Page 1

Guidelines for the protection of personal information in the telecommunications business
(2017 Ministry of Internal Affairs and Communications Notification No. 152. Final Amendment 2017 Ministry of Internal Affairs and Communications Notification No.
297) commentary

September 2017 (updated January 2019)
Ministry of Internal Affairs and Communications

1

Page 2

table of contents

Explanation of guidelines for personal information protection in the telecommunications business

table of contents

1 Purpose and application target .................................................................. .............. 6
Purpose ................................................. ................. 6
Applicable target (related to Article 2, Paragraph 1) .................................................. .... 8
Applicability (Article 2, Paragraphs 2 and 3) ..................... 9
2 Definition ................................................ ..................... 1 1
Telecommunications carriers, etc. (related to Article 3) .................................................. . 11
personal information ................................................ ............. 1 2
Personal identification code (related to Article 2, Paragraph 2 of the Law) ..................... 14
Personal information requiring consideration (related to Article 2, Paragraph 3 of the Law) .................................. 18
Personal information database, etc. (related to Article 2, Paragraph 4 of the Law) ..................... 23
Businesses handling personal information (related to Article 2, Paragraph 5 of the Law) ........................ 25
Personal data (related to Article 2, Paragraph 6 of the Law) 26
Retained personal data (related to Article 2, Paragraph 7 of the Law) .................................. 26
Anonymously processed information (related to Article 2, Paragraph 9 of the Law) ..................... 28
Anonymously processed information handling business operator (related to Article 2, Paragraph 10 of the Law) ..................... 29
"Notify the person" ..................................... ........... 2 9
"Publication" ..................................................... .............. 3 0
"Personal consent" .................................................. ........... 3 1
"Provided" ..................................................... .............. 3 2
3 Obligations of telecommunications carriers (Chapter 2 related) ..................................... ... 34
Purpose of use of personal information (related to Articles 4 to 5 and Article 8 Paragraph 3) ................ 34
Identification of purpose of use (related to Article 4, Paragraph 1) ................................................ 34
Change of purpose of use (related to Article 4, Paragraph 2, Paragraph 3, Article 8, Paragraph 3) .......... 35
Scope of purpose of use (related to Article 4, Paragraph 3) ................................................ 36
Restrictions on purpose of use (related to Article 5, Paragraph 1) ............................ 36
Business succession (related to Article 5, Paragraph 2) ..................... 37
Exceptions to restrictions depending on the purpose of use (related to Article 5, Paragraph 3) ...................... 37
Exceptions to personal information related to confidentiality of communications in restrictions based on the purpose of use (Article 5, Paragraph 4)
Relationship) ................................................................ ........... 4 0
Acquisition of personal information (related to Articles 6 to 8) .................................. 40
Acquisition restrictions (related to Article 6) ..................................... . 40
3-2-2 Appropriate acquisition (related to Article 7, Paragraph 1) .................................. ..... 41

2

Page 3

table of contents

3-2-3 Acquisition of sensitive personal information (related to Article 7, Paragraph 2) ........................... 42
Acquisition of personal information related to confidentiality of communications (related to Article 7, Paragraph 3) ................ 45
Notification or publication of purpose of use (related to Article 8, Paragraph 1) ........................ 46
Obtained directly in writing (related to Article 8, Paragraph 2) ..................... 46
When it is not necessary to notify the purpose of use (related to Article 8, Paragraph 4) ............ 48
Management of personal data, etc. (related to Articles 9 to 13) ........................ 50
Ensuring the accuracy of data contents (related to Article 9) ..................... 50
Storage period, etc. (related to Article 10, Paragraph 1) ..................... 51
Exceptions to personal information related to confidentiality of communications during the retention period (related to Article 10, Paragraph 2)
................................................................. ............... 5 3
Safety management measures (related to Article 11) .................................................. 53
Employee supervision (related to Article 12, Paragraphs 1 and 2) ..................... 54
Supervision of contractors (related to Article 12, Paragraph 3) .................. 55
Personal information protection manager (related to Article 13) ................................. 57
Privacy Policy (Article 14) ................................... 58
Publication of privacy policy (related to Article 14, Paragraph 1) ..................... 58
Privacy Policy for Application Software (Article 14, Paragraph 2,
(Section 3) .................................................................. ........ 5 9
Provision of personal data to a third party (related to Articles 15-18) ..................... 60
Principle of restriction of provision to third parties (related to Article 15, Paragraph 1) ....................... 60
Provided to a third party by opt-out (related to Article 15, Paragraphs 2 to 7 and 9 of the Act)
................................................................. ............... 6 3
Exceptions to personal information related to confidentiality of communications in restrictions on provision to third parties (Article 15, Paragraph 8)
Relationship) ................................................ ........... 6 9
When not applicable to a third party (related to Article 15, Paragraph 10) ...................... 69
Restrictions on provision to third parties in foreign countries (related to Article 16) ..................... 74
Creation of records related to provision to a third party (related to Article 17) ....................... 76
Confirmation when receiving a third party (related to Article 18) ....................... 79
Disclosure, correction, etc., suspension of use of retained personal data, such as publication of matters related to retained personal data
Etc. (related to Articles 19 to 26) .................................................. .... 8 3
Publication of matters related to retained personal data (related to Article 19) .................. 83
Disclosure of retained personal data (related to Article 20) ......................... 87
Correction of retained personal data (related to Article 21) ............................. 90
Suspension of use of retained personal data (related to Article 22) ..................... 92
Explanation of the reason (related to Article 23) ..................................... 94
Procedures for responding to requests for disclosure, etc. (related to Article 24) ..................... 95

3

Page 4

table of contents

Fees (related to Article 25) ..................................................... .. 9 8
Prior Request for Settlement Action (Article 26) ............................. 99
Grievance regarding the handling of personal information (related to Article 27) ...................... 100
Obligations of businesses handling anonymously processed information (related to Articles 28 to 31) ............... 101
4 Response in case of leakage, etc ..................................... 108
5 Handling of various information (Chapter 3 related) .................................................. .... 108
Recording of communication history (related to Article 32) .................................................. 108
Recording of communication history (related to Article 32, Paragraph 1) ........................ 108
Provision of communication history (related to Article 32, Paragraph 2) ........................................ 109
Usage details (related to Article 33) ..................................................... .... 11 0
Description of usage details (related to Article 33, Paragraph 1) ........................ 110
Viewing usage details, etc. (related to Article 33, Paragraph 2) ............................ 111
Caller information (related to Article 34) ..................................... .... 11 1
Notification of caller information (related to Article 34, Paragraph 1) ............................ 111
Provision of caller information (related to Article 34, Paragraph 2) ............................ 112
Restrictions on the provision of caller information (related to Article 34, Paragraph 3) ...................... 112
Location information (related to Article 35) ..................................................... .... 11 3
Acquisition of location information (related to Article 35, Paragraph 1) ........................................ 113
Use of location information (related to Article 35, Paragraph 2) ........................................ 114
Measures necessary to prevent unjustified infringement (related to Article 35, Paragraph 3) .... 115
Acquisition of location information at the request of the investigative agency (related to Article 35, Paragraph 4) .......... 116
Acquisition of location information at the request of the rescue organization (Article 35, Paragraph 5) ........ 116
Exchange of information on non-payers, etc. (related to Article 36) ..................... 117
Exchange of information on non-payers, etc. (related to Article 36, Paragraphs 1 to 3) ................ 117
Restrictions on the purpose of use of information such as non-payers (related to Article 36, Paragraph 4) .............. 118
Appropriate management of information on non-payers, etc. (related to Article 36, Paragraph 5) .................. 119
Subscriber information related to sending junk mail (related to Article 37) ..................... 119
Exchange of subscriber information related to sending junk e-mail, etc. (related to Article 37, Paragraphs 1 to 3)
................................................................. .............. 11 9
Restrictions on the purpose of use of subscriber information related to sending junk e-mail, etc. (Article 37, Paragraphs 4 to 4)
Item 5) .................................................................. ......... 12 1
Phone number information (related to Article 38) ..................................... . 121
Posting of telephone number information in the telephone directory, etc. (Article 38, Paragraph 1) .................. 121
Restrictions on the provision of telephone number information (related to Article 38, Paragraph 2) ..................... 122
Form of provision of telephone number information (related to Article 38, Paragraph 3) ...................... 122
External provision of telephone number information (related to Article 38, Paragraph 4) ...................... 123

Four

Page 5

table of contents

Provision of telephone number information to those who issue telephone directories or provide directory assistance services (Article 38)
(Section 5) ....................................................... ........ 12 3
6 Review of guidelines (related to Article 39) ................................................ 124
7 (Attachment) Details of safety management measures to be taken ...................................... . 125
Formulation of basic policy ........................................................ ......... 12 6
Development of discipline regarding the handling of personal data, etc .................................... 126
Organizational safety management measures .................................................. ...... 12 6
Human safety management measures ........................................................ ........ 13 1
Physical safety management measures ........................................................ ...... 13 2
Technical safety management measures ........................................................ ...... 13 5

【Usage Guide】
"Law"

Law Concerning Protection of Personal Information (Law No. 57 of 2003)

"Cabinet Order"

Ordinance for Enforcement of Law Concerning Protection of Personal Information (Cabinet Order No. 507 of 2003)

"Rules"

Law Enforcement Regulations on the Protection of Personal Information (2016 Personal Information Protection Commission Regulations)
Rule No. 3)

* Unless otherwise specified, the contents of laws and regulations shown in the explanation of this guideline are the same.
As of January 1, 2019.

Five

Page 6

1 Purpose and application target

1 Purpose and application target
Purpose
Article 1
This guideline is based on the public nature of the telecommunications business and personal information as the advanced information and telecommunications society progresses.
In view of the remarkable expansion of the use of information, matters belonging to the confidentiality of communications and other personal information
By stipulating the basic matters that telecommunications carriers should comply with regarding the proper handling of
The purpose is to improve the convenience of ki-communication services and protect the rights and interests of users.
To do.

The telecommunications business is a business that is directly related to the secrecy of communications and has extremely high publicity.
In addition, since it is assumed that we will handle information that requires privacy protection, we will take it there.
There is a great need to protect the personal information handled. In addition, the sophistication and diversification of telecommunications services
Advanced information communication that enables rapid and wide-ranging distribution and use of large amounts of highly processed information
It has realized a society and, as a result, has brought great convenience to people's lives, but on the other hand, these
Personal information acquired in connection with the provision of telecommunications services may be handled improperly, or these
If personal information is improperly handled using telecommunications services, it will be irreparable to the individual.
There is a risk of causing serious damage.
Based on this, this guideline is based on the law and the provisions of Article 7, Paragraph 1 of the Law.
Basic Policy on Information Protection ”(Cabinet decision in April 2004. Partially changed in June 2018), Communication
Article 4 of the Telecommunications Business Law (Law No. 86 of 1984) and other related provisions related to the secrets of
From the perspective of protecting privacy, for telecommunications carriers, matters belonging to the secrecy of communications and other matters
By showing as specific guidelines as possible regarding the proper handling of personal information, within that range
While ensuring free distribution in Japan to improve the convenience of telecommunications services, user rights and interests
For the purpose of protecting profits, in Articles 6 and 8 of the Act and related provisions of the Telecommunications Business Act
It is defined as a concrete guideline based on this.

In this guideline, it is stated that "must" and "must not"
If you do not comply with these matters, it may be judged as a violation of the law or the Telecommunications Business Law.
There is sex.
On the other hand, matters that describe "appropriate", "must strive", "desirable", etc.
If you do not comply with these, it is immediately judged to be a violation of the law or the Telecommunications Business Law.
Although it never happens, "Personal information should be handled with caution under the principle of respect for the personality of an individual.
In view of this, proper handling must be achieved. The basic principle of the law
Characteristics of telecommunications carriers based on the precautions (Article 3 of the Act) and the purpose of the Telecommunications Business Act (Article 1 of the Act)
We shall endeavor to comply as much as possible according to the scale and scale. However, the purpose of the law (Article 1 of the law) and electricity
Activities necessary for the public interest and legitimate business activities in light of the purpose of the Telecommunications Business Law (Article 1 of the same law)

6

Page 7

1 Purpose and application target

It does not limit even such things.

The specific examples described in this guideline are intended to help telecommunications carriers understand.
It shows a typical one as, and does not cover all cases, but the contents described.
It is not described to the effect of limiting to. In addition, even in the specific examples described, in individual cases
Therefore, it should be noted that there may be other factors to be considered separately.

In addition, the authorized personal information protection organization (*) has created or changed the personal information protection guideline, and the business group
Voluntary targeting member companies, etc. of the relevant business association, etc., based on the actual conditions and characteristics of the business
It is possible to create or change rules (business group guidelines, etc.), but in that case,
Businesses subject to certified personal information protection groups and member companies such as business groups handle personal information
In addition to the law and this guideline, it is necessary to take measures in accordance with the guideline or rule.
To In particular, for certified personal information protection groups, due to the revision of the law, certified personal information protection groups are targeted.
Businesses must take necessary measures to comply with the Personal Information Protection Guidelines
It is also important to keep in mind that (see Article 53, Paragraph 4 of the Act).

(*) The certified personal information protection organization system is for businesses that handle personal information or businesses that handle anonymously processed information.
For the purpose of proper handling of personal information or anonymously processed information, grievance processing and handling of complaints of the target business operator
A system certified by the Personal Information Protection Commission for private organizations that provide information to elephant businesses
Therefore, we will ensure the reliability of the business concerned and promote the protection of personal information by private organizations.
It is a thing.

(reference)
Article 1 of the law
This law shows that the use of personal information has expanded remarkably with the development of the advanced information and communication society.
Only, regarding the proper handling of personal information, preparation of basic principles and basic policies by the government and other individuals
Establish basic matters for information protection measures and clarify the responsibilities of the national and local governments
At the same time, by stipulating the obligations, etc. to be observed by businesses that handle personal information, personal information
Appropriate and effective utilization will create new industries and create a vibrant economic society and affluent people's lives.
Preserving the rights and interests of individuals while considering the usefulness of other personal information that contributes to realization
The purpose is to protect.

Article 3 of the law
Personal information should be handled with caution under the principle of respect for the individual's personality.
Only, it must be handled properly.

7

Page 8

1 Purpose and application target

Article 6 of the law
The government aims to further protect the rights and interests of individuals in view of the nature and usage of personal information.
Especially for the protection of personal information that needs to ensure strict implementation of its proper handling
In addition to taking necessary legal and other measures to ensure that special measures are taken, international organizations
Internationally consistent personality in collaboration with governments through cooperation with other international frameworks
The necessary measures shall be taken to establish a system for reporting.

Article 8 of the law
The national government is a measure or thing regarding the protection of personal information formulated or implemented by local public bodies.
Providing information and matters in order to support activities carried out by traders, etc. regarding ensuring the proper handling of personal information.
Formulation of guidelines for appropriate and effective implementation of measures to be taken by contractors, etc. and other necessary measures
Shall be taken.

Article 47 of the law
1 Businesses listed below for the purpose of ensuring the proper handling of personal information, etc. of businesses handling personal information
(Including non-corporate organizations with a designated representative or administrator. Article 3 of the next article.
Same for No. b. ) Can be certified by the Personal Information Protection Commission.
(1) Personal information, etc. of business operators handling personal information, etc. (hereinafter referred to as "target business operators") that are the targets of business
Handling of complaints pursuant to the provisions of Article 52 regarding the handling of
(2) For target businesses regarding matters that contribute to ensuring the proper handling of personal information, etc.
Providing information
(3) In addition to the items listed in item 2 above, regarding ensuring the proper handling of personal information, etc. of the target business operator
Necessary work
2 A person who intends to obtain the certification set forth in the preceding paragraph applies to the Personal Information Protection Commission pursuant to the provisions of a Cabinet Order.
Must.
3 When the Personal Information Protection Commission has made the certification set forth in paragraph 1, it must publicly announce that fact.

Law Article 53 (Section 4)
4 Authorized personal information protection organizations are eligible when the personal information protection guidelines are published pursuant to the provisions of the preceding paragraph.
Guidance, recommendations and other measures necessary for businesses to comply with the personal information protection guidelines
I have to take it.

Applicable target (related to Article 2, Paragraph 1)
Article 2 (Section 1)
1 The provisions of this guideline are the compliance of telecommunications carriers regarding the proper handling of personal information.

8

Page 9

1 Purpose and application target

It is interpreted and operated as defining the basic matters to be taken.

This guideline is applicable to personal information regardless of the type of business or scale of the telecommunications carrier.
Information handling business operator or anonymous processing information handling business operator (hereinafter referred to as "personal information handling business operator, etc.")
Applies to applicable telecommunications carriers.
The term "telecommunications carrier" in this guideline is defined in Article 3, Item 1.
Refers to a person who engages in the telecommunications business stipulated in Article 2, Item 4 of the Telecommunications Business Law.
The Shin Business Law is for those who install telecommunications equipment only overseas and who do not have a base in Japan.
It is understood that there is no discipline against such persons, and such persons are referred to as Article 3, Article 1 of this Guideline.
Since it does not fall under the "telecommunications carrier" specified in the issue, it is not covered by this guideline.
It is believed that there is.

Applicable relationship (Article 2, Paragraph 2, Paragraph 3 relationship)
Article 2 (paragraphs 2 and 3)
2 Telecommunications carriers are responsible for the provisions of the Act on the Protection of Personal Information (hereinafter referred to as the "Act") and
Comply with Article 4 and other related provisions of the Telecommunications Business Law (Law No. 86 of 1984) concerning secrecy of communications.
In addition to observing, personal information must be handled properly in accordance with the provisions of this guideline.
I.
3 Telecommunications carriers, regarding various information specified in Chapter 3, personal information specified in Chapter 2.
In addition to observing the common principles regarding the handling of information, it must be handled properly in accordance with the provisions of Chapter 3.
Must be.

This guideline clarifies the criteria for applying the law to telecommunications carriers and also communicates
Based on Article 4 of the Telecommunications Business Law and other related provisions related to the confidentiality of trust, personal information is particularly appropriate.
Telecommunications carriers that are required to handle personal information strictly should comply with it when handling personal information.
It clarifies the basic matters. In addition, this guideline is "related to the protection of personal information"
In the provisions of "Guidelines for Laws to be Conducted" (November 30, 2016, Personal Information Protection Commission)
While complying with the regulations, it is also necessary in consideration of confidentiality of communications and other circumstances peculiar to the telecommunications business.
At the same time, it centrally shows the discipline that applies to telecommunications carriers. Therefore, electricity

If the telecommunications carrier complies with the provisions of this guideline, the law and individuals regarding the telecommunications business
You have complied with the provisions of the guidelines for information protection laws.
Sufficiency certification from within the EU (based on Article 45 of the GDPR (*), the European Commission is responsible for the country or region.
Etc. are decisions that recognize that a sufficient level of protection is secured for personal data. ) Moved by
When handling personal data that has been received, "For the protection of personal information" established by the Personal Information Protection Commission
Regarding the handling of personal data transferred by sufficiency certification from within the EU related to related laws
Please refer to "Complementary Rules" (2018 Personal Information Protection Commission Notification No. 4).

9

Page 10

1 Purpose and application target

On the other hand, regarding Article 4 of the Telecommunications Business Law and other related provisions related to the secrecy of communications, the communications
It is not possible to distinguish whether the matters belonging to the secret are personal information or information of corporations or other organizations.
Since it is protected, corporations and other organizations are also protected.
(Refer to the figure below), etc., regarding the subject and content of discipline, beyond the scope of this guideline.
In some cases.
In addition, the provisions of Chapter 3 (Articles 32 to 38) are the provisions of Chapter 2 ( Articles 4 to 31) .
It is a fixed special provision, especially for various information provided in Chapter 3 (Articles 32 to 38).
For matters that are not stipulated, the provisions of Chapter 2 ( Articles 4 to 31) shall apply.
To do.
(*) Protection of natural persons related to the handling of personal data and free transfer and directive of the data
European Parliament and European Council Regulations on the Abolition of 95/46 / EC (General Data Protection Regulation)
(REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the protection
of natural persons with regard to the processing of personal data and on the
free movement of such data, and repealing Directive 95/46 / EC (General Data)
Protection Regulation))

● Relationship between personal information and confidentiality of communication
Corporate information
Communication secret

personal information

Unrelated to individual communication
Contractor's address and name

personal information

Secret of communication
Keeping close
Mamoru vs.

elephant

Contents of communication
Arrival Shin Turn issue
Date of communication
etc

Of protection
Target

Payment method
Fee

MoneyStagnation
Payment
amount
etc

Ten

Page 11

2 Definition

2 Definition
Telecommunications carriers, etc. (related to Article 3)
Article 3
The terms used in this guideline are based on the examples of terms used in Article 2 of the Act.
Or, the meanings of the terms listed in the following items shall be as specified in each item.
(1) Telecommunications carrier Telecommunications business (telecommunications stipulated in Article 2, Item 4 of the Telecommunications Business Law)
Refers to a business. ).
(2) Telecommunications services This refers to telecommunications services stipulated in Article 2, Item 3 of the Telecommunications Business Law.
(3) Telecommunications services Telecommunications services and services provided by telecommunications carriers as a business.
A service that accompanies this.
(4) User A person who uses telecommunications services.
(5) Conclude a contract with a subscriber telecommunications carrier to receive telecommunications services.
To say a person.

The terms used in this guideline broadly refer to personal information handled by telecommunications carriers.
Since it is an elephant, it does not necessarily match the example of terms in the Telecommunications Business Law.

A "telecommunications carrier" is registered under the Telecommunications Business Law for operating a telecommunications business.
A person who has undergone an administrative procedure called notification, but must be provided with the same service.
It is unreasonable to be excluded from the guidelines because they have not gone through the necessary procedures.
Therefore, in this guideline, regardless of the presence or absence of such procedures, electricity under the Telecommunications Business Law
It is intended for those who engage in the air communication business. In addition, the telecommunications business law is exempted from the application of the law No.
The provisions of Article 4 (Protection of Confidentiality) of the same law also apply to those who run the business specified in each item of Article 164, Paragraph 1.
Since there is no difference in the necessity of personal information protection, it is subject to this guideline. In addition,
Proper handling of personal information is required even for those who engage in telecommunications business without the purpose of profit.
Therefore, it is subject to this guideline. The discipline of the Telecommunications Business Law is the scale of business.
Regardless of the above, the measures required of telecommunications carriers in this guideline are the business rules.
It will be the same regardless of the model.
"Telecommunications service" means using telecommunications equipment to mediate the communication of others, and other telecommunications equipment.
Is defined as being used for others (Telecommunications Business Law, Article 2, Paragraph 3).
"Telecommunications services" are telecommunications services provided by telecommunications carriers in response to the needs of others.
In addition, the services associated with this are also included. As a service associated with telecommunications services, electricity
A service that is provided integrally with the air communication service and cannot be separated (on the network)
Filtering, lending of connected devices such as routers, system development / maintenance, etc.) and telecommunications carriers
Services (terminal location search, security) that are premised on the use of telecommunications services provided by
I, payment agency, terminal sales / guarantee, application software / video / music distribution, electronic

11

Page 12

2 Definition

Money point return service, telephone directory issuing business, etc.) are applicable.
In addition to the above, the same ID as personal information related to telecommunications services provided by telecommunications carriers, etc.
In the case of linking with, it corresponds to the telecommunications service.
A "user" is provided with telecommunications services with a telecommunications carrier under the Telecommunications Business Law.
A person who concludes a contract, but as seen in subscriber telephones, even if he is not a contractor, he is a telecommunications carrier.
Since it is possible to use business, it is just a telecommunications officer to protect the personal information of these persons.
The users of business are subject to the guidelines as "users".

"Subscriber" means a person who falls under the category of "user" under the Telecommunications Business Law.

(Note) This guideline covers personal information related to telecommunications services provided by telecommunications carriers.
(*). However, especially when the personal information is used in other businesses
Therefore, personal data related to telecommunications services and personal data related to other businesses can be shared with the same ID, etc.
When linking and managing in the same database, follow the purpose of this guideline.
Eh, it is appropriate to handle it under appropriate safety management.

(*) Regarding the handling of personal information related to business closely related to the provision of telecommunications services
Especially necessary cases include cases specified individually in this guideline.

personal information
"Personal information" (* 1) is "information about an individual" (* 2) (* 3) that survives, and "the information concerned".
A specific individual can be identified by the name, date of birth, or other description contained in.
(It can be easily collated with other information (* 4), thereby identifying a specific individual.
Including what will be cut. ) ”(Article 2, Paragraph 1, Item 1 of the Law) or“ Personal identification code (* 5) is included.
"What is done" (No. 2 of the same paragraph).
This guideline states that information about the dead, except for information about both the dead and the survivors.
Not covered, but properly handles information about the dead handled by telecommunications carriers
The need is the same as the information about the survivors, and the information about the dead is also cheap.
Implementation of all management measures, etc. Basically, it is stipulated in this guideline as well as information on survivors.
It is desirable to take measures and handle it properly.
Under the Telecommunications Business Law, confidentiality of communications is not subject to protection even after the death of the telecommunications party.
To
"Personal information" is information that identifies an individual, such as name, address, gender, date of birth, and facial image.
All that represent facts, judgments, and evaluations regarding attributes such as individual body, property, occupation, title, etc.
Information that is publicly available through evaluation information, publications, etc., as well as video and audio information.
Information is also included, regardless of whether it is concealed by encryption or the like.

12

Page 13

2 Definition

[Cases corresponding to personal information]
Case 1) Name of the person
Example 2) Date of birth, contact information (address, whereabouts, telephone number, email address), job title in the company
Or information about affiliation that combines them with the person's name
Case 3) Video information that can be identified by the person, such as information recorded on a security camera
Case 4) Voice recording information that can identify a specific individual because the name of the person is included, etc.
Case 5) An email address that can identify a specific individual (such as kojin_ichiro@example.com)
Even if the information is only the e-mail address, Kojinichi belonging to example company
If you know that it is Rowe's email address, etc.)
Case 6) Information about an individual added to the personal information after it is acquired (survives at the time of acquisition)
Even if a specific individual cannot be identified, new information will be added after acquisition.
If, or as a result of collation, a specific surviving individual can be identified, then the individual
Corresponds to personal information. )
Case 7) Official bulletin, telephone directory, staff record, legal disclosure documents (securities report, etc.), newspaper, home page
Specific individuals made public on SNS (social network services), etc.
Information that can identify

(* 1) The law is "Personal information", "Personal data" (see 2-7 (Personal data)), "Retained personal day"
"Ta" (see 2-8 (retained personal data)), "personal information requiring consideration" (2-4 (personal information requiring consideration)
(Refer to), "Anonymous processing information" (Refer to 2-9 (Anonymous processing information)), etc. are used properly.
Please note that the obligations imposed on personal information handling businesses are different.
(* 2) Information about the dead is also information about living individuals such as bereaved families.
In some cases, it corresponds to information about the living individual.
(* 3) Corporations and other organizations do not fall under the category of "individuals," so they are related to corporations and other organizations themselves.
The information to be provided does not correspond to "personal information" (however, information about officers, employees, etc.
Corresponds to personal information. ). "Individuals" are not limited to Japanese citizens, but also include foreigners.
(* 4) "It can be easily collated with other information" is immediately based on the actual situation of the telecommunications carrier.
It should be judged on a case-by-case basis, but it is common in normal business.
A state in which it can be easily collated with other information by a method, for example, another business.
In general, when it is difficult to collate, such as when it is necessary to make an inquiry to a person, it is easy to collate.
It is understood that it is in a state where it cannot be done.
(* 5) For the personal identification code, refer to 2-3 (Personal identification code).

(reference)
Law Article 2 (Paragraph 1)
1 In this law, "personal information" is information about living individuals, and is one of the following items.

13

Page 14

2 Definition

Anything that falls under any of these.
(1) Name, date of birth and other descriptions contained in the information (documents, drawings or electromagnetic records)
(Electromagnetic method (electronic method, magnetic method, etc. cannot be recognized by human perception)
Refers to the method. The same applies to item 2 of the next section. ) Is a record made. Article 18 Paragraph 2 Smell
Same. ), Recorded, or represented using voice, action or other methods.
All matters (excluding personal identification code). same as below. ) To identify a specific individual
What you can do (easily collate with other information to identify a particular individual
Including what can be done. )
(2) Those that include a personal identification code

Personal identification code (related to Article 2, Paragraph 2 of the Law)
"Personal identification code" is defined in the Cabinet Order as being able to identify a specific individual from the information alone.
Characters, numbers, symbols and other codes that are given, and the information that includes those that correspond to them is personal information.
It will be a report (see 2-2 (personal information)) (*).
The specific contents are as stipulated in Article 1 of the Cabinet Order and Articles 2 to 4 of the Regulations.
In Article 1, Item 1 of the Cabinet Order, any of the physical characteristics listed in the same items a to g is electronically displayed.
Of the letters, numbers, symbols and other codes converted for use in computers, "a specific individual
Individuals that meet the standards stipulated by the rules of the Personal Information Protection Commission as sufficient to identify
It is said to correspond to the person identification code. The standard is stipulated in Article 2 of the Regulations.
Of course, the ones that meet this standard and fall under the personal identification code are as follows.

B. Sequence of bases constituting deoxyribonucleic acid (also known as DNA) collected from cells
Genome data (bases that make up deoxyribonucleic acid (also known as DNA) collected from cells)
Of the sequence of), whole nuclear genome sequence data, all exo
Sequencing data, whole genome single nucleotide polymorphism (single nucleotide polymorphism:
SNP) data, sequence data consisting of more than 40 SNPs that are independent of each other,
Genotypic information such as a 4-base repeat sequence (STR) at 9 loci or higher
It is possible to authenticate the person by information

(B) Determined by the color of the skeleton and skin of the face and the position and shape of the eyes, nose, mouth and other facial parts
Full appearance
Extracted from facial skeleton and skin color and position and shape of eyes, nose, mouth and other facial parts
The person himself / herself with the device or software intended to authenticate the person himself / herself.
What made it possible to authenticate

14

Page 15

2 Definition

C. A linear pattern formed by the undulations of the surface of the iris.
From the linear pattern formed by the undulations on the surface of the iris, use infrared light, visible light, etc.
The published feature information is published by a device or software that aims to authenticate the person.
What makes it possible to authenticate a person

D. Determined by the vibration of the vocal cords during vocalization, the opening and closing of the glottis, the shape of the vocal tract, and its changes.
Voice quality
Vibration of vocal cords during vocalization extracted from voice, opening and closing of glottis, shape of vocal tract and its
A device that aims to authenticate the person himself / herself, such as a speaker recognition system, for characteristic information related to changes.
It is possible to authenticate the person by using a device or software.

E. Posture during walking, movement of both arms, stride length and other walking modes
Characteristic information extracted from posture during walking, movement of both arms, stride length and other walking modes
To authenticate the person with a device or software intended to authenticate the person.
What you can do

F. The staticity determined by the branching and end points of the veins under the skin of the palm or back of the hand or fingers.
Pulse shape
It is determined by the bifurcation and endpoints of the veins under the skin of the palm or back of the hand or fingers.
To authenticate the person with the characteristic information extracted from the shape of the vein using infrared light, visible light, etc.
To be able to authenticate the person with a device or software for the purpose of
Tate

Fingerprint or palm print
(Fingerprint) The person is authenticated by the feature information extracted from the fingerprint formed by the ridges on the surface of the finger.
You can authenticate yourself with a device or software intended to do this.
Sea urchin
(Palm print) Feature information extracted from the palm print formed by ridges and wrinkles on the surface of the palm,
Authenticate the person with a device or software intended to authenticate the person
What you can do

Chi combination
Combining characteristic information extracted from the items listed in Article 1, Item 1 (a) to (g) of the Cabinet Order
To authenticate the person with a device or software intended to authenticate the person.
What you can do

15

Page 16

2 Definition

(*) "To be different for each user or purchaser or person who receives the issue" (Law
Characters, numbers, symbols and other codes differ from those of Article 2, Paragraph 2, Item 2) depending on the user, etc.
It means to be.

(reference)
Law Article 2 (Paragraph 2)
2 In this law, "personal identification code" means a character, number, or symbol that falls under any of the following items.
Other codes specified by Cabinet Order.
(1) Characters and numbers converted to use the characteristics of a part of the body of a specific individual for use in a computer.
Numbers, symbols and other codes that can identify the specific individual
(2) Assigned for the use of services provided to individuals or the purchase of goods sold to individuals
It is written on a card or other document issued to an individual, or written by an electromagnetic method.
Recorded letters, numbers, symbols and other codes that are used, purchased or issued by the user or purchaser.
Assigned, described, or recorded to be different for each recipient
Can identify a specific user or purchaser or a person who receives the issue

Cabinet Order Article 1
Letters, numbers, specified by Cabinet Order under Article 2, Paragraph 2 of the Act on the Protection of Personal Information (hereinafter referred to as the "Act")
Symbols and other symbols shall be as follows.
(1) Characters converted to use any of the following physical characteristics for use in a computer,
Personal information protection as a number, symbol or other code sufficient to identify a specific individual
Those that meet the standards stipulated by the rules of the protection committee
B. Sequence of bases constituting deoxyribonucleic acid (also known as DNA) collected from cells
(B) Depending on the color of the skeleton and skin of the face and the position and shape of the eyes, nose, mouth and other parts of the face
Appearance to be decided
C. A linear pattern formed by the undulations of the surface of the iris.
D. Vibration of vocal cords during vocalization, opening and closing of glottis, shape of vocal tract and its change
E. Posture during walking, movement of both arms, stride length and other walking modes
F. The staticity determined by the branching and end points of the veins under the skin of the palm or back of the hand or fingers.
Pulse shape
Fingerprint or palm print
(2) Passport number of Article 6, Paragraph 1, Item 1 of the Passport Act (Act No. 267 of 1951)
(3) Basic pension number stipulated in Article 14 of the National Pension Act (Act No. 141 of 1959)
(4) Road Traffic Act (Act No. 105 of 1960), Article 93, Paragraph 1, Item 1 License Number
(5) Resident's card code stipulated in Article 7, Item 13 of the Basic Resident Registration Act (Act No. 81 of 1967)
(6) Act on the Use of Numbers for Identifying Specific Individuals in Administrative Procedures (2013)

16

Page 17

2 Definition

Year Law No. 27) Personal number stipulated in Article 2, Paragraph 5
(7) Individuals listed in the following certificates so that they will be different for each person who receives the issuance.
Characters, numbers, symbols and other codes specified by the rules of the Information Protection Commission
B. Insured person's certificate under Article 9, Paragraph 2 of the National Health Insurance Act (Act No. 192 of 1958)
(B) Coverage under Article 54, Paragraph 3 of the Act on Assurance of Medical Care for the Elderly (Act No. 80 of 1982)
Rogue certificate
C. Insured person's certificate of Article 12, Paragraph 3 of the Long-Term Care Insurance Law (Law No. 123 of 1997)
(8) Other characters, numbers, and symbols specified by the rules of the Personal Information Protection Commission as equivalent to the previous items
Other codes

Rule Article 2
Personal Information Protection Commissioner, Article 1, Item 1 of the Ordinance for Enforcement of the Act on the Protection of Personal Information (hereinafter referred to as the "Ordinance")
The standards stipulated in the rules of the society are within the appropriate range to ensure a level that can identify a specific individual.
Will be converted for use in a computer by an appropriate method.

