Handling of Customer Personal Information

1. Name of the Business Operator Handling Personal Information

7-1, Nihonbashi 2-chome, Chuo-ku, Tokyo (Tokyo Nihombashi Tower, 34th floor)
Concordia Financial Group, Ltd.

2. Declaration of the Protection of Personal Information

The Company (hereinafter, “we,” “our” or “us”) declares as follows with regard to the policy on the protection of personal information:

  • 1.
    We comply with relevant laws and regulations, etc. regarding the protection of personal information. Accordingly, we establish various regulations regarding the handling of personal information, thoroughly convey the regulations to our employees, and revise those regulations as necessary.
  • 2.
    We specify the purpose of use in advance with regard to the handling of personal information. Except as required by laws and regulations, we do not use it for any purposes other than the specified purpose.
  • 3.
    When acquiring personal information, we promptly notify or announce the purpose of use to the individual who is identified by personal information (hereinafter, “the Person”), unless the purpose of use has been announced in advance. Announcements are made by posting on the Company’s website. When acquiring personal information regarding the Person in writing, we clearly state the purpose of use in advance.
  • 4.
    We acquire personal information by appropriate and lawful means.
  • 5.
    We do not use undisclosed and special information, including personal information comprising descriptions as required by laws and regulations regarding a Person’s race, creed, social status, medical history, criminal record, fact of having suffered damage by a crime, or other descriptions etc. prescribed by cabinet order as those of which the handling requires special care so as not to cause unfair discrimination, prejudice or other disadvantages to the Person, which may come to our knowledge in the course of the business, for any purposes other than ensuring appropriate business operations and other purposes deemed necessary.
  • 6.
    We strive to keep personal data accurate and up-to-date within the scope necessary for the achievement of the purpose of use.
  • 7.

    We implement the following security management measures, which are of an appropriate and reasonable level, to prevent leaks etc. of personal information. We are continually trying to improve those measures.

    • (1)
      Establishment of rules for handling personal information
      For each stage, including acquiring, using, storing, providing, deleting, and disposing of personal information, we have established rules for handling personal information regarding how the information is handled, responsible parties and staff, their duties, and other aspects.
    • (2)
      Organizational security management measures
      In addition to appointing a person in charge of handling personal information, we have clarified the scope of not only employees handling personal information but also the personal information handled by these employees and we have created a system for submitting reports to the person in charge in the case it is ascertained, or there are signs that, there has been a violation of laws or handling rules.
    • (3)
      Human security management measures
      We provide employees with regular training regarding what to keep in mind when handling personal information.
    • (4)
      Physical security management measures
      In addition to measures to prevent the theft, loss, etc., of devices, electronic media, documents, etc., used when handling personal information, we also implement measures that make it difficult to identify personal information when these devices, electronic media, etc., are moved, including moving within the office.
    • (5)
      Technical security management measures
      We use access controls to limit the scope of use by staff of personal information databases etc.
    • (6)
      External environment scope
      Personal information is not stored in foreign countries.
  • 8.
    When contracting out the handling of personal data to outside parties, we select appropriate contractors and supervise them as necessary and properly so as to ensure security control of personal data.
  • 9.
    We do not provide personal data to third parties, unless the Person’s prior consent is obtained, except as required by laws and regulations.
  • 10.
    When requested to disclose, correct, add, delete, discontinue the use of, or erase retained personal data, we properly respond to such request in accordance with the relevant laws and regulations.
  • 11.
    We sincerely treat opinions and inquiries regarding the handling of personal information.

3. Purpose of Use of Customers’ Personal Information

In accordance with the Act on the Protection of Personal Information, we use customers’ personal information (retained personal data) with the following business description and within the scope necessary for the achievement of the purpose of use.

Business description Management and controls of banks and other companies that can be held as subsidiaries in accordance with the Banking Act, and all operations incidental or relating thereto
Purpose of use

We use customers’ personal information for the purposes of management and controls, etc. related to the following operations of the Company and our subsidiaries and affiliates (hereinafter, “the Group”). If the purpose of use of specific personal information is limited by laws and regulations, etc., we do not use it for any purposes other than the designated purpose:

