute Personal Information depending on the applicable personal information protection laws of each country. As long as the Informative Data constitutes the Personal Information under the applicable personal information protection laws of each country, it is interpreted that the Informative Data constitutes the Personal Information under these Principles. Under Japan’s Personal Information Protection Act, the Informative Data does not constitute Personal Information in principle unless it can be readily collated with other information and thereby identify a specific person.
2. Purpose of Processing, Type, and Method of Collection, of Personal Information
The Company shall obtain Personal Information in a fair and appropriate manner, and Process the Personal Information within the scope of the purpose of Processing after such purpose is made known or publicized and upon consent of the data subject(s).
The purpose of Processing, type, and method of collection, of the Personal Information that the Company Processes as Data Controller are as set out in the following table.
|Purpose of Processing||Type of Personal Information||Method of Collection|
|Invitation and/or communication of the services including events, seminars and surveys||
|Delivery of newsletters, publications, newspapers, seasonal greetings, etc.|
|Provision and proposal of information regarding the Company’s products and services, and development and improvement of products and services||
|Improvement of the Company’s website||
|Notification of arrival of the visitor at the Company’s Offices to the person visited and gatekeeping at office entrances||
|Handling of the exercise of shareholders’ rights, implementation of various measures for shareholders, and other shareholder management||
|Operation and communication of job posting, recruitment and screening. Survey for the purpose of future recruitment activities. Personnel database after enrollment.||
|Handling of inquiries, requests, complaints, etc.||
|Other use that is deemed to be reasonably necessary for the Company’s business||Other information necessary for the purpose of use described in the left column including the above information||Method of collecting from the data subject, or method of collecting indirectly from a third party including the above method of collection|
3. Retention Period of Personal Information
The Company will decide the appropriate retention period on a case-by-case basis taking into account the purpose of use, volume, nature, confidentiality, and legal or business necessity of holding the Personal Information that the Company acquired. If the retention period expires, the Company will delete the Personal Information in a secure manner, or anonymize the Personal Information pursuant to the applicable personal information protection laws of each country. If it is not possible, the Company will securely store the Personal Information, and then preclude new use of the Personal Information until it becomes possible to delete the Personal Information.
4. Security Control Measures for Personal Information
The Company handles the Personal Information in accordance with these Principles, and takes following security control measures.
- ●Establishment of regulations
Formulating the Dentsu Group Information Security Policy, and otherwise establishing various internal rules for the purpose of securing information and protecting Personal Information
- ●Systematic security control measures
Acquiring the ISO/IEC27001 and JISQ27001 information security management standards, appointing Chief Privacy Officers for Personal Information on a company-wide level, establishing the Personal Information Protection Program Office, appointing Data Protection Officers, appointing persons responsible for Personal Information management and Personal Information Data Controllers in each division, establishing a reporting system in the event of a leakage or other problems, and otherwise implementing a system for managing operations pertaining to handling of Personal Information in an integrated manner
- ●Personnel security control measures
Executing internal information security training, including Personal Information security management training at the time of the review of renewal of ISO/IEC27001 and JISQ27001
- ●Physical security control measures
Controlling entry and exit by ID, storing Personal Information in a locked storage space or server to which can only be accessed by the Data Controller, and otherwise transmitting Personal Information by using encryption and dedicated servers, etc.
- ●Technical security control measures
Limiting access from outside by firewalls, regularly monitoring unauthorized access, installing anti-virus software, continually updating pattern files, managing application installation, limiting multiple directory access, and otherwise executing URL filtering
- ●Ascertainment of external environment
Checking systems for the protection of Personal Information in foreign countries where the Company outsources the storage or handling of Personal Information, and otherwise establishing internal systems and preparing written contracts, etc. necessary for such systems
5. Outsourcing Management for Processing of Personal Information
The Company will outsource part of its operations pertaining to Processing of Personal Information to its supplier companies. The Company regards management of supplier companies as one of the top priorities, selecting only those supplier companies who meet or exceed the Company’s standard of Personal Information protection and specifying their responsibilities in written contracts before awarding them the operations pertaining to Processing of Personal Information. The Company also demands of its supplier companies appropriate Processing of Personal Information and will continue to supervise and evaluate them to safeguard operations.
6. Disclosure to, or Sharing with, Recipients of Personal Information
The Company may share with, or disclose to (including outsourcing of sharing or disclosure), a third party Personal Information in compliance with the applicable personal information protection laws of each country. The principal entities receiving the Personal Information are as follows:
- ●Company’s group companies
- ●Companies who have a business relationship with the Company
- ●Internet and IT-related service providers, system developers, service providers such as website builders and maintenance service providers, and platform business operators
- ●Attorneys, certified public accountants, tax accountants, consultants and other external professional advisers
- ●Other service providers and supplier companies that are reasonably related to achieve the purpose of Processing the Personal Information as set out in these Principles
- ●Other third parties if the Company obtains prior consent from the data subject or it is otherwise permitted to share with, or disclose to, such third parties the Personal Information under the applicable personal information protection laws of each country
If the Company shares with, or discloses to, a third party the Personal Information on the grounds of joint use under Japan’s Personal Information Protection Act, the Company shall inform and/or publicize the purpose of its joint use, the kind of Personal Information to be jointly used, with whom the Personal Information would be jointly used, and the person in charge prior to the event. The Company shall also make sure that all participating companies take the strictest of security measures for handling the Personal Information.
7. Transfer of Personal Information to Foreign Countries
For the purpose of Processing the Personal Information, the Company will transfer to, or store in, countries other than the countries or areas where the data subject resides the Personal Information. In such case, the Company will comply with the applicable personal information protection laws of each country.
8. Rights of Data Subjects
A data subject will be permitted to have various rights if the Personal Information held by the Company as Data Controller satisfies certain requirements under the applicable personal information protection laws of each country.
Rights under Japan’s Personal Information Protection Act
A data subject will be permitted to have the right to demand disclosure, correction, addition or deletion, utilization cease or deletion, or suspension of a third-party provision, of the Personal Information that the Company holds, or disclosure of records of the Personal Information provided to a third party. For requests and inquiries regarding the exercise of those rights to demand or notice of the purpose of use, please contact the contact address to which the data subject provides the Personal Information or the following address. The Company will inform of the method of the application procedure, fees for notice of disclosure or purpose of use, and other matters. In responding to the request, the Company will confirm that the person who makes the request is the data subject or the representative thereof.
Rights under the applicable personal information protection laws of each country other than Japan’s Personal Information Protection Act
9. Continuous Improvements
The Company shall continuously evaluate and improve its Personal Information management system, including these Principles, to reflect any changes in the demands of its clients and other business partners as well as those of the social environment and thus maintain its standard of excellence in handling and protecting Personal Information. In addition, the Company may change these Principles as needed. The Company will inform of any change in these Principles at an appropriate time on this website or a website managed by the Company, or by such method as the Company determines to be appropriate.
10. Contact Information
For questions and inquiries regarding these Principles, please contact us as set forth below.
Group Corporate Communication Office
Dentsu Group Inc.
Please find the address and name of the representative of the Company on the ‘About Us’ page of our website.
Last updated: April 1, 2022