Rule Article 3
The characters, numbers, symbols and other codes specified in the rules of the Personal Information Protection Commission under Article 1-7 of the Ordinance are as follows.
For each certificate listed in each item of, it shall be specified in each item.
(1) Certificate listed in Article 1, Item 7 (a) of the Ordinance Symbol, number and insurer number of the certificate listed in the same item (a)
issue
(2) Certificates listed in Article 1, Item 7 (b) and (c) of the Ordinance
Insurer number

Rule Article 4
The characters, numbers, symbols and other codes specified in the rules of the Personal Information Protection Commission of Article 1-8 of the Ordinance are as follows.
It shall be listed in.
(1) Health Insurance Law Enforcement Regulations (Ministry of Interior Ordinance No. 36 of 1918) Article 47, Paragraphs 1 and 2
Insurer ID symbol, number and insurer number
(2) Symbol, number and insurer number of the elderly beneficiary certificate in Article 52, Paragraph 1 of the Health Insurance Law Enforcement Regulations
(3) Enforcement Regulations of the Seafarers' Insurance Law (Ministry of Health and Welfare Ordinance No. 5 of 1945) Article 35, Paragraph 1 of the insured person's certificate
Number, number and insurer number
(4) Symbol, number and insurer number of the elderly beneficiary certificate in Article 41, Paragraph 1 of the Enforcement Regulations of the Seafarers' Insurance Law
(5) Passport stipulated in Article 2, Item 5 of the Immigration Control and Refugee Recognition Act (Cabinet Order No. 319 of 1951)
(Excluding those issued by the Government of Japan)
(6) Residence card number of Article 19-4, Paragraph 1, Item 5 of the Immigration Control and Refugee Recognition Act
(7) Participants of Article 1-7 of the Enforcement Regulations of the Private School Faculty and Staff Mutual Aid Law (Ministry of Education Ordinance No. 28, 1958)

17

Page 18

2 Definition

Certificate subscriber number
(8) Participant Dependent Certificate Participant Number in Article 3, Paragraph 1 of the Enforcement Regulations of the Private School Faculty and Staff Mutual Aid Law
(9) Participant number of the elderly beneficiary certificate in Article 3-2, Paragraph 1 of the Private School Faculty and Staff Mutual Aid Law Enforcement Regulations
(10) National Health Insurance Law Enforcement Regulations (Ministry of Health and Welfare Ordinance No. 53, 1958), Article 7-4, Paragraph 1
Elderly beneficiary certificate symbol, number and insurer number
(11) Membership Certificate of Article 89 of the National Public Employee Mutual Aid Association Law Enforcement Regulations (Ministry of Finance Ordinance No. 54 of 1958)
Symbol, number and insurer number
(12) Symbols, numbers and certificates of member dependents in Article 95, Paragraph 1 of the National Public Employee Mutual Aid Association Law Enforcement Regulations
And insurer number
(13) Symbol, number and elderly beneficiary certificate of Article 95-2, Paragraph 1 of the National Public Employee Mutual Aid Association Law Enforcement Regulations
And insurer number
(14) National Civil Service Mutual Aid Association Law Enforcement Regulations Article 127-2, Paragraph 1 Seamen's Union Membership Card and Seamen's Union
Dependent ID symbol, number and insurer number
(15) Local Public Employee Mutual Aid Association Law Enforcement Regulations (Prime Minister's Office, Ministry of Education, Ministry of Home Affairs Ordinance No. 1) No.
Membership card symbol, number and insurer number in Article 93, Paragraph 2
(16) Symbols and numbers of member dependents in Article 100, Paragraph 1 of the Mutual Aid Association Law Enforcement Regulations for Local Public Employees, etc.
No. and insurer number
(17) Symbol, number of elderly beneficiary certificate of Article 100-2, Paragraph 1 of the Mutual Aid Association Law Enforcement Regulations for Local Public Employees, etc.
No. and insurer number
(18) Seamen's Union Membership Certificate and Seamen's Union Member, Article 176, Paragraph 2 of the Mutual Aid Association Law Enforcement Regulations for Local Public Employees
Dependent ID symbol, number and insurer number
(19) Employment insurance insured under Article 10, Paragraph 1 of the Employment Insurance Law Enforcement Regulations (Ministry of Labor Ordinance No. 3 of 1975)
Insured person number of personal certificate
(20) Special provisions regarding immigration control for persons who have withdrawn from Japanese nationality based on a peace treaty with Japan
Law (Law No. 71 of 1991) Article 8, Paragraph 1, Item 3 Special Permanent Resident Certificate Number

Personal information requiring consideration (related to Article 2, Paragraph 3 of the Law)
"Personal information requiring consideration" is handled so as not to cause unfair discrimination, prejudice or other disadvantages.
Personal information that includes the following descriptions (1) to (11), etc.
U.
As a general rule, the consent of the person is required to acquire sensitive personal information and provide it to a third party.
Third-party provision under the provisions of Article 2 (third-party provision by opt-out) is not permitted.
Therefore, caution is required (3-2-3 (acquisition of sensitive personal information), 3-5-1 (principle of restriction of provision to third parties),
See 3-5-2 (provided by a third party by opt-out).
It should be noted that the following information is merely information that can be inferred (eg, purchasing books on religion, etc.)

18

Page 19

2 Definition

Information related to lending, etc.) is not included in sensitive personal information.

(1) Race
Broadly means race, descent or ethnic or racial origin. In addition, simple nationality and "outside"
The information "national" is a legal status and is not included in race by itself. Also, skin color
Is not included in the race because it is only information that suggests the race.

(2) Creed
It means an individual's basic view and way of thinking, and includes both thought and faith.

(3) Social status
Sticking to an individual as a situation, it is easily done by one's own power for the rest of his life
It means a position that cannot be escaped from, and does not include mere professional status or educational background.

(4) Medical history
It means a history of illness and shows a specific medical history (eg, a specific individual).
Is suffering from cancer, schizophrenia, etc.).

(5) Crime history
This applies to the criminal record, that is, the fact that this was confirmed after being convicted.

(6) Facts of being harmed by crime
The fact that you have been victim of a crime, whether physical, mental or financial.
means. Specifically, among the acts that can meet the constituent requirements stipulated in the punishment law, the sentence
Applicable to those who have started the procedure for the case.

(7) Physical disability, intellectual disability, mental disability (including developmental disability) and other personal information protection commission regulations
There is a disability of mental and physical functions specified by the regulations (related to Article 2, Item 1 of the Cabinet Order)
Refers to the information listed in (1) to (4) below. In addition, there is such a disability or in the past
Information that identifies what has happened (eg, comprehensively supports the daily life and social life of persons with disabilities
Being receiving disability welfare services based on the Act for
Or what I received in the past) also applies.
(1) "Physical disabilities listed in the attached table of the Physically Handicapped Persons Welfare Law (Law No. 283 of 1945)"
Information that identifies something
・ There is a physical disability listed in the attached table by a doctor or the Rehabilitation Counseling Center for the Physically Handicapped.
Was diagnosed or judged (including information on the name and degree of disability in the attached table)

19

Page 20

2 Definition

・ Received a certificate of the physically disabled from the prefectural governor, the head of a designated city, or the head of a core city
In addition, what you have or have had in the past (name of disability in the attached table and
Contains information about the degree. )
・ The person has a physical disability that is clearly listed in the attached table.
(2) It is special that there is "intellectual disability referred to in the Welfare Law for Persons with Intellectual Disabilities (Law No. 37 of 1960)"
Information to be determined
・ Doctor, child guidance center, mentally handicapped person rehabilitation counseling center, mental health and welfare center, disabled person
Diagnosed or judged to have intellectual disability by the industry center (regardless of the degree of disability)
Contains information to be done. )
・ Received and possessed a nursing notebook from the prefectural governor or the head of a designated city.
Things or possessions in the past (including information on the degree of disability)
③ "Act on Mental Health and Welfare for Persons with Mental Illness (Act No. 123 of 1950)
Mental disorders (Developmental disabilities support law (2004 law No. 167) stipulated in Article 2, Paragraph 1
Including developmental disabilities, excluding intellectual disabilities referred to in the Welfare Law for Persons with Intellectual Disabilities. ) ”
Information to be determined
・ Diagnosed by a doctor or mental health and welfare center as having a mental disorder or developmental disorder
Judgment (including information on the degree of disability)
・ Received a certificate of health and welfare for the mentally handicapped from the prefectural governor or the head of a designated city.
What you have or have had in the past (information about the degree of disability)
including. )
④ "Daily life of persons with disabilities due to illnesses for which no cure has been established or other special illnesses
It is also stipulated by the Cabinet Order of Article 4, Paragraph 1 of the Law for Comprehensive Support for Livelihood and Social Life.
The degree of disability caused by the above is the degree specified by the Minister of Health, Labor and Welfare in the same paragraph. "
Information to identify
・ Continuously daily due to disability caused by a special illness specified by the Minister of Health, Labor and Welfare by a doctor
Being diagnosed with significant restrictions on life or social life (name of illness or
Contains information about the degree. )

(8) Persons engaged in medical-related duties such as doctors for the person (“Doctors, etc.” in the next issue
That is. ) Health checkups and other tests for prevention and early detection of illness
(In the same item, it is referred to as "health diagnosis, etc.") (Relationship to Article 2, Item 2 of the Cabinet Order) (*)
Health checkups, health checkups, specific health checkups, conducted for the purpose of disease prevention and early detection
Health measurement, stress check, genetic test (excluding those performed in the course of medical treatment), etc.
The result of the test that reveals the health condition of the examinee is applicable.
As a specific example, it is carried out based on the Industrial Safety and Health Act (Act No. 57 of 1972).
As a result of the medical examination, the result of the stress check conducted based on the law, the doctor of the elderly

20

Page 21

2 Definition

Specified health examination conducted based on the Act on Ensuring Medical Care (Act No. 80 of 1982)
The result of is applicable. In addition, it is limited to the results of health examinations stipulated by law.
Not the results of inspections voluntarily conducted or subsidized by insurers and business owners such as human docks
Applicable. In addition, the person's person obtained by a genetic test performed without going through a medical institution
It also includes the genotype and the results corresponding to the susceptibility to the disease of the genotype. In addition, Ken
The fact that he received a medical examination, etc. does not apply.
In addition, information on personal health such as height, weight, blood pressure, pulse, body temperature, etc.
Applicable if it can be learned by a method unrelated to the business such as medical treatment and related business
Absent.

(9) Based on the results of medical examinations, etc., or because of illness, injury or other physical or mental changes, this book
Guidance, medical treatment, or dispensing to improve the physical and mental condition of a person is provided by a doctor, etc.
What was done (Cabinet Order Article 2, Item 3) (*)
"Based on the results of medical examinations, etc., the doctor, etc. improved the physical and mental condition of the person.
"The guidance was given" means that it is necessary to make efforts to maintain good health as a result of health examinations, etc.
The contents of health guidance, etc. provided by doctors or public health nurses are applicable to a certain person.
As a concrete example of the guidance given, a doctor or a doctor based on the Industrial Safety and Health Act
Contents of health guidance given by a public health nurse, interview guidance given by a doctor based on the law
By doctors, public health nurses, registered dietitians based on the law on ensuring medical care for the elderly
The contents of the specific health guidance provided are applicable. In addition, the content of health guidance stipulated by law
It is not limited to, but the insurer or business owner voluntarily conducted or received a medical examination with a subsidy.
The content of health guidance also applies. The fact that he received health guidance, etc. also applies.
"Based on the results of medical examinations, etc., or because of illness, injury or other physical or mental changes.
"The medical treatment was provided to the person by a doctor, etc." means hospitals, clinics, and other medical treatment.
In the process of medical treatment at the facility that provides the patient's physical condition, medical condition, treatment status, etc.
Refers to all the information that doctors, dentists, pharmacists, nurses and other healthcare professionals have learned.
For example, medical records and the like fall under this category. The fact that he visited a hospital, etc. also applies.
"Based on the results of medical examinations, etc., or because of illness, injury or other physical or mental changes.
"The dispensing was done by a doctor, etc." means hospitals, clinics, pharmacies, etc.
In the process of dispensing at a facility that provides medical care, the patient's physical condition, medical condition, treatment status, etc.
Therefore, a pharmacist (including the case where a doctor or a dentist dispenses by himself / herself according to his / her prescription)
Refers to all the information that can be obtained, such as dispensing records, medication history, and information recorded in the medication notebook.
Hit. The fact that the drug was dispensed at a pharmacy is also applicable.
In addition, information on personal health such as height, weight, blood pressure, pulse, body temperature, etc.
Applicable if you can find out by a method that is not related to the business such as medical treatment and related business
do not.

twenty one

Page 22

2 Definition

(10) Arrest, search, seizure, detention, prosecution, etc.
Procedures related to criminal cases have been carried out (excluding criminal background) (Cabinet Order Article 2, Item 4)
Person in charge)
The fact that the criminal case was filed with the person as the suspect or accused
Hit. The fact that he was investigated for a criminal investigation involving another person as a suspect, and interrogation as a witness
The information regarding the facts that were asked is because the person is not the suspect or the accused.
Not applicable to this.

(11) The juvenile or suspected juvenile stipulated in Article 3, Paragraph 1 of the Juvenile Law (Law No. 168 of 1948)
As a person, he is involved in investigations, guardianship measures, referees, protective measures and other juvenile protection cases.
Procedures to be carried out (related to Article 2, Item 5 of the Cabinet Order)
Regarding juvenile delinquency cases such as protective measures, assuming that the person is a juvenile delinquent or a person suspected of doing so
The fact that the procedure was carried out is applicable.

(*) Some information found by genetic testing can lead to discrimination and prejudice (eg, general)
May include possible illnesses, information on drug selection, etc.)
The information is provided by "a doctor or other person engaged in medical-related duties for the person.
Results of health examinations and other tests for prevention and early detection of illnesses ”(Cabinet Order
Article 2 No. 2) or "based on the results of medical examinations, etc., or illness, injury or other
To improve the physical and mental condition of the person by a doctor, etc. due to changes in the mind and body
Guidance, medical treatment, or dispensing was performed ”(related to Article 2, Item 3 of the Cabinet Order).
To

(reference)
Law Article 2 (Section 3)
3 In this law, "sensitive personal information" refers to the person's race, beliefs, social status, medical history, and crime.
Career, facts of being harmed by a crime, or other unfair discrimination against the person, prejudice or other disadvantages
Individuals that include a description specified by a Cabinet Order as something that requires special consideration in handling so that it does not occur
Refers to personal information.

Cabinet Order Article 2
The description, etc. specified by the Cabinet Order in Article 2, Paragraph 3 of the Act contains any of the following matters.
(Excluding those corresponding to the person's medical history or criminal history).
(1) Physical disability, intellectual disability, mental disability (including developmental disability) and other personal information protection commission regulations
There is a physical or mental disability specified by the rules.

twenty two

Page 23

2 Definition

(2) Persons engaged in medical-related duties such as doctors for the person (in the next issue, "doctors, etc."
Say. ) Health checkups and other tests for prevention and early detection of diseases (in the same item)
It is called "health checkup, etc." ) Result
(3) The person himself / herself based on the results of a medical examination, etc., or because of illness, injury or other physical or mental changes.
In response to this, doctors, etc. provided guidance, medical treatment, or dispensing to improve the physical and mental condition.
thing.
(4) Arrest, search, seizure, detention, prosecution and other punishment with the person as a suspect or accused
The procedure for the case has been carried out.
(5) The juvenile or suspected juvenile stipulated in Article 3, Paragraph 1 of the Juvenile Law (Law No. 168 of 1948)
As a person, investigations, guardianship measures, referees, protective measures and other juvenile protection cases
The continuation was done.

Rule Article 5
The following disorders are the physical and mental disorders stipulated by the rules of the Personal Information Protection Commission, Article 2, Item 1 of the Ordinance.
Harm.
(1) Physically Handicapped Persons Welfare Law (Law No. 283 of 1945) Physical disabilities listed in the attached table
(2) Intellectual disability referred to in the Welfare Law for Persons with Intellectual Disabilities (Law No. 37 of 1960)
(3) Mental disorders referred to in the Act on Mental Health and Welfare for Persons with Mental Illness (Act No. 123 of 1950)
Harm (including developmental disabilities stipulated in Article 2, Paragraph 1 of the Developmental Disability Support Act (Act No. 167 of 2004))
Excludes those listed in the previous item. )
(4) Daily life of persons with disabilities and other special illnesses for which no treatment method has been established
Government of Article 4, Paragraph 1 of the Act for Comprehensive Support for Social Life (Act No. 123 of 2005)
The degree of disability due to what is specified by the Ordinance is the degree specified by the Minister of Health, Labor and Welfare in the same paragraph.

Personal information database, etc. (related to Article 2, Paragraph 4 of the Law)

"Personal information database, etc." is to search for specific personal information using a computer.
It is a collection of information including personal information that is systematically constructed so that it can be done. Also, compute
Even if you don't use data, there are certain rules (for example, Japanese syllabary) for personal information processed on paper.
Organize and classify according to the order), so that you can easily search for specific personal information, the table of contents,
Those with indexes, codes, etc. that can be easily searched by others are also applicable.
However, items that fall under any of the following (1) to (3) are personal in terms of usage.
Since there is little risk of harming rights and interests, it does not fall under the category of personal information databases.

(1) It was issued for the purpose of selling to an unspecified number of people, and it
Was not issued in violation of the law or the provisions of an order based on the law.

twenty three

Page 24

2 Definition

(2) Being able to be purchased or made by an unspecified number of people at any time.
(3) It is used for its original purpose without adding other information about the living individual.
There is.

[Cases corresponding to personal information databases, etc.]
Example 1) E-mail address book (e-mail address and name) stored in e-mail software
If you have entered the combined information)
Example 2) Log information related to services used by users in Internet services
Electronic files organized and stored by user ID (user ID and personal information)
If the information can be easily collated)
Case 3) Employees use spreadsheet software for business card information (regardless of owner)
When inputting and organizing using etc.
Case 4) A dispatching company organizes registration cards in alphabetical order by name, and index in alphabetical order.
If the file is filed with a box

[Cases that do not correspond to personal information databases, etc.]
Case 1) Even if the employee puts his or her business card holder in a situation where others can freely view it,
When business cards are classified by a unique classification method that cannot be easily searched by others
Case 2) The return postcard of the questionnaire is not sorted by name, address, etc.
If
Example 3) Commercially available telephone directories, residential maps, staff records, car navigation systems, etc.

(reference)
Law Article 2 (Section 4)
4 In this law, "personal information database, etc." is a collection of information including personal information.
The following items (as those that are less likely to harm the rights and interests of individuals in terms of usage)
Excludes those specified by Cabinet Order. ).
(1) It is systematically configured so that specific personal information can be searched using a computer.
of
(2) In addition to the items listed in the previous item, systematically so that specific personal information can be easily searched.
What is specified by Cabinet Order as being composed of

Cabinet Order Article 3
1 From the viewpoint of how to use Article 2, Paragraph 4 of the Law, it is assumed that there is little risk of harming the rights and interests of individuals.
What is specified by the Ordinance shall fall under any of the following items.
(1) It was issued for the purpose of selling to an unspecified number of people, and it

twenty four

Page 25

2 Definition

The issuance was not made in violation of the law or the provisions of an order based on the law.
(2) Being able to be purchased or made by an unspecified number of people at any time.
(3) It is used for its original purpose without adding other information about the living individual.
That.
2 The personal information contained in the personal information specified by the Cabinet Order under Article 2, Paragraph 4, Item 2 of the Act shall be in accordance with certain rules.
It is systematically configured so that specific personal information can be easily searched by organizing it.
A collection of information that has a table of contents, index, and other information to facilitate searching.

Businesses handling personal information (related to Article 2, Paragraph 5 of the Law)
"Personal information handling business operator" is a person who uses a personal information database, etc. for business purposes.
Law Concerning the Protection of Personal Information Held by National Organizations, Local Public Organizations, Incorporated Administrative Agencies, etc. (2003)
Incorporated Administrative Agencies, etc. and Local Incorporated Administrative Agencies Act (Act No. 118 of 2003) stipulated in Law No. 59 of the Year
No.) means a person excluding local incorporated administrative agencies.
The "business" of "providing for business" here means repetitive and continuous with a certain purpose.
An act of the same type that is carried out and is recognized as a business according to social conventions, and is for-profit or non-business.
It doesn't matter what the interest is.
In addition, if the person uses the personal information database, etc. for business purposes, the personal information data
Individuals, regardless of the number of specific individuals identified by the personal information that makes up the base, etc.
It corresponds to a person handling business operator.
In addition, even if it is a non-profit organization (voluntary organization) or an individual who has no legal personality, personal information will be displayed.
If the database is used for business purposes, it corresponds to a business operator handling personal information.

(reference)
Law Article 2 (Section 5)
5 In this law, "personal information handling business operator" means to use personal information database, etc. for business purposes.
The person who is doing. However, the following persons are excluded.
(1) National agency
(2) Local public organizations
(3) Incorporated Administrative Agencies, etc. (Act on the Protection of Personal Information Held by Incorporated Administrative Agencies, etc. (2003)
Year Law No. 59) Refers to an incorporated administrative agency, etc. prescribed in Article 2, Paragraph 1. same as below. )
(4) Local Incorporated Administrative Agency (Local Incorporated Administrative Agency Act (Act No. 118 of 2003), Article 2, Paragraph 1
Refers to the prescribed local incorporated administrative agency. same as below. )

twenty five

Page 26

2 Definition

Personal data (related to Article 2, Paragraph 6 of the Law)
"Personal data" constitutes a "personal information database, etc." managed by a telecommunications carrier.
Refers to personal information.
In addition, based on Article 2, Paragraph 4 of the Law and Article 3, Paragraph 1 of the Cabinet Order, individual rights and interests in terms of usage
Items that are excluded from personal information databases, etc. because they are less likely to harm profits (eg, commercially available)
Personal information that composes the telephone directory, residential map, etc. of the company does not correspond to personal data (2-5 (personal information)
Database etc.).

[Cases corresponding to personal data]
Example 1) Personal information stored in an external recording medium from a personal information database, etc.
Example 2) Personal information printed on a form output on paper from a personal information database, etc.

[Cases that do not correspond to personal data]
Example) Personal information described in the input form, etc. before constructing the personal information database, etc.
Information

(reference)
Law Article 2 (Section 6)
6 In this law, "personal data" means personal information that constitutes a personal information database, etc.
U.

Retained personal data (related to Article 2, Paragraph 7 of the Law)
"Retained personal data" (* 1) is requested by the telecommunications carrier from the person or his / her agent.
Disclosure, correction, addition or deletion, suspension of use, erasure and suspension of provision to third parties (hereinafter
Below is called "disclosure, etc." ) Has the authority to respond (* 2) means "personal data".
However, of the personal data, the following or deleted within 6 months (cannot be updated)
except. ) What is different is not "retained personal data".

(1) By clarifying the existence or nonexistence of the personal data, the life, body or body of the person or a third party
Is a property that may cause harm to property.

(2) By clarifying the existence of the personal data, it promotes illegal or unjust acts.
Or something that may induce.
Case 1) Electricity to prevent damage caused by unreasonable demands by antisocial forces such as gangsters
An individual who is owned by a credit business and who corresponds to the antisocial force.

26

Page 27

2 Definition

Person data
Case 2) Electric power to prevent damage caused by unreasonable demands by suspicious persons or malicious complaints
Personal data held by the telecommunications carrier, with the person who performed the act as the person himself / herself

(3) There is a risk that the security of the country will be impaired by clarifying the existence of the personal data, etc.
There is a risk that the relationship of trust with the national or international organization will be damaged, or with other countries or international organizations.
Those that may suffer disadvantages in negotiations.

(4) Prevention, suppression or investigation of crimes by clarifying the existence of the personal data
Others that may interfere with the maintenance of public safety and order.
Case 1) Personal day acquired for the first time by inquiries about investigation-related matters from the police
Ta
Case 2) A telecommunications carrier that received an inquiry from the police regarding investigation-related matters regarding contractor information, etc.
However, the inquiry acceptance book / answer transmission book, inquiry target person list, etc. created in the process of responding
Personal data (* The contractor information itself corresponds to "retained personal data")
Case 3) Article 8 of the Act on Prevention of Transfer of Proceeds from Crimes (Act No. 22 of 2007)
Whether or not a suspicious transaction based on paragraph 1 (hereinafter referred to as "suspicious transaction") has been reported
Personal data newly created at the time of notification
Case 4) Personal data included in the information about the account used for the transfer fraud

(* 1) The law is "Personal information" (see 2-2 (personal information)), "Personal data" (see 2-7 (personal data)),
"Retained personal data", "Personal information requiring consideration" (see 2-4 (Personal information requiring consideration)) and "Anonymous
We use different terms such as "processing information" (see 2-9 (anonymous processing information)), and handle personal information.
Please note that the obligations imposed on vendors are different.
(* 2) 3-6-2 (Retained personal data) for cases where specific measures such as disclosure are required
(Disclosure of) See below. Regarding the handling of personal data, it is necessary to outsource it.
When a number of business operators handling personal information are involved, which personal information depends on the actual conditions of the contract, etc.
It will be judged whether the information handling business operator has the authority to respond to disclosure, etc.

(reference)
Law Article 2 (Section 7)
7 In this law, "retained personal data" is disclosed, corrected, and added by the business operator handling personal information.
Has the authority to add or delete, suspend use, delete, and suspend provision to third parties
It is personal data, and the public interest and other interests will be harmed by clarifying its existence.
Except for those specified by Cabinet Order or those that will be deleted within the period specified by Cabinet Order within one year.
The thing.

27

Page 28

2 Definition

Cabinet Order Article 4
The items specified by Cabinet Order under Article 2, Paragraph 7 of the Act shall be as follows.
(1) By clarifying the existence or nonexistence of the personal data, the life, body or property of the person or a third party
Items that may cause harm to production
(2) By clarifying the existence or nonexistence of the personal data, it promotes illegal or unjust acts, or
Things that can trigger
(3) If the existence or nonexistence of the personal data becomes clear, the security of the country may be impaired.
Or there is a risk that the relationship of trust with international organizations will be damaged, or in negotiations with other countries or international organizations.
Those that may suffer disadvantages
(4) Prevention, suppression or investigation of crimes and other matters by clarifying the existence of the personal data
Items that may interfere with the maintenance of public safety and order

Cabinet Order Article 5
The period specified by a Cabinet Order under Article 2, Paragraph 7 of the Act shall be June.

Anonymously processed information (related to Article 2, Paragraph 9 of the Law)
Regarding the definition of anonymously processed information, "Protection of personal information" defined by the Personal Information Protection Commission
Guidelines for Law (Anonymously Processed Information) ”(2016 Personal Information Protection Commission Notification No. 9
No.).

(reference)
Law Article 2 (Section 9)
9 In this law, "anonymously processed information" means according to the classification of personal information listed in each of the following items.
Personal information so that a specific individual cannot be identified by taking the measures specified in each item.
It is information about an individual obtained by processing, and the personal information can be restored.
It means something that has been prevented.
(1) Personal information corresponding to Paragraph 1, Item 1 Deleted some of the descriptions, etc. contained in the personal information.
To do (by a method that does not have regularity that can restore the part of the description, etc.
Includes replacement with other descriptions. ).
(2) Personal information corresponding to Paragraph 1, Item 2 All personal identification codes included in the personal information
(A method without regularity that can restore the personal identification code)
Including replacing with other description etc. ).

28

Page 29

2 Definition

Businesses handling anonymously processed information (related to Article 2, Paragraph 10 of the Law)
Regarding the definition of a business operator handling anonymously processed information, "Personal Information Protection" established by the Personal Information Protection Commission
Please refer to "Guidelines for the Law Concerning Protection (Anonymous Processing Information)".

(reference)
Law Article 2 (Section 10)
10 In this law, "anonymously processed information handling business operator" is a collection of information including anonymously processed information.
And systematically so that specific anonymously processed information can be searched using a computer.
Systematically configured so that other specific anonymously processed information can be easily searched.
What is specified by a Cabinet Order (in Article 36, Paragraph 1 as "anonymously processed information database, etc."
Say. ) Is used for business purposes. However, the persons listed in each item of Paragraph 5 are excluded.

Cabinet Order Article 6
What is specified by the Cabinet Order of Article 2, Paragraph 10 of the Law follows certain rules for anonymously processed information contained therein.
Systematically configured so that specific anonymously processed information can be easily searched by organizing
A collection of information that has a table of contents, an index, and other information that facilitates searching.

"Notify the person"
"Notify the person" means to notify the person directly, the nature of the business and the handling of personal information.
Depending on the situation, the content must be perceived by the person in a rational and appropriate manner.

[Case corresponding to notification to the person]
Case 1) Notify by directly handing out documents such as leaflets.
Case 2) Inform by oral or automatic response device.
Case 3) Notification by sending by e-mail, fax, etc., or by sending a document by mail, etc.
That.

(reference)
Law Article 18 (Paragraph 1)
1 When a business operator handling personal information acquires personal information, the purpose of use is announced in advance.
Unless there is a case, the purpose of use must be promptly notified or announced to the person.

* (Reference) In addition to the above, the main texts regarding "notify the person"
① Thing about purpose of use
Article 18, Paragraphs 3 and 4 of the Law (3-1-2 (change of purpose of use), 3-2-7 (notification of purpose of use, etc.)

29

Page 30

2 Definition

If you don't have to)
② Thing about provision to third party
Article 23, Paragraphs 2 and 3 of the Act, and Paragraph 5, Paragraphs 3 and 6 (3-5-2 (opt-out))
(Provided by a third party), 3-5-4 (if not applicable to a third party))
③ Matters related to requests for disclosure, etc.
Law Article 27, Paragraphs 2 and 3, Law Article 28, Paragraph 3, Law Article 29, Paragraph 3 and Law Article 30
Section 5 (3-6-1 (publication of matters related to retained personal data, etc.), 3-6-2 (opening of retained personal data)
(Show), 3-6-3 (correction of retained personal data, etc.), 3-6-4 (suspension of use of retained personal data, etc.))

"Publication"
"Publication" is to inform the general public of one's intention (to be known by an unspecified number of people).
(Announce so that it can be done), and when making the announcement, the nature of the business and the handling status of personal information
Therefore, it must be done in a rational and appropriate manner.

[Case corresponding to publication]
Example 1) Posting from the top page of your company's homepage to a place that can be reached with about one operation
Listing
Example 2) Poster, etc. in places where customers are expected to visit, such as their own stores and offices
Posting, pamphlets, etc.
Case 3) (In the case of mail-order sales) Posting in pamphlets, catalogs, etc. for mail-order sales

(reference)
Law Article 18 (Paragraph 1)
1 When a business operator handling personal information acquires personal information, the purpose of use is announced in advance.
Unless there is a case, the purpose of use must be promptly notified or announced to the person.

* (Reference) In addition to the above, the main provisions regarding "publication" by businesses handling personal information, etc.
① Thing about purpose of use
Article 18 Paragraph 3 of the Law (see 3-1-2 (Change of Purpose of Use))
② Thing about anonymous processing information
Law Article 36, Paragraphs 3, 4 and 6, Article 37, and Article 39 (3-8 (anonymously processed information)
Obligations of handling companies, etc.))
③ Other
Law Article 76, Paragraph 3

30

Page 31

2 Definition

"Personal consent"
"Personal consent" is the handling method in which the personal information of the person is indicated by the business operator handling personal information.
It means the manifestation of intention of the person concerned to consent to be handled in (confirm that he / she is the person concerned).
It is premised that it can be confirmed. ).
In addition, "obtaining the consent of the person" or "having the consent of the person" means the intention to consent to the person.
It means that the telecommunications carrier recognizes the display, and it depends on the nature of the business and the handling status of personal information.
In response, by a reasonable and appropriate method deemed necessary for the person to make a decision regarding consent.
There must be.
Not only with individual consent, but also in the contractual terms regarding the provision of telecommunications services, individuals
Provisions regarding the provision of information to third parties are stipulated, and telecommunications services are provided based on the contract terms.
When a contract regarding provision is concluded (* 1) and the provision is valid under private law (* 2), "the person's
It is understood as the case of "obtaining consent" or "having the consent of the person". However, unlimited third
When it is recognized that the provisions of the contract terms and conditions that allow the provision of the user are hindering the interests of the user, the telephone
It can be subject to business improvement orders under the Telecommunications Business Law.
However, the secrecy of communications (not limited to the content of communications, the address, name, place of origin, and communication of the parties involved in the communication)
Includes the presence or absence of communication components such as the date of communication and the existence of communication such as the number of communications. )
Regarding the handling of personal information, in principle, from the perspective of protecting the confidentiality of communications, the parties involved in the communications
Individual specific and clear consent is required, and agents, etc. that do not depend on the specific delegation of the communication parties, etc.
Cannot be agreed upon.
In addition, regarding the result caused by agreeing to the handling of personal information, minors,
Custody if the adult guardian, guardian, or assisted person does not have the ability to judge
It is necessary to obtain the consent of the person or legal representative.

(* 1) When a provision regarding the provision of personal information to a third party is established due to a change in the contract terms.

However, the change is valid under private law, and even for the parties who signed the contract before the change, after the change
When it is judged that the provisions are effective, it is understood that there is "the consent of the person".
(* 2) When it is against the public order and morals of Article 90 of the Civil Code (Act No. 89 of 1897) or the point of Article 95 of the same law
If there is a simple mistake, the consumer interest of Article 10 of the Consumer Contract Law (Law No. 61 of 2000)
It is valid when consent is invalid under private law, such as when it is considered to unilaterally harm the interests.
It cannot be said that there is consent, so it cannot be said that there is consent.

[Case with the consent of the person]
Case 1) Oral manifestation of consent from the person
Case 2) Receipt of a written consent (including electromagnetic records) from the person
Case 3) Receiving an email from the person to the effect that he / she agrees

31

Page 32

2 Definition

Case 4) Checking the confirmation column to the effect that the person agrees
Case 5) Click the button on the homepage to the effect that the person agrees
Case 6) Voice input to the effect that the person agrees, touch to the touch panel, buttons and switches
Input by etc.

(reference)
Law Article 16 (Paragraph 1)
1 The business operator handling personal information was specified by the provisions of the preceding article without obtaining the consent of the person in advance.
Personal information must not be handled beyond the scope necessary to achieve the purpose of use.

* (Reference) In addition to the above, the main texts regarding "personal consent"
① Thing about purpose of use
Article 16 (2) and (3) (2) to (4) of the Act (3-1-5 (succession of business), 3-1-6 (interest)
Exceptions to restrictions due to purpose)
② Regarding the acquisition of sensitive personal information
Article 17, Paragraph 2 of the Law (Refer to 3-2-3 (Acquisition of sensitive personal information))
③ Thing about provision to third party
Article 23, Paragraph 1 and Article 24 of the Act (3-5-1 (Principle of Restriction on Provision to Third Parties), 3-5-5 (Foreign Countries)
(Restrictions on provision to third parties))

"Offer"
"Provision" means that personal data, retained personal data or anonymously processed information can be used by anyone other than yourself.
It means to put it in a competent state. Personal data, retained personal data or anonymously processed information is physically provided
Even if it is not provided, personal data and possession can be obtained by using the network etc.
If personal data or anonymously processed information is available (if you are authorized to use it)
B), which corresponds to "offering".

(reference)
Law Article 2 (Section 7)
7 In this law, "retained personal data" is disclosed, corrected, and added by the business operator handling personal information.
Has the authority to add or delete, suspend use, delete, and suspend provision to third parties
It is personal data, and the public interest and other interests will be harmed by clarifying its existence.
Except for those specified by Cabinet Order or those that will be deleted within the period specified by Cabinet Order within one year.
The thing.

32

Page 33

2 Definition

Law Article 23 (Paragraph 1)
1 Businesses handling personal information do not obtain the consent of the person in advance, except in the following cases.
Do not provide personal data to third parties.
(1)-(4) Omitted

* (Reference) In addition to the above, the main provisions regarding "offering"
① Thing about provision to third party
Article 23, Paragraphs 2, 5, 24, 25, and 26 of the Act (3-5-2 (opt-out)
3-5-4 (if not applicable to a third party), 3-5-5 (provided to a third party in a foreign country)
Restrictions on provision), 3-5-6 (creation of records related to provision by a third party, etc.), 3-5-7 (when receiving provision by a third party)
(Confirmation, etc.))
(2) Requests related to suspension of provision of retained personal data to third parties
Article 30, Paragraphs 3, 4 and 5 of the Act (see 3-6-4 (suspension of use of retained personal data, etc.))
③ Thing about anonymous processing information
Article 36, Paragraph 4 and Article 37 of the Act (Refer to 3-8 (Obligations of Businesses Handling Anonymous Processing Information))

33

Page 34

3 Obligations of telecommunications carriers

3 Obligations of telecommunications carriers (Chapter 2 related)
Purpose of use of personal information (related to Articles 4 to 5 and Article 8 Paragraph 3)
Identification of purpose of use (related to Article 4, Paragraph 1)
Article 4 (Section 1)
1 When handling personal information, the telecommunications carrier uses it for the purpose of its use (hereinafter referred to as "use".
"Purpose". ) Must be specified as much as possible.

When handling personal information, telecommunications carriers should specify the purpose of use as specifically as possible.
It must be determined, but when identifying the purpose of use, the purpose of use is simply abstract and generally
Rather than specifying, personal information is ultimately used by telecommunications carriers for what kind of business
It is general and rational for the person to be provided and for what purpose personal information is used.
It is desirable to specify as concretely as you can imagine (*).
If it is assumed that personal information will be provided to a third party in advance, the purpose of use
When identifying, it must be specified so that it can be clearly understood (3-5-1 (third party).
(Principle of restrictions on provision)).

