- Purpose of use of personal information
- Name or title of the personal information handling business operator
- Procedures for responding to requests for notification of purpose of use, disclosure, correction, suspension of use, etc. from the individual
- Complaint contact
In addition, for certain specific operations, such as joint use within group companies (known as sharing personal information) and the handling of anonymously processed information, which will be explained later, the law stipulates further items that must be disclosed for each operation.
Definition of Personal Information
Personal information refers to information about a living individual that can identify a specific individual based on the name, date of birth, and other descriptions contained in the information (including information that can be easily compared with other information and can identify a specific individual as a result).
Purpose of Personal Information Use
1. Our company will use the personal information we collect for the following purposes. However, if we have separately defined the purpose of using personal information on our website, the description of that purpose will take precedence.
(1) To allow our company to respond to inquiries from our contact form
(2) To provide and introduce our web services, applications, and other services (hereinafter referred to as “this service”) and new services offered by our company
(3) To improve this service and develop new services
(4) For other purposes related to the above
2. In addition to the purposes defined in the previous paragraph, our company may compile personal information obtained from customers into statistical information in a manner and scope that does not identify or specify individuals, and use it for reference.
Purpose of Use
Anonymously Processed Information
The second paragraph of the clause is a provision regarding anonymously processed information. Anonymously processed information is information that has been processed so that the individual cannot be identified and cannot be restored. It is intended for the effective use of so-called big data.
Use of Personal Information Beyond the Stated Purpose
Our company will handle the acquired personal information within the scope necessary to achieve the purpose of use stated in the previous article. If we handle personal information beyond the scope of its intended use, we will do so only after obtaining the consent of the individual concerned. However, this does not apply in the following cases:
(1) When required by law
(2) When it is necessary to protect the life, body, or property of an individual and it is difficult to obtain the person’s consent
(3) When it is particularly necessary for the improvement of public health or the promotion of sound child development, and it is difficult to obtain the person’s consent
(4) When it is necessary to cooperate with a national institution or local public body, or a person entrusted by them, in performing the affairs stipulated by law, and obtaining the person’s consent would likely hinder the performance of the affairs
In principle, personal information cannot be used beyond the scope of its intended purpose. However, under the Japanese Act on the Protection of Personal Information, exceptions are allowed in cases that fall under clauses (1) to (4) above. Clauses (2) and (3) apply when there is a strong need to use personal information but it is difficult to obtain prompt consent from the individual. Clauses (1) and (4) apply to the use of personal information based on the intentions of national or local public bodies, such as in criminal investigations. The clause on the use of personal information beyond its intended purpose is almost standard for all businesses and rarely changes depending on the nature of the business.
Provision of Personal Information to Third Parties
In principle, our company does not provide personal information of our clients to third parties without obtaining the client’s consent. Exceptionally, we may provide information to third parties if we have identified the recipient and the content of the information and have obtained the client’s consent. However, this does not apply in the following cases:
(1) When required by law
(2) When it is necessary to protect a person’s life, body, or property, and it is difficult to obtain the client’s consent
(3) When it is particularly necessary for the improvement of public health or the promotion of sound child development, and it is difficult to obtain the client’s consent
(4) When it is necessary to cooperate with a national institution or local public body or a person entrusted by them in performing the affairs prescribed by laws and regulations, and obtaining the client’s consent would likely interfere with the performance of the affairs
(5) When it is necessary to provide personal information to a business contractor who has entered into a confidentiality agreement with our company for the purpose of use
Exceptions to the Provision of Personal Information to Third Parties
This clause example covers situations where a business operator provides personal information it has obtained to a third party. Under the Japanese Act on the Protection of Personal Information, consent must be obtained from the individual before providing their personal information to a third party. However, it is legally stipulated that personal information can be provided to a third party without the individual’s consent in the cases specified in clause examples (1) to (5). As a result, like the clause on the use of personal information for purposes other than those intended, the clause on third-party provision is also a standard clause for most companies. In practice, the most commonly used is case (5), where personal information is provided to a business contractor. However, even if a business is outsourced, the business operator who obtained the personal information is responsible for supervising the contractor. Caution is required, because the business operator who outsourced the work may also be held responsible if personal information is leaked from the contractor. The selection of contractors, and their management and supervision after outsourcing, should therefore be done carefully.
Difficulty in Opting Out Due to Legal Amendments
Regarding the provision of personal information to third parties, before the amendment law enacted in 2017 (Heisei 29), it was stipulated that personal information could be provided to third parties without obtaining the individual’s prior consent, on the condition that “the provision of personal information to third parties is stopped at the request of the individual”. This is called opting out. However, with the amendment law enacted in 2017, the rules have been tightened so that personal information cannot be provided to third parties by opting out unless a prior notification is made to the Personal Information Protection Commission.
It may seem that all you have to do is notify the Personal Information Protection Commission, but this notification system is primarily intended for business operators who deal with personal information itself as a product, such as list brokers, and the notifier is to be made public, so there are not many companies that have actually made the notification. Therefore, in practice, the provision of personal information to third parties without the individual’s consent has become difficult, except in cases where it is permitted as an exception, such as outsourcing.
Disclosure, Correction, etc. of Personal Information
With the growing societal concern for personal information protection, legal regulations are gradually becoming stricter. Of course, it is necessary to manage information securely within the company to prevent leakage of personal information, but it is also important to establish privacy policies and internal regulations in accordance with these legal regulations. The Japanese Act on the Protection of Personal Information is scheduled to be revised regularly every three years. Each time the rules for handling personal information change, not only may changes to the internal system be necessary, but there may also be a need to reconsider the business methods themselves. In this sense, the Japanese Act on the Protection of Personal Information can be said to be a law that affects the core of the business, so it is especially important for businesses that handle a lot of personal information to always keep track of the revision trends.
Contract Creation and Review Services by Our Firm
At Monolith Law Firm, we leverage our strengths in IT, Internet, and business law to provide a wide range of services to our advisory and client companies, including the creation and review of various contracts, in addition to privacy policies.