  • Reception of applications for financial products and services, such as opening accounts for various financial products of the Group;
  • Verification of the Person’s identity under the Act on Prevention of Transfer of Criminal Proceeds and/or confirmation of entitlements, etc. for using the Group's financial products and services;
  • Management of ongoing transactions, such as due date control for deposits and loans, etc.;
  • Determination on applications for loans or other ongoing transactions;
  • Determination on the appropriateness of the Group's provision of financial products and services, such as judgments in light of the suitability principles, etc.;
  • Provision of personal information to a third party to the extent necessary for the execution of appropriate business, such as the cases of providing personal information to an affiliate personal credit information agency in the credit business;
  • Appropriate performance of entrusted operations, in the cases where all or part of the processing of personal information is entrusted from other business operators, etc.;
  • Exercise of rights and fulfillment of obligations in accordance with contracts concluded with customers and laws, etc.;
  • Research and development of the Group's financial products and services through market research, data analysis and conducting questionnaires;
  • Various proposals related to the Group's financial products and services;
  • Various proposal of products and services of partner companies, etc.;
  • Cancellation of various customers’ transactions and post-cancellation management;
  • Management and controls, various risk management, compliance with laws and regulations, etc., and operations related thereto; and/or
  • Ensuring proper and smooth performance of customer transactions.
Limit of the purpose of use
  • We do not use information on customers’ repayment ability provided by personal credit information agencies for any purposes other than investigating customers’ repayment ability, in accordance with Article 13-6-6 of the Ordinance for Enforcement of the Banking Act and other applicable provisions.
  • In accordance with Article 13-6-7 of the Ordinance for Enforcement of the Banking Act and other applicable provisions, we do not provide information on race, creed, family origin, registered domicile, health and medical care or criminal records, or any other undisclosed and special information which may come to our knowledge in the course of the business, for any purposes other than ensuring appropriate business operations and other purposes deemed necessary.

4. Procedures for Discontinuation of Sending Materials

When a customer requests a suspension of sending disclosure magazines and other reference items, we discontinue the delivery of future materials. (It takes up to two months from the reception of the request to the said discontinuation).

5. Outsourcing of the Handling of Personal Date

We contract out the handling of customers’ personal data to outside parties in, for example, the cases listed below. When using outsourcing services, we select appropriate contractors and supervise them as necessary and properly to ensure safety management of customers’ personal data.
(Examples of outsourced administrative work)

  • Administrative work related to the management of shareholder registers, etc.;
  • Administrative work related to the delivery of materials, etc.; and/or
  • Business related to the operation and maintenance of information systems

6. Provision of Personal Data to Third Parties

Unless stipulated by law, the Company will not provide a customer's personal data to a third party without the prior consent of the customer.
If a third party resides in a foreign country, we will provide information on that country where the third party resides in accordance with the provisions of the Personal Information Protection Law if consent of the person is obtained.
If the foreign country where the third party exists cannot be specified at the time of obtaining consent of the person, and if it can be specified later, we will provide information on the specified foreign country etc. at the request of the customer.

7. Procedures for Requesting Disclosure, Correction, etc. and Discontinuation of Use, etc. of Retained Customers’ Personal Data

We respond to customers’ requests to disclose, correct/add or delete, discontinue its use of, erase, or discontinue to provide third parties with customers’ personal data that we retain by the following methods (hereinafter, “Disclosure, etc.”):

  • 1.
    For request for Disclosure, etc.
    Please send your request to our office shown below in Section 7.
  • 2.

    Documents, etc. to be submitted when requesting for Disclosure, etc.

    • A.
      “Disclosure Request of Retained Personal Data,” “Request for Correction, etc. of Retained Personal Data” or “Request for Discontinuation of Use of Retained Personal Data” which we established; or
    • B.
      Documents for verifying the Person’s identity (we verify the Person’s identity in accordance with the Act on Prevention of Transfer of Criminal Proceeds).
  • 3.

    Those who can request Disclosure, etc.

    • A.
      The Person;
    • B.
      If the Person is a minor or an adult ward, a statutory agent; and
    • C.
      Agent that the Person delegates for the procedure for requesting Disclosure, etc.
  • 4.
    Information subject to Disclosure, etc.
    Our retained personal data (excluding information related to examination, evaluation, etc.)

8. Inquiries regarding the Handling of Personal Information, etc.

Concordia Financial Group, Ltd. Risk Management Department
Tel. 03-5200-8204 (open hours) 9:00 a.m. - 5:00 p.m. on weekdays except Saturdays, Sundays and national holidays

9. Joint Use of Customers’ Personal Data

Companies of the Concordia Financial Group jointly use customers’ information as follows mainly for the purposes of providing comprehensive financial services, etc. Meanwhile, if the customer’s consent is required separately for delivering and receiving personal data by laws and regulations, etc., we obtain the said consent before jointly using the information in accordance with such laws and regulations, etc.

  • 1.

    Scope of joint users
    Concordia Financial Group, Ltd. and its Group companies listed below:

    • The Bank of Yokohama, Ltd.
    • The Higashi-Nippon Bank, Limited
    • THE KANAGAWA BANK, LTD.
    • Hamagin Tokai Tokyo Securities Co., Ltd.
    • Hamagin Finance Co., Ltd.
    • Hamagin Research Institute, Ltd.
    • Sky Ocean Asset Management Co., Ltd.
    • Yokohama Capital Co., Ltd.
    • Yokohama Guarantee Co., Ltd.
    • Hamagin Business Challenged Co., Ltd.
    • The Higashi-Nippon Business Service Co., Ltd
    • The Higashi-Nippongin JCB Card Co., Ltd
    • THE KANAGIN BUISINESS SERVICE CO.,LTD.
  • 2.