[Examples that specifically specify the purpose of use]
Example) A telecommunications carrier obtains a name, address, e-mail address, etc. from an individual as the product is sold.
In order to obtain, "Shipping of products in XX business, related after-sales service, new business
We will use it to inform you of information about goods and services. ”, Etc.
If indicated

[Cases where the purpose of use is not specified]
Case 1) "For use in business activities"
Case 2) "For use in marketing activities"

(*) The person identified by personal information in light of the contents of the business stipulated in the articles of incorporation, etc.
From the perspective, the range in which your personal information is used is specified to the extent that you can reasonably predict it.
If the scope of the purpose of use is assumed by clearly indicating the type of business, this
It may be sufficient, but in many cases, the purpose of use can be achieved simply by specifying the type of business.
It is understood that it cannot be specified as concretely as possible. In addition, in identifying the purpose of use
Even in the case of clearly indicating a business such as "○○ business", from the viewpoint of the person himself / herself, according to social conventions.
It is desirable to specify the range that is considered to contribute to the identification.
Also, abstract and general, such as simply "business activities", "improvement of customer service", etc.
It is understood that the purpose of use of the content is not as specific as possible.
Is done.

(reference)

34

Page 35

3 Obligations of telecommunications carriers

Law Article 15 (Paragraph 1)
1 When handling personal information, the business operator handling personal information uses it for the purpose of its use (hereinafter referred to as "use").
"Purpose". ) Must be specified as much as possible.

Change of purpose of use (related to Article 4, Paragraph 2, Paragraph 3, Article 8, Paragraph 3)
Article 4 (Section 2)
2 When changing the purpose of use, the telecommunications carrier has a relevance to the purpose of use before the change.
Do not go beyond what is reasonably acceptable.

Article 8 (Section 3)
3 When the telecommunications carrier changes the purpose of use, the person himself / herself regarding the changed purpose of use
Must be notified or made public.

The purpose of use specified in 3-1-1 (Specification of purpose of use) above is related to the purpose of use before the change.
The range reasonably recognized as having, that is, the purpose of use after the change is from the purpose of use before the change.
Therefore, according to social conventions, change within the limits that the person can usually expect and within the range that is objectively recognized (* 1).
It is possible. The changed purpose of use must be notified (* 2) to the person or announced (* 3).
Must be.
The specified purpose of use (including the purpose of use changed within the scope specified in Article 4, Paragraph 2)
If personal information is handled beyond the scope necessary to achieve the above, the same person shall be in accordance with Article 5, Paragraph 1.
You have to be willing. However, it is necessary for the protection of the person's body, etc., and the person's same
When it is difficult to get the intention, etc., when listed in each item of Article 5, Paragraph 3 (listed in Article 5, Paragraph 4)
(Refer to 3-1-7 (Exception to personal information related to confidentiality of communications in restrictions due to purpose of use))
except. ) Is necessary to achieve the specified purpose of use without obtaining the consent of the person in advance.
Personal information can be handled beyond the scope (3-1-6 (exception of restrictions depending on the purpose of use))
Teru).

(* 1) "The limit that the person can usually expect and the range that can be objectively recognized" is the subjectivity and electricity of the person.
It is not based on the arbitrary judgment of the telecommunications carrier, but on the judgment of the general public.
The range that can be expected by comparing the purpose of use for the first time and the purpose of use after the change, and is initially specified.
Judgment will be made by comprehensively considering how much it is related to the purpose of use.
(* 2) For "Notify the person", refer to 2-11 (Notify the person).
(* 3) For "publication", refer to 2-12 (publication).

(reference)
Law Article 15 (Paragraph 2)

35

Page 36

3 Obligations of telecommunications carriers

2 When changing the purpose of use, the business operator handling personal information has a relevance to the purpose of use before the change.
Then you must not go beyond what is reasonably acceptable.

Law Article 18 (Section 3)
3 If the business operator handling personal information changes the purpose of use, the changed purpose of use will be referred to as a book.
You must notify or publish to a person.

Scope of purpose of use (related to Article 4, Paragraph 3)
Article 4 (Section 3)
3 The purpose of use specified in Paragraph 1 is the range necessary to provide telecommunications services.
You must try not to exceed it.

Article 6 It is said that the acquisition of personal information is limited to cases where it is necessary to provide telecommunications services.
Based on the fact that the purpose of use specified by the provisions of Paragraph 1 is also provided, the telecommunications service is provided.
It stipulates that the range required for this purpose should not be exceeded.
However, the "range required to provide telecommunications services" includes the electricity currently provided.
Not limited to the range directly required for communication services, but related to it (for example, new
Questionnaire surveys for providing services, etc.) are also included. In addition, we provide telecommunications services
If you decide on a purpose of use that exceeds the necessary range, use it for that purpose.
It is appropriate to obtain the consent of the person.

Restrictions on purpose of use (related to Article 5, Paragraph 1)
Article 5 (Section 1)
1 A telecommunications carrier is specified by the provisions of the preceding article without obtaining the consent of the person in advance.
Personal information must not be handled beyond the scope necessary to achieve the purpose of use.

Telecommunications carriers go beyond the scope necessary to achieve the purpose of use specified in Article 4, Paragraph 1.
When handling personal information, the consent (*) of the person must be obtained in advance.
However, using personal information to obtain the consent (sending an email or making a phone call)
And etc.) correspond to non-purpose use even if it is not described as the originally specified purpose of use.
Absent.

(*) For "Personal consent", refer to 2-13 (Personal consent).

(reference)

36

Page 37

3 Obligations of telecommunications carriers

Law Article 16 (Paragraph 1)
1 The business operator handling personal information was specified by the provisions of the preceding article without obtaining the consent of the person in advance.
Personal information must not be handled beyond the scope necessary to achieve the purpose of use.

Business succession (related to Article 5, Paragraph 2)
Article 5 (Section 2)
2 Telecommunications carriers accept business from other personal information handling carriers due to mergers or other reasons.
If personal information is acquired in connection with the succession, we will accept it without obtaining the consent of the person in advance.
Beyond the scope necessary to achieve the purpose of use of the personal information before the succession, the personal information
Do not handle.

A telecommunications carrier has changed its business from another personal information handling business due to a merger, spin-off, business transfer, etc.
When personal information is acquired in connection with the succession, but before the succession of the personal information
If it is handled within the range necessary to achieve the purpose of use, it will not be used for purposes other than the intended purpose, and the consent of the person (*)
You don't have to get.
After the succession of the business, personal information will be collected beyond the scope necessary to achieve the purpose of use before the succession.
When handling it, it is necessary to obtain the consent of the person in advance, but in order to obtain the consent, personal information is required.
Use (sending emails, making phone calls, etc.) is described as the purpose of use before succession.
Even if it is not, it does not correspond to unintended use.

(*) For "Personal consent", refer to 2-13 (Personal consent).

(reference)
Law Article 16 (Paragraph 2)
2 The business operator handling personal information accepts business from other business operators handling personal information due to merger or other reasons.
If personal information is acquired in connection with the succession, without obtaining the consent of the person in advance, before the succession
We handle the personal information beyond the scope necessary to achieve the purpose of use of the personal information in
must not.

Exceptions to restrictions depending on the purpose of use (related to Article 5, Paragraph 3)
Article 5 (Section 3)
3 The provisions of the preceding two paragraphs do not apply in the following cases.
(1) When required by law
(2) When it is necessary to protect the life, body or property of a person, the consent of the person is obtained.
When it is difficult to get.

37

Page 38

3 Obligations of telecommunications carriers

(3) When it is particularly necessary to improve public health or promote the sound development of children
When it is difficult to obtain the consent of the person.
(4) A national institution or a local public body or a person entrusted with it performs the affairs stipulated by laws and regulations.
To obtain the consent of the person when it is necessary to cooperate in carrying out
When there is a risk of hindering the performance of the relevant affairs.

In the following cases, the purpose of use specified in Article 5, Paragraphs 1 and 2
It is required to obtain the consent (*) of the person when handling personal information beyond the range necessary for achievement.
Even if it is, the consent is not required.

(*) For "Personal consent", refer to 2-13 (Personal consent).

(1) When required by law (related to Article 5, Paragraph 3, Item 1)

If required by law, the consent of the person in advance is not applicable to Article 5, Paragraph 1 or Paragraph 2.
Handling personal information beyond the scope necessary to achieve the specified purpose of use without obtaining
Can be done.

Case 1) When responding to police investigation-related matters (Criminal Procedure Code (Law No. 131 of 1948))
Article 197, Paragraph 2)
Case 2) When responding to an investigation based on a warrant issued by a judge (Criminal Procedure Code, Article 218)
Case 3) When responding to a survey on income tax, etc. at the tax office (National Tax General Law (Act No. 66 of 1958)
No.) Article 74-2, etc.)
Case 4) When responding to inquiries from the bar association (Attorney Act (Act No. 205 of 1945) Article 23
of 2)

(2) Obtain the consent of the person when it is necessary to protect the life, body or property of the person.
When it is difficult (related to Article 5, Paragraph 3, Item 2)

It is necessary to protect specific rights and interests such as the life, body or property of a person (including a corporation).
In addition, if it is difficult to obtain the consent of the person, the application of Article 5, Paragraph 1 or Paragraph 2 is applied.
Beyond the scope necessary to achieve the specified purpose of use without obtaining the consent of the person in advance
Can handle personal information.

Case 1) When a sudden illness or other situation occurs, the blood type and family contact information of the person should be given.
When providing to doctors and nurses
Case 2) In the event of an emergency such as a large-scale disaster or accident, information on victims and injured will be provided to family members, government agencies, and sites.
When providing to local governments, etc.

38

Page 39

3 Obligations of telecommunications carriers

Case 3) Anti-social forces such as gangsters between telecommunications carriers and other personal information handling businesses
Power information, information about the account used for transfer fraud, information of those who intentionally interfere with business
When sharing information
Case 4) In an emergency where a product has a serious defect and requires protection of human life, body or property
When the manufacturer asks you to provide customer information and you need to respond to it.
Case 5) Information on the facts of financial crime damage such as illegal remittance, to prevent related crime damage
When providing to other businesses

(3) When it is particularly necessary to improve public health or promote the sound development of children.
When it is difficult to obtain the consent of the person (related to Article 5, Paragraph 3, Item 3)

It is especially necessary for the improvement of public health or the sound development of children who are in the process of mental and physical development.
In addition, if it is difficult to obtain the consent of the person, the application of Article 5, Paragraph 1 or Paragraph 2 is applied.
Beyond the scope necessary to achieve the specified purpose of use without obtaining the consent of the person in advance
Can handle personal information.

(4) A national institution or a local public body or a person entrusted with it carries out the affairs stipulated by laws and regulations.
When the telecommunications carrier needs to cooperate with the above, obtain the consent of the person.
When there is a risk of hindering the performance of the relevant affairs (Article 5, Paragraph 3, Item 4)
Relationship)

National organizations (including local public bodies or those entrusted by them) carry out affairs stipulated by laws and regulations
In order to do so, it is necessary to obtain the cooperation of private companies, etc., and it is necessary to obtain the consent of the person concerned.
If it is recognized that there is a risk of hindering the performance, the private company, etc. concerned shall be referred to as Article 5, Paragraph 1.
Or, without the application of paragraph 2 and without obtaining the consent of the person in advance, the specified purpose of use
Personal information can be handled beyond the scope necessary for achievement.

Case 1) A telecommunications carrier submits personal information at the request of a tax office or customs officer.
If
Case 2) When a telecommunications carrier submits personal information at the request of the police
Case 3) When a telecommunications carrier responds to a general statistical survey or a statistical survey conducted by a local public body

(reference)
Law Article 16 (Section 3)
3 The provisions of the preceding two paragraphs do not apply in the following cases.
(1) When required by law
(2) Obtain the consent of the person when it is necessary to protect the life, body or property of the person.

39

Page 40

3 Obligations of telecommunications carriers

When it is difficult.
(3) When it is particularly necessary to improve public health or promote the sound development of children.
When it is difficult to obtain the consent of the person.
(4) A national institution or a local public body or a person entrusted with it carries out the affairs stipulated by laws and regulations.
When it is necessary to cooperate with what to do, the relevant affairs can be obtained with the consent of the person.
When there is a risk of interfering with the performance of.

Exceptions to personal information related to confidentiality of communications in restrictions based on the purpose of use (related to Article 5, Paragraph 4)
Article 5 (Section 4)
4 Notwithstanding the provisions of the preceding three paragraphs, the telecommunications carrier shall, with the consent of the user, other
Unless there is a reason to prevent illegality, personal information related to confidentiality of communications should not be used.
Absent.

Matters that fall under the secrecy of communications were issued by a judge with the consent of the parties to the communications.
If you follow a warrant, if you fall under self-defense or emergency evacuation, or if there are other reasons for preventing illegality
Except for cases, acquisition, storage, use and provision to third parties are not permitted (Telecommunications Business Law, Article 4 Seki).
Person in charge).
Therefore, personal information even if it falls under the provisions of Article 5, Paragraphs 1 to 3.
If is also a confidential communication, there may be a reason for the consent of the parties to the communication or the prohibition of illegality.
Except, the use of the information is not permitted. This is when using within the scope of the purpose of use.
The same is true.

(*) Refer to 2-13 (Person's consent) for consent regarding the handling of personal information related to confidentiality of communications.
That thing.

Acquisition of personal information (related to Articles 6 to 8)
Acquisition restrictions (related to Article 6)
Article 6
Telecommunications carriers need to provide telecommunications services for the acquisition of personal information
You must try only in cases.

Telecommunications carriers provide telecommunications services to prevent the acquisition of unnecessary personal information.
Therefore, we must endeavor to obtain personal information only when necessary. However, "telecommunications
If necessary to provide the service, for the telecommunications service currently provided
Not only when it is directly needed, but also what is related to it (for example, for providing new services)

40

Page 41

3 Obligations of telecommunications carriers

Includes surveys, etc.).

3-2-2 Appropriate acquisition (related to Article 7, Paragraph 1)
Article 7 (Section 1)
1 Telecommunications carriers must not acquire personal information by deception or other improper means.

Telecommunications carriers must not acquire (* 1) personal information by fraudulent means such as deception (* 1).
2).

[Case where a telecommunications carrier acquires personal information by fraudulent means]
Case 1) From children and persons with disabilities who do not have sufficient judgment ability, it is irrelevant considering the acquisition situation
When acquiring family personal information such as family income situation without the consent of the family
Case 2) Obtaining personal information by compelling to violate the restrictions on provision to third parties stipulated in Article 15, Paragraph 1.
If you do
Case 3) A book that intentionally shows false information about the subject that acquires personal information and the purpose of use.
When acquiring personal information from a person
Case 4) Instruct other businesses to acquire personal information by fraudulent means, and individuals from the other businesses
When getting information
Case 5) Knowing that the third party provision restriction stipulated in Article 15, Paragraph 1 is about to be violated,
Or when acquiring personal information even though it can be easily known
Case 6) It is also possible to know or easily know that personal information has been acquired by fraudulent means.
Regardless, when acquiring the personal information

(* 1) When information including personal information is made public via the Internet, etc., simply
If you only browse this and do not post it, it means that you have acquired personal information.
Not understood.
(* 2) A telecommunications carrier, its employees, or those who were these, regarding their business
Personal information database, etc. handled (all or part of it is duplicated or processed
Including. ) For the purpose of improper profits of oneself or a third party, or plagiarism
In such cases, criminal penalties (imprisonment of up to 1 year or fines of up to 500,000 yen) will be imposed according to Article 83 of the Act.
Can be done.

(reference)
Law Article 17 (Paragraph 1)
1 Businesses handling personal information must not acquire personal information by deception or other improper means.

41

Page 42

3 Obligations of telecommunications carriers

3-2-3 Acquisition of sensitive personal information (related to Article 7, Paragraph 2)
Article 7 (Section 2)
2 Telecommunications carriers, except in the following cases, do not obtain the consent of the person in advance.
You must not obtain sensitive personal information.
(1) When required by law
(2) When it is necessary to protect the life, body or property of a person, the consent of the person is obtained.
When it is difficult to get.
(3) When it is particularly necessary to improve public health or promote the sound development of children
When it is difficult to obtain the consent of the person.
(4) A national institution or a local public body or a person entrusted with it performs the affairs stipulated by laws and regulations.
To obtain the consent of the person when it is necessary to cooperate in carrying out
When there is a risk of hindering the performance of the relevant affairs.
(5) The sensitive personal information is the person, the national institution, the local public body, each item of Article 76, Paragraph 1 of the Law.
To persons listed in, foreign governments, foreign government agencies, foreign local governments, international organizations or foreign countries
When published by a person equivalent to the person listed in each item of Article 76, Paragraph 1 of the Act
(6) By visually observing or photographing the person, personal information requiring consideration that is clear in appearance can be obtained.
When to get
(7) In the cases listed in each item of Article 15, Paragraph 10, the sensitive personal information that is personal data
When receiving an offer.

In order to obtain sensitive personal information (* 1), the consent of the person (* 2) must be obtained in advance.
Not. However, in the cases listed in (1) to (7) below, it is necessary to obtain the consent of the person.
There is no.
In addition, even if the telecommunications carrier acquires sensitive personal information, it will provide telecommunications services.
When concluding a contract or providing the service, it is unreasonable for a specific user based on the information.
No discriminatory treatment should be carried out (Article 6 of the Telecommunications Business Law).

(1) When required by law (related to Article 7, Paragraph 2, Item 1)

If required by law, obtain sensitive personal information without obtaining the consent of the person in advance.
be able to.

(2) Obtain the consent of the person when it is necessary to protect the life, body or property of the person.
When it is difficult (related to Article 7, Paragraph 2, Item 2).

It is necessary to protect specific rights and interests such as the life, body or property of a person (including a corporation).
And if it is difficult to obtain the consent of the person, without obtaining the consent of the person in advance,
It is possible to obtain sensitive personal information.

42

Page 43

3 Obligations of telecommunications carriers

Case 1) Between a telecommunications carrier and another business operator handling personal information, for fraud countermeasures, etc.
Among the information on antisocial forces such as gangsters and the information on those who intentionally interfere with business, business interruption in the past
When sharing information such as the fact that you were arrested for harm
Case 2) Information on the facts of financial crime damage such as illegal remittance, to prevent related crime damage
When acquiring from other businesses

(3) When it is particularly necessary to improve public health or promote the sound development of children.
When it is difficult to obtain the consent of the person (related to Article 7, Paragraph 2, Item 3).

It is especially necessary for the improvement of public health or the sound development of children who are in the process of mental and physical development.
And if it is difficult to obtain the consent of the person, without obtaining the consent of the person in advance,
It is possible to obtain sensitive personal information.

(4) A national institution or a local public body or a person entrusted with it carries out the affairs stipulated by laws and regulations.
When it is necessary to cooperate with the matter, the matter is obtained by obtaining the consent of the person.
When there is a risk of hindering the performance of duties (related to Article 7, Paragraph 2, Item 4).

National organizations (including local public bodies or those entrusted by them) carry out affairs stipulated by laws and regulations
In order to do so, it is necessary to obtain the cooperation of private companies, etc., and it is necessary to obtain the consent of the person concerned.
If it is recognized that there is a risk of hindering performance, the private company, etc. concerned shall be the person in advance.
It is possible to obtain sensitive personal information without obtaining the consent of.

Example) Personal information that a telecommunications carrier corresponds to sensitive personal information at the request of the police
When acquiring the personal information in order to submit a report

(5) The relevant personal information requiring consideration is listed in each item of Article 76, Paragraph 1 of the Act, the person, the national institution, the local public body.
When it is disclosed by a person who is a person or other person specified by the rules of the Personal Information Protection Commission (Article 7, Paragraph 2)
No. 5 relation)

If sensitive personal information is disclosed by the following persons, obtain the consent of the person in advance.
It is possible to obtain the publicly available personal information requiring consideration without obtaining it.

① The person
② National institution
③ Local public organizations
④ Broadcasting organizations, newspaper companies, news agencies and other news organizations (including individuals who engage in news reporting)
⑤ A person who writes as a business

43

Page 44

3 Obligations of telecommunications carriers

⑥ Universities and other institutions or organizations for the purpose of academic research, or those who belong to them
⑦ Religious group
⑧ Political organization
⑨ Foreign government, foreign government agency, foreign local public body or international organization
⑩ Persons equivalent to those listed in each item of Article 76, Paragraph 1 of the Act in a foreign country

(6) Obtain personal information that requires special consideration in appearance by visually observing or photographing the person.
(Relationship to Article 7, Paragraph 2, Item 6)

Matters included in sensitive personal information due to the external characteristics of the person, regardless of the person's intention
When (example: physical disability, etc.) is obvious, the relevant requirement is required without obtaining the consent of the person in advance.
Consideration Personal information can be obtained.

Example) A physically handicapped person visits the store, and the corresponding clerk records that fact in the customer response record, etc.
If you do (obtain by visual inspection) or if you have a physical disability, the security device installed in the store
When reflected in Mela (acquired by shooting)

(7) Provision of sensitive personal information, which is personal data, in the cases listed in each item of Article 15, Paragraph 10.
When receiving (related to Article 7, Paragraph 2, Item 7).

Collect sensitive personal information by consignment, business succession or shared use as stipulated in each item of Article 15, Paragraph 10.
If you want to get it, you do not need to get the consent of the person in advance.

[Cases that violate Article 7, Paragraph 2]
Without the consent of the person, anyone other than those specified in Article 7, Paragraph 2, Item 5 can use the Internet.
We have obtained information about the person's beliefs, criminal history, etc. from the publicly available information and already have it.
Register in your own database, etc. as part of the information about the person.

(* 1) Please refer to 2-4 (Personal information requiring consideration) for "Personal information requiring consideration". In addition, consideration is required
In principle, the consent of the person is required to provide personal information to a third party, and opt-out is required.
Please note that third-party provision is not permitted (3-5-1 (third-party provision)
Principle of restriction), 3-5-2 (provided by a third party by opt-out)).
(* 2) For "Personal consent", refer to 2-13 (Personal consent). Telecommunications business
When a person properly obtains sensitive personal information directly from the person in writing or verbally, etc.
The telecommunications carrier takes the information when the person provides the information.
It is understood that there was the consent of the person to obtain.
In addition, when the telecommunications carrier acquires sensitive personal information by a method provided by a third party,
The provider requires the consent (delivery required) from the person based on Article 7, Paragraph 2 and Article 15, Paragraph 1.

44

Page 45

3 Obligations of telecommunications carriers

Consideration It is premised that the acquisition of personal information and consent for provision to a third party have been obtained.
Therefore, the business operator handling the personal information that received the information is again referred to in Article 7, Paragraph 2 by the person himself / herself.
It is understood that there is no need to obtain based consent.

(reference)
Law Article 17 (Paragraph 2)
2 Businesses handling personal information do not obtain the consent of the person in advance, except in the following cases.
You must not obtain sensitive personal information.
(1) When required by law
(2) Obtain the consent of the person when it is necessary to protect the life, body or property of the person.
When it is difficult.
(3) When it is particularly necessary to improve public health or promote the sound development of children.
When it is difficult to obtain the consent of the person.
(4) A national institution or a local public body or a person entrusted with it carries out the affairs stipulated by laws and regulations.
When it is necessary to cooperate with what to do, the relevant affairs can be obtained with the consent of the person.
When there is a risk of interfering with the performance of.
(5) The sensitive personal information is listed in each item of Article 76, Paragraph 1 of the person, national organization, local public body.
When it is disclosed by a person who is a person or other person specified by the rules of the Personal Information Protection Commission
(6) Other cases specified by Cabinet Order as equivalent to the cases listed in the preceding items

Rule Article 6
A person specified by the rules of the Personal Information Protection Commission under Article 17, Paragraph 2, Item 5 of the Act shall be one of the following items.
Applicable person.
(1) Foreign governments, foreign government agencies, foreign local governments or international organizations
(2) Persons equivalent to those listed in each item of Article 76, Paragraph 1 of the Act in a foreign country

Cabinet Order Article 7
When specified by a Cabinet Order under Article 17, Paragraph 2, Item 6 of the Act, the following cases shall apply.
(1) By visually observing or taking a picture of the person, the personal information requiring consideration that is clear on the outside is acquired.
If
(2) Proposal of sensitive personal information, which is personal data, in the cases listed in each item of Article 23, Paragraph 5 of the Act.
When receiving a companion.

Acquisition of personal information related to confidentiality of communications (related to Article 7, Paragraph 3)
Article 7 (Section 3)
3 Notwithstanding the provisions of the preceding paragraph, the telecommunications carrier may make other differences with the consent of the user.

45

Page 46

3 Obligations of telecommunications carriers

Unless there is a reason for legal obstruction, personal information related to confidentiality of communications must not be obtained.
I.

Notwithstanding the provisions of Article 7, Paragraph 2, if personal information also falls under the confidentiality of communications, communication will be conducted.
Acquisition of such information is not permitted except with the consent of the parties or reasons for blocking illegality.

(*) Refer to 2-13 (Person's consent) for consent regarding the handling of personal information related to confidentiality of communications.
That thing.

Notification or publication of purpose of use (related to Article 8, Paragraph 1)
Article 8 (Section 1)
1 When a telecommunications carrier acquires personal information, it announces the purpose of use in advance.
Unless you have, you must promptly notify or announce the purpose of use to the person.
Not.

When acquiring personal information, the telecommunications carrier announces the purpose of use in advance (* 1).
It is desirable to be. If it is not announced, the purpose of use will be communicated to the person immediately after acquisition.
Must be notified (* 2) or published.

[Cases that require notification or publication to the person]
Case 1) When personal information that the person voluntarily makes public on the Internet is acquired (simply reviewed)
Except when only viewed. )
Case 2) When personal information is obtained from the Internet, official bulletin, staff record, etc. (simply browsed)
Except for the case of. )
Case 3) When personal information is provided to a third party

(* 1) For "publication", refer to 2-12 (publication).
(* 2) For "Notify the person", refer to 2-11 (Notify the person).

(reference)
Law Article 18 (Paragraph 1)
1 When a business operator handling personal information acquires personal information, the purpose of use is announced in advance.
Unless there is a case, the purpose of use must be promptly notified or announced to the person.

Obtained directly in writing (related to Article 8, Paragraph 2)
Article 8 (Section 2)

46

Page 47

3 Obligations of telecommunications carriers

2 The telecommunications carrier decides to conclude a contract with the person regardless of the provisions of the preceding paragraph.
Accompanying this, the person concerned stated in the contract or other documents (including electromagnetic records; the same shall apply hereinafter).
When acquiring personal information Other personal information of the person directly written in writing from the person
When acquiring it, the purpose of use must be clearly stated to the person in advance.
However, this does not apply if there is an urgent need to protect human life, body or property.
Absent.

For telecommunications carriers, write in contracts, prize application postcards, etc., and go to the user input screen.
If you want to obtain personal information directly from the person by electromagnetic recording such as typing in, please do so in advance.
The purpose of use must be clearly stated (*) to the person.
In addition, although we do not impose the obligation of this section until we obtain personal information verbally,
In that case, based on Article 8 Paragraph 1, announce the purpose of use in advance, or promptly after acquisition,
The purpose of use must be notified to the person or announced.
In addition, when there is an urgent need to protect the life, body or property of a person (including a corporation),
It is not necessary to clearly indicate the purpose of use to the person in advance, but in that case, Article 8 Paragraph 1
Based on the above, the purpose of use must be notified or announced to the person immediately after acquisition.
(See 3-2-5 (Notification or publication of purpose of use)).

[Case where the purpose of use must be clearly stated to the person in advance]
Case 1) When directly obtaining an application form, contract, etc. containing personal information of the person from the person
Case 2) When personal information described in the questionnaire is obtained directly from the person
Case 3) A person who wants to participate in a campaign sponsored by the company wants to apply for participation in the company's home.
When personal information entered on the page input screen is obtained directly from the person

[Cases that correspond to the explicit purpose of use]
Case 1) Hand over or send a contract or other document stating the purpose of use to the other party.
If
In addition, the purpose of use clause is stated in the contract terms or documents such as terms of use (including electromagnetic records).
When posting, for example, tell that the purpose of use is stated in the back side agreement, or back side
The purpose of use clauses stated in the contracts, etc. are also stated on the surface, and the person himself / herself recognizes it according to social conventions.
You can actually confirm the purpose of use, such as writing in a place you can understand and the size of the letters.
It is desirable to keep in mind.
Example 2) On the network, the purpose of use is on the company's homepage accessed by the person himself / herself.
When clearly indicating in or displaying on the person's terminal device.
When acquiring personal information on the network, the person himself / herself clicks the send button, etc.
Before clicking, etc., the purpose of use (with one operation on the screen showing the content of the purpose of use)
Includes links and buttons set to transition pages. ) Is arranged so that it catches the eye of the person
It is desirable to pay attention to the position.

47

Page 48

3 Obligations of telecommunications carriers

(*) "Clarify the purpose of use to the person" clearly indicates the purpose of use to the person.
The content is recognized by the person according to the nature of the business and the handling status of personal information.
It is necessary to use a reasonable and appropriate method.

(reference)
Law Article 18 (Paragraph 2)
2 The business operator handling personal information decides to conclude a contract with the person regardless of the provisions of the preceding paragraph.
Accompanying it, it is stated in the contract and other documents (including electromagnetic records; the same shall apply hereinafter in this section).
When acquiring the personal information of the person concerned Others The person concerned directly stated in writing from the person concerned
When acquiring personal information of, the purpose of use must be clearly stated to the person in advance.
It doesn't become. However, if there is an urgent need to protect human life, body or property,
Not limited to.

When it is not necessary to notify the purpose of use (related to Article 8, Paragraph 4)
Article 8 (Section 4)
4 The provisions of the preceding three paragraphs do not apply in the following cases.
(1) By notifying or disclosing the purpose of use to the person, the life, body, of the person or a third party,
When there is a risk of harming property or other rights and interests
(2) The rights of the telecommunications carrier or the rights of the telecommunications carrier by notifying or publicizing the purpose of use.
When there is a risk of harming legitimate interests
(3) Cooperate with national institutions or local public bodies to carry out the affairs stipulated by laws and regulations.
When it is necessary to notify the person of the purpose of use or publicize it.
When there is a risk of hindering the performance of office work.
(4) When it is recognized that the purpose of use is clear from the status of acquisition

In the following cases, to the person who intends to use the service in Article 8, Paragraphs 1 to 3.
Notification (* 1), publication (* 2) or explicit (* 3) (hereinafter referred to as "notification of purpose of use, etc." in this section)
Even if is required, notification of the purpose of use, etc. is not required.

(1) The life, body, or property of the person or a third party by notifying or publicizing the purpose of use.
When there is a risk of harming the product or other rights and interests (related to Article 8, Paragraph 4, Item 1)

By notifying or disclosing the purpose of use to the person, the life, body, property of the person or a third party
If there is a risk of harming other rights and interests, the application of Article 8, Paragraphs 1 to 3 applies.
However, there is no need to notify the purpose of use.

48

Page 49

3 Obligations of telecommunications carriers

(2) The right or correctness of the telecommunications carrier by notifying or publicizing the purpose of use.
When there is a risk of harming reasonable profits (related to Article 8, Paragraph 4, Item 2)

The rights or legitimate interests of the telecommunications carrier by notifying or publicizing the purpose of use.
If there is a risk of harming profits, the use of Article 8 (1) to (3) will not apply.
No notification of purpose is required.

Example) Information on antisocial forces such as gangsters, information on suspicious transaction notifications, and acts of obstruction of business
By clarifying that malicious person information, etc. was obtained from the person or another business operator, etc.
When the company that acquired the information is harmed

(3) It is necessary for national organizations or local public bodies to cooperate in carrying out the affairs stipulated by laws and regulations.
If there is, the purpose of use is notified to the person or announced to complete the office work.
When there is a risk of hindering the line (related to Article 8, Paragraph 4, Item 3).

National organizations (including local public bodies or those entrusted by them) carry out affairs stipulated by laws and regulations
In order to do so, it is necessary to obtain the cooperation of private companies, etc., and by notifying the person of the purpose of use, etc.
If it is recognized that there is a risk of hindering the performance of the relevant business, the relevant private company, etc.
Article 8 Paragraphs 1 to 3 do not apply, and notification of the purpose of use is not required.

Case) The police do not make public arrangements, and the suspect is expected to go around with personal information about the suspect.
Receive the personal information from the police when it is provided only to the telecommunications carrier that you think
By notifying the person of the purpose of use or announcing the purpose of use by the telecommunications carrier.
When there is a risk of interfering with investigative activities

(4) When it is recognized that the purpose of use is clear from the status of acquisition (Article 8, Paragraph 4, Item 4)
Relationship)

If it is recognized that the purpose of use is clear from the status of acquisition, Article 8, Paragraphs 1 to 3
It is not applicable up to the item, and notification of the purpose of use is not required.

Example 1) Obtaining personal information such as address and telephone number when selling and providing products and services
In order to ensure that the purpose of use is only to sell or provide the product or service.
When it seems that the purpose of use is
Case 2) When exchanging business cards as a general practice, the name, affiliation, and name / affiliation / affiliation / affiliation / affiliation /
Personal information such as titles and contact information will be acquired, but the purpose of use is for future contact.
(However, use a business card for the purpose of direct mail, etc.
Please note that this may not correspond to the obvious purpose of use. )

49

Page 50

3 Obligations of telecommunications carriers

(* 1) For "notification" to the person, refer to 2-11 (notify the person).
(* 2) For "publication", refer to 2-12 (publication).
(* 3) For "clarification", refer to 3-2-6 (obtained directly in writing, etc.).

(reference)
Law Article 18 (Section 4)
4 The provisions of the preceding three paragraphs do not apply in the following cases.
(1) Life, body, property of the person or a third party by notifying or disclosing the purpose of use to the person
When there is a risk of harming other rights and interests
(2) The rights of the business operator handling personal information by notifying or publicizing the purpose of use.
When there is a risk of harming legitimate interests
(3) It is necessary for national organizations or local public bodies to cooperate in carrying out the affairs stipulated by laws and regulations.
If there is, perform the relevant affairs by notifying the person of the purpose of use or making it public.
When there is a risk of interfering with.
(4) When it is recognized that the purpose of use is clear from the status of acquisition

Management of personal data, etc. (related to Articles 9 to 13)
Ensuring the accuracy of data contents (related to Article 9)
Article 9
Telecommunications carriers use the most accurate and personal data to the extent necessary to achieve the purpose of use.
You must try to keep it new.

Telecommunications carriers go to personal information databases, etc. to the extent necessary to achieve the purpose of use.
Procedures for collation / confirmation when entering personal information, and arrangements for corrections when errors are found
We strive to keep personal data accurate and up-to-date by updating equipment and recorded items.
There must be.
In addition, it is not necessary to update the personal data held uniformly or constantly, and the purpose of use for each
It suffices to ensure accuracy and up-to-dateness within the required range.

(reference)
Article 19 of the law
Is the personal information handling business operator accurate in personal data within the range necessary to achieve the purpose of use?
Keep the contents up-to-date and delay the personal data when it is no longer necessary to use it.
You must try to erase it.

50

Page 51

3 Obligations of telecommunications carriers

Retention period, etc. (related to Article 10, Paragraph 1)
Article 10 (Section 1)
1 Telecommunications carriers shall be personal data (excluding those related to confidentiality of communications; hereinafter referred to in this Article).
the same. ), The storage period shall be set within the range necessary for the purpose of use, and the relevant insurance shall be provided.
After the expiration of the term or after it is no longer necessary to use the personal data, the personal data will be deleted without delay.
I must try. However, this does not apply in the following cases.
(1) When it is necessary to save in accordance with the provisions of laws and regulations.
(2) With the consent of the person.
(3) When a telecommunications carrier stores personal data to the extent necessary to carry out its own business
And when there is a good reason not to erase the personal data.
(4) In addition to the cases listed in item 3 above, there is a special reason for not erasing the personal data.
When there is a reason.

When it is no longer necessary to use the personal data that we hold, that is, the purpose of use has been achieved.
When there is no reasonable reason to hold the personal data in relation to the purpose
In that case, although the purpose of use was not achieved, the business itself, which is the premise of the purpose, was canceled.
In some cases, it is appropriate to delete the personal data without delay (*), and the purpose should be thoroughly understood.
From the point of view, the telecommunications carrier must endeavor to set the storage period according to the purpose of use.
Also, even within the storage period, you must try to delete it after you no longer need to use it.
Not.
On the other hand, depending on personal data, it may be difficult to set a uniform retention period.
We do not require you to set a retention period for all personal data. But in this case
However, if the purpose of use is achieved, we must try to erase it without delay.
However, the cases listed in each item of Article 10, Paragraph 1 or personal data related to the confidentiality of communications are appropriate for this provision.
I don't get any use.

[Cases applicable when it is no longer necessary to use personal data]
Example) We hold personal data of applicants for the campaign in order to send prizes for the campaign.
When the prizes were shipped, a reasonable period for non-delivery, etc. had passed.
Go

(*) "Erase of personal data" means making the personal data unusable as personal data.
In addition to deleting the personal data, identify a specific individual from the personal data.
Including things that cannot be done.

On the other hand, in the following cases, the individual concerned even after the storage period has elapsed or the purpose of use has been achieved.
Human data can not be erased.

51

Page 52

3 Obligations of telecommunications carriers

(1) When it must be preserved based on the provisions of laws and regulations (related to Article 10, Paragraph 1, Item 1)

Corporate Tax Law (Law No. 34 of 1965) Article 126, Corporate Tax Law Enforcement Regulations (Ministry of Finance Ordinance No. 1965)
No. 12) Article 59 and the Extraordinary Special Law Enforcement Regulations Concerning Telephone Subscription Rights (Ministerial Ordinance No. 18 of 1958)
If storage is required by law such as Article 4, after the storage period has elapsed or the purpose of use has been achieved.
Even after that, personal data can not be erased.

(2) With the consent of the person (related to Article 10, Paragraph 1, Item 2)

Save with the consent (*) of the person, such as when the person specifically requests to save
Personal data can not be deleted even after the period has passed or it is no longer necessary to use it.
(*) For "Personal consent", refer to 2-13 (Personal consent).

(3) When a telecommunications carrier stores personal data to the extent necessary to carry out its own business.
When there is a good reason not to delete the personal data (Article 10, Paragraph 1)
No. 3 relation)

Information on persons who have been delinquent in charges and have been suspended in the past can be saved even after the contract is canceled.
In the case of storing personal data to the extent necessary for business execution, such as
If there is a good reason not to delete, it is necessary to use it after the storage period has elapsed.
Personal data can not be erased even after the data is gone.

(4 ) In addition to the cases listed in item 3 above, there is a special reason for not erasing the personal data.
At one time (related to Article 10, Paragraph 1, Item 4)

Save certain personal data from law enforcement agencies that could be evidence of a criminal case
If there is a special reason for not erasing, such as when requested, the storage period has passed.
Personal data can not be erased after a while or after the purpose of use is achieved.

(reference)
Article 19 of the law
Is the personal information handling business operator accurate in personal data within the range necessary to achieve the purpose of use?
Keep the contents up-to-date and delete the personal data without delay when it is no longer necessary to use it.
You must try to leave.

52

Page 53

3 Obligations of telecommunications carriers

Exceptions to personal information related to confidentiality of communications during the retention period (related to Article 10, Paragraph 2)
Article 10 (Section 2)
2 The telecommunications carrier may have other reasons to prevent illegality with the consent of the user.
Except when personal information related to confidentiality of communications must not be stored and storage is permitted.
However, after achieving the purpose of use, the personal information must be deleted promptly.

Personal information related to confidentiality of communications, such as communication history, is the consent of the parties involved in the communication and other reasons for blocking illegality.
As a general rule, keep the record as it is necessary to keep the record to a minimum unless there is a case.
It must not be, and even if it is permitted to be preserved, to the extent of the consent of the communicating parties or for the purpose of preservation.
Do not store beyond the required range, and when the purpose of use is achieved, the individual concerned promptly
Erase information (In addition to erasing information that corresponds to the secrecy of communications, individuals that do not correspond to the secrecy of communications
This includes making it impossible for the person to identify the person's information. )Must.

(*) Refer to 2-13 (Person's consent) for consent regarding the handling of personal information related to confidentiality of communications.
That thing. For saving the communication history, refer to 5-1 (Recording the communication history).

Safety management measures (related to Article 11)
Article 11
A telecommunications carrier shall handle personal data or personal information related to confidentiality of communications (hereinafter referred to as "individuals").
People data, etc. " ) Leakage, loss or damage prevention and other safety management of personal data, etc.
Necessary and appropriate measures (hereinafter referred to as "safety management measures") must be taken for this purpose.

Telecommunications carriers use personal data they handle or personal information related to confidentiality of communications (hereinafter referred to as "individuals").
Data, etc. " ) Leakage, loss or damage (hereinafter referred to as "leakage, etc.") and other
Necessary and appropriate measures (hereinafter referred to as "safety management measures") for the safety management of personal data, etc.
You must take this measure, but the right to be incurred by the person in the event of leakage of personal data, etc.
Considering the magnitude of infringement of interests, the scale and nature of the business, the handling status of personal data, etc. (Handling)
Includes the nature and quantity of personal data, etc. ), Due to the nature of the medium on which personal data etc. are recorded
The content must be necessary and appropriate according to the schedule. Must be taken concretely
For examples of measures and methods for implementing the relevant items, see "7 (Attachment) Safety management measures to be taken.
See "Contents of".
In addition, even for personal information that does not correspond to personal data (so-called scattered information), the confidentiality of communication
It is desirable to take safety management measures because it can be said to be information related to.
In addition, when taking safety management measures, information and communication network safety and reliability standards (Akira)
The standards such as the Ministry of Posts and Telecommunications Notification No. 73) of 1987 shall be utilized. In addition, telecommunications equipment for business

(Telecommunications line equipment and telecommunications services that provide basic telecommunications services

53

Page 54

3 Obligations of telecommunications carriers

Regarding technical protection measures related to air communication equipment), electricity to install commercial telecommunications equipment
Techniques stipulated in the Business Telecommunications Equipment Regulations (Ministerial Ordinance No. 30 of 1985) for telecommunications carriers
It should also be noted that there is an obligation to maintain conformity with the surgical standards (Article 41 of the Telecommunications Business Law).
There is a need.

(reference)
Article 20 of the law
Businesses handling personal information prevent leakage, loss or damage of the personal data they handle, etc.
Necessary and appropriate measures must be taken for the security management of personal data.

Employee supervision (related to Article 12, Paragraphs 1 and 2)
Article 12 (paragraphs 1 and 2)
1 A telecommunications carrier provides its employees (including dispatched workers; the same shall apply hereinafter) with personal data, etc.
When handling it, the employee concerned so that the personal data etc. can be safely managed.
Must be supervised as necessary and appropriate.
2 Telecommunications carriers implement safety management measures and ensure proper handling of other personal data, etc.
For protection, the employee must endeavor to provide the necessary education and training.

Telecommunications carriers, in having their employees handle personal data, etc., are based on Article 11.
Necessary and appropriate supervision must be given to the employee so that he / she will comply with the safety management measures.
It doesn't become. At that time, if personal data etc. is leaked, the infringement of rights and interests suffered by the person himself / herself is large.
Considering this, the scale and nature of the business, the handling status of personal data, etc. (the nature of the personal data, etc. handled)
And quantity. ), Etc., to teach employees who handle personal data, etc.
It is desirable to take necessary and appropriate measures such as enhancing the content and frequency of training.
As the content of education and training, it is conceivable to disseminate internal rules and manuals related to safety management.
An "employee" is a direct or indirect command and supervision of a telecommunications carrier within the telecommunications carrier's organization.
Employees who are engaged in the work of a telecommunications carrier, etc., and are in an employment relationship (regular employees,
Not only contract employees, part-time employees, part-time employees, part-time employees, etc.), but also directors, executive officers, directors,
Auditors, auditors, dispatched employees, etc. are also included.

[Cases where employees are not supervised as necessary and appropriate]
Case 1) Employees are working in accordance with regulations that establish safety management measures for personal data, etc.
When personal data etc. is leaked as a result of not confirming that
Case 2) A notebook computer or external recording medium containing personal data, etc., in violation of internal regulations, etc.
As a result of neglecting the act even though it was taken out repeatedly, the personal computer or
When the recording medium is lost and personal data etc. is leaked

54

Page 55

3 Obligations of telecommunications carriers

(reference)
Article 21 of the law
A business operator handling personal information, when making its employees handle personal data, the individual concerned
Necessary and appropriate supervision of the employee must be provided to ensure the safety of the data.
Not.

Supervision of contractors (related to Article 12, Paragraph 3)
Article 12 (Section 3)
3 When a telecommunications carrier outsources all or part of the handling of personal data, etc., it will take it.
For those who have been entrusted with the handling so that the safety management of personal data, etc. entrusted to them can be achieved.
Necessary and appropriate supervision must be provided.

When a telecommunications carrier outsources all or part of the handling of personal data, etc. (* 1), outsource
Safety management measures for the personal data, etc. of the person who received the data (hereinafter referred to as "contractor")
Necessary and appropriate supervision must be given to the contractor so that it can be taken appropriately. Specifically
Telecommunications carriers should take measures equivalent to the safety management measures they should take based on Article 11.
It shall be supervised so that it can be done (* 2).
At that time, do not provide unnecessary personal data etc. for the business content to be entrusted.
As a matter of course, personal data etc. is leaked based on the contents of personal data etc.
Considering the magnitude of infringement of rights and interests that the person incurs in the event of an accident, etc., the scale of the business to be entrusted
Due to the nature and handling status of personal data (including the nature and amount of personal data handled), etc.
You must take the necessary and appropriate measures listed in (1) to (3) below according to the risk to be taken.
It does not become (* 3).

(1) Selection of an appropriate contractor

When selecting an outsourcer, the safety management measures of the outsourcer must be at least Article 20 of the Act and this guy.
"7 (Attachment) should be taken to confirm that it is equivalent to what is required of the consignor in the drine.
Each item specified in "Details of safety management measures" must be surely implemented according to the business content to be entrusted.
In addition to confirming the system and regulations of the contractor, a place to handle personal data etc. as necessary
Do not confirm in advance by going to a place or confirming by a rational alternative method.
Must be.

(2) Conclusion of consignment contract

The consignment contract includes safety management measures (persons who handle personal data, etc. at the consignee (work of the consignee)
Including persons other than persons. ), Details of safety management measures to be taken by the contractor, etc.),

55

Page 56

3 Obligations of telecommunications carriers

Conditions for confidentiality and subcontracting (whether or not subcontracting is permitted, and if subcontracting is permitted, subcontracting destination

To personal data, such as possible to select the person who is deemed to have properly dealt with, to re-commissioned
For written advance reporting or approval to telecommunications carriers and supervision of subcontractors
Matters related to this. If two or more stages of consignment are permitted, the same re-selection and supervision of consignees, etc.
It is necessary to determine matters related to. ), Handling of personal data, etc. at the end of the consignment contract ( individual)
Return of data , deletion, etc.), measures to be taken when the contract details are not observed (for example, safety management)
Matters concerning compensation for damages in the event that personal data, etc. is leaked without complying with the matters concerning
Cancellation, etc. when deficiencies in safety management measures are found) Regarding the handling of other personal data, etc.
It is appropriate to properly determine the matters to be specified. In addition, personal data, etc. entrusted by the consignee
It is desirable to include that the consignor reasonably grasps the handling status of.

(3) Understanding the handling status of personal data, etc. at the contractor

Regular audits to understand the handling status of outsourced personal data, etc.
After investigating the degree of implementation of the contents included in the consignment contract, etc.
Appropriate evaluation is desirable, including consideration of review.
In addition, when the outsourcer intends to subcontract, the outsourcer is the outsourcer, as in the case of outsourcing.
Regarding the other party to be subcontracted, the business content to be subcontracted, the handling method of personal data of the subcontractor, etc.
Receive prior reports or approval from the contractor, and through the contractor or as needed
By conducting regular audits, etc., the subcontractor will contact the subcontractor with respect to the subcontractor in this Article.
Proper supervision and subcontractors taking safety management measures under Article 11
It is desirable to check in minutes (* 4). Subcontracting will be carried out even after the subcontractor re-consigns
Same as the case.

[Cases where necessary and appropriate supervision is not provided to contractors]
Case 1) Externally without grasping the status of safety management measures such as personal data at the time of contract conclusion and after that
When the outsourcee leaks personal data, etc. as a result of outsourcing to the business operator of
Case 2) Do not instruct the contractor about the details of safety management measures necessary for handling personal data, etc.
As a result, if the contractor leaks personal data, etc.
Case 3) A letter of handling of personal data, etc. of the subcontractor without giving instructions regarding the conditions of subcontracting to the subcontractor.
As a result of neglecting to confirm the situation and subcontracting the processing of personal data etc., the subcontractor is an individual
When data etc. is leaked
Case 4) The contract includes that the outsourcer grasps the implementation status of subcontracting by the outsourcer.
Despite this, necessary measures such as requesting the contractor to report on subcontracting
As a result of subcontracting that is not recognized by the consignor without placing it, the subcontractor is personal data, etc.
If leaked

(* 1) "Consignment of handling of personal data, etc." means handling personal information regardless of the form and type of contract.

56

Page 57

3 Obligations of telecommunications carriers

It means that the business operator has another person handle personal data, etc. Specifically, an individual
Performing data input (including acquisition from the person), editing, analysis, output, etc.
Is expected to be outsourced.
(* 2) Where the consignor has taken high-level safety management measures that exceed the level required by Article 11.
In addition, it does not mean that the outsourcer is required to take the same measures, and the outsourcer is the 11th.
It is understood that it is sufficient to take the safety management measures of the level required by the article.
(* 3) When selecting an outsourcer or grasping the handling status of personal data, etc. at the outsourcee, take
It is necessary to take an appropriate method according to the content and scale of personal data to be outsourced.
However, for example, if necessary, go to a place where personal data etc. is handled or replace it.
Confirmation can be considered by a rational method (including oral confirmation).
(* 4) When the outsourcer does not perform "necessary and appropriate supervision" on the outsourcee, the outsourcer
If the subcontractor handles improperly when the subcontractor is subcontracted, the original consignor
Be careful when subcontracting because it can be judged as a violation of the law.

(reference)
Article 22 of the law
When a business operator handling personal information entrusts all or part of the handling of personal data, the handling thereof
Necessary and appropriate for the outsourced person so that the personal data entrusted to us can be safely managed.
Must be supervised.

Personal information protection manager (related to Article 13)
Article 13
The telecommunications carrier is a personal information protection manager (handling of personal data, etc. of the telecommunications carrier)
Responsible for. ), And formulate and supervise internal rules to comply with this guideline.
Strive to improve the inspection system and supervise the handling of personal data, etc. of the telecommunications carrier.
I have to get it.

Clarify the responsibility for the implementation of personal data protection measures, and the safety management measures in Article 11
Implementation and other proper handling of personal data, etc. Internal responsibility of the telecommunications carrier
In order to ensure the system, the telecommunications carrier should properly handle the personal data of the telecommunications carrier.
Persons who can supervise across the organization, such as officers who have the necessary authority to secure
Personal information protection manager) is assigned, and personal data required by the personal information protection manager responsibly
We must endeavor to supervise the handling of such items.
In addition, the establishment of a personal information protection manager is, in particular, fraudulent activity from inside or outside the telecommunications carrier.
It is also important to clarify the responsibility in order to prevent leakage of personal data etc. due to the purpose.
is there. In addition, the personal information protection manager should refer to "7 (separately) when formulating internal rules and establishing an audit system.
Appendix) It is desirable to include the measures stipulated in "Details of safety management measures to be taken".

57 57

Page 58

3 Obligations of telecommunications carriers

Privacy Policy (Article 14)
Publication of privacy policy (related to Article 14, Paragraph 1)
Article 14 (Section 1)
1 The telecommunications carrier has a privacy policy (the telecommunications carrier protects personal information)
Refers to the way of thinking and policies for promotion. ) Is appropriate.

Telecommunications carriers to ensure social trust in the protection of personal information of telecommunications carriers
Makes a declaration about the way of thinking and policies in promoting the protection of personal information
It is appropriate to publish as Sea.

Privacy policy should be written in easy-to-understand terms by each telecommunications carrier
However, the following items should be stated in the privacy policy.
Is done.
① Compliance with the provisions of the Telecommunications Business Law and other related laws and regulations related to the confidentiality of laws and communications
② Compliance with this guideline
③ Matters to be announced as stipulated in each item of Article 19, Paragraph 1
(I) Name or name of the telecommunications carrier
(Ii) Purpose of use of retained personal data
(Iii) Procedures for responding to requests from the person such as notification of purpose of use or disclosure or correction
(Iv) Where to file a complaint
(V) Name of authorized personal information protection organization and address for resolving complaints
④ Policy on safety management measures in Article 11
⑤ Matters concerning the protection of users' rights and interests
(I) Direct mail will be sent when requested by the person regarding the retained personal data.
Voluntarily respond to suspension of use, etc.
(Ii) Promote transparency of outsourced processing, such as clarifying the presence or absence of outsourced work and the content of outsourced office work.
thing
(Iii) Telecommunications carriers limit the purpose of use for each type of user in consideration of their business content.
Or, the telecommunications carrier voluntarily takes the limitation of the purpose of use according to the person's choice.
To make the purpose of use clearer for the person, such as assembling
(Iv) Be as specific as possible about the source of personal information or the method of obtaining it (type of source, etc.)
To specify

In addition to the above, for the purpose of use at the time of acquisition (Article 8, Paragraphs 1 and 3), opt-out
Items of personal data when providing personal data to a third party (Article 15, Paragraph 2, Paragraph 3,
Paragraph 9), items of personal data shared in shared use, etc. (Article 15, Paragraph 10, Item 3)

58

Page 59

3 Obligations of telecommunications carriers

Item 11), information items included in anonymously processed information (Article 28, Paragraph 3, Paragraph 4, Paragraph 5, Paragraph 7)
Section, Article 29), Safety management measures for anonymously processed information by businesses handling anonymously processed information (Article 31)
In the privacy policy, etc., notification, publication, or a state that the person can easily know about
It should be noted that it is required to be placed.

(reference)
Basic Policy on Personal Information Protection (Cabinet decision on April 2, 2004)
6 Basic matters concerning measures to protect personal information that businesses handling personal information should take
(1) Matters concerning personal information handled by businesses handling personal information
In addition to complying with the provisions of the law, the business operator handling personal information is a guy of the Personal Information Protection Commission of 2 (2) ①.
In accordance with the personal information protection guidelines of Drine and authorized personal information protection organizations, for example, consumer rights and interests
From the perspective of further protecting profits, the way of thinking and policies for promoting the protection of personal information (so-called plastic)
Protection of personal information, such as clarifying the privacy policy, privacy statement, etc. externally
It is expected to proactively work on protection and proper and effective utilization.
Therefore, it is required to actively work on the improvement of the system. At that time, the scale of the business and
Appropriate efforts may be implemented by each business operator according to the nature, handling status of personal data, etc.
is important.

Privacy Policy for Application Software (Article 14, Paragraph 2, Paragraph 3)
Item relation)
Article 14 (Sections 2 and 3)
2 Telecommunications carriers are application software (hereinafter referred to as "application").
U. ) Is provided, and the acquisition of information by the application concerned is clearly stated.
It is appropriate to publish a well-established privacy policy.
3 Telecommunications carriers operate sites that provide applications.
For those who provide the application on the site, the application
Publish a privacy policy that clearly and appropriately defines the acquisition of information by
It is appropriate to encourage them.

Application software (hereinafter referred to as "application") is a call or communication.
Perform various functions such as communication tools such as communication and photos / games
Software to do this. For smart devices such as smartphones, applications
By installing the option, it is possible to extend and customize the functions.
Because some applications get various information and send it to the outside.
Viewpoint to protect user privacy by ensuring transparency and opportunities for users to be involved
If the telecommunications carrier provides the application, the application
To publish a privacy policy that clearly and appropriately defines the acquisition of information by

59

Page 60

3 Obligations of telecommunications carriers

Is appropriate (related to Article 14, Paragraph 2).
In addition, when a telecommunications carrier operates a site that provides applications,
For those who provide applications using the site (excluding self), the application
A privacy policy that clearly and appropriately defines the acquisition of information by liking
It is appropriate to encourage publication (related to Article 14, Paragraph 3).
The following items should be included in the application privacy policy.
Be done.
(1) Name or name of the application provider, etc. that acquires information
② Items of information to be acquired
③ How to get
④ Specifying and clarifying the purpose of use
⑤ Notification / publication or consent acquisition method, user involvement method
⑥ Existence of external transmission, provision to a third party, and information collection module
⑦ Inquiry window
⑧ Procedure for changing privacy policy
In addition, for telecommunications carriers, the content of the privacy policy is the information of the application.
Verification by a third party, etc. to ensure that the information acquisition, etc. is properly described.
It is desirable to use it and verify its appropriateness.
For other details regarding the privacy policy of the application, see the smartphone page.
Liberty Initiative (August 2012 In charge of ICT services from the user's perspective
Study group on various problems), etc.

Since this guideline is intended for telecommunications carriers, it should be noted that telecommunications carriers.
Although it describes the efforts of, it is clear and appropriate for information collection by the application.
Efforts such as announcing the privacy policy that has been urgently set are for application providers and information.
Information collection module provider, application provider site operator, OS provider, etc.
It is also required by those involved. The efforts shown in this article by telecommunications carriers are related to each.
It is expected to contribute to the promotion of the efforts of the staff.

Provision of personal data to third parties (related to Articles 15-18)
Principle of restriction of provision to third parties (related to Article 15, Paragraph 1)
Article 15 (Section 1)
1 A telecommunications carrier shall not obtain the consent of the person in advance, except in the following cases.
Do not provide personal data to third parties.
(1) When required by law
(2) When it is necessary to protect the life, body or property of a person, the consent of the person is obtained.
When it is difficult to get.

60

Page 61

3 Obligations of telecommunications carriers

(3) When it is particularly necessary to improve public health or promote the sound development of children
When it is difficult to obtain the consent of the person.
(4) A national institution or a local public body or a person entrusted with it performs the affairs stipulated by laws and regulations.
To obtain the consent of the person when it is necessary to cooperate in carrying out
When there is a risk of hindering the performance of the relevant affairs.

The telecommunications carrier consents to the provision of personal data to a third party in advance (* 1).
Do not provide without obtaining (* 2) (* 3). In obtaining consent, the scale and nature of the business,
The person agrees according to the handling status of personal data (including the nature and amount of personal data handled), etc.
Must clearly indicate the content of a reasonable and appropriate range that is considered necessary to make a judgment regarding
Must be.
If it is assumed that personal information will be provided to a third party in advance, the purpose of use
To that effect must be specified (see 3-1-1 (Specification of purpose of use)).

[Cases provided by a third party] (However, the cases of each item of Article 15, Paragraph 10 are excluded.)
Case 1) When exchanging personal data between parent and child sibling companies and group companies
Case 2) When exchanging personal data between the headquarters of a franchise organization and a member store
Case 3) When exchanging specific personal data between telecommunications carriers

[Cases not provided to third parties] (However, there are restrictions depending on the purpose of use.)
Example) When providing personal data to other departments within the same telecommunications carrier

However, in the cases listed in (1) to (4) below, provision of personal data to a third party
In order to do so, the consent of the person is not required. A specific example is 3-1-6 (system based on purpose of use).
See Limited Exceptions).

(1) When providing personal data in accordance with laws and regulations (related to Article 15, Paragraph 1, Item 1)

Search for "when required by law" as a compulsory disposition according to a warrant issued by a judge.
When seized, etc., the information within the range specified in the warrant is provided.
Therefore, the offer cannot be refused.
On the other hand, inquiries from persons with legal inquiry authority (Criminal Procedure Code, Article 197, Paragraph 2, Boys)

Regarding Article 6-4 of the Law, Article 23-2, Paragraph 2 of the Attorney Law, Appropriate Transmission of Specified E-mail, etc.
Act (Act No. 26 of 2002; hereinafter referred to as the "Specified E-mail Act") Article 29, etc.)
In principle, inquiries should be answered when such matters are made, but the telecommunications business
Since a person also has an obligation to protect the confidentiality of communications, matters belonging to the secrecy of communications (communication)
Not only the content, but also the address / name of the communication party, the place of origination / reception, the date of communication, etc.
Includes the presence or absence of the existence of communication such as the element and the number of communications. ) Is provided in principle

61

Page 62

3 Obligations of telecommunications carriers

Not suitable as. In addition, the address, name, etc. of the subscriber, which is not related to each communication, is the communication.
Since it is not subject to the protection of confidentiality, basically inquiries from persons with legal inquiry authority
It is possible to respond to. However, how to inquire whether it is unrelated to individual communication
In the process of query, the target is closely related to individual communication.
When it seems that it will be done, it is appropriate to treat it as a secret of communication.
In any case, provide so as not to unduly infringe the rights and interests of the person, etc.
In line with the purpose of provision, such as responding to the part specified in the warrant, inquiry, etc.
It should be in the minimum necessary range, and general comprehensive provision is not appropriate.

(2) Specific rights and interests such as the life, body or property of a person (including a corporation) are infringed.
In order to protect this, it is necessary to provide personal data, and the consent of the person is obtained.
When it is difficult to obtain (related to Article 15, Paragraph 1, Item 2)

(3) When it is particularly necessary for the improvement of public health or the sound development of children who are in the process of mental and physical development
And when it is difficult to obtain the consent of the person (related to Article 15, Paragraph 1, Item 3)

(4) It is necessary to obtain the cooperation of private companies, etc. in order for national organizations, etc. to carry out the affairs stipulated by laws and regulations.
In some cases, a cooperating private company, etc. will provide personal data to an institution, etc. in the country concerned.
Therefore, when there is a risk that obtaining the consent of the person will hinder the performance of the relevant affairs (law).
Article 15, Paragraph 1, Item 4)

(* 1) For "Personal consent", refer to 2-13 (Personal consent).
(* 2) Information including personal data written on blogs and other SNS is applicable.
Public to an unspecified number of or limited subjects with the clear intention of the person who wrote the information
It is open information, and write the information about who can view the information.
Since it is specified by the person, the connection to the Internet line is about the disclosure range.
Discretionary to providers, blogs, and other SNS operators that provide continuous services
Since there is no room, in such a case, the business operator will provide personal data to a third party.
It is not understood that there is.
(* 3) A telecommunications carrier, its employees, or those who were these, regarding their business
Personal information database, etc. handled (all or part of it is duplicated or processed
Including. ) For the purpose of improper profits of oneself or a third party, or plagiarism
In such cases, criminal penalties (imprisonment of up to 1 year or fines of up to 500,000 yen) will be imposed according to Article 83 of the Act.
Can be done.

(reference)
Law Article 23 (Paragraph 1)

62

Page 63

3 Obligations of telecommunications carriers

1 Businesses handling personal information do not obtain the consent of the person in advance, except in the following cases.
Do not provide personal data to third parties.
(1) When required by law
(2) Obtain the consent of the person when it is necessary to protect the life, body or property of the person.
When it is difficult.
(3) When it is particularly necessary to improve public health or promote the sound development of children.
When it is difficult to obtain the consent of the person.
(4) A national institution or a local public body or a person entrusted with it carries out the affairs stipulated by laws and regulations.
When it is necessary to cooperate with what to do, the relevant affairs can be obtained with the consent of the person.
When there is a risk of interfering with the performance of.

Provided to a third party by opt-out (related to Article 15, Paragraphs 2 to 7 and 9 of the Act)
3-5-2-1 Principles on opt-out (related to Article 15, Paragraph 2, Paragraphs 4 to 7, Paragraph 9)
Article 15 (2nd, 4th, 5th, 6th, 7th, 9th)
2 Telecommunications carriers provide personal data provided to third parties (excluding sensitive personal information.
Same as in the section. ), Personal data that identifies the person at the request of the person
In the case where it is decided to suspend the provision of the above to a third party, regarding the following matters
Notify the person in advance, or put it in a state that the person can easily know, and Law No. 23
When notifying the Personal Information Protection Commission pursuant to the provisions of Article 2, paragraph 2, regardless of the provisions of the preceding paragraph
Instead, the personal data can be provided to a third party.
(1) The purpose of use is to provide it to a third party.
(2) Items of personal data provided to a third party
(3) How to provide to a third party
(4) Suspension of provision of personal data that identifies the person to a third party at the request of the person
To do.
(5) How to accept the request of the person
4 Notifications pursuant to the provisions of the preceding two paragraphs or measures to be placed in an easily recognizable state are as follows.
It shall be done by.
(1) The person identified by personal data provided to a third party ("Person" in the next issue)
That is. ) Allows the period required to request the suspension of the provision.
(2) By an appropriate and rational method that allows the person to reliably recognize the matters listed in each item of Paragraph 2.
That.
5 Notification pursuant to the provisions of Paragraph 2 or Paragraph 3 must be made by any of the following methods.
Must be.
(1) Electronic information processing organization (Personal Information Protection Commission) as stipulated by the Personal Information Protection Commission
Telecommunications between the computer used by the committee and the computer used by the person making the notification

63

Page 64

3 Obligations of telecommunications carriers

An electronic information processing organization connected by a line. ) How to use
(2) Law Enforcement Regulations on the Protection of Personal Information (2016 Personal Information Protection Commission Regulation No. 3)
issue. Hereinafter referred to as "rules". ) It should be stated in the notification form in the separate form No. 1 and the notification form.
An optical disc on which items are recorded (a method similar to this is used to reliably record certain items.
Includes things that can be left behind. Hereinafter referred to as "optical disc, etc." ) How to submit
6 When a telecommunications carrier makes a notification pursuant to the provisions of paragraph 2 or 3 by an agent
Submit a document certifying its authority to the Personal Information Protection Commission in accordance with the separate rule form No. 2.
There must be.
7 Telecommunications carriers in foreign countries (meaning countries or regions outside Japan; the same shall apply hereinafter)
When making a notification pursuant to the provisions of paragraph 2 or 3, a person who has an address in Japan and has an address in Japan
Has the authority to represent the telecommunications carrier in all acts relating to the notification.
Must be determined. In this case, the telecommunications carrier shall be the same as the notification.
Occasionally, the telecommunications carrier will act on any act related to the notification to a person who has an address in Japan.
A document certifying that you have been granted the authority to represent the telecommunications carrier (in Japanese)
Includes translated text. ) Must be submitted to the Personal Information Protection Commission.
9 Telecommunications carriers will promptly enter after the announcement pursuant to the provisions of Article 23, Paragraph 4 of the Act.
Matters listed in Paragraph 2 (Nos. 2 and 3 of the same paragraph) by using the Internet or other appropriate methods.
If there is a change in the items listed in item 5 or item 5, the items listed in each item after the change)
Shall be published.

Telecommunications carriers list personal data in (1) to (5) below when providing personal data to third parties.
If you notify the person in advance (* 1) of the matter to be removed, or put it in a state that the person can easily know (* 2)
In both cases, if you notify the Personal Information Protection Commission pursuant to the provisions of Article 23, Paragraph 2 of the Act (* 3),
Personal data regardless of the provisions of Article 15, Paragraph 1 without obtaining the consent (* 4) of the person in advance.
Can be provided to a third party (* 5) (provided by a third party by opt-out). On the other hand, telecommunications
When the business operator provides the personal data of the subscriber to a third party, obtain the consent of the person according to the contract terms.

It is generally possible to do it with the consent of the person.
desirable. However, even if it is done with the consent of the person according to the contract terms, it will be posted in the telephone directory.
For cases where the intention of the person should be respected as much as possible, the person should provide it at the request of the person.
It is desirable to treat it as stopping.
The telecommunications carrier reports necessary matters to the Personal Information Protection Commission based on Article 15, Paragraph 2.
In such a case, the content will be announced by using the Internet or other appropriate method (* 6).
Shall be.
In addition, sensitive personal information cannot be provided to a third party by opt-out, and to a third party.
In providing, unless it falls under each item of Article 15 Paragraph 1 or each item of Article 15 Paragraph 5
Please note that it is necessary to obtain the consent of the person in advance.

(1) The purpose of use is to provide it to a third party.

64

Page 65

3 Obligations of telecommunications carriers

(2) Items of personal data provided to a third party
Case 1) Name, address, phone number, age
Case 2) Name, product purchase history

(3) How to provide to a third party
Case 1) Published as a book (including electronic books)
Case 2) Posted on the Internet
Case 3) Print out and deliver
Case 4) Delivery by various communication means
Case 5) Delivery in the form of other external recording media

(4) Stop providing to a third party at the request of the person.

(5) How to accept the request of the person (* 7)
Case 1) Mail
Case 2) Sending an email
Example 3) Input to the designated form on the homepage
Case 4) Reception at the window of the office
Case 5) Telephone

(* 1) When providing to a third party by opt-out, the items listed in (1) to (5) above should be applied.
The person identified by the personal data provided to a third party in advance is the person who provided the information.
Notify the person or easily know the person to ensure the time required to request the suspension
Since it must be placed in a possible condition (Article 15, Paragraph 4, Item 1), the person must be notified.
Is submitted to a third party after a very short period of time from the time when the person puts it in a state that can be easily known
In the case of offering, please indicate "the period required for the person to request the suspension of the provision".
It can be judged that it is not.
For the specific period, the type of business, the mode of business, the notification or the state that can be easily known
Mode, proximity between the person and the business operator handling personal information, accepting requests for suspension from the person
Since it may differ depending on the system, the nature of the personal data provided, etc.
You need to judge.
In addition, the time to "notify the person or put it in a state that the person can easily know" and "personal information"
It is not always necessary to notify the protection committee at the same time, but notify the person and notify him / her.
Or, after putting it in a state that the person can easily know, promptly notify the Personal Information Protection Commission.
It is desirable to get out.
(* 2) For "Notify the person", refer to 2-11 (Notify the person).

65

Page 66

3 Obligations of telecommunications carriers

"A state that the person can easily know" means posting / installing a document at the window of the business establishment, etc.
If the person wants to know by posting on the homepage or other continuous method, it will be timely.
Also, by that means, it means a state that can be easily known, and the nature and individuality of the business.
According to the handling situation of personal information, by an appropriate and rational method that the person can surely recognize.
Must be (Article 15, Paragraph 4, Item 2).

[Cases that correspond to a state that the person can easily know]
Case 1) Homepage of a telecommunications carrier that is reasonably expected to be viewed by the person himself / herself
A place that is easy for the person to understand in the page (example: top page of the homepage)
The matters stipulated by law are divided into places that can be reached with only one operation.
For easy and continuous posting
Case 2) Posting at the office window, etc. where the person is expected to visit reasonably,
When the equipment is continuously installed
Case 3) When regular publication is made in the periodicals distributed to the person
Case 4) In electronic commerce, continue to link to the homepage that introduces products
When displaying in
(* 3) The notification method must be the method specified by the Personal Information Protection Commission.
(Article 15, Paragraph 5). In addition, when the notification is made by an agent, the personal information protection commissioner
You must submit a document stating that authority in the form specified by the Society (Article 15 Article 15).
Item 6). In addition, if a telecommunications carrier in a foreign country makes a notification, it has an address in Japan.
Right to act on behalf of the telecommunications carrier for all acts related to the notification
You must specify what has a limit, and protect personal information in a document certifying the right of proxy.
Must be submitted to the Committee (Article 15, Paragraph 7).
(* 4) For "Personal consent", refer to 2-13 (Personal consent).
(* 5) Providing personal information to a third party for the original purpose of use specified by the provisions of Article 4, Paragraph 1.
If the information related to the service is not included, it will be used for other purposes if it is provided to a third party.
Therefore, it cannot be provided to a third party by opt-out.
(* 6) Basically, "publication" by "Internet method" is desirable, but telecommunications carriers
It is also possible to publish by an appropriate method other than the method depending on the characteristics of the
Is. For “publication”, refer to 2-12 (publication).
(* 7) For "How to accept the request of the person", the contact information (business name, window) for which the person makes the request.
First name, mailing address or destination email address, etc. The business operator handling personal information goes abroad
If you have a headquarters, the name, contact information, etc. of the domestic agent. ) Is included.

(reference)
Law Article 23 (Paragraph 2)
2 Personal information handling business operators are provided with personal data provided to third parties (excluding sensitive personal information.