    Purpose of use

    • A.
      Joint research and joint development on financial products and services, etc.;
    • B.
      Proposals and guidance to individual customers regarding financial products and services, etc., and determination of validity of those activities; and
    • C.
      Appropriate operation of management and controls as a group, such as identifying and managing various risks.
  • 3.

    Items of personal data to be used jointly

    • A.
      Address;
    • B.
      Name and operating name;
    • C.
      Date of birth;
    • D.
      Contact information, including phone number;
    • E.
      Occupation/workplace;
    • F.
      Transaction status;
    • G.
      Information on assets and liabilities;
    • H.
      Information on transaction needs;
    • I.
      Information on the transaction history; and/or
    • J.
      Information on judgments of credit transactions.
  • 4.
    Name of the person responsible for the management of personal data for joint use:
    7-1, Nihonbashi 2-chome, Chuo-ku, Tokyo (Tokyo Nihombashi Tower, 34th floor)
    Concordia Financial Group, Ltd.
    Tatsuya Kataoka, President and Representative Director

10. Proper Handling of Specific Personal Information, etc.

In accordance with the Act on the Use of Numbers to Identify a Specific Individuals in the Administrative Procedures (hereinafter, "the Act") and other applicable regulations, we set forth a basic policy regarding the handling of individual numbers (hereinafter, “Individual Number”; called My Number in Japanese)”) and specific personal information of customers, etc. (hereinafter, “Specific Personal Information, etc.”) as follows:

  • 1.
    Compliance with relevant laws and guidelines, etc.
    When handling Specific Personal Information, etc. of customers and other stakeholders, we comply with the Act and other related laws and guidelines, including the Act on the Protection of Personal Information as well as the Declaration of the Protection of Personal Information and other regulations that we have established and publicized separately. In addition, we strive to continuously improve the handling of Specific Personal Information, etc. of customers and other stakeholders.
  • 2.

    Purpose of use of Individual Numbers

    • A.
      When obtaining an Individual Number of customers, etc., we notify, publicize or clearly state the purpose of use thereof, and handle the Individual Number within the scope necessary for the achievement of the purpose of use. Individual Numbers are not used for any purposes other than those permitted by the Act.
    • B.

      The purpose of use of Individual Numbers in the Company is as follows:

      • [1]
        Preparation of statutory documents related to payment of remuneration, fees, etc.;
      • [2]
        Preparation of payment records for distribution of dividends and surplus, and interest on funds;
      • [3]
        Preparation of payment records for real estate usage fees, etc.;
      • [4]
        Preparation of payment records for the transfer of real estate, etc.; or
      • [5]
        Preparation of other statutory documents that require the inclusion of the Individual Numbers by laws and regulations, etc.
  • 3.

    Security management measures
    We implement the following security management measures necessary and appropriate for managing specific personal information, etc., of customers, etc., so as to prevent leaks, losses, damage, etc. In addition, we implement the necessary and appropriate supervision of employees and contractors (including subcontractors) who handle specificpersonal information, etc.

    • (1)
      Establishment of rules for handling specific personal information, etc.
      For each stage, including acquiring, using, storing, providing, deleting, and disposing of specific personal information, etc., we have established rules for handling specific personal information, etc., regarding how the information is handled, responsible parties and staff, duties, and other aspects.
    • (2)
      Organizational security management measures
      In addition to appointing a person in charge of handling specific personal information, etc., we have clarified the scope of not only employees handling specific personal information, etc. but also the specific personal information, etc. handled by these employees and we have created a system for submitting reports to the person in charge in the case it is ascertained, or there are signs that, there has been a violation of laws or handling rules.
    • (3)
      Human security management measures
      We provide employees with regular training regarding points to consider when handling specific personal information, etc.
    • (4)
      Physical security management measures
      In addition to measures to prevent the theft, loss, etc., of devices, electronic media, documents, etc., used when handling specific personal information, etc., we implement measures that make it difficult to identify specific personal information, etc., when these devices, electronic media, etc., are moved, including within the office.
    • (5)
      Technical security management measures
      We use access controls to limit the scope of use by staff of specific personal information databases etc.
    • (6)
      External environment scope
      We do not store specific personal information in foreign countries.
  • 4.

    Response to your opinions and requests

    • A.
      We strive to properly and promptly respond to your opinions or requests regarding the handling of Specific Personal Information, etc.
    • B.
      For opinion and requests regarding the handling of Specific Personal Information, etc., please contact the section in charge of inquiries regarding the handling of personal information, etc.

(As of April 28, 2023)