66

Page 67

3 Obligations of telecommunications carriers

Same as in the section. ), The number of personal data that identifies the person at the request of the person
In the case where it is decided to suspend the provision to the three parties, personal information regarding the following matters
According to the rules of the Protection Commission, notify the person in advance or easily know the person.
When the personal information protection commission is notified, regardless of the provisions of the preceding paragraph,
The personal data can be provided to a third party.
(1) The purpose of use is to provide it to a third party.
(2) Items of personal data provided to a third party
(3) How to provide to a third party
(4) Suspending the provision of personal data that identifies the person to a third party at the request of the person
When.
(5) How to accept the request of the person

Rule Article 7
1 Notifications pursuant to the provisions of Article 23, Paragraph 2 or Paragraph 3 of the Act or measures to be placed in an easily recognizable state are as follows.
It shall be carried out in accordance with the places listed in.
(1) The person identified by personal data provided to a third party (referred to as "person" in the next issue)
Allow a period of time for the company to request the suspension of the offer.
(2) Appropriate and rational method by which the person can surely recognize the matters listed in each item of Article 23, Paragraph 2 of the Act.
By.
2 Notification pursuant to the provisions of Article 23, Paragraph 2 or Paragraph 3 of the Act shall be made by any of the following methods.
There must be.
(1) Electronic information processing organization (Personal Information Protection Commission) as stipulated by the Personal Information Protection Commission
The computer related to the use of the computer and the computer used by the person making the notification are connected by a telecommunication line.
A continuous electronic information processing organization. ) How to use
(2) An optical disc on which the notification form in the separate form No. 1 and the matters to be stated in the notification form are recorded.
Includes items that can be reliably recorded with certain items by a method similar to this. Below, "Hikari de
Isku, etc. " ) How to submit
3 A business operator handling personal information submits a notification pursuant to the provisions of Article 23, Paragraph 2 or Paragraph 3 of the Act by an agent.
If so, a document certifying its authority in the separate form No. 2 (including electromagnetic records; the same shall apply hereinafter).
Must be submitted to the Personal Information Protection Commission.

Rule Article 8
A place where a business operator handling personal information in a foreign country makes a notification pursuant to the provisions of Article 23, Paragraph 2 or Paragraph 3 of the Act.
In that case, a person who has an address in Japan and has personal information regarding all acts related to the notification.
Those who have the authority to act on behalf of the information handling business operator must be stipulated. In this case,
The business operator handling personal information has an address in Japan at the same time as the notification.
With the authority to act on behalf of the business operator handling personal information for all acts related to the notification.

67

Page 68

3 Obligations of telecommunications carriers

You must submit a document certifying that you have given it (including a translation in Japanese) to the Personal Information Protection Commission.
Must be.

Rule Article 10
The business operator handling personal information promptly intervenes after the announcement pursuant to the provisions of Article 23, Paragraph 4 of the Act.
-Matters listed in Paragraph 2 of the same Article (Nos. 2 and 3 of the same Paragraph) by using the Internet or other appropriate methods.
When there is a change in the matters listed in item 5, the matters listed in each of the changed items) will be announced.
To be.

3-5-2-2 Changes to matters related to opt-out (related to Article 15, Paragraph 3)
Article 15 (Section 3)
3 When the telecommunications carrier changes the matters listed in item 2, item 3 or item 5 of the preceding paragraph,
Notify the person in advance of the content to be changed, or make it easy for the person to know
At the same time, it must be notified to the Personal Information Protection Commission.

Telecommunications carriers provide personal data to third parties by opt-out based on Article 15, Paragraph 2.
The item of personal data to be provided, the method of provision, or provision to a third party
If you want to change the method of accepting the request of the person who should stop
Before making a change (* 1), notify the person or place it in a state that the person can easily know (* 2).
At the same time, you must notify the Personal Information Protection Commission (* 3).
In addition, the telecommunications carrier submits necessary matters to the Personal Information Protection Commission based on Article 15, Paragraph 9.
When notified, the content shall be announced (* 4) by itself.

(* 1) For the specific period of "in advance", refer to 3-5-2-1 (Principle regarding opt-out).
See.
(* 2) For "Notify the person", refer to 2-11 (Notify the person).
3-5-2-1 (Principle of opt-out) for "states that the person can easily know"
checking ... The following method is understood to be an appropriate and rational method.
・ The content to be changed is clearly stated in a document, for example, by comparing old and new.
Notify the person.
・ Home page of a business operator handling personal information that is reasonably expected to be viewed by the person
For example, the old and new comparison table can be changed to a place that is easy for the person to understand.
Make it clear in an easy-to-understand manner
(* 3) For the notification method, etc., refer to 3-5-2-1 (Principle regarding opt-out).
(* 4) For "publication", refer to 2-12 (publication)).

(reference)

68

Page 69

3 Obligations of telecommunications carriers

Law Article 23 (Section 3)
3 When a business operator handling personal information changes the matters listed in item 2, item 3 or item 5 of the preceding paragraph
Regarding the contents to be changed, in advance, as stipulated by the rules of the Personal Information Protection Commission,
Notify the person or put it in a state that the person can easily know, and notify the Personal Information Protection Commission.
There must be.

Articles 7, 8 and 10 of the Regulations
(Omitted) (3-5-2-1) (Principle of opt-out))

Exceptions to personal information related to confidentiality of communications in restrictions on provision to third parties (related to Article 15, Paragraph 8)
Article 15 (Section 8)
8 Notwithstanding the provisions of the preceding paragraphs, the telecommunications carrier shall, with the consent of the user, other
Unless there is a reason to prevent illegality, provide personal information related to confidentiality of communications to a third party.
must not.

If personal information is confidential to the communication, it is only possible to provide it to a third party with the consent of the communication party.
In addition to certain cases, when following a warrant issued by a judge, when meeting emergency evacuation requirements, etc.
Only if there is a reason to prevent the illegality of.

(*) Refer to 2-13 (Person's consent) for consent regarding the handling of personal information related to confidentiality of communications.
That thing.

When not applicable to a third party (related to Article 15, Paragraph 10)
Article 15 (Section 10)
10 In the following cases, the person who receives the provision of the personal data shall be in paragraphs 1 to 7.
Up to and the application of the provisions of the preceding paragraph shall not fall under the category of a third party.
(1) Handling of personal data to the extent necessary for the telecommunications carrier to achieve the purpose of use
When the personal data is provided by entrusting all or part of
(2) When personal data is provided due to business succession due to merger or other reasons
(3) Personal data shared with a specific person will be provided to that specific person.
In some cases, to that effect and the items of personal data to be used jointly, to be used jointly
Responsible for the scope of the user, the purpose of use of the user, and the management of the personal data.
Notify the person in advance of the name or name of the person, or the person can easily know
When it is in a state of being.

In the following cases (1) to (3), the destination of personal data is different from that of the telecommunications carrier.

69

Page 70

3 Obligations of telecommunications carriers

Although formally corresponds to a third party as the subject of, it is the provider in relation to the person.
Not applicable to a third party as it is rational to treat it as one with a telecommunications carrier
Let's assume.
If these requirements are met, the telecommunications carrier will cover Article 15, paragraphs 1-7.
And regardless of the provisions of paragraph 9, opters with prior consent of the person or provision to a third party
Personal data can be provided without having to go out.
Personal information related to confidentiality of communications is not covered by this section, and is outsourced, business succession, and co-operation.
Even if it accompanies the use, it will be provided without the consent of the communication parties or the reason for preventing illegality.
Must not be. However, when the information holding entity such as a merger or company split is substantially the same.
This is not the case.

(1) Consignment (Article 15, Paragraph 10, Item 1)

To the extent necessary to achieve the purpose of use, all of the business related to the handling of personal data or
If the personal data is provided by entrusting a part, the provider will contact a third party.
Not correct.
In addition, telecommunications carriers are subject to supervisory responsibility over contractors pursuant to Article 12, Paragraph 3.
(See 3-3-6 (Supervision of contractors)).

Case 1) When providing personal data to outsource information processing such as data input
Case 2) When providing personal data to a courier for delivery of ordered products

(2) Business succession (related to Article 15, Paragraph 10, Item 2)

Personal day related to the business due to business succession due to merger, spin-off, business transfer, etc.
If the data is provided, the destination is not a third party.
Even after the succession of the business, the range of purpose of use before the personal data is provided by the succession of the business.
Must be used within the enclosure (see 3-1-5 (Business Succession)).
In addition, at the negotiation stage before concluding a contract for business succession, the partner company investigates the company.
In response to this, if you provide your company's personal data to the other company, it also falls under this issue, and the person's personal data is given in advance.
Personal Day without consent or without opt-out procedures provided by a third party
Data can be provided, but if the data is used, how it is handled, or if there is a leak, etc.
Comply with the partner company's safety management measures, such as joint measures and measures in the event of unsuccessful negotiations for business succession.
You must conclude the necessary contract to get it done.

Case 1) When providing personal data to a new company due to merger or spin-off
Case 2) When providing personal data to the transferee company by business transfer

70

Page 71

3 Obligations of telecommunications carriers

(3) Shared use (related to Article 15, Paragraph 10, Item 3)

When providing personal data shared with a specific person to that specific person (* 1)
Therefore, the following information (* 2) from (1) to (5) is notified to the person in advance (* 3) before provision.
Or, when the person is in a state where he / she can easily know (* 4), the provider concerned is viewed from the person himself / herself.
It is rational to treat the personal data as one with the business operator who originally provided it.
Therefore, it does not correspond to a third party (* 5). On the other hand, the telecommunications carrier is the individual subscriber
When sharing personal data, it is generally possible to obtain the consent of the person in accordance with the contract terms.
It is possible, and basically it is desirable to obtain the consent of the person. However, the contract terms
Even if the consent of the person is obtained, the right of the person is the same as in the case of exchanging information such as non-payers.
When exchanging information that may have a significant impact on profits, Article 15, Paragraph 10, Paragraph 3
Measures such as notifying the person in advance of the information listed in the item or putting it in a state that the person can easily know
It is appropriate not to infringe the rights and interests of the person unreasonably.
In addition, a place to jointly use personal data already acquired by a specific business with other businesses.
In that case, within the scope of the purpose of use specified by the business operator who has already acquired it pursuant to the provisions of Article 4, Paragraph 1.
Must be used jointly.

① To share

② Items of personal data used jointly
Case 1) Name, address, phone number, age
Case 2) Name, product purchase history

③ Scope of people who use it jointly
The "purpose of shared use" is one with the business operator that provides the personal data from the perspective of the individual.
To the extent that it is reasonable to be treated as
Is Rukoto.
Therefore, regarding the range of joint users, to which business the person will be used in the future
It needs to be clarified to the extent that it can be judged.
As long as the scope is clear, not all the names of business operators are listed individually.
It is not necessary to list, but it is necessary to be able to determine to which business the person will be used.
Must be.

④ Purpose of use of the user
Regarding personal data to be used jointly, notify the person of all the purposes of use, or book
It must be in a state that is easily accessible to humans.
If the purpose of use differs depending on the item of personal data, the item of the personal data
It is desirable to describe the purpose of use separately for each.

71

Page 72

3 Obligations of telecommunications carriers

⑤ Name or name of the person responsible for the management of the personal data
"A person responsible for the management of personal data" is a person who receives requests for disclosure, etc. and complaints.
In addition to making efforts to process it, disclosure, correction, and suspension of use of the contents of personal data, etc.
A person who has the authority to stop, etc., and is responsible for the management of personal data such as security management.
In addition, the "responsible person" here means among all the businesses that are used jointly.
A person who has the authority to primarily accept / process, disclose / correct complaints, etc., and is a joint user.
It does not mean the person in charge inside one of the businesses.
In addition, the person responsible for the management of personal data is within the range necessary to achieve the purpose of use.
To keep personal data used among joint users accurate and up-to-date
You must make an effort (see 3-3-1 (Ensuring the accuracy of data contents, etc.)).

[Cases corresponding to shared use]
Case 1) Purpose of use at the time of acquisition to provide comprehensive services at group companies (Article 4, Article 2)
Includes purposes of use modified in accordance with the provisions of the section. same as below. ) To share information
If
Case 2) When personal data is shared between parent and child sibling companies within the scope of the purpose of use at the time of acquisition

(* 1) Regarding the provision of personal data that is subject to shared use, not all joint users
Does not have to be done in both directions, but can be done in one direction for some joint users.
(* 2) When a telecommunications carrier implements shared use, the responsibility of the shared user, etc.
From the viewpoint of clarification and smooth implementation, in addition to the information from ① to ⑤ above, from the following (a)
It is desirable to make arrangements in advance for the matters up to (f).
(A) Requirements for joint users (being a group company, specific campaign business
A certain framework for business execution through shared use, such as being a member)
(B) Personal information protection manager, inquirer and contact information for each joint user
(C) Matters concerning the handling of shared personal data
・ Matters concerning prevention of leakage of personal data, etc.
・ Prohibition of unintended processing, use, copying, duplication, etc.
・ Matters concerning the return, erasure, and disposal of data after the end of shared use
(D) When the agreement regarding the handling of shared personal data is not observed
Measures
(E) Report / contact in the event of an incident / accident related to shared personal data
Matters concerning
(F) Procedures for terminating shared use
(* 3) For "Notify the person", refer to 2-11 (Notify the person).
(* 4) For "states that the person can easily know", 3-5-2 (provided by a third party by opt-out)
checking ...

72

Page 73

3 Obligations of telecommunications carriers

(* 5) Whether it is shared use or consignment is determined by the form of handling personal data.
Therefore, even if the scope of joint users includes the contractor, the relationship with the contractor
The clerk is not for shared use, and the consignor is not exempt from the obligation to supervise the consignee.
Absent.

(reference)
Law Article 23 (Section 5)
5 In the following cases, the person who receives the provision of the personal data shall apply the provisions of the preceding paragraphs.
Therefore, it shall not correspond to a third party.
(1) Handling of personal data to the extent necessary for the business operator handling personal information to achieve the purpose of use
When the personal data is provided by entrusting all or part of the data
(2) When personal data is provided due to business succession due to merger or other reasons
(3) When personal data shared with a specific person is provided to that specific person
There is, to that effect, items of personal data used jointly, examples of people who jointly use
The name of the person who is responsible for the surroundings, the purpose of use of the user, and the management of the personal data.
Or, notify the person in advance about the name, or put it in a state that the person can easily know.
When you are.

<Changes in matters related to shared use (related to Article 15, Paragraph 11)>
Article 15 (Section 11)
11 The telecommunications carrier shall use the purpose of use or personal data of the user specified in item 3 of the preceding paragraph.
When changing the name or name of the person responsible for management, change the content
The person must be notified in advance or placed in a state where the person can easily know about it.
Not.

When sharing personal data, telecommunications carriers say, "Use of shared users.
Regarding "target", it is within the range that is objectively recognized as the limit that the person can usually expect according to social conventions (*
It can be changed in 1) to "the name or name of the person responsible for the management of personal data"
You can also change it, but before changing any of them, notify the person (* 2) or the person.
Must be placed in a state where it can be easily known (* 3).
Regarding "Items of personal data used jointly" and "Scope of people who use jointly"
In principle, it is not allowed to change, but in the following cases, for example, we will continue to jointly
Can be used.

Case 1) Obtain the consent of the person in advance regarding changes in personal data items and businesses to be shared.
If you get
Case 2) There is a change in the name of the business operator that shares the data, but the section on personal data that is shared.

73

Page 74

3 Obligations of telecommunications carriers

If there is no change in the eyes
Case 3) Businesses that share business When business succession (* 4) is carried out (individuals for shared use)
Assuming that there are no changes to human data items, etc.)

(* 1) For "the limit that the person can usually expect and the range that is objectively recognized", 3-1-2 (interest)
Change the purpose).
(* 2) For "Notify the person", refer to 2-11 (Notify the person).
(* 3) For "states that the person can easily know", 3-5-2 (provided by a third party by opt-out)
checking ...
(* 4) For “Business succession”, refer to 3-1-5 (Business succession).

(reference)
Law Article 23 (Section 6)
6 The business operator handling personal information is the purpose of use of the user or personal data specified in item 3 of the preceding paragraph.
When changing the name or name of the person responsible for management, the content to be changed
The person must be notified in advance or placed in a state that the person can easily know.

Restrictions on provision to third parties in foreign countries (Article 16)
Article 16
1 A telecommunications carrier is a third party in a foreign country (Handling of personal data, Chapter 4, Section 1 of the Act).
Measures equivalent to the measures that the business operator handling personal information should take according to the provisions of
Establish a system that meets the standards set forth in the next section as necessary for continuous measures
Excludes those who are. The same shall apply hereinafter in this article. ) When providing personal data, the preceding article
Except for the cases listed in each item of paragraph 1, the provision to a third party in a foreign country is permitted in advance.
You must obtain the consent of the person. In this case, the same Article (excluding Paragraph 8 of the same Article)
The provisions of are not applicable.
2 Handling of personal data A business operator handling personal information gives a lecture pursuant to the provisions of Chapter 4, Section 1 of the Act.
As necessary measures to continuously take measures equivalent to the measures that are supposed to be done
The criteria specified in the above shall fall under any of the following items.
(1) Between the telecommunications carrier and the person who receives the personal data, to the person who receives the personal data
Regarding the handling of such personal data in the law, by an appropriate and rational method, Chapter 4 of the Act
Implementation of measures in line with the purpose of the provisions of Section 1 is ensured.
(2) The person who receives the personal data is based on the international framework regarding the handling of personal information.
Must be certified.

Regarding restrictions on the provision of personal information to third parties in foreign countries, the "Personal Information" set by the Personal Information Protection Commission
Guidelines for Protection Laws (Provision to Third Parties in Foreign Countries) ”(2016)

74

Page 75

3 Obligations of telecommunications carriers

It shall be in accordance with the Personal Information Protection Commission Notification No. 7).

(reference)
Article 24 of the law
A business operator handling personal information is a foreign country (meaning a country or region outside the region of Japan; the same shall apply hereinafter) (individual rights
System for protection of personal information recognized as being at the same level as Japan in protecting interests
Excludes those specified by the rules of the Personal Information Protection Commission as foreign countries that have. Same as in this article below
Ji. ) Is a third party (About the handling of personal data) According to the provisions of this section, the business operator handling personal information
Individuals as necessary to continuously take measures equivalent to the measures that should be taken
Excludes those who have a system in place that meets the standards stipulated by the rules of the Information Protection Commission. Below in this article
It's the same. ), Except for the cases listed in each item of paragraph 1 of the preceding article,
Ecklonia cava must obtain the consent of the person to allow the provision to a third party in a foreign country. In this case
The provisions of the same Article do not apply.

Rule Article 11
1 Personal information protection as a foreign country that has a system for protection of personal information pursuant to the provisions of Article 24 of the Act
What is stipulated by the rules of the protection committee is the Personal Information Protection Committee as a foreign country that falls under any of the following items.
It shall be determined by the committee.
(1) There are laws and other provisions equivalent to the provisions regarding business operators handling personal information in the law.
The situation is sufficient to admit that the performance of the above is secured in the foreign country.
(2) There is an independent foreign enforcement authority equivalent to the Personal Information Protection Commission, and it is not applicable.
A system is in place for the national executive authorities to provide necessary and appropriate supervision.
(3) Appropriate and effective use of personal information and protection of personal rights and interests with Japan
It is recognized that cooperation and cooperation based on mutual understanding regarding
(4) Restrict the transfer of international personal data beyond the scope necessary for the protection of personal information
Mutually smooth personal information while protecting personal information with Japan
It is recognized that it is possible to relocate the data.
(5) In addition to the matters specified in the preceding four items, the foreign country shall be designated as a foreign country pursuant to the provisions of Article 24 of the Act.
However, the creation of new industries in Japan, a vibrant economic society, and the fruits of affluent national life
Being recognized as actually contributing
2 The Personal Information Protection Commission, in the case of defining a foreign country pursuant to the provisions of the preceding paragraph, in Japan
When it is deemed necessary to protect the rights and interests of an individual, a proposal to a third party in the foreign country concerned
Limiting the range of personal data that can be provided without obtaining the consent of the person who approves the service, etc.
The necessary conditions can be attached.
3 When the Personal Information Protection Commission defines a foreign country pursuant to the provisions of Paragraph 1, the foreign country is the first.
Applicable to each item of paragraph 1 or the conditions attached to the foreign country pursuant to the provisions of the preceding paragraph are satisfied.
When we find it necessary to confirm that it is necessary, we will protect personal information in the foreign country.

75

Page 76

3 Obligations of telecommunications carriers

Necessary investigations shall be conducted regarding the status of the related system or the response to the conditions.
4 When the Personal Information Protection Commission has designated a foreign country pursuant to the provisions of Paragraph 1, the investigation set forth in the preceding paragraph
When it is recognized that the foreign country no longer falls under each item of Paragraph 1 based on the results and other circumstances, or
When it is found that the conditions attached under the provisions of Paragraph 2 are no longer satisfied for the foreign country, Paragraph 1
The provisions of the paragraph shall be revoked.

Rule 11-2
The criteria stipulated by the rules of the Personal Information Protection Commission in Article 24 of the Act shall fall under any of the following items.
And.
(1) Between the business operator handling personal information and the person who receives the provision of personal data, to the person who receives the provision
Regarding the handling of the personal data in the law, by an appropriate and rational method, Chapter 4, Section 1 of the Law
The implementation of measures in line with the purpose of the provisions of
(2) The person who receives the personal data is recognized based on the international framework regarding the handling of personal information.
Being fixed.

Creation of records related to provision to a third party (related to Article 17)
Article 17
1 Telecommunications carriers exclude personal data from third parties (excluding those listed in each item of Article 2, Paragraph 5 of the Act.
The same shall apply hereinafter in this article and the next article. ), Document, electromagnetic recording or microphone
Depending on the method of making using film, depending on the classification in each of the following items,
A record of the matters specified in each item shall be created. However, the individual
The data is provided by either Article 15, Paragraph 1 or Paragraph 10 (individuals pursuant to the provisions of the preceding Article).
In providing data, if any of the items in Article 15, Paragraph 1) applies, this limit
Not.
(1) When personal data is provided to a third party pursuant to the provisions of Article 15, Paragraph 2
Matters listed up to
B. Date when the personal data was provided
(B) The name or name of the third party and other matters sufficient to identify the third party (non-special)
When it is provided to a fixed number of people, that fact)
C. Identify the name of the person identified by the personal data and other persons.
Sufficient matters
D. Items of the personal data
(2) When personal data is provided to a third party pursuant to the provisions of Article 15, Paragraph 1 or the preceding Article:
Matters listed in a and b
B. The fact that the consent of the person in Article 15, Paragraph 1 or the preceding Article has been obtained
(B) Matters listed in the previous item (b) to (d)

76

Page 77

3 Obligations of telecommunications carriers

2 Of the matters specified in each item of the preceding paragraph, the method already specified in the preceding paragraph, the next paragraph and the fourth paragraph is used.
Recorded in the record of the preceding paragraph (limited to the case where the record is kept)
If the content is the same as the item, omit the record of the item in the preceding paragraph.
Can be done.
3 The record in Paragraph 1 must be created promptly each time personal data is provided to a third party.
Not. However, personal data will be provided to the third party continuously or repeatedly (15th).
Excludes provision under the provisions of Article 2. The same shall apply hereinafter in this section. ) Or the relevant
Expected to be certain to provide personal data to the three parties continuously or repeatedly
Records can be created all at once.
4 Notwithstanding the provisions of the preceding paragraph, the goods for the person pursuant to the provisions of Article 15, Paragraph 1 or the preceding Article
Or when personal data related to the person concerned is provided to a third party in connection with the provision of services.
The matters specified in each item of Paragraph 1 are described in the contract and other documents prepared for the provision.
If it is listed, use the document in place of the record relating to the matter in Paragraph 1.
Can be done.
5 The telecommunications carrier shall list the records in paragraph 1 in the following items from the date of creation of the records.
Depending on the classification of the case, it must be stored for the period specified in each item.
(1) When a record is created by the method specified in the preceding paragraph Finally, the individual data related to the record
From the date of provision of data to the date when one year has passed
(2) When a record is created by the method specified in the proviso of paragraph 3 Finally, in the record
From the date of providing such personal data to the date when three years have passed from the date of provision
(3) 3 years for cases other than the previous 2

Regarding the creation of records related to provision to third parties, "Protection of personal information" established by the Personal Information Protection Commission
Guidelines for the Law Concerning Protection (Obligation to Confirm and Record When Provided to a Third Party) ”(2016)
It shall conform to the Personal Information Protection Commission Notification No. 8).
In addition, even if the outline is formally provided by a third party, it is necessary to confirm and record it.
As a matter of fact, provisions to third parties that have little need to impose confirmation / recording obligations are subject to this obligation.
It does not correspond to the provision to a third party. For example, a telecommunications carrier offers a caller ID notification service.
If you want to notify the caller's phone number according to your choice, or if you are a telecommunications carrier
The subscriber reports to the CGM (Consumer Generated Media) operator, etc., for which is specified in advance.
Based on information about users registered by subscribers as part of the included user registration service
When notifying the age judgment information of the user (whether or not he / she has reached a specific age), etc.
The telecommunications carrier is believed to provide personal data "on behalf of the individual" in this case.
Regarding provision to a third party, the obligation to confirm and record does not apply to either the provider or the recipient.

(reference)
Article 25 of the law

77

Page 78

3 Obligations of telecommunications carriers

1 Businesses handling personal information are third parties (excluding those listed in each item of Article 2, Paragraph 5) for personal data.
The same shall apply in this article and the next article. ), Where specified by the rules of the Personal Information Protection Commission
The date on which the personal data was provided, the name or name of the third party, and other personal information
Records shall be made regarding the matters specified by the rules of the Protection Commission. However, the individual
The data is provided by either Article 23, Paragraph 1 or Paragraph 5 (Personal Day pursuant to the provisions of the preceding Article).
This shall not apply to the provision of data if any of the items in Article 23, Paragraph 1) applies.
2 The business operator handling personal information shall record the record in the preceding paragraph from the date when the record was created by the Personal Information Protection Commission.
Must be retained for the period specified by the regulations.

Rule Article 12
1 The method of creating the record of the same paragraph pursuant to the provision of Article 25, Paragraph 1 of the Act is document, electromagnetic record or My
It is a method of making using a black film.
2 The record in Article 25, Paragraph 1 of the Act refers to a third party (meaning the third party specified in the same paragraph) for personal data.
The same applies to Articles, the following Articles and Articles 15 to 17. ), Do not create it promptly
Must be. However, personal data will be provided to the third party continuously or repeatedly (law).
Excludes provision under Article 23, Paragraph 2. The same shall apply hereinafter in this section. ) Or the third
When it is expected that personal data will be provided to a person continuously or repeatedly.
Records can be created in a batch.
3 Notwithstanding the provisions of the preceding paragraph, the item for the person pursuant to the provisions of Article 23, Paragraph 1 of the Law or Article 24 of the Law.
When personal data related to the person concerned is provided to a third party in connection with the provision of goods or services
Therefore, the contracts and other documents prepared for the provision include the matters specified in each item of Paragraph 1 of the following Article.
If it is listed, use the document in place of the record relating to the matter in Article 25, Paragraph 1 of the Act.
Can be done.

Rule Article 13
1 Matters stipulated by the rules of the Personal Information Protection Commission in Article 25, Paragraph 1 of the Act are the cases listed in the following items.
The matters specified in each item shall be applied according to the classification.
(1) When personal data is provided to a third party pursuant to the provisions of Article 23, Paragraph 2 of the Act
Matters listed in
B. Date when the personal data was provided
(B) The name or name of the third party and other matters sufficient to identify the third party (whether it is unspecified)
When provided to a large number of people, to that effect)
C. It is sufficient to identify the person's name and other persons identified by the personal data.
Matters
D. Items of the personal data
(2) When personal data is provided to a third party pursuant to the provisions of Article 23, Paragraph 1 of the Law or Article 24 of the Law.
Matters listed in the following a and b

78 78

Page 79

3 Obligations of telecommunications carriers

B. The consent of the person in Article 23, Paragraph 1 of the Law or Article 24 of the Law has been obtained.
(B) Matters listed in the previous item (b) to (d)
2 Of the matters stipulated in each item of the preceding paragraph, Article 25, Paragraph 1 of the Act, which has already been prepared by the method stipulated in the preceding Article.
The matters and contents recorded in the record (limited to the case where the record is saved)
For items that are the same, the record of the relevant matter in Article 25, Paragraph 1 of the Act may be omitted.

Rule Article 14
The period specified by the rules of the Personal Information Protection Commission in Article 25, Paragraph 2 of the Act is the ward in the cases listed in the following items.
Depending on the minute, the period specified in each item shall be applied.
(1) When a record is created by the method specified in Article 12, Paragraph 3 Finally, the individual related to the record
From the day when the person data is provided to the day when one year has passed
(2) When a record is created by the method specified in the proviso of Article 12, Paragraph 2 Finally, the record
From the date when the personal data related to the above is provided to the date when three years have passed since the date of provision.
(3) 3 years for cases other than the previous 3

Confirmation when receiving provision to a third party (related to Article 18)
[Confirmation when receiving a third party (related to Article 18, Paragraphs 1 and 2)]
Article 18 (paragraphs 1 and 2)
1 When receiving personal data from a third party, the telecommunications carrier shall apply to the following items.
Confirmation must be carried out by the method specified in each item according to the items listed.
I. However, the provision of the personal data is either in each item of Article 15, Paragraph 1 or in each item of Paragraph 10.
This does not apply if the above applies.
(1) In the case of the name or address of the third party and the corporation, its representative (corporation)
If there is a non-organization with a representative or manager, the representative or manager
Name of person) (excluding those corresponding to the matters listed in item 3) Provide the personal data
How to receive a declaration from the third party and other appropriate methods
(2) Background of acquisition of the personal data by the third party (corresponding to the matters listed in the next item)
Excludes things. ) From the third party who provides the personal data to the individual by the third party
How to receive a contract or other document showing the process of acquiring human data Other appropriate
Way
(3) When receiving other personal data from the third party, it is already stipulated in item 2 above.
Confirmation by method (By the method specified in paragraphs 3, 5 and 6 for the confirmation)
Only when creating and storing records. ) Matters
Confirmation that the content of the matter and the content of the matter listed in the previous two items related to the provision are the same
How to do
2 The third party set forth in the preceding paragraph shall be applicable when the telecommunications carrier confirms pursuant to the provisions of the same paragraph.

79

Page 80

3 Obligations of telecommunications carriers

The matters pertaining to the confirmation must not be false to the telecommunications carrier.

[Creation of records when receiving a third party (related to Article 18, Paragraphs 3 to 7)]
Article 18 (Sections 3 to 7)
3 When the telecommunications carrier confirms according to the provisions of Paragraph 1, it shall be a document, electromagnetic record or
According to the classification in each of the following items by the method of making using microfilm.
Therefore, a record regarding the matters specified in each item must be prepared.
(1) Received personal data provided by a business operator handling personal information pursuant to the provisions of Article 23, Paragraph 2 of the Act.
In the case of the following items from a to e
B. Date of receiving personal data
(B) Matters listed in each item of Paragraph 1
C. Identify the name of the person identified by the personal data and other persons.
Sufficient matters
D. Items of the personal data
(E) It is announced pursuant to the provisions of Article 23, Paragraph 4 of the Act.
(2) Personal information handling business operator's personal day according to the provisions of Article 23, Paragraph 1 of the Law or Article 24 of the Law
If you receive the provision of data, the matters listed in the following a and b
B. The fact that the part other than those listed in each item of Article 23, Paragraph 1 of the Law or the consent of the person in Article 24 of the Law has been obtained.
(B) Matters listed in the previous item (b) to (d)
(3) Receive the provision of personal data from a third party (excluding those who fall under the category of business operators handling personal information)
In the case of digits Items listed in No. 1 (b) to (d)
4 Of the matters specified in each item of the preceding paragraph, already work by the method specified in the preceding paragraph, the next paragraph and the sixth paragraph.
It was recorded in the record of the preceding paragraph (limited to the case where the record is kept).
If the item and content are the same, the record of the item in the same paragraph can be omitted.
Wear.
5 The record in paragraph 3 must be created promptly each time personal data is provided by a third party.
Must be. However, the third party will provide personal data continuously or repeatedly.
(Excluding the provision pursuant to the provisions of Article 15, Paragraph 2. The same shall apply hereinafter in this Article.)
Or it is certain that personal data will be provided continuously or repeatedly from the third party.
Records when it is expected to be can be created in a batch.

6 Notwithstanding the provisions of the preceding paragraph, from a third party in connection with the provision of goods or services to the person
When personal data related to the person is provided, it is created for the provision.
If the contract or other document contains the matters specified in each item of Paragraph 3, the document concerned.
Can be replaced with a record relating to the relevant matter in the same paragraph.
7 The telecommunications carrier shall list the records in paragraph 3 in the following items from the date of creation of the records.
Depending on the classification of the case, it must be stored for the period specified in each item.
(1) When a record is created by the method specified in the preceding paragraph Finally, the individual data related to the record

80

Page 81

3 Obligations of telecommunications carriers

From the date of receiving the data to the day when one year has passed
(2) When a record is created by the method specified in the proviso of paragraph 5 Finally, in the record
From the date when the personal data is provided to the date when three years have passed since the date of receipt of the personal data.
(3) 3 years for cases other than the previous 2

For confirmation, etc. when receiving provision to a third party, "Protection of personal information" established by the Personal Information Protection Commission
Follow the "Guidelines for Protection Law (Confirmation / Recording Obligation at the Time of Provision to a Third Party)"
And.

(reference)
[Confirmation when receiving a third party (related to Article 26, Paragraphs 1 and 2 of the Law)]
Article 26 of the Law (Paragraphs 1 and 2)
1 When a business operator handling personal information receives personal data from a third party, it protects personal information.
The following matters shall be confirmed pursuant to the rules of the protection committee. However
However, if the provision of the personal data falls under any of the items of Article 23, Paragraph 1 or Paragraph 5
In that case, this is not the case.
(1) The name or address of the third party and the representative of the corporation (not a corporation)
In the case of an organization with a designated representative or manager, the representative or manager)
Name
(2) Background of acquisition of the personal data by the third party
2 The third party in the preceding paragraph shall be applicable when the business operator handling personal information confirms according to the provisions of the same paragraph.
The matters related to the confirmation must not be false to the business operator handling personal information.

Rule Article 15
1 The method for confirming the matters listed in item 1 of the same paragraph pursuant to the provisions of Article 26, paragraph 1 of the Act is personal data.
It shall be a method of receiving a declaration from a third party who provides the above or any other appropriate method.
2 The method for confirming the matters listed in item 2 of the same paragraph pursuant to the provisions of Article 26, paragraph 1 of the Act is personal data.
A contract showing the process of acquisition of the personal data by the third party from the third party who provides
The method of receiving the written presentation of the above and other appropriate methods shall be used.
3 Notwithstanding the provisions of the preceding two paragraphs, when receiving other personal data from a third party, the preceding two
Confirmation by the method specified in the section (Creation of records by the method specified in the next article for the confirmation)
And only when it is preserved. ) Is the method of confirming the matter
Confirmation that the content of the item and the content of the items listed in each item of Article 26, Paragraph 1 of the Act relating to the provision are the same.
It is a method of recognition.

[Creation of records when receiving a third party (related to Article 26, Paragraphs 3 and 4 of the Law)]
Article 26 of the Law (Sections 3 and 4)

81

Page 82

3 Obligations of telecommunications carriers

3 When the business operator handling personal information confirms according to the provisions of Paragraph 1, the rules of the Personal Information Protection Commission
According to the rules, the date when the personal data was provided, the matters related to the confirmation,
Records must be created regarding matters specified by other rules of the Personal Information Protection Commission.
4 The business operator handling personal information shall record the record in the preceding paragraph from the date when the record was created by the Personal Information Protection Commission.
Must be retained for the period specified by the regulations.

Rule Article 16
1 The method of creating the record of the same paragraph pursuant to the provision of Article 26, Paragraph 3 of the Act is document, electromagnetic record or My
It is a method of making using a black film.
2 The record of Article 26, Paragraph 3 of the Law shall be promptly created each time personal data is provided by a third party.
There must be. However, the third party will provide personal data continuously or repeatedly (law).
Excludes provision under Article 23, Paragraph 2. The same shall apply hereinafter in this article. ), Or the relevant
Expected to be certain to receive personal data continuously or repeatedly from a third party
Records can be created all at once.
3 Notwithstanding the provisions of the preceding paragraph, a third party concerned with the provision of goods or services to the person.
When personal data related to the person is provided, a contract created for the provision
If any other document contains the matters specified in each item of paragraph 1 of the next article, the document shall be used as the law.
It can be replaced with the record concerning the matter in Article 26, Paragraph 3.

Rule Article 17
1 Matters stipulated by the rules of the Personal Information Protection Commission in Article 26, Paragraph 3 of the Act are the cases listed in the following items.
The matters specified in each item shall be applied according to the classification.
(1) A place where personal data is provided by a business operator handling personal information pursuant to the provisions of Article 23, Paragraph 2 of the Act.
Matters listed in the following a to e
B. Date of receiving personal data
(B) Matters listed in each item of Article 26, Paragraph 1 of the Act
C. It is sufficient to identify the person's name and other persons identified by the personal data.
Matters
D. Items of the personal data
(E) It is announced pursuant to the provisions of Article 23, Paragraph 4 of the Act.
(2) Personal data from a business operator handling personal information pursuant to the provisions of Article 23, Paragraph 1 of the Law or Article 24 of the Law.
When provided: Matters listed in the following a and b
B. The consent of the person in Article 23, Paragraph 1 of the Law or Article 24 of the Law has been obtained.
(B) Matters listed in the previous item (b) to (d)
(3) A place where personal data is provided by a third party (excluding those who fall under the category of business operators handling personal information)
Matters listed in No. 1 (b) to (d)
2 Of the matters stipulated in each item of the preceding paragraph, Article 26, Paragraph 3 of the Act, which has already been prepared by the method stipulated in the preceding Article.

82

Page 83

3 Obligations of telecommunications carriers

The items and contents recorded in the record (limited to the case where the record is saved) are the same.
For some, the record of the relevant matter in Article 26, Paragraph 3 of the Act may be omitted.

Rule Article 18
The period specified by the rules of the Personal Information Protection Commission in Article 26, Paragraph 4 of the Act is the ward in the cases listed in the following items.
Depending on the minute, the period specified in each item shall be applied.
(1) When a record is created by the method stipulated in Article 16, Paragraph 3 Finally, the individual related to the record
From the day when the person data is provided to the day when one year has passed
(2) When a record is created by the method specified in the proviso of Article 16 Paragraph 2 Finally, in the record
From the date when the personal data is provided to the date when three years have passed since the date of receipt of the personal data.
(3) 3 years for cases other than the previous 2

Disclosure, correction, suspension of use, etc. of retained personal data, such as publication of matters related to retained personal data
(Relationship between Articles 19 and 26)
Publication of matters related to retained personal data (related to Article 19)
(1) Dissemination of matters related to retained personal data to the individual (related to Article 19, Paragraph 1)
Article 19 (Section 1)
1 The telecommunications carrier can know the following matters regarding the retained personal data.
Must be placed in such a state (including the case of responding without delay at the request of the person).
(1) Name or name of the telecommunications carrier
(2) Purpose of use of all retained personal data (corresponds to Article 8, Paragraph 4, Items 1 to 3)
Except when )
(3) Requests pursuant to the provisions of the next paragraph or Article 1, Paragraph 1, Article 21, Paragraph 1 or Article 22, Paragraph 1 Young
Or the procedure for responding to a request pursuant to the provisions of Paragraph 3 (the fee shall be charged pursuant to the provisions of Article 25 Paragraph 2).
When the amount is set, the amount of the fee is included. )
(4) To file a complaint regarding the handling of retained personal data by the telecommunications carrier.
(5) When the telecommunications carrier is a target carrier of an authorized personal information protection organization
Is the name of the authorized personal information protection organization and the address to which the complaint can be resolved.

The telecommunications carrier can know the following information (1) to (4) regarding the retained personal data.
It must be placed in a state (including the case of responding without delay at the request of the person) (* 1).

① Name or name of the telecommunications carrier

(2) Purpose of use of all retained personal data (* 2) (However, except for certain cases (* 3))

(3) Procedures and maintenance in response to requests for notification of the purpose of use of retained personal data or requests for disclosure, etc. (* 4)

83

Page 84

3 Obligations of telecommunications carriers

Amount of fee for requesting notification of purpose of use of personal data or requesting disclosure (if specified)
Limited to. )(※Five)

④ Where to file complaints regarding the handling of retained personal data
(Example) Name of contact person / contact person who accepts complaints, mailing address, reception telephone number and other complaints
Request destination (if the telecommunications carrier is a target carrier of an authorized personal information protection organization, that
Includes the name of the organization and the address to which the complaint is resolved. )

(* 1) "A state that the person can know (including the case of responding without delay at the request of the person)"
Posting on the homepage, distributing pamphlets, responding to the request of the person without delay
If the person wants to know, such as doing, it is said to put it in a state where it can be known, always
The exact content at that time must be in a state that the person can know. Must
Continued posting on the homepage or at the counters of offices, etc.
It does not require that it be done in a targeted manner, but the nature of the business and personal information
Depending on the handling situation, the content must be recognized by the person in a rational and appropriate way.
Must be.
For telecommunications carriers that usually respond to inquiries, go to the homepage.
The method of continuous posting is "a state that the person can easily know" (3-5-2 (opt-out).
(Provided by a third party)) and "A state that the person can know (circulated without delay at the request of the person)
Including the case of answering. ) ”Is a method that matches the purpose of both.
[Cases that correspond to the state that the person can know]
Case 1) Set up an inquiry window so that if there is an inquiry, we can answer it verbally or in writing.
When building a system
Example 2) When a pamphlet is kept in a store
Example 3) In electronic commerce, contact information on the homepage that introduces products.
When displaying the address
(* 2) If the purpose of use includes provision to a third party, that fact must also be clarified.
(* 3) “Constant cases” refers to the following cases listed in Article 8, Paragraph 4, Items 1 to 3.
(Refer to 3-2-7 (when it is not necessary to notify the purpose of use)).
A) The life of the person or a third party by notifying the person of the purpose of use or making it public.
When there is a risk of harming the body, property or other rights and interests
B) Right of the telecommunications carrier by notifying or publicizing the purpose of use
When there is a risk of infringement of interests or interests
C) Obtain the cooperation of private companies, etc. in carrying out the affairs stipulated by laws and regulations by national organizations, etc.
When it is necessary, the cooperating private companies, etc. received it from the national institution, etc.
By notifying or disclosing the purpose of use of personal information, the relevant affairs
When there is a risk of interfering with the performance of
(* 4) “Request for disclosure, etc.” means disclosure of retained personal data (3-6-2 (disclosure of retained personal data))

84

Page 85

3 Obligations of telecommunications carriers

Reference), correction, addition or deletion of the contents of retained personal data (3-6-3 (retained personal data)
(Correction, etc.)), suspension or deletion of the use of retained personal data, or retained personal data
Suspension of provision of data to third parties (see 3-6-4 (suspension of use of retained personal data, etc.))
Refers to billing.
(* 5) When determining the amount of the fee, it should be within the range that is considered reasonable in consideration of the actual cost.
It must be set (see 3-6-7 (fee)).

(reference)
Article 27 of the Act (paragraphs 1 to 3)
1 The business operator handling personal information can know the following matters regarding the retained personal data.
Must be placed in such a state (including the case of responding without delay at the request of the person).
(1) Name or name of the business operator handling personal information
(2) Purpose of use of all retained personal data (places that fall under Article 18, Paragraphs 1 to 3)
Excludes cases. )
(3) Request under the provisions of the next paragraph or Article 29, Paragraph 1 or Article 30, Paragraph 1 of the following Article or
Procedures for responding to requests pursuant to the provisions of Paragraph 3 (the amount of fees is determined pursuant to the provisions of Article 33, Paragraph 2)
When, the amount of the fee is included. )
(4) In addition to the items listed in item 3 above, necessary matters regarding ensuring the proper handling of retained personal data.
What is specified by Cabinet Order
2 The business operator handling personal information is the purpose of use of the retained personal data that identifies the person concerned.
When requested to notify, the person must be notified without delay. However, next
This does not apply if any of the items in the above applies.
(1) When the purpose of use of the retained personal data that identifies the person concerned is clear according to the provisions of the preceding paragraph
(2) When applicable to Article 18, Paragraph 4, Items 1 to 3
3 Businesses handling personal information pass through the purpose of use of retained personal data requested based on the provisions of the preceding paragraph.
If you decide not to know, you must notify the person without delay.

Cabinet Order Article 8
The items specified by Cabinet Order under Article 27, Paragraph 1, Item 4 of the Act shall be as follows.
(1) Where to file complaints regarding the handling of retained personal data by the business operator handling personal information.
(2) When the business operator handling personal information is a business operator subject to an authorized personal information protection organization
Is the name of the authorized personal information protection organization and the address to which the complaint can be resolved.

Article 47 of the law
1 Businesses listed below for the purpose of ensuring the proper handling of personal information, etc. of businesses handling personal information
(Including non-corporate organizations with a representative or administrator stipulation.
Same for No. 3 (b). ) Can be certified by the Personal Information Protection Commission.

85

Page 86

3 Obligations of telecommunications carriers

(1) Personal information, etc. of personal information handling business operators, etc. (hereinafter referred to as "target business operators") that are the targets of business
Handling of complaints pursuant to the provisions of Article 52 regarding handling
(2) Information on the target business operator regarding matters that contribute to ensuring the proper handling of personal information, etc.
Providing information
(3) In addition to the items listed in item 2 above, it is essential to ensure the proper handling of personal information of the target business operator.
Required work
2 A person who intends to obtain the certification set forth in the preceding paragraph applies to the Personal Information Protection Commission pursuant to the provisions of a Cabinet Order.
Must.
3 When the Personal Information Protection Commission has made the certification set forth in paragraph 1, it must publicly announce that fact.

Article 52 of the Act
1 Authorized personal information protection organization handles personal information of the target business operator from the person and other related parties
When there is a request for resolution of a complaint regarding, we will respond to the consultation and give the requester the necessary advice.
Then, while investigating the circumstances related to the complaint, the content of the complaint is communicated to the target business operator.
You must know and seek a quick solution.
2 When the authorized personal information protection organization finds it necessary to resolve the complaint pertaining to the request set forth in the preceding paragraph.
Requests the target business operator to provide written or oral explanations, or requests the submission of materials.
be able to.
3 The target business operator is legitimate when requested by an authorized personal information protection organization pursuant to the provisions of the preceding paragraph.
Don't refuse this for no reason.

(2) Notification of purpose of use of retained personal data (related to Article 19, Paragraphs 2 and 3)
Article 19 (paragraphs 2 and 3)
2 The telecommunications carrier intends to use the retained personal data that identifies the person from the person.
When requested to notify, the person must be notified without delay. Ta
However, this does not apply if any of the following items apply.
(1) The purpose of use of the retained personal data that identifies the person concerned is clear according to the provisions of the preceding paragraph.
If
(2) When applicable to Article 8, Paragraph 4, Items 1 to 3
3 Telecommunications carriers shall pass the purpose of use of retained personal data requested based on the provisions of the preceding paragraph.
If you decide not to know, you must notify the person without delay.
Absent.

The telecommunications carrier is identified by the person except in the following cases (1) to (4).
When requested to notify the purpose of use of retained personal data, the person must be notified (*) without delay.
Must be.
If you decide not to notify, you must notify the person without delay.

86

Page 87

3 Obligations of telecommunications carriers

I.

(1) Use of retained personal data that identifies the person by the measures in (1) above (Article 19, Paragraph 1)
When the target is clear

(2) Life, body, property of the person or a third party by notifying or disclosing the purpose of use to the person
When there is a risk of harming other rights and interests (Article 8, Paragraph 4, Item 1) (3-2-7 (Purpose of use)
If you do not need to give notice etc.)

③ The right or correctness of the telecommunications carrier by notifying or publicizing the purpose of use.
When there is a risk of infringement of such interests (Article 8, Paragraph 4, Item 2) (3-2-7 (Communication of purpose of use)
If you don't need to know)

(4) It is necessary to obtain the cooperation of private companies, etc. in order for national organizations, etc. to carry out the affairs stipulated by laws and regulations.
In some cases, the use of retained personal data received from national institutions by cooperating private companies, etc.
Obtaining the consent of the person by notifying or disclosing the purpose to the person is the completion of the relevant affairs.
When there is a risk of hindering the line (Article 8, Paragraph 4, Item 3) (3-2-7 (Notification of purpose of use, etc.)
If you don't have to do it)

(*) For "Notify the person", refer to 2-11 (Notify the person).

(reference)
Article 27 of the Act (paragraphs 2 and 3)
2 The business operator handling personal information is the purpose of use of the retained personal data that identifies the person concerned.
When requested to notify, the person must be notified without delay. However, next
This does not apply if any of the items in the above applies.
(1) When the purpose of use of the retained personal data that identifies the person concerned is clear according to the provisions of the preceding paragraph
(2) When applicable to Article 18, Paragraph 4, Items 1 to 3
3 Businesses handling personal information pass through the purpose of use of retained personal data requested based on the provisions of the preceding paragraph.
If you decide not to know, you must notify the person without delay.

Disclosure of retained personal data (related to Article 20)
Article 20
1 The person requests the telecommunications carrier to disclose the retained personal data that identifies the person.
Can be sought.
2 When a telecommunications carrier receives a request pursuant to the provisions of the preceding paragraph, it will deliver a document to the person.

87

Page 88

3 Obligations of telecommunications carriers

By the method according to (if there is a method agreed by the person who requested the disclosure, the method concerned)
The retained personal data must be disclosed without delay. However, by disclosing
If any of the following items apply, all or part of it may not be disclosed.
To
(1) When there is a risk of harming the life, body, property or other rights and interests of the person or a third party
(2) Places that may significantly hinder the proper implementation of the business of the telecommunications carrier.
Go
(3) Decree (Law, Law Enforcement Ordinance on Protection of Personal Information (Cabinet Order No. 507 of 2003) and
Excludes rules. The same applies to paragraph 4 and paragraph 2 of the next article. ) Is violated
3 The telecommunications carrier shall have all or part of the retained personal data pertaining to the request pursuant to the provisions of Paragraph 1.
When it is decided not to disclose the relevant personal data or when the retained personal data does not exist
Must notify the person without delay.
4 According to the provisions of laws and regulations, the method equivalent to the method specified in the main text of Paragraph 2 shall be applied to the person.
When it is supposed to disclose all or part of the retained personal data that identifies the person
For all or part of the retained personal data, the provisions of paragraphs 1 and 2 shall apply.
Does not apply.

The telecommunications carrier discloses the retained personal data that identifies the person (does not exist) from the person.
Sometimes it involves notifying that. ), A document will be delivered to the person.
(If there is a method agreed by the person who requested the disclosure, that method (* 1))
The retained personal data must be disclosed without delay (* 2).
However, if the disclosure falls under any of the following (1) to (3), that
It is possible not to disclose all or part of it, but when it is decided not to disclose it again
If the retained personal data related to the request does not exist, the person will be notified (* 3) without delay.
There must be.

(1) When there is a risk of harming the life, body, property or other rights and interests of the person or a third party

By disclosing the retained personal data to the person, the life, body, property, etc. of the person or a third party, etc.
If there is a risk of harming the rights and interests of the company, do not disclose all or part of the retained personal data.
I can do it.

(2) When there is a risk of significant hindrance to the proper implementation of the business of the telecommunications carrier

By disclosing the retained personal data to the person himself / herself, it is possible to properly carry out the business of the telecommunications carrier.
If there is a risk of causing any problems, we will not disclose all or part of the retained personal data.
be able to.
Case 1) The same person repeatedly requests disclosure of the same content that requires complicated measures.

88

Page 89

3 Obligations of telecommunications carriers

Yes, other inquiries can be handled by virtually occupying the inquiry window.
When there is a risk of significant business problems such as not being able to go
Case 2) Telecommunications carriers are required to disclose their own credit evaluations, etc.
When there is a risk of significant business problems

(3) Decree (Law, Law Enforcement Ordinance on Protection of Personal Information (Cabinet Order No. 507 of 2003) and rules
except. The same applies to Paragraph 4 and Article 21 Paragraph 2. ) Is violated

Violation of laws and regulations (excluding personal information protection laws and regulations) by disclosing retained personal data to the person
In that case, all or part of the retained personal data may not be disclosed.

Case) Criminal Law (Meiji 40 Law No. 45) Article 134 (Secret Disclosure Offense) and Telecommunications Business Law No. 4
When it violates the Article (Protection of Privacy of Communications)

In addition, according to the provisions of laws and regulations (excluding personal information protection laws and regulations), the method stipulated in Article 20, Paragraph 2 is used.
Applicable method (method by delivery of document (when there is a method agreed by the person who requested disclosure, if there is a method)
When it is decided to disclose retained personal data that identifies the person in question by the method))
The provisions of Article 20, Paragraphs 1 and 2 do not apply to, but the provisions of the relevant decree apply.
Become.
In addition, the person requests disclosure of retained personal data that identifies the person in a court action.
Please refer to 3-6-8 (Advance Request for Settlement Action) for the relationship between the case and this article.

(* 1) "If there is a method that the person who requested the disclosure agrees, that method" is the method of disclosure.
If the person who made the request agrees, various methods such as e-mail, telephone, etc.
Is possible, and the method of issuing a document means that it is possible without consent.
In addition, the person who requested the disclosure did not specify the disclosure method in particular, and the telecommunications affairs
If you do not object to the method presented by the vendor (request for disclosure over the phone)
This includes the case of answering inquiries by telephone as it is after confirming the necessary identity. ) Is
It can be treated as if there was consent for the method. Request for disclosure
As a way of obtaining consent from a person, a telecommunications carrier presents a disclosure method, and that person is rare.
It is conceivable that the business operator selects from a plurality of desired methods.
(* 2) From the perspective of protecting the rights and interests of consumers, etc., the characteristics, scale, and actual conditions of business activities
As much as possible, the source or method of acquiring personal information (type of acquisition source, etc.)
It is desirable to specify it physically and further respond to the request from the person.
(* 3) For "Notify the person", refer to 2-11 (Notify the person).

(reference)

89

Page 90

3 Obligations of telecommunications carriers

Article 28 of the Act (paragraphs 1 to 4)
1 The person requests the business operator handling personal information to disclose the retained personal data that identifies the person.
Can be sought.
2 When a business operator handling personal information receives a request pursuant to the provisions of the preceding paragraph, it shall be specified by a Cabinet Order to the person himself / herself.
The retained personal data must be disclosed without delay by such a method. However, to disclose
If any of the following items apply, all or part of it may not be disclosed.
To
(1) When there is a risk of harming the life, body, property or other rights and interests of the person or a third party
(2) Places that may significantly hinder the proper implementation of the business of the business operator handling personal information
Go
(3) When it violates other laws and regulations
3 The business operator handling personal information shall have all or part of the retained personal data pertaining to the request pursuant to the provisions of Paragraph 1.
When it is decided not to disclose the personal data, or when the retained personal data does not exist, the person himself / herself
You must notify us without delay.
4 According to the provisions of other laws and regulations, the method equivalent to the method prescribed in the main text of paragraph 2 is applied to the person.
If all or part of the retained personal data that identifies the person is to be disclosed, this
The provisions of paragraphs 1 and 2 do not apply to all or part of the retained personal data.

Article 9 of the Cabinet Order
The method specified by the Cabinet Order under Article 28, Paragraph 2 of the Act is the method by issuing a document (the person who requested the disclosure).
If there is a method that you agree with, the method) shall be applied.

Correction of retained personal data, etc. (related to Article 21)
Article 21
1 The person is the content of the retained personal data that identifies the person to the telecommunications carrier.
If it is not true, the content of the retained personal data will be corrected, added or deleted (hereinafter referred to as this article).
It is called "correction, etc." ) Can be requested.
2 When a telecommunications carrier receives a request pursuant to the provisions of the preceding paragraph, it will correct the content, etc.
To achieve the purpose of use, unless special procedures are stipulated by laws and regulations.
To the extent necessary, conduct the necessary investigation without delay, and based on the results, the relevant individual
The contents of the data must be corrected.
3 The telecommunications carrier has all the contents of the retained personal data related to the request pursuant to the provisions of Paragraph 1.
Or when some corrections are made, or when it is decided not to make corrections
Will notify the person without delay (including the content of any corrections made).
I have to know.

The telecommunications carrier has an error in the retained personal data that identifies the person, and in fact

90

Page 91

3 Obligations of telecommunications carriers

Correction, addition or deletion (* 1) of the content (hereinafter referred to as "correction, etc.") because it is not
When we receive a request, we will conduct the necessary investigation without delay to the extent necessary to achieve the purpose of use, and as a result
In principle, corrections, etc. must be made based on (* 2).
In addition, the telecommunications carrier is included in the retained personal data related to the request based on the provisions of Article 21, Paragraph 2.
When all or part of the contents are corrected, or it is decided not to make corrections.
In that case, without delay, notify the person to that effect (including the details of any corrections made) (*
3) Must do.
In addition, the provisions of laws and regulations (excluding personal information protection laws and regulations) regarding correction of the contents of retained personal data, etc.
If more special procedures are provided, the provisions of Article 21, Paragraphs 1 and 2 of the Act apply.
However, the provisions of the relevant decree will be applied.
In addition, the person requests the correction of the retained personal data that identifies the person by a court action.
See 3-6-8 (Advance Request for Settlement) for the relationship between the request and this article.

[Cases that do not need to be corrected]
Case) When the target of correction, etc. is not facts but information related to evaluation

(* 1) "Delete" means to remove unnecessary information.
(* 2) If the purpose of use does not require correction, etc., it means that the retained personal data is incorrect.
If the indication is incorrect, there is no need to make corrections. However, in that case, it is late
You must notify the person that no corrections will be made without delay.
(* 3) For "Notify the person", refer to 2-11 (Notify the person).

(reference)
Article 29 of the law
1 The person is the content of the retained personal data that identifies the person to the business operator handling personal information.
If it is not true, the content of the retained personal data will be corrected, added or deleted (hereinafter referred to in this Article).
It is called "correction, etc." ) Can be requested.
2 When a business operator handling personal information receives a request pursuant to the provisions of the preceding paragraph, it will correct the content, etc.
Required to achieve the purpose of use, unless special procedures are stipulated by other laws and regulations.
We will conduct the necessary investigation without delay within the necessary range, and based on the result, the retained personal data
The contents of the above must be corrected.
3 The business operator handling personal information is not sure about all the contents of the retained personal data related to the request pursuant to the provisions of Paragraph 1.
Or when a part of the correction is made, or when it is decided not to make the correction, the person himself / herself
To that effect (including the content of any corrections, etc.) must be notified without delay.
Absent.

91

Page 92

3 Obligations of telecommunications carriers

Suspension of use of retained personal data (related to Article 22)

Article 22
1 The person is the telecommunications carrier, and the retained personal data that identifies the person is Article 5
When it is handled in violation of the provisions or acquired in violation of the provisions of Article 7.
In some cases, suspension or deletion of the use of the retained personal data (hereinafter referred to as "suspension of use" in this article.
Stop, etc. " ) Can be requested.
2 When a telecommunications carrier receives a request pursuant to the provisions of the preceding paragraph, the reason for the request
When it is found that there is, to the extent necessary to correct the violation, without delay, the insurance
Yes You must suspend the use of personal data. However, the interest of the retained personal data
When it costs a lot of money to suspend the use, etc. When it is difficult to suspend the use, etc.
Therefore, when taking necessary alternative measures to protect the rights and interests of the person, this
Not limited.
3 The person is the telecommunications carrier, and the retained personal data that identifies the person is Article 15 Article 15.
If it is provided to a third party in violation of the provisions of Paragraph 1 or Article 16, the holding individual day
You can request the suspension of provision of data to a third party.
4 When a telecommunications carrier receives a request pursuant to the provisions of the preceding paragraph, the reason for the request
If it is found that there is, we will stop providing the retained personal data to a third party without delay.
Must. However, it costs a lot of money to stop providing the retained personal data to a third party.
When it is necessary to stop providing it to other third parties, and the person himself / herself
When taking necessary alternative measures to protect the rights and interests of
I.
5 The telecommunications carrier shall have all or all of the retained personal data pertaining to the request pursuant to the provisions of Paragraph 1.
When the use of some parts is suspended or it is decided not to suspend the use
When, or all or part of the retained personal data pertaining to the request pursuant to the provisions of paragraph 3.
When the provision to a third party is stopped or the provision to a third party is not stopped
In such a case, the person must be notified to that effect without delay.

For telecommunications carriers, the retained personal data that identifies the person concerned is subject to the provisions of Article 5 from the person himself / herself.
In violation, it is used for purposes other than the intended purpose without the consent of the person, or it is falsely in violation of the provisions of Article 7.
Personal information is acquired by other fraudulent means or sensitive personal information is acquired without the consent of the person.
Suspension or deletion of the use of the retained personal data (* 1) (hereinafter
Below is called "suspension of use, etc." ), And it is found that there is a reason for the request
When it is revealed, in principle (* 2), the use must be suspended without delay.
In addition, the telecommunications carrier has Article 15 of the retained personal data that identifies the person concerned.
Because it is provided to a third party without the consent of the person in violation of the provisions of Paragraph 1 or Article 16.
Therefore, even if a request for suspension of provision of the retained personal data to a third party is received, the request will be made.
When it becomes clear that there is a reason (* 3), in principle, the provision to a third party must be stopped without delay.
Must be.

92

Page 93

3 Obligations of telecommunications carriers

In addition, the telecommunications carrier will suspend the use or suspend the use as described above.
When it is decided not to do so, or when the provision to a third party is suspended, or when the provision to a third party is suspended.
When it is decided not to stop, the person must be notified (* 4) to that effect without delay.
In addition, the person is suspended from using the retained personal data that identifies the person due to a court action, etc.
Or, regarding the relationship between the case of requesting the suspension of provision to a third party and this article, 3-6-8 (in a judicial action)
See (advance billing).
From the perspective of protecting the rights and interests of consumers, etc., consider the characteristics, scale, and actual conditions of business activities.
In consideration, if there is a request from the person regarding the retained personal data, a direct mail will be sent.
It is desirable to take further measures at the request of the person, such as voluntarily responding to suspension of use, etc.
Castanopsis.

(* 1) "Erase" means to make the retained personal data unusable as retained personal data.
In addition to deleting the data, it is not possible to identify a specific individual from the data.
(Refer to 3-3-1 (Ensuring the accuracy of data contents, etc.)).
(* 2) For example, even if you are requested to delete all of your personal data, you will be suspended from using it.
If it is possible to correct the procedural violation, by taking such measures, it is justified.
You have fulfilled your duties, and you do not necessarily have to take the required measures as they are.
I.
If the indication that the procedure is violated is incorrect, it is necessary to suspend the use.
Absent.
(* 3) If the indication that the procedure is violated is incorrect, it is necessary to stop providing it to a third party.
There is no.
(* 4) For "Notify the person", refer to 2-11 (Notify the person).

(reference)
Article 30 of the law
1 The person who handles personal information has the retained personal data that identifies the person in Article 16 of Article 16.
When it is handled in violation of the provisions or when it was acquired in violation of the provisions of Article 17
Suspension or deletion of the use of the retained personal data (hereinafter referred to as "suspension of use, etc." in this Article)
U. ) Can be requested.
2 The business operator handling personal information receives a request pursuant to the provisions of the preceding paragraph, and the reason for the request
When it is found that there is, to the extent necessary to correct the violation, without delay, the holding individual
Data usage must be suspended. However, suspension of use of the retained personal data, etc.
If a large amount of money is required for the service, or if it is difficult to suspend the use of the service, the right of the person
This shall not apply when taking necessary alternative measures to protect interests.
3 For the business operator handling personal information, the retained personal data that identifies the person is Article 23, Article 23.
When provided to a third party in violation of the provisions of Paragraph 1 or Article 24, the retained personal data

93

Page 94

3 Obligations of telecommunications carriers

You can request the suspension of provision to a third party.
4 The business operator handling personal information receives a request pursuant to the provisions of the preceding paragraph, and the reason for the request
When it is found that there is, we must stop providing the retained personal data to a third party without delay.
Must be. However, it costs a lot of money to stop providing the retained personal data to a third party.
In the case where it is difficult to stop the provision to other third parties, the rights and interests of the person
This shall not apply when taking alternative measures necessary for protection.
5 The business operator handling personal information may use all or all of the retained personal data related to the request pursuant to the provisions of Paragraph 1.
When the use of some parts is suspended or when it is decided not to suspend the use, etc.
Or to a third party for all or part of the retained personal data related to the request pursuant to the provisions of Paragraph 3.
When we stop providing the service or decide not to stop providing it to a third party, we will contact the person.
However, you must notify us without delay.

Explanation of reason (related to Article 23)
Article 23
Telecommunications carriers are referred to in Article 19, Paragraph 3, Article 20, Paragraph 3, Article 21, Paragraph 3 or the preceding Article, Paragraph 5.
Measures for all or part of the measures requested or requested by the person in accordance with the regulations
If you want to notify that you will not take measures, or if you want to notify that you will take measures different from those measures,
You must try to explain to others why.

Telecommunications carriers request notification of the purpose of use of retained personal data, or disclose retained personal data.
Requests for corrections, suspension of use, etc. or suspension of provision to third parties (hereinafter referred to as "requests for disclosure, etc."
U. ) For all or part of the measures, the fact that the measures are not taken or the measures different from the measures
When notifying the person (*) that he / she will take the place, explain the reason to the person at the same time.
Must strive for.

(*) For "Notify the person", refer to 2-11 (Notify the person).

(reference)
Article 31 of the law
The business operator handling personal information is Article 27, Paragraph 3, Article 28, Paragraph 3, Article 29, Paragraph 3 or the preceding Article, Paragraph 5.
For all or part of the measures requested or requested by the person in accordance with the provisions of
When notifying the person that he / she will not take the measure, or when notifying the person that he / she will take a measure different from the measure.
You must try to explain why.

94

Page 95

3 Obligations of telecommunications carriers

Procedures for responding to requests for disclosure, etc. (related to Article 24)
Article 24
1 Telecommunications carriers are requested by the provisions of Article 19 Paragraph 2 or Article 20 Paragraph 1 and Article 21 Paragraph 21.
Requests pursuant to the provisions of Paragraph 1 or Article 22, Paragraph 1 or Paragraph 3 (hereinafter referred to as "open" in this Article
Requests for indications, etc. " ), The following items as a method of accepting the request or request
You can specify what is listed in. In this case, the person himself / herself follows the method.
Requests for disclosure, etc. must be made.
(1) Request for disclosure, etc.
(2) Document format to be submitted when requesting disclosure, etc. and other methods for requesting disclosure, etc.
(3) Confirmation that the person making the request for disclosure, etc. is the person or the agent specified in Paragraph 3.
the method of
(4) How to collect the fee set forth in Paragraph 1 of the following Article
2 The telecommunications carrier is the subject of the individual request for disclosure, etc. to the person.
It is possible to request the presentation of matters sufficient to identify the data. In this case, electricity
The credit business operator holds the relevant information so that the person can easily and accurately request disclosure, etc.
Providing information that contributes to the identification of personal data and taking other appropriate measures in consideration of the convenience of the individual
There must be.
3 Requests for disclosure, etc. can be made by the following agents. However, Article 20
Regarding the request for disclosure pursuant to the provisions of Paragraph 1, in the case of infringing the confidentiality of communications of the person, etc. 20
This does not apply if any of the items in Paragraph 2 of the Article applies.
(1) Legal representative of minors or adult guardians
(2) An agent delegated by the person to request disclosure, etc.
4 The telecommunications carrier shall establish procedures for responding to requests for disclosure, etc. based on the provisions of the preceding three paragraphs.
In doing so, care must be taken not to impose an excessive burden on the person.

Telecommunications carriers use the following (1) as a method of accepting requests for disclosure, etc. (* 1).
Items from to (4) can be defined (* 2).
If the method of accepting requests for disclosure, etc. is determined, the state that the person can know (at the request of the person)
Including the case of responding without delay. ) (* 3) must be placed (3-6-1 (owned individual de
(Publication of matters related to data, etc.)).
When the telecommunications carrier has established a method for accepting requests for disclosure, etc. within a reasonable range.
Must make a request for disclosure, etc. in accordance with the method, and must not comply with the method.
In such a case, the telecommunications carrier can refuse the request for disclosure, etc. (* 4).
Regarding requests for disclosure, etc., if the person is in a remote location or if he / she is injured or ill, his / her stool
From the point of view of convenience, it is necessary to approve the request by the agent, so the agent listed in each item of Paragraph 3
It is possible to request disclosure, etc. In addition, the person himself / herself by disclosing the usage details to the agent, etc.
In the case of infringing the confidentiality of communications, etc. In the case of any of the items of Article 20, Paragraph 2
Is not accepted by the agent.

95

Page 96

3 Obligations of telecommunications carriers

In addition, the telecommunications carrier requests the person to disclose, etc. so that the procedures for disclosure, etc. can be carried out smoothly.
Matters necessary for identifying retained personal data (address, ID, pass) that identifies the person concerned
You can ask for the presentation of your ward, membership number, etc.). For example, a telecommunications carrier is a business unit

If you have personal data held by each business office, or if you have personal data held by date of acquisition
In the case of owning, etc., the telecommunications carrier specifically requests disclosure, etc.
It is possible to request identification of which category of retained personal data is targeted.
To. In that case, we will make a request for disclosure, etc. easily and accurately.
Consideration must be given to the convenience of the individual, such as providing information that contributes to the identification of the retained personal data.
Not.

(1) Request for disclosure, etc.
(Example) Contact name / contact name, mailing address, reception telephone number, reception fax number, e-mail address
etc

(2) Document format to be submitted when requesting disclosure, etc., and other methods of accepting requests for disclosure, etc.
(Example) Accepting by mail, fax, e-mail, etc.

(3) The person who makes the request for disclosure, etc. is the person or his / her agent ((1) Legal guardian of minor or adult
Confirmation that you are an agent, (2) an agent delegated by you to make a request for disclosure, etc.)
Method (* 5)

(4) Number of steps to be collected when notifying the purpose of use of retained personal data or disclosing retained personal data
How to collect fees

(* 1) “Request for disclosure, etc.” means requesting notification of the purpose of use of retained personal data (3-6-1 (retained)
(Publication of matters related to personal data, etc.)) or disclosure of retained personal data (3-6-2 (preservation)
(Disclosure of personal data), corrections (see 3-6-3 (correction of retained personal data)), interests
Suspension of use, etc. or suspension of provision to third parties (see 3-6-4 (suspension of use of retained personal data, etc.))
Refers to the request.
(* 2) In deciding the procedure for responding to requests for disclosure, etc., the procedure is the nature of the business.
Appropriate according to the handling status of retained personal data, the method of accepting requests for disclosure, etc.
In addition to taking care to become, letting you write more complicated documents than necessary, accepting requests, etc.
For example, limiting the contact point to an unnecessarily inconvenient place apart from the base where other business is performed, etc.
Care must be taken not to impose an excessive burden on the person.
(* 3) "A state that the person can know (including the case of responding without delay at the request of the person)"
For more information, see 3-6-1 (Publication of matters related to retained personal data, etc.).
(* 4) If you do not specify a method for accepting requests for disclosure, etc., you are allowed to apply freely.
Therefore, it is necessary to be careful.

96

Page 97

3 Obligations of telecommunications carriers

(* 5) The confirmation method is the nature of the business, the handling status of retained personal data, and the receipt of requests for disclosure, etc.
It must be appropriate according to the method of attachment, etc., and the business operator keeps it for identity verification.
Do not ask for more information than necessary compared to the personal data you have, etc.
Care must be taken not to impose an excessive burden on the person.
Case 1) In the case of the person: Driver's license, health insurance insured person's card, individual number card (ma)
Individual Number Card) Surface, Passport, Residence Card, Special Permanent Resident Certificate,
Pension notebook, seal certificate and registered seal
Case 2) In the case of an agent: A driver's license and health insurance for the person and the agent
Insurer ID, Individual Number Card (My Number Card) front, passport,
Residence card, special permanent resident certificate, pension notebook, etc. In addition, regarding the agent,
Power of attorney to indicate proxy (indicates that the parental authority is the legal representative of a minor
In the case, a copy of the family register in which both the person and the agent are listed and the relationship is shown.
Book, copy of resident's card)

(reference)
Article 32 of the law
1 The business operator handling personal information is requested by the provisions of Article 27, Paragraph 2 or Article 28, Paragraph 1, Article 29.
Requests pursuant to the provisions of Paragraph 1 or Article 30, Paragraph 1 or Paragraph 3 (hereinafter referred to as this Article and Article 53, Paragraph 3)
In paragraph 1, it is referred to as "request for disclosure, etc." ), As stipulated by a Cabinet Order, request or request
It is possible to determine the method of accepting requests. In this case, the person himself / herself follows the method.
Requests for disclosure, etc. must be made.
2 The business operator handling personal information is the subject of the request for disclosure, etc. to the person.
It is possible to request the presentation of matters sufficient to identify the data. In this case, handling of personal information
The business operator can easily and accurately make a request for disclosure, etc.
Providing information that contributes to the identification of data and other appropriate measures must be taken in consideration of the convenience of the individual.
Not.
3 Requests for disclosure, etc. may be made by an agent pursuant to the provisions of a Cabinet Order.
4 The business operator handling personal information shall establish the procedure for responding to requests for disclosure, etc. based on the provisions of the preceding three paragraphs.
In doing so, care must be taken not to impose an excessive burden on the person.

Cabinet Order Article 10
A method for a business operator handling personal information to accept requests for disclosure, etc. pursuant to the provisions of Article 32, Paragraph 1 of the Act.
The matters that can be determined in the above shall be as follows.
(1) Request for disclosure, etc.
(2) Documents to be submitted when requesting disclosure, etc. (including electromagnetic records. Article 14, Paragraph 1 and Paragraph 1)
The same applies in Article 21, Paragraph 3. ) Form and other methods for requesting disclosure, etc.
(3) Method of confirming that the person requesting disclosure, etc. is the person himself / herself or the agent prescribed in the next article.

97

Page 98

3 Obligations of telecommunications carriers

(4) How to collect fees under Article 33, Paragraph 1 of the Law

Cabinet Order Article 11
The agents who can request disclosure, etc. pursuant to the provisions of Article 32, Paragraph 3 of the Act shall be the following agents:
Let's be a man.
(1) Legal representative of minors or adult guardians
(2) An agent delegated by the person to request disclosure, etc.

Fees (related to Article 25)
Article 25
1 When a telecommunications carrier is requested to notify the purpose of use pursuant to the provisions of Article 19, Paragraph 2
When receiving a request for disclosure pursuant to the provisions of Article 20, Paragraph 1, regarding the implementation of such measures,
Several fees can be collected.
2 When a telecommunications carrier collects a fee pursuant to the provisions of the preceding paragraph, the actual cost is taken into consideration.
The amount of the fee must be set within the range that is considered reasonable.

Telecommunications carriers are required to notify the purpose of use of retained personal data (Article 19, Paragraph 2), and also.
When receiving a request for disclosure of retained personal data (Article 20, Paragraph 1), regarding the implementation of such measures,
You can set the amount of the fee and collect it.
In addition, if the amount of the fee is set, the state that the person can know (delayed at the request of the person)
Including the case of answering without. ) (*) (Article 19, Paragraph 1, Item 3).
In addition, when collecting a fee, it should be within the range that is considered reasonable in consideration of the actual cost.
The amount of the fee must be determined.

(*) Regarding "states that the person can know (including cases where the person responds without delay at the request of the person)"
For more information, please refer to 3-6-1 (Publication of matters related to retained personal data, etc.).

(reference)
Article 33 of the law
1 When a business operator handling personal information is requested to notify the purpose of use pursuant to the provisions of Article 27, Paragraph 2
When receiving a request for disclosure pursuant to the provisions of Article 28, Paragraph 1, a fee will be charged for the implementation of such measures.
Can be collected.
2 When a business operator handling personal information collects a fee pursuant to the provisions of the preceding paragraph, it will be combined in consideration of the actual cost.
The amount of the fee must be set within the range that is considered reasonable.

98

Page 99

3 Obligations of telecommunications carriers

Preliminary request for settlement of action (related to Article 26)
Article 26
1 The person is in accordance with the provisions of Article 20, Paragraph 1, Article 21, Paragraph 1 or Article 22, Paragraph 1 or Paragraph 3.
When attempting to file an action relating to a claim by, to the person who should be the defendant of the action
The request must be made in advance and two weeks have passed from the date of arrival.
If so, the complaint cannot be filed. However, the person who should be the defendant of the complaint is
This does not apply when the request is refused.
2 The request set forth in the preceding paragraph shall be deemed to have arrived when the request should normally have arrived.
3 The provisions of the preceding two paragraphs are Article 20, Paragraph 1, Article 21, Paragraph 1 or Article 22, Paragraph 1 or Paragraph 3.
The application shall apply mutatis mutandis to the petition for provisional disposition order pertaining to the request under the provisions of.

Disclosure (* 1), correction, etc. (* 2) or suspension of use, etc. (* 3) of retained personal data that identifies oneself
Filed a settlement action regarding a claim against a telecommunications carrier for suspension of provision to a third party (* 4)
If you intend to do so, make the request to the telecommunications carrier in advance outside the court.
Unless two weeks have passed since the request arrived at the telecommunications carrier, the request was made.
Cannot file a complaint (* 5) (* 6).
However, if the telecommunications carrier refuses the alternative dispute resolution (* 7), before two weeks have passed.
In addition, a settlement action relating to the request may be filed.

(* 1) For disclosure of retained personal data, refer to 3-6-2 (Disclosure of retained personal data).
(* 2) Correction of retained personal data means correction, addition or deletion of retained personal data.
(Refer to 3-6-3 (Correction of retained personal data, etc.)).
(* 3) Suspension of use of retained personal data means suspension or deletion of retained personal data.
(Refer to 3-6-4 (suspension of use of retained personal data, etc.)).
(* 4) Regarding suspension of provision of retained personal data to third parties, 3-6-4 (Use of retained personal data)
See stop, etc.).
(* 5) For example, a request for disclosure of retained personal data from the person himself / herself to a telecommunications carrier was made on April 1st.
If the date is reached, the person may file a settlement action relating to the request.
It can be done after the day (April 16), two weeks after the arrival date.
(* 6) Disclosure, correction, etc. of retained personal data that identifies oneself, suspension of use, etc., or third
Similarly, when filing a provisional disposition order for suspension of provision by a person, electricity is communicated in advance.
Make these requests to the telecommunications carrier, and the request is made to the telecommunications carrier.
Apply for the provisional disposition order only after two weeks have passed from the date of arrival.
I can't.
(* 7) “When refusing the alternative dispute resolution” means Article 20, Paragraph 3, Article 21, Paragraph 3, and Paragraph 3.
In addition to the cases listed in Article 22, Paragraph 5, to the person who made the request by the business operator handling personal information
Including cases where the request is simply refused without explaining the reason.
Is done.

99

Page 100

3 Obligations of telecommunications carriers

(reference)
Article 34 of the law
1 The person is in accordance with the provisions of Article 28, Paragraph 1, Article 29, Paragraph 1 or Article 30, Paragraph 1 or Paragraph 3.
When filing an action relating to a claim, the person who should be the defendant of the action should be notified in advance.
The complaint is filed only after two weeks have passed since the request was made and the date of arrival.
Can't wake up. However, if the person who should be the defendant of the complaint refuses the request, this
Not limited.
2 The request set forth in the preceding paragraph shall be deemed to have arrived when the request should normally have arrived.
3 The provisions of the preceding two paragraphs are the provisions of Article 28, Paragraph 1, Article 29, Paragraph 1 or Article 30, Paragraph 1 or Paragraph 3.
The application shall apply mutatis mutandis to the petition for a provisional disposition order pertaining to a fixed request.

Grievance regarding the handling of personal information (related to Article 27)
Article 27
1 Telecommunications carriers must handle complaints about the handling of personal information appropriately and promptly.
Must be.
2 The telecommunications carrier must establish the system necessary to achieve the purpose set forth in the preceding paragraph.
Absent.

Telecommunications carriers complain about the use, provision, disclosure or correction of personal information and other personal information.
Complaints regarding the handling of information must be dealt with appropriately and promptly.
In addition, in order to handle complaints appropriately and promptly, the procedure for setting up a grievance window and handling grievances
It is necessary to establish the necessary system such as establishing the above (* 1). Specific "appropriate and quick processing"
It is difficult to uniformly determine the content for all telecommunications carriers, etc.
It is necessary to decline, but at least in the following cases, it is said that appropriate and prompt measures are taken.
I don't think I can say that.

① When there is no contact point for complaints
(2) Even if there is a contact point for complaints, the contact information and reception hours are generally available.
If not revealed
③ Even if the contact information and reception hours for responding to complaints are generally disclosed,
In the case where the corresponding window is hardly available (for example, at the telephone window)
If you can't connect even if you call frequently, or if you don't connect
But if you do not contact me)
On the other hand, it is not necessary to meet unreasonable demands.
In addition, the telecommunications carrier is the recipient of complaints regarding the handling of retained personal data (telecommunications business).
If the person is a target business operator of an authorized personal information protection organization, the name of the organization and the complaint resolution report
Including whereabouts. ), The state that the person can know (when replying without delay at the request of the person)

100

Page 101

3 Obligations of telecommunications carriers

including. ) (* 2) (3-6-1 (publication of matters related to retained personal data, etc.)
reference).
In addition, Article 27 of the Telecommunications Business Law is the telecommunications services listed in each item of Article 26, Paragraph 1 of the same law.
Do not handle complaints and inquiries from consumers, etc. regarding the business method related to the service appropriately and promptly.
It stipulates that it must be done.

(* 1) To build a relationship of trust with consumers and other individuals and secure public trust in business activities.
For the purpose, "Thoughts and policies for promoting the protection of personal information (so-called privacy)
Policy, privacy statement, etc.) ”and posted on the website
Or, make it public by posting it in a place where the store is easy to see, so that it can be understood externally in advance.
Consignment office, such as explaining quickly, clarifying the existence of consignment, the contents of the consigned office work, etc.
It is also important to promote transparency of reason.
(* 2) "A state that the person can know (including the case of responding without delay at the request of the person)"
For more information, please refer to 3-6-1 (Publication of matters related to retained personal data, etc.).

(reference)
Law Article 35
1 Businesses handling personal information strive to handle complaints regarding the handling of personal information appropriately and promptly.
There must be.
2 Businesses handling personal information must endeavor to establish the system necessary to achieve the purpose set forth in the preceding paragraph.
It doesn't become.

Obligations of businesses handling anonymously processed information (related to Articles 28 to 31)
[Creation of anonymously processed information, etc. (related to Article 28, Paragraph 1)]
Article 28 (Section 1)
1 Telecommunications carriers make up anonymously processed information (anonymously processed information database, etc.)
Limited. same as below. ), Used to identify a specific individual and create it
The following is defined as necessary to prevent the restoration of personal information
The personal information must be processed according to the standards.
(1) All or part of the description, etc. that can identify a specific individual included in personal information
(Has regularity that can restore all or part of the description, etc.)
Including replacing with other description etc. by no method. ).
(2) Delete all the personal identification codes included in the personal information (restore the personal identification code)
Includes replacement with other descriptions, etc. by a method that does not have regularity that can be based
Mu. ).
(3) A code that connects personal information and information obtained by taking measures against the personal information (actually, electricity)

101

Page 102

3 Obligations of telecommunications carriers

Limited to codes that connect information handled by telecommunications carriers to each other. ) To delete
(The personal information and the personal information can be restored by a method that does not have regularity that can restore the code.
Replace the personal information with a code that cannot be linked to the information obtained by taking measures.
Including that. ).
(4) Deleting a peculiar description, etc. (Regularity that can restore the peculiar description, etc.)
Includes replacement with other descriptions, etc. by a method that does not have. ).
(5) In addition to the measures listed in the preceding items, the description etc. included in the personal information and the individual including the personal information
Differences from other personal information that composes the personal information database, etc.
Taking into consideration the nature of the personal information database, etc., and taking appropriate measures based on the results
To cheat.

[Safety management measures for anonymously processed information, etc. (Article 28, Paragraphs 2 to 4, Article 28, Paragraph 7, Article 31)]
Article 28 (Sections 2 to 4 and 7)
2 When a telecommunications carrier creates anonymously processed information, is it the personal information used to create it?
Regarding the description, etc. deleted from the above, the personal identification code, and the processing method performed according to the provisions of the preceding paragraph.
In accordance with the standards set forth below as necessary to prevent leakage of information, these
Measures must be taken for the security of information.
(1) Processing method information (descriptions deleted from personal information used to create anonymous processing information, etc.)
Information on the personal identification code and the processing method performed according to the provisions of the preceding paragraph (the information)
Limited to those that can be used to restore the personal information. ). Below in this article
It's the same. ) Clearly define the authority and responsibility of the person who handles it.
(2) Establish rules regarding the handling of information such as processing methods, and process methods in accordance with the rules.
Etc. are handled appropriately, and the status of their handling is evaluated, and the results are obtained.
Take necessary measures to make improvements based on the above.
(3) Collection of information on processing methods, etc. by a person who does not have the proper authority to handle information on processing methods, etc.
Take necessary and appropriate measures to prevent handling.
3 When a telecommunications carrier creates anonymously processed information, it will not be delayed and will benefit from the Internet.
Items of personal information contained in the anonymously processed information, by any other appropriate method.
Must be published.
4 A telecommunications carrier created anonymously processed information on behalf of another personal information handling carrier.
In the case, the other business operator handling personal information is the information about the individual included in the anonymously processed information.
The items of the report shall be published by the method prescribed in the preceding paragraph. In this case, the relevant
Upon publication, the telecommunications carrier shall be deemed to have published the item.
7 When a telecommunications carrier creates anonymously processed information, the safety management of the anonymously processed information
Complaints about necessary and appropriate measures for the purpose, creation of the anonymously processed information and other handling
Processing and other measures necessary to ensure the proper handling of the anonymously processed information
We must endeavor to take measures and publicize the details of the measures.

102

Page 103

3 Obligations of telecommunications carriers

Article 31
Telecommunications carriers that handle anonymously processed information are responsible for the safety management of anonymously processed information.
Necessary and appropriate measures, handling of complaints regarding the handling of anonymously processed information and other anonymously processed information
Take the necessary measures to ensure the proper handling of, and publicize the contents of the measures
I must try.

[Provision of anonymously processed information to a third party (related to Article 28, Paragraph 5, Article 29)]
Article 28 (Section 5)
5 The telecommunications carrier creates anonymously processed information and provides the anonymously processed information to a third party.
In some cases, provide it to a third party in advance by using the Internet or other appropriate method.
About the items of personal information included in the anonymously processed information and the method of providing it
In addition to making it public, the information related to the provision to the third party is anonymously processed information.
Clarified by sending an e-mail or delivering a document or other appropriate method
Must.

Article 29
Telecommunications carriers, which handle anonymously processed information, process anonymously processed information (process personal information by themselves).
Excludes those created in. The same applies below in this chapter. ) To a third party
Anonymous processing provided to a third party in advance by using the Internet or other appropriate method
The items of personal information contained in the information and the method of providing it will be announced.

To the third party, an e-mail is sent to the effect that the information related to the provision is anonymously processed information.
Must be clearly stated by a method of belief, a method of delivering a document, or any other appropriate method.
I.

[Prohibition of identification (Article 28, Paragraph 6, Article 30)]
Article 28 (Section 6)
6 Telecommunications carriers create anonymously processed information and handle the anonymously processed information by themselves.
Therefore, in order to identify the person related to the personal information used to create the anonymously processed information.
In addition, the anonymously processed information must not be collated with other information.

Article 30
A telecommunications carrier, which handles anonymously processed information, handles anonymously processed information.
In order to identify the person related to the personal information used to create the anonymously processed information,
Descriptions deleted from personal information or personal identification codes or Article 28, Paragraph 1, administrative organs
Article 44-10, Paragraph 1 of the Law Concerning the Protection of Personal Information Held by
(Including cases where it is applied mutatis mutandis in Paragraph 2 of the same Article.) Or personal information held by an incorporated administrative agency, etc.

103

Page 104

3 Obligations of telecommunications carriers

Law Concerning the Protection of Information (Act No. 59 of 2003) Article 44-10, Paragraph 1 (In Paragraph 2 of the same Article)
Including the case where it is applied mutatis mutandis. ), And also obtains information on the processing method performed according to the provisions of
Must not collate the anonymously processed information with other information.

Regarding the obligations of businesses handling anonymously processed information, etc., the "Personal Information" stipulated by the Personal Information Protection Commission
It shall be in accordance with "Guidelines for Protection Law (Anonymous Processed Information)".
Regarding the location information handled by the telecommunications carrier, the location information related to the base station and the GPS location
There is information, Wi-Fi location information, etc., but these may include personal information that corresponds to the confidentiality of communications.
In addition, protection is required from the viewpoint of privacy, and further technological progress will be made in the future.
Therefore, it is expected to have higher privacy. Therefore, the location information is processed anonymously.
In that case, an appropriate processing method and management operation system are required. Specific processing method, etc.
5-4 (location information) because it is desirable that the information is determined according to the actual handling conditions.
In addition to stipulating in, voluntary rules such as personal information protection guidelines created by authorized personal information protection organizations
Entrusted.

(reference)
[Creation of anonymously processed information, etc. (related to Article 36, Paragraph 1 of the Law)]
Law Article 36 (Paragraph 1)
1 Businesses handling personal information should use anonymously processed information (which constitutes an anonymously processed information database, etc.)
Limited. same as below. ), Identify a specific individual and the individual used to create it.
Personal Information Protection Commission rules as necessary to prevent information from being restored
The personal information must be processed in accordance with the standards specified in.

Rule Article 19
The criteria stipulated by the rules of the Personal Information Protection Commission in Article 36, Paragraph 1 of the Act shall be as follows.
(1) Delete all or part of the description that can identify a specific individual contained in personal information
To do (by a method that does not have regularity that can restore all or part of the description, etc.
Includes replacement with other descriptions. ).
(2) Delete all of the personal identification code included in the personal information (restore the personal identification code)
Includes replacement with other descriptions, etc. by a method that does not have regularity. ).
(3) A code that connects personal information and information obtained by taking measures against the personal information (actually personal information)
Limited to codes that connect the information handled by the information handling business operator to each other. ) Is deleted (corresponding
To the personal information and the personal information by a non-regular method that can restore the code
Includes replacing the information obtained by taking measures with a code that cannot be concatenated. ).
(4) Deleting a peculiar description, etc. (having regularity that can restore the peculiar description, etc.
Including replacing with other description etc. by no method. ).
(5) In addition to the measures listed in the preceding items, the description etc. included in the personal information and the individual including the personal information

104

Page 105

3 Obligations of telecommunications carriers

Differences from other personal information that constitutes an information database, etc., and other relevant individuals
Consider the nature of the personal information database, etc., and take appropriate measures based on the results.

[Safety management measures for anonymously processed information, etc. (Article 36, Paragraph 2, Article 36, Paragraph 3, Article 3, Paragraph 6, Article 39)
Person in charge)]
Article 36 of the Act (paragraphs 2, 3, and 6)
2 When a business operator handling personal information creates anonymously processed information, it starts with the personal information used to create it.
Information on deleted descriptions, personal identification codes, and processing methods performed pursuant to the provisions of the preceding paragraph.
According to the standards stipulated by the rules of the Personal Information Protection Commission as necessary to prevent leakage of
In addition, measures must be taken to ensure the security of this information.
3 When a business operator handling personal information creates anonymously processed information, it is stipulated by the rules of the Personal Information Protection Commission.
As a result, the item of personal information included in the anonymously processed information must be published.
It doesn't become.
6 When a business operator handling personal information creates anonymously processed information, the safety management of the anonymously processed information
Necessary and appropriate measures for, creation of the anonymously processed information and other complaints regarding handling
Take the necessary measures to ensure the proper handling of the anonymously processed information such as processing,
At the same time, efforts must be made to publicize the details of the measures.

Article 39 of the law
Anonymously processed information handling business operators should take necessary and appropriate measures and concealment for the safety management of anonymously processed information.
Handle complaints regarding the handling of name processing information and ensure proper handling of other anonymously processed information
You must take the necessary measures for this purpose and endeavor to publicize the contents of the measures.

Rule Article 20
The criteria stipulated by the rules of the Personal Information Protection Commission in Article 36, Paragraph 2 of the Act shall be as follows.
(1) Processing method information (descriptions, etc. deleted from personal information used to create anonymous processing information)
Information on the person identification code and the processing method performed pursuant to the provisions of Article 36, Paragraph 1 of the Act (its information)
Limited to those whose personal information can be restored using information. ). The following smells in this article
Same. ) Clearly define the authority and responsibility of the person who handles it.
(2) Establish rules regarding the handling of information such as processing methods, and process methods, etc. in accordance with the rules.
We handle information appropriately, evaluate the status of its handling, and based on the results.
Take necessary measures to improve the situation.
(3) Handling of information such as processing methods Handling of information such as processing methods by persons who do not have the proper authority to handle information
Take necessary and appropriate measures to prevent it.

Rule Article 21
1 Publication pursuant to the provisions of Article 36, Paragraph 3 of the Act is made on the Internet without delay after creating anonymously processed information.

105

Page 106

3 Obligations of telecommunications carriers

It shall be carried out by the use of a computer or other appropriate method.
2 A business operator handling personal information creates anonymously processed information on behalf of another business operator handling personal information.
In that case, the other business operator handling personal information is the information about the individual included in the anonymously processed information.
The items of the report shall be published by the method prescribed in the preceding paragraph. In this case, the announcement
It is considered that the business operator handling personal information has published the item.

[Provision of anonymously processed information to a third party (related to Article 36, Paragraph 4 and Article 37 of the Act)]
Law Article 36 (Section 4)
4 The business operator handling personal information creates anonymously processed information and provides the anonymously processed information to a third party.
In that case, it will be provided to a third party in advance as stipulated by the rules of the Personal Information Protection Commission.
When we announce the items of personal information included in anonymously processed information and the method of providing it
In both cases, it is necessary to clearly indicate to the third party that the information related to the provision is anonymously processed information.
Must be.

Article 37 of the law
Businesses handling anonymously processed information exclude anonymously processed information (excluding those created by processing personal information by themselves.
The same shall apply hereinafter in this section. ) To a third party, as stipulated by the rules of the Personal Information Protection Commission
Items of personal information included in anonymously processed information provided to a third party in advance
And the method of providing it will be announced, and the information related to the provision will be provided to the third party.
It must be clearly stated that it is anonymously processed information.

Rule Article 22
1 Publication pursuant to the provisions of Article 36, Paragraph 4 of the Act shall be made by using the Internet or other appropriate methods.
And Umono.
2 The method of sending an e-mail or the person who delivers the document is clearly stated in the provisions of Article 36, Paragraph 4 of the Law.
It shall be carried out by law or other appropriate method.

Rule Article 23
1 The provisions of Paragraph 1 of the preceding Article shall apply mutatis mutandis to the publication pursuant to the provisions of Article 37 of the Act.
2 The provisions of Paragraph 2 of the preceding Article shall apply mutatis mutandis to the explicit provisions of Article 37 of the Act.

[Prohibition of identification (related to Article 36, Paragraph 5 and Article 38 of the Law)]
Law Article 36 (Section 5)
5 Businesses handling personal information create anonymously processed information and handle the anonymously processed information by themselves.
Therefore, in order to identify the person related to the personal information used to create the anonymously processed information,
The anonymously processed information must not be collated with other information.

106

Page 107

3 Obligations of telecommunications carriers

Article 38 of the law
When handling anonymously processed information, the business operator handling anonymously processed information of the anonymously processed information
Description deleted from the personal information in order to identify the person related to the personal information used for creation
Etc. or personal identification code or Article 36, Paragraph 1, regarding the protection of personal information held by administrative agencies
Law (Act No. 58 of 2003), Article 44-10, Paragraph 1 (including cases where it is applied mutatis mutandis in Paragraph 2 of the same Article)
Mu. ) Or Article 44-10, Paragraph 1 of the Act on the Protection of Personal Information Held by Independent Administrative Institutions, etc.
(Including the case where it is applied mutatis mutandis in Paragraph 2 of the same Article) Information on the processing method performed in accordance with the provisions of
Or do not collate the anonymously processed information with other information.

107

Page 108

4 ～ Accident response, handling of various information, review of guidelines

4 Response in case of leakage or other incidents
Telecommunications carriers handle personal data (including those handled by contractors)
Prevention of secondary damage, prevention of similar cases, etc. in the event of leakage, etc. (*)
From the perspective, the Personal Information Protection Commission will take measures that are desired to be taken by telecommunications carriers.
Depends on what is determined by. In addition, in Article 28 of the Telecommunications Business Law, it is stipulated in Article 2, Item 5 of the same law.
Established the obligation to report to the Minister of Internal Affairs and Communications in the event of leakage of confidential communications to telecommunications carriers
Therefore, if a case of leakage of personal information related to confidentiality of communications occurs, General Affairs University
I have to report to my vassals.

(*) "Leakage, etc." means leakage, loss, or damage. (3-3-4 (Safety management measures) participation
Teru).

5 Handling of various information (Chapter 3 related)
Recording of communication history (related to Article 32)
Recording of communication history (related to Article 32, Paragraph 1)
Article 32
1 The telecommunications carrier has a communication history (date and time when the user used telecommunications, the phase of the telecommunications).
Information related to telecommunications of the hand and other users other than the content of the telecommunications
Say. same as below. ), Billing, billing, complaint handling, prevention of fraudulent use, etc.
It can be recorded only when it is necessary for the performance of business.

The communication history is a component of communication, is protected as a confidentiality of communication, and can be recorded.
It may be an infringement of confidentiality of communications. However, billing, billing, complaint handling, self-managed Sith
Ensuring the safety of the system If necessary for the performance of other operations, record the minimum necessary communication history.
Recording is at least prevented from being illegal as a legitimate business act.
Recording and saving communication history to the extent necessary to create a usage statement (see Article 33, Paragraph 1) is not possible.
The point of correctly calculating the usage fee and being able to show the basis of the fee billing to the subscriber
And since it is a natural right of the telecommunications carrier, which is the creditor, the telecommunications carrier agrees with the subscriber.
Even if there is no, as a legitimate business act, record and save the communication history of the limit necessary for creating usage details
be able to.
It should be noted that the analysis of the communication history for detecting the caller is not only for unintended use but also for communication.
Since it is a secret infringement, if you follow the warrant issued by the judge, it is a place that corresponds to a legitimate business act
It can only be done if there are other reasons to prevent illegality.

[Case where illegality is blocked as a legitimate business act]

108

Page 109

4 ～ Accident response, handling of various information, review of guidelines

Example) Illegal / harmful information is found in open communications such as Internet homepages.
If it is posted and you do not warn the caller, it will interfere with your service provision (self)
Identify the caller when access is restricted from your service domain, etc.)
To detect the caller from the communication history, etc. that you own for the purpose of issuing a warning.

For the communication history once recorded, set the retention period within the minimum range necessary to achieve the purpose of recording.
However, when the retention period has expired, the communication history is promptly deleted (the information corresponding to the confidentiality of communication is deleted).
In addition to doing so, it also includes making it impossible for the person in question to identify the non-applicable part. )
Must. Even if the retention period is not set, after the recording purpose is achieved.
Must be erased promptly.
Regarding the storage period, depending on the type of service provided, billing method, etc., for each telecommunications carrier,
In addition, it may differ depending on the type of communication history, but it is necessary for business execution and the shadow when saving.
Considering the sound, etc., it should be set in a limited way so as not to overthrow the purpose (*).
However, it is necessary to maintain the electromagnetic record of communication history based on Article 197, Paragraphs 3 and 4 of the Code of Criminal Procedure.
If there is a special reason other than the provisions of laws and regulations such as contracts, the retention period based on that reason
It is possible to keep it for a while before it elapses. It also protects the rights of oneself or a third party
Therefore, if it is necessary to save it as an emergency action, save it until the need is resolved.
It is possible to do.

(*) For example, in the communication history, the connection authentication log (use) in the Internet connection service.
To store a record of authenticating a person and assigning an IP address required for internet connection)
Regarding security, responding to inquiries about contracts, usage status, etc. from users
While it is considered that there is a high business need such as use for countermeasures, the expression act of the user and
Since the involvement in privacy is considered to be relatively small, telecommunications carriers are the ones.
If necessary for the performance of these operations, storage for about 6 months is generally permitted and appropriate.
When it is necessary to grasp the situation throughout the year from the viewpoint of ensuring the operation of a network
If there is a business need for longer-term storage, it is permissible to store for about a year.
To be accommodated.

Provision of communication history (related to Article 32, Paragraph 2)
Article 32
2 The telecommunications carrier is correct if it follows the warrant issued by the judge with the consent of the user.
Except for cases that fall under this defense or emergency evacuation, or for other reasons to prevent illegality.
Communication history must not be provided to others.

109

Page 110

4 ～ Accident response, handling of various information, review of guidelines

Since the communication history is protected as the confidentiality of communication, the telecommunications carrier is the same as the communication party.
Except when there is a reason to prevent illegality such as when there is a will or when following a warrant issued by a judge
It must not be provided externally. Providing communication history in response to inquiries from persons with legal inquiry authority
In principle, it is not appropriate to provide it, as it does not necessarily prevent illegality (3-5-1 (No. 1).
(Principle of restrictions on provision by three parties)).

[Case where illegality is blocked as a legitimate business act]
Case) A large amount of indiscriminate indiscriminate crimes such as computer damage (Article 234-2 of the Penal Code)
Direct mail is sent, threatening your network and services
Issued when it is deemed necessary and unavoidable to protect the rights of oneself or others
Measures to prevent such direct mail from being sent to Nobumoto's telecommunications carriers
Part of the communication history related to the direct mail (sender's IP) for the purpose of requesting that it be taken
Address, time stamp, etc.).

Usage details (related to Article 33)
Description of usage details (related to Article 33, Paragraph 1)
Article 33
1 Usage details by the telecommunications carrier (date and time when the user used telecommunications, arrival of the telecommunications)
Information about the customer, the billing information corresponding to these, and other information about the user's use of the telecommunications.
Refers to the written document. same as below. ) Achieves the purpose of the usage statement
Therefore, the required limit must not be exceeded.

The usage statement shows the basis of the charge for the business operator and the charge for the subscriber.
It is important for both sides because it makes it possible to confirm, but on the other hand, the usage statement
Since the content is almost the same as the communication history belonging to the confidentiality of communication, the confidentiality of communication and the privacy of the person
It is necessary to give consideration to. Therefore, the telecommunications carrier should read the items described in the usage statement.
Communication start date and time, communication time, telephone number of the other party, amount of individual communication, charges for international communication, etc.
It must be limited to what is necessary to justify the claim. Also, if the subscriber wishes
For example, it is desirable to take measures such as omitting the last four-digit telephone number. Further unnecessarily communicate
It is not appropriate to include information that infringes on the privacy of the other party (*).

(*) For example, when the other party of communication is using a mobile phone / PHS, the other party's
When the charge system is set according to the location and the distance to the other party, the location of the other party
Since the information about the land is necessary information as one of the grounds for billing, which unit
It is permissible to provide information about whether or not it falls under the toll area, but more than that.

110

Page 111

4 ～ Accident response, handling of various information, review of guidelines

It is unreasonable to enter the detailed location information of the other party in
It is inappropriate because it may infringe on the sea.

Viewing usage details, etc. (related to Article 33, Paragraph 2)
Article 33
2 The telecommunications carrier makes the subscriber or other person who can view the usage details view or issue it.
In doing so, it is necessary to take necessary measures to prevent unreasonable infringement of the confidentiality of communications and personal information of users.
Must be taken.

A person who can view the usage statement is basically a subscriber. However, it is permanent and different from the subscriber
Including those who have a legitimate interest in browsing, such as users who are not subscribers and payers other than subscribers.
(In addition, if you want to let someone other than the subscriber browse, you are required to obtain the consent of the subscriber.
To ).
Telecommunications carriers, when issuing usage details, from the perspective of confidentiality of communications and protection of personal information.
Therefore, necessary measures such as sending it in a sealed letter must be taken. In addition, the usage statement is temporary
Since it may contain information about the communication of various users, the telecommunications carrier is not sure.
It is necessary to prevent unreasonable infringement of the privacy and privacy of users' communications such as
Absent.

Caller information (related to Article 34)
Notification of caller information (related to Article 34, Paragraph 1)
Article 34
1 The telecommunications carrier provides a caller information notification service (caller ID, information indicating the location of the caller).
A telephone service that notifies the recipient of information about the sender of information (hereinafter referred to as "caller information").
Refers to a screw. same as below. ) Is provided, blocking notification of caller information for each communication
It is necessary to provide a function to do so.

"Caller information" is information about the caller, and the telephone number, name, etc. included in the information.
For address, date of birth and other descriptions, personalized numbers, symbols and other codes, video or audio
It means that the caller can be identified more. This is done by calling phone number notification service
The known calling phone number and the calling name notified by the calling name notification service are applicable.
When information such as a photograph of the caller's face and the position of the caller is transmitted, these are also included. In addition, it should be noted.
"Telephone service" includes subscriber telephones, ISDN, mobile phones, PHS, and IP telephones.
Since the caller information usually corresponds to the confidentiality of communication, the telecommunications carrier is the caller.

111

Page 112

4 ～ Accident response, handling of various information, review of guidelines

When providing an information notification service, it is up to the caller to decide whether to notify the caller information.
From the point of view of entrustment, it is necessary to provide a function to block the notification of caller information for each communication. Departure
If the believer does not block the notification of the caller information, the caller keeps the caller information confidential to the other party.
Since it is recognized that there is no intention to keep it secret, it will not be a confidential infringement of communications.

Provision of caller information (related to Article 34, Paragraph 2)
Article 34
2 When providing a caller information notification service, the telecommunications carrier has the right of the user.
Necessary measures must be taken to secure it.

In order for the caller to be recognized as having no intention of keeping the caller information confidential to the other party
Since it is assumed that the believer has a thorough understanding of the contents of the caller information notification service,
Telecommunications carriers provide information to ensure user rights, methods to block notifications, etc.
It is necessary to take measures such as fully disseminating the information to users (*).

(*) Regarding the caller information notification service, in 1996, "Caller information notification service"
-Guidelines for the protection of sender's personal information when using bis" have been formulated
Therefore, in providing this service, it is necessary to ask the subscribers to respect it.
There is.

Restrictions on the provision of caller information (related to Article 34, Paragraph 3)
Article 34
3 When the telecommunications carrier is required to provide caller information notification service and other services
Except for, the caller information must not be provided to others. However, if there is the consent of the user
In that case, when following the warrant issued by the judge, the person who is actually guilty of threatening by using the telephone
In some cases, when reverse detection is performed at the request of the victim and the investigative agency, human life,
When there is an emergency call to the effect that there is an imminent danger to the body, etc.
This shall not apply if there are other reasons for preventing illegality when performing reverse detection by request.

When the telecommunications carrier needs to provide the caller information notification service and other services (*)
Except for, the caller information must not be provided to others. However, it met the requirements for emergency evacuation
This does not apply if the reason for blocking illegality is applicable, such as performing reverse detection above.
For emergency calls, the caller usually receives a prompt response from the emergency call receiving organization.
Willingness to notify the emergency call receiving organization of the location of the reporting site and the location of one's own location so that it can be dismissed.

112

Page 113

4 ～ Accident response, handling of various information, review of guidelines

Since it is considered that there is, in principle, caller information is not notified for general calls other than emergency calls.
In principle, caller information will be notified for emergency calls, even if it is set to.
It is treated that notification is not given only when the function to block notification for each communication is used.
Is also recognized. However, when handling in this way, (1) general other than emergency calls
For emergency calls, even if the caller information is set to be non-notification in principle
In the normal case, the caller information is notified in principle, ② For emergency calls
It is necessary to fully inform the user of how to block the notification of caller information for each communication.
is there.

(*) "When necessary to provide other services" means, for example, billing between telecommunications carriers.
Sending and receiving outgoing telephone number information within the range necessary for the purpose of etc. and the operation of the communication network, etc.
Or to provide callees with information that can identify the caller in a collect call.
Etc. are assumed.

Location information (related to Article 35)
Acquisition of location information (related to Article 35, Paragraph 1)
Article 35
1 The telecommunications carrier provides telecommunications services if the user's consent has been obtained in advance.
Location information (mobile terminal) only when there is a legitimate business act related to
Information that indicates the location of the person who possesses the information, and is not the sender information. same as below. )
Can be obtained.

The term "mobile terminal" as used in this article refers to mobile telephone terminals (Terminal Equipment Regulations (Ministry of Posts and Telecommunications Ordinance No. 1985).
31) In addition to Article 2, Paragraph 2, Item 5) and pager terminals (Article 2, Paragraph 2, Item 11 of the same Regulation),
A terminal used for communication using radio waves or the like. In addition, "location information" referred to in this article
Is information indicating the location of the owner of the mobile terminal (base station area or location registration d.
Incoming area (unit) described in the usage statement, which indicates the rear level or a narrower range.
It does not include things like toll areas). ), Which is the location information referred to in Article 22 of the Terminal Equipment Regulations.
It is a broader concept (note that the handling of information indicating the location of the caller is stipulated in the previous article.
Therefore, it is excluded from the definition of location information. ).
The location information held by the telecommunications carrier is a component of the communication if it is related to individual communication.
Therefore, it is protected as a confidential communication, and the consent of the user (owner of the mobile terminal) is obtained in advance.
If you have obtained it, or if you are a legitimate business act related to the provision of telecommunications services or any other reason for blocking illegality
It is not allowed to obtain it except when doing so. In addition, "legitimate business act" means telecommunications service.
From the point of view of providing, the purpose of the business is justified, and the necessity of actions to achieve the purpose and

113

Page 114

4 ～ Accident response, handling of various information, review of guidelines

An act for which the appropriateness of the means is recognized. For example, in order to communicate with a mobile phone at a base station, etc.
This corresponds to the act of acquiring location information such as location registration information.
On the other hand, every time the owner of the mobile terminal moves in the area other than during individual communication, the base station
The location registration information sent to is mechanically sent to the telecommunications carrier as a prerequisite for establishing individual communications.
Since it is only the information sent, this information stored in the service control station is the secret of communication.
It is considered to be a matter that should be protected as privacy, not as dense. However, the secret of communication
Even in the case of location information that does not correspond to, where a person is located is a ply
It is strong because it is a matter closely related to communication as well as the need for protection is particularly high in Bassie.
It is appropriate to protect it. Therefore, in the case of location information that does not correspond to the confidentiality of communication
However, with the consent of the user or legitimate business activities related to the provision of telecommunications services or other illegality
It is strongly required to acquire it only when it corresponds to the reason for blocking.
In addition, paragraphs 4 and 5 are for cases where the user's consent has been obtained in advance or for telecommunications services.
Location information can be obtained except when it corresponds to a legitimate business act related to the provision of
An example is shown.

Use of location information (related to Article 35, Paragraph 2)
Article 35
2 A telecommunications carrier may issue an order issued by a judge if the consent of the user has been obtained in advance.
If you follow the conditions, or if there are other reasons for blocking illegality, please give your location information to others.
It can be provided and used for other purposes.

Information that corresponds to the confidentiality of communications will be issued by a judge with the consent of the parties to the communications.
Provision to others, etc., unless the warrant is followed or there are other reasons for preventing illegality.
Do not use.
Therefore, the location information that corresponds to the confidentiality of communication is anonymized and provided to others and other benefits.
When using the service, link the location information with individual communications from the perspective of protecting the confidentiality of communications.
Sufficient anonymization must be performed so that it cannot be done, and anonymization is provided to others.
It is necessary to obtain the user's consent in advance for other uses. In this case, the principle
It cannot be said that there is valid consent without specific and clear consent, but the contract terms and conditions.
The contents of the above are fully informed to the user, and the user agrees at any time after the fact without any disadvantage.
It is advantageous because you can change the contents and request that you do not use the location information anonymously after that.
It is a case where it can be said that the user can avoid the risk of suffering an unexpected disadvantage, and (1) it is subject to anonymization.
Considering the range of information to be received, (2) processing method and appropriateness of management and operation system, it is a normal user.
If it can be assumed that anonymized use, etc. will be permitted, advance inclusion based on the contract terms, etc.
Even if it is consent, it is considered that there is valid consent.

114

Page 115

4 ～ Accident response, handling of various information, review of guidelines

Even for location information that does not correspond to the confidentiality of communications, where is a person?
In addition to the high need for protection in privacy, it is also closely related to communication.
Therefore, strong protection is appropriate. Therefore, when providing it to others or using it for other purposes,
It is strongly required to limit it to the case where the consent of the user is obtained or there is a reason for blocking illegality.
When creating anonymously processed information related to location information, 3-8 (anonymously processed information handling business operator, etc.)
Obligation).

Measures necessary to prevent unjustified infringement (Article 35, Paragraph 3)
Article 35
3 A service in which a telecommunications carrier notifies a subscriber or a person instructing the location information.
If you provide or have a third party provide it, the rights of the user will be unfairly infringed.
It is appropriate to take necessary measures to prevent it.

When providing location-based services by yourself or in partnership with a third party, the company
A telecommunications carrier that balances the usefulness of society with the secrecy of communications or the protection of privacy.
It is appropriate to take necessary measures so that the rights of users are not unduly infringed.
The specific contents of "necessary measures" are as follows: (1) Provide location information based on the user's intention.
That, (2) ensuring the recognition and predictability of the user regarding the provision of location information, (3) for location information
If you want to provide services in partnership with a third party, please handle them appropriately.
Consideration should be given to the privacy protection of users by describing the terms and conditions related to the contract.
Conceivable.
(1) Regarding the provision of location information based on the user's intention, obtaining consent from the user is an individual location.
In addition to providing information, it is also possible to do so in advance when the service starts to be provided. However,
Consent should be obtained clearly by operating the mobile terminal or confirming in writing.
Or, even if the location information does not correspond to the confidentiality of communication, it is not possible to obtain the consent of all comprehensive contents.
It is not appropriate, and it is desirable to specify the range of people who provide location information. Also,
Prior consent can be withdrawn in principle.
(2) To ensure user recognition and predictability, methods such as screen display and ringing of mobile terminals
It is conceivable to make it possible to recognize that the location information is provided. Also,
Allowing users to check history for a reasonable period of time, and users mistakenly send location information
Sufficient laps regarding the services provided and the functions of mobile terminals to prevent them from being released
It is desirable to call for knowledge and attention.
Regarding the handling of location information in (3), an unauthorized person can confirm the location information of the mobile terminal.
In addition to taking measures such as setting a password and limiting access terminals so that it cannot be done, other electricity
Base station information managed by the company when a telecommunications carrier provides location information services, etc.

115

Page 116

4 ～ Accident response, handling of various information, review of guidelines

Establish rules regarding the management of base station information so that the information will not be used unfairly by others.
Can be considered.
(4) Regarding the provision of services in partnership with a third party, please refer to the terms and conditions of the contract regarding the partnership.
To ensure that the above privacy protection measures are ensured by a third party.
If it is determined that the privacy of the user has been unfairly infringed, the location information will be provided.
It is conceivable to make it possible to stop the provision.
In the case where a mobile terminal is installed on an object and information on the location of the object is grasped.
However, since the rights of the owner may be unfairly infringed through the object, the above
It is considered appropriate to take the necessary measures in accordance with this.

Acquisition of location information at the request of the investigative agency (related to Article 35, Paragraph 4)
Article 35
4 When a telecommunications carrier is requested to obtain location information at the request of an investigative agency
In the case, the location information can be obtained only when the warrant issued by the judge is obeyed.
Wear.

Location information is a component of communication when it is related to individual communication, so it is a secret of communication.
It is understood that it will be protected. Also, when the location information is not related to individual communication and does not correspond to the confidentiality of communication.
Even if it is, where a person is located is especially protective in privacy.
Since it is highly necessary and closely related to communication, it is ranked at the request of the investigative agency.
If you are asked to obtain the location information, the position is only when you follow the warrant issued by the judge.
Information can be obtained.

Acquisition of location information at the request of the rescue organization (Article 35, Paragraph 5)
Article 35
5 In addition to the preceding paragraph, telecommunications carriers search for and rescue persons in need of rescue, police and maritime insurance.
Location information of persons requiring rescue at the request of the Security Agency, fire department, or other similar organizations
When requested to obtain it, there is an imminent danger to the person's life or body.
And it is indispensable to acquire the location information in order to detect the person at an early stage.
The location information can be acquired only when it is recognized that.

GPS location information, which is not necessary information to establish communication, is a secret of communication.
This information should be treated as a privacy issue, but it is higher than the location information related to the base station.
Has good privacy.

116

Page 117

4 ～ Accident response, handling of various information, review of guidelines

For this reason, if the telecommunications carrier can acquire GPS location information in an emergency, ① Rescue
There is a serious danger to the life or body of a person in need of assistance (hereinafter referred to as "rescuer").
It is imminent, and (2) Acquire GPS position information related to the person requiring rescue in order to detect it at an early stage.
GPS location information can only be obtained when it is essential to do so. And this requirement
Regarding whether or not it corresponds to, it is necessary to search for and rescue those who are in such a situation.
The police, Japan Coast Guard, fire department, and other organizations that have authority, knowledge, and responsibility (hereinafter referred to as "rescue organizations").
Based on the objective facts recognized from the declarations, etc. from the family members of the rescue-requiring person, etc.
Since it is essential to go through a gated judgment, only when requested by these institutions
It is strongly required to determine. Also, even if it is based on a request from a rescue organization, rescue
Appropriate measures are taken by telecommunications carriers that receive requests for acquisition and provision of GPS location information from auxiliary organizations.
In order to be able to do so, (1) based on the above objective facts, the rescue organization must make this request.
Provided that it was judged that the matter was prepared and (2) a reason sufficient to guarantee the appropriateness of the judgment was provided.
It is necessary to be done.

Exchange of information on non-payers, etc. (related to Article 36)
Exchange of information on non-payers, etc. (related to Article 36, Paragraphs 1 to 3)
Article 36
1 The telecommunications carrier does not pay the charges related to the telecommunications service or the mobile voice communication service is fraudulent.
Other telecommunications when it is deemed particularly necessary and appropriate to prevent its use
Information on non-payers, etc. with the business operator (telecommunications even though the payment deadline has passed)
Identity verification of contractors, etc. by persons who do not pay fees for services or mobile voice communication carriers, etc.
And Act on Prevention of Unauthorized Use of Mobile Voice Communication Services (Act No. 31 of 2005) No.
Name related to the contract regarding the provision of mobile voice communication services, etc. in cases where each item of Article 11 applies
Information about a person's name, address, non-payment amount, telephone number and other information about the person or the person concerned
U. same as below. ) Can be exchanged. However, the information on the non-payers, etc. is subject to exchange.
When it is recognized that there is a risk of unreasonably infringing the rights and interests of the person
Not limited to.
2 When a telecommunications carrier exchanges information such as nonpayers with another telecommunications carrier,
To that effect, information items such as non-payers to be exchanged, the range of telecommunications carriers to be exchanged, and
Regarding the name or name of the person responsible for managing the information such as non-payers exchanged
It is appropriate to notify the person in advance or put it in a state that the person can easily know.
3 The telecommunications carrier is responsible for the management of the exchanged non-payment information set forth in the preceding paragraph.
When changing a person's name or name, notify the person in advance of the content to be changed.
Or, it is appropriate to put it in a state that the person can easily know.

117

Page 118

4 ～ Accident response, handling of various information, review of guidelines

"Non-payment information" is an individual such as the name, address, date of birth, and non-payment amount information of the non-payment person.
Since it contains information that can identify the person, it corresponds to personal information, so it should be provided externally without permission.
Is not allowed.
However, for example, in the mobile business,
・ As a result of concluding a contract with a person whose contract was canceled without paying a fee at another business, the same
There are an increasing number of cases where people are not able to respond to billing.
・ Contract with a person who has been suspended due to reasons such as not responding to contractor confirmation at another business operator
As a result of concluding the above, it is not possible to claim the fee due to the fact that the identity cannot be verified in the same way.
Not only has become extremely difficult, but it has also led to unauthorized use such as the occurrence of anonymous mobile phones.
ing.
In order to deal with such problems, the minimum amount of non-payers, etc.
Management risk is reduced by exchanging information between telecommunications carriers and preventing new members such as non-payers.
There is a special need to mitigate. Therefore, the telecommunications carrier states that in the contract terms.
By clearly stating that, the consent of the subscriber to exchange information such as non-payers between businesses
A place to provide personal information to a third party after obtaining it (hence, with the consent of the person in Article 15, Paragraph 1)
Applicable to the case. ), In cases where the legitimate rights worthy of the protection of the person (non-payers, etc.) are also protected.
It is also possible to exchange information such as non-payers.
At this time, in order to prevent "unreasonably infringing the rights and interests of the person", the target of exchange should be
Persons who have canceled the contract and are actually unpaid and "identification of the contractor, etc. by the mobile voice communication carrier"
Etc. and the Act on Prevention of Unauthorized Use of Mobile Voice Communication Services ”(Act No. 31 of 2005) No. 11
To subscribers in accordance with the provisions of paragraphs 2 and 3, limited to contract holders who fall under each item of the Article
It is appropriate to take measures such as disseminating the exchange mechanism.
In addition, when utilizing the exchanged data, do not violate the provision obligation under the Telecommunications Business Law.
If you do not accept the subscription using the exchanged non-payment information, limit the case to those who are delinquent for a certain amount or more.
For those who have less than a certain amount, use deposits, etc., and after the fact, at the exchange source company, "Mobile voice"
Regarding identity verification of contractors, etc. by telecommunications carriers and prevention of unauthorized use of mobile voice communication services
If you no longer fall under each item of Article 11 of "Law No. 31 of 2005", you will be examined for membership.
Careful handling such as squeezing is required.
The exchange of information on non-payers, etc. is also subject to Articles 17 and 18.

Restrictions on the purpose of use of information such as non-payers (related to Article 36, Paragraph 4)
Article 36
4 The telecommunications carrier that exchanged information on non-payers, etc. shall refer the information on non-payers, etc. at the time of subscription.
It is appropriate not to use it for any purpose other than inspection.

118

Page 119

4 ～ Accident response, handling of various information, review of guidelines

The exchanged non-payment information is a kind of personal credit information and should not be used for any other purpose.
And.

Appropriate management of information on non-payers, etc. (related to Article 36, Paragraph 5)
Article 36
5 The telecommunications carrier that provided or received information on nonpayers, etc., is the information on the nonpayers, etc.
It is appropriate to take particular precautions for proper management of information.

If the non-payment information is not up-to-date and accurate, or if it is leaked, the person's right
Since there is a strong risk of infringing profits, the electric communication that provided or received information on nonpayers, etc.
It is appropriate for the credit business operator to take particular measures to properly manage the information on the non-payers.

Subscriber information related to sending junk mail (related to Article 37)
Exchange of subscriber information related to sending junk e-mail, etc. (related to Article 37, Paragraphs 1 to 3)
Article 37
1 A telecommunications carrier sends an e-mail to a large number of people at one time by sending an e-mail.
It is recognized that it is particularly necessary and appropriate to prevent problems in sending and receiving data.
When, with other telecommunications carriers, subscriber information (for a large number of people at one time, special
Violation of the provisions of the Act on the Appropriate Transmission of E-mail (Act No. 26 of 2002)
Sending e-mails and other e-mails may cause problems in sending and receiving e-mails.
The telecommunications carrier has taken measures to suspend the use of the service because it sent an e-mail.
Or, it is limited to the name, address and other information about the subscriber who canceled the contract. Less than
the same. ) Can be exchanged. However, the subscriber information may be subject to exchange.
This shall not apply when it is recognized that there is a risk of unreasonably infringing the rights and interests of the person.
2 When a telecommunications carrier exchanges subscriber information with another telecommunications carrier,
And the items of subscriber information to be exchanged, the scope of telecommunications carriers to be exchanged and exchanged.
Regarding the name or name of the person responsible for managing the subscriber information
It is appropriate to notify the person or put it in a state that the person can easily know.
3 The telecommunications carrier is responsible for managing the exchanged subscriber information set forth in the preceding paragraph.
When changing the name or name, notify the person in advance of the content to be changed.
Alternatively, it is appropriate to put it in a state that the person can easily know.

Send a large amount of sender information (sender's e-mail address, etc.) for the purpose of advertising, promotion, etc.
E-mail to be sent or to a fictitious e-mail address for your own or others' business

119

Page 120

4 ～ Accident response, handling of various information, review of guidelines

Sending a large amount of e-mail, etc. (hereinafter referred to as "junk mail") is a specific e-mail.
In addition to violating the law, if there is a large amount of transmission, it will be negative for the system such as the server of the telecommunications carrier.
Information and communication network, such as loading and causing problems such as delays in sending and receiving e-mails of other users
It causes a great deal of damage to the coffee.
As a countermeasure against mass transmission of unsolicited e-mails by telecommunications carriers, a large number of people at one time
It causes troubles in sending and receiving e-mails that violate the Specified E-mail Law.
The range necessary to prevent problems for subscribers who have sent a large amount of data
Measures to suspend the use of services (including cancellation of contracts; the same shall apply hereinafter) have been taken in
Although it had a certain effect on the mass transmission act of, a telecommunications carrier stopped using it.
After that, the person who received the deposit concludes a contract with another telecommunications carrier and sends a large amount of junk mail etc.
There were cases of continuation (so-called “migration”).
As mentioned above, mass transmission of unsolicited e-mails causes great damage to information and communication networks.
In view of this, effective measures against mass transmission of unsolicited e-mails by telecommunications carriers
Mass transmission of unsolicited e-mail, etc. by "migration" to enhance the nature and protect the information and communication network
The special need to take appropriate measures was recognized for those who continue to act.
Therefore, the legitimate rights worthy of the protection of the person (subscriber who has been suspended from use) are protected.
Then, between telecommunications carriers, sending e-mails that violate the Specified E-mail Law to a large number of people at one time
Information of subscribers who sent a large amount of data that may cause other problems in sending and receiving e-mail
It was thought that it would be possible to exchange information (*) and use it for examination at the time of joining.

(*) The information to be exchanged includes "a large amount that may cause problems in sending and receiving e-mail.
The name, address, and year of birth of the subscriber who was suspended due to the amount transmission.
Information about the subscriber, such as the date (hereinafter referred to as "subscriber information related to sending junk mail, etc."
Say. ) ”Is considered to be included. Subscriber information related to sending such junk mail, etc.
The information is related to the facts such as the content of the email, the recipient, the date and time of transmission, the place of transmission and reception, and the number of transmissions.
It belongs to the secrecy of communication because it is not information related to individual mail transmission.
It is understood that it does not correspond to the information (Note that the sender related to the specified individual email transmission
Information is a component of individual communication and is a secret of communication, so its knowledge and third
With regard to provision to persons, except with the consent of the communication parties, illegal evacuation, etc.
Only if there is a reason for sexual obstruction).

However, the subscriber information related to the transmission of junk mail, etc. is "Electronic mail by the telecommunications carrier.
Suspended due to the judgment that a large amount of transmission has been performed, which may cause problems in the transmission and reception of
It should be protected as privacy in the sense that it is enough information to identify "the person who has been treated".
It is necessary to handle the information carefully and rigorously as personal information.
Therefore, in order to prevent "unreasonable infringement of the rights and interests of the person", the exchange pair

120

Page 121

4 ～ Accident response, handling of various information, review of guidelines

Mass transmission of elephant information that may cause problems in sending and receiving e-mail
To limit the information to the subscribers who have been suspended for the reason, and to exchange
Ensuring the accuracy of the subscriber information, and sending junk e-mails, etc.
Participant's consent by clearly stating in the contract terms, etc. regarding proper certification and exchange
(Therefore, in the application of Article 15, obtain "the consent of the person in advance" in Paragraph 1 of the same Article.
Applicable when providing personal information to a third party. ), Subscribers in accordance with the provisions of paragraphs 2 and 3
Inform the exchange mechanism and take sufficient security measures for the exchanged information.
Things are required.
Prohibition of unfair discriminatory treatment under the Telecommunications Business Law when utilizing the exchanged information (electricity)
Information exchanged so as not to violate the Telecommunications Business Law Article 6) and the service provision obligation (Article 121, Paragraph 1 of the same law)
If you do not approve the subscription by using the information, within a reasonable period of time after taking the suspension measures
If the business operator who has taken the suspension of use measures cancels the measures, it will be exchanged.
Appropriate operation such as deleting from the exchanged information is required.
The exchange of subscriber information related to the transmission of junk e-mail, etc. is also subject to Articles 17 and 18.
Become.

Restrictions on the purpose of use of subscriber information related to sending junk e-mail, etc. (Article 37, Paragraphs 4 to 5)
Person in charge)
Article 37
4 The telecommunications carrier that exchanged the subscriber information does not examine the subscriber information at the time of subscription.
It is appropriate not to use it for any purpose.
5 The telecommunications carrier that provided or received the subscriber information is appropriate for the subscriber information.
It is appropriate to take special measures for proper management.

The concept of paragraphs 4 and 5 is the same as the concept of Article 36, paragraphs 4 and 5.
To

Phone number information (related to Article 38)
Posting of telephone number information in the telephone directory, etc. (Article 38, Paragraph 1)
Article 38
1 Telephone number information from the telecommunications carrier (the telecommunications carrier can know when the telephone subscription contract is concluded
The name of the subscriber or the name that the subscriber wants to be listed in the telephone directory and the telephone number is provided.
Corresponding phone number and other information about the subscriber. same as below. ) To make a phone book
When issuing or providing directory assistance, the subscriber should be listed in the telephone directory or telephone.
It is appropriate to give them the opportunity to choose not to give numbers. in this case

121

Page 122

4 ～ Accident response, handling of various information, review of guidelines

If the subscriber chooses to omit in, the subscriber's information will be posted in the telephone directory without delay.
Must be excluded from listing or directory assistance services.

Communicate if you don't know the phone number when you want to call someone
Since it is not possible to do so, even if the telephone number information is personal information, it is requested to be disclosed to the public.
It can be known from the telephone directory or directory assistance. However, such a request
Does not prioritize the privacy of the subscriber, so the telecommunications carrier will tell the subscriber.
It is appropriate to give an opportunity to choose whether to list in the phone book or omit the telephone number guidance.
(*).

(*) For IDs (email addresses, etc.) in communication services other than telephone services, call
Since there is currently no request for disclosure as much as the number, these are not subject to this article.
Regarding the handling of personal information, please refer to Chapter 2 (Articles 4 to 31).
It will be in accordance with the provisions of).

Restrictions on the provision of telephone number information (related to Article 38, Paragraph 2)
Article 38
2 Telephone number provided when a telecommunications carrier issues a telephone directory or conducts directory assistance services.
It is appropriate that the scope of information does not exceed the limit necessary to achieve the purpose of each business.
Is. However, this does not apply with the consent of the subscriber.

The phone book should contain the minimum information to identify the subscriber, including name, address,
Phone numbers need to be posted, but it is appropriate to post more personal information
No (of course, it is possible to list occupations in the occupational phone book). Also, part of the address
It is also worth considering providing options such as deleting.

Form of provision of telephone number information (related to Article 38, Paragraph 3)
Article 38
3 Provision of telephone number information when a telecommunications carrier issues a telephone directory or provides directory assistance.
It is appropriate that the state does not unreasonably infringe the rights and interests of the person.

When a telecommunications carrier issues a telephone directory or provides directory assistance, the form of providing telephone number information is
You must not unreasonably infringe the rights and interests of the person.
In the past, telephone directories were printed on paper, and directory assistance was usually provided by the operator.

122

Page 123

4 ～ Accident response, handling of various information, review of guidelines

However, as computer processing progresses, a telephone directory using a CD-ROM and a telephone number proposal using the Internet
The form of inside is emerging. These are used in terms of improving convenience
It is in the interest of the person, but on the other hand, it is necessary to consider the privacy of the subscriber. For example, by 50 sounds
Speaking of making a telephone directory into a CD-ROM, it is an unjust secondary secondary of personal information due to the processing and processing of electronic data.
From the viewpoint of preventing usage, data download and reverse search functions are not provided.
And at least are needed. On the other hand, when converting to CD-ROM, we will reconfirm our intention to publish it.
Whether it is necessary or not, while paying attention to the trends of European countries and other countries, the company
It is necessary to judge whether there is a social consensus. The telephone directory by occupation is posted.
There is a great advantage in disseminating information socially, and the information is kept as personal information.
Since there is not much content to be protected, it is already provided on CD-ROM or on the Internet.
Is being implemented.

External provision of telephone number information (related to Article 38, Paragraph 4)
Article 38
4 Telecommunications carriers use telephone numbers, except when issuing telephone directories or providing directory assistance services.
It is appropriate not to provide information. However, this does not apply in the following cases.
(1)

When issuing a phone book or outsourcing directory assistance services

(2)

When issuing a telephone directory or providing it to a person who performs directory assistance business

(3)

Other cases that fall under each item of Article 5, Paragraph 3

Regarding the external provision of telephone number information, refer to 3-5-1 (Principle of restrictions on provision to third parties) (*).

(*) For example, inquiries about who is the subscriber corresponding to the caller's phone number in this call.
In that case, since it is related to matters belonging to the confidentiality of communications, the warrant issued by the judge, etc.
It is necessary, but if it is an inquiry such as who is the subscriber corresponding to this phone number, it will be accepted.
It does not infringe the secret of trust, so it is from a person who has legal inquiry authority
If so, it is possible to respond.

Provision of telephone number information to those who issue telephone directories or provide directory assistance services (Article 38, Paragraph 5)
Relationship)
Article 38
5 The telecommunications carrier issues telephone number information, issues a telephone directory, or provides directory assistance.
When providing to a person, the provision contract, etc. shall be handled in accordance with the preceding paragraphs.
Is appropriate.

one two Three

Page 124

4 ～ Accident response, handling of various information, review of guidelines

Issuing a telephone directory or providing it to a person who intends to carry out directory assistance business is an eye.
It is considered to be permitted as an act within the scope of the target. Regarding the medium provided in this case,
It is considered possible to provide it in a magnetic medium. However, for the recipient, the use of information is made in the telephone directory.
Limit to issuing business or directory assistance business, and maintain the same form as the original telephone directory, etc.
Conclude an agreement on the handling of information, such as taking measures to prevent information leakage.
There is a need.

6 Review of guidelines (related to Article 39)
Article 39
Regarding this guideline, changes in social conditions, changes in public awareness, changes in technological trends, etc.
Review as necessary in light of changes in the environment.

The way of thinking about the protection of personal information is the change of social situation, the change of public perception, the progress of technology,
It may change according to international trends, etc., and this guideline is related to the situation after the enforcement of the law.
It shall be reviewed as necessary in light of changes in the boundaries.

124

Page 125

7 (Attachment) Safety management measures

7 (Attachment) Details of safety management measures to be taken

As safety management measures stipulated in Article 11, the following are examples of measures that telecommunications carriers must take concretely and methods for implementing such measures.
Shown.
Regarding specific methods for taking safety management measures, considering the magnitude of infringement of rights and interests incurred by the person in the event of leakage of personal data, etc.,
Due to the scale and nature of the business, the handling status of personal data, etc. (including the nature and amount of personal data handled), the nature of the medium on which personal data, etc. are recorded, etc.
It is not always necessary to take all of the following example contents because the contents should be necessary and appropriate according to the risk.
Moreover, the appropriate method is not limited to the contents of these examples.

125

Page 126

7 (Attachment) Safety management measures

Formulation of basic policy

It is important for telecommunications carriers to formulate basic policies in order to work as an organization to ensure the proper handling of personal data.
Examples of specific items to be specified include "name of business operator", "compliance with related laws and guidelines", "matters related to safety management measures", "questions and complaints".
A "window of reason" etc. can be considered.

Development of discipline regarding the handling of personal data, etc.

Telecommunications carriers specifically handle personal data, etc. to prevent leakage of the personal data, etc. they handle and to manage the safety of other personal data, etc.
Discipline must be put in place.
If you do not take
Example of method
Measures not to be
○ Handling of personal data, etc.

The handling method, responsible person / person in charge, and their duties are determined for each stage of acquisition, use, storage, provision, deletion / disposal, etc.

Development of discipline related
It istoconceivable to formulate rules for handling personal data, etc. In addition, about the matters to be specified concretely, the organization described below
Contents of personal safety management measures, personal safety management measures and physical safety management measures, and information systems (including devices such as personal computers)
When handling personal data etc. using (including the case of sending and receiving to the outside via the Internet etc.), it is technically safe
It is important to incorporate the content of all control measures.

Organizational safety management measures

Telecommunications carriers must take the following measures as organizational safety management measures.

126

Page 127

7 (Attachment) Safety management measures

(1) Development of organizational structure
An organizational structure must be put in place to take safety management measures.
(2) Operation in accordance with discipline regarding the handling of personal data, etc.
Personal data, etc. must be handled in accordance with the discipline regarding the handling of personal data, etc. prepared in advance.
In addition, it is also important to record the system log or usage record in order to confirm the operation status according to the discipline related to the handling of the prepared personal data etc.
It is important.
(3) Development of means for checking the handling status of personal data, etc.
Means for confirming the handling status of personal data, etc. must be established.
(4) Establishing a system to respond to cases such as leaks
A system must be put in place to respond appropriately and promptly when the occurrence or signs of a leak or other incident are identified.
In the event of a leak, etc., from the perspective of preventing secondary damage and preventing the occurrence of similar cases, the facts and recurrence prevention measures, etc., depending on the case, etc.
It is important to announce the information as soon as possible (*).
(*) Details of measures to be taken in the event of a leak or other incident at a telecommunications carrier will be specified separately (4 (When a leak or other incident occurs, etc.)
Correspondence)).
(5) Understanding the handling status and reviewing safety management measures
It is necessary to grasp the handling status of personal data, etc., and work on evaluation, review and improvement of safety management measures.

127

Page 128

7 (Attachment) Safety management measures

If you do not take
Example of method
Measures not to be
(1) Development of organizational(Examples
structure of items to be maintained as an organizational structure)
・ Establishment of a person in charge (personal information protection manager) regarding the handling of personal data, etc. and clarification of responsibility ・ Handling of personal data, etc.
Clarification of employees and their roles
・ Clarification of the range of personal data handled by the above employees
・ Facts or signs that violate the law or discipline regarding the handling of personal data, etc. maintained by telecommunications carriers
Report communication system to the person in charge when grasped
・ Report communication system to the person in charge when the occurrence or sign of an incident such as leakage of personal data etc. is grasped
・ Clarification of roles and responsibilities of each department when handling personal data etc. in multiple departments

128

Page 129

7 (Attachment) Safety management measures

If you do not take
Example of method
Measures not to be
(2) Collection of personal data, etc. In order to ensure the operation in accordance with the discipline related to the handling of personal data, for example, the system log for the following items
For discipline regarding handling
It is possible to verify the handling of personal data, etc. by maintaining records related to the handling of other personal data, etc. and creating a business diary.
Followed operation

Is conceivable.
・ Usage status of personal data, etc.
・ Status of carrying documents, media, etc. in which personal data, etc. are described or recorded
・ Status of deletion / disposal of personal data, etc. (including records certifying deletion / disposal when entrusted)
・ When handling personal data etc. in the information system, the usage status of the information system of the person in charge (login record, access)
Log etc.)

(3) Collection of personal data, etc. For example, by clarifying the following items in advance, it is possible to grasp the handling status of personal data, etc.
Check the handling status

Can be considered.

Maintenance of means

・ Items such as personal data
・ Responsible person / handling department
·purpose of use
・ Persons with access rights, etc.

129

Page 130

7 (Attachment) Safety management measures

If you do not take
Example of method
Measures not to be
(4) For cases such as leaks

It is conceivable to establish a system to take the following measures in the event of a leak or other incident.

Arrangement of corresponding system
・ Investigation of facts and investigation of causes
Equipment

・ Contact the person who may be affected
・ Report to the Personal Information Protection Commission, etc.
・ Examination and decision of recurrence prevention measures
・ Publication of facts and measures to prevent recurrence, etc.

(5) Understanding the handling status・ Regularly carry out self-inspections or audits by other departments regarding the handling status of personal data, etc.
And safety management measures
-Perform audits in conjunction with audit activities by external entities.
Review

130

Page 131

7 (Attachment) Safety management measures

Human safety management measures

Telecommunications carriers must take the following measures as personal safety management measures. In addition, telecommunications carriers provide employees with personal data, etc.
In order to handle it, the employee must be supervised based on Article 12, Paragraph 1 (see 3-3-5 (Employee supervision)). Also, personal day
When outsourcing the handling of data, etc., the telecommunications carrier must supervise the outsourcee based on Article 12, Paragraph 3 (3-3-6 (commission).
See (supervision of contractor)).

○ Employee education
Employees must be thoroughly informed of the proper handling of personal data, etc., and appropriate education must be provided.
○ Non-disclosure contract
Employees or outsourced employees must not inform others of the contents of personal data, etc. that they have learned about their business, and do not use it for unreasonable purposes.
Not.

If you do not take
Example of method
Measures not to be
○ Employee education

・ Regular training will be provided to employees regarding points to note regarding the handling of personal data.
・ Incorporate matters related to confidentiality of personal data, etc. into work regulations, etc.

○ Non-disclosure contract

・ Conclusion of non-disclosure contracts with employees at the time of employment contracts, and consignment sources and contractors in consignment contracts (including dispatch contracts)
Conclusion of non-disclosure agreement between.
・ The obligation to not disclose personal data, etc. is stipulated in internal regulations such as work regulations.

131

Page 132

7 (Attachment) Safety management measures

Physical safety management measures

Telecommunications carriers must take the following measures as physical safety management measures.

(1) Management of areas that handle personal data, etc.
Areas that manage important information systems such as servers and main computers that handle personal data (hereinafter referred to as "managed areas") and other areas
Appropriate management must be carried out for each area where office work that handles personal data, etc. (hereinafter referred to as "handling area") is carried out.
(2) Prevention of theft of equipment and electronic media, etc.
Appropriate management must be performed to prevent theft or loss of devices, electronic media, documents, etc. that handle personal data.
(3) Prevention of leakage when carrying electronic media, etc.
When carrying electronic media or documents on which personal data, etc. are recorded, safe measures must be taken so that personal data, etc. are not easily revealed.
Absent.
In addition, "carrying" means moving personal data, etc. from the controlled area or handling area to the outside, or moving from outside the area to the area.
It is necessary to pay attention to the loss or theft of personal data, etc., even when moving within the office.
(4) Deletion of personal data, etc. and disposal of equipment, electronic media, etc.
When deleting personal data, etc., or disposing of devices, electronic media, etc. on which personal data, etc. are recorded, it must be done by irrecoverable means.
In addition, when personal data, etc. is deleted, or when devices, electronic media, etc. on which personal data, etc. are recorded are discarded, the deleted or discarded record is recorded.
When preserving or entrusting such work, it is also important to confirm with a certificate etc. that the consignee has definitely deleted or discarded it.
is there.

132

Page 133

7 (Attachment) Safety management measures

If you do not take
Example of method
Measures not to be
(1) Collect personal data, etc.

(Example of management method of controlled area)

Management of areas to be handled
・ Entry / exit management and restrictions on equipment brought in, etc.
As a method of entry / exit management, installation of an entry / exit management system using an IC card, number key, etc. can be considered.
To
(Example of management method of handling area)
・ For those who do not have authority by installing walls or partitions, devising seat arrangements, implementing measures to prevent peeping, etc.
Prevention of browsing of personal data, etc.
(2) Equipment and electronic media ・ Equipment that handles personal data, electronic media on which personal data is recorded, or documents containing personal data, etc.
Prevention of theft, etc.

Store in a lockable cabinet, library, etc.
・ If the information system that handles personal data is operated only by the device, use the security wire for the device.
Fix by etc.

(3) Have an electronic medium, etc. ・ It is necessary to comprehensively evaluate the specific risks that are expected when taking out personal data, etc., and to respond to the risks.
Leakage when carrying

Measures ( personal authentication when starting up a computer, restriction of external media connection, preparation for information leakage due to virus intrusion, etc.

Etc. prevention

Maintaining the latest security standards, advanced encryption measures and proper decryption key management, communication path encryption, in-house services
(Terminal authentication, etc.) will be examined and decided, and the decided measures will be operated appropriately.
・ Encrypt personal data to be carried, protect it with a password, and save it on an electronic medium.
・ Seal and attach a blindfold sticker.
-Use a lockable transport container.

133

Page 134

7 (Attachment) Safety management measures

If you do not take
Example of method
Measures not to be
(4) Deletion of personal data, etc. (Example of how to dispose of documents containing personal data, etc.)
Removal and equipment, electronic
-Adopt non-restorable means such as incineration, melting, and proper shredder treatment.
Disposal of media, etc.

(Example of a method of deleting personal data, etc., or discarding devices, electronic media, etc. on which personal data, etc. are recorded)
-Means that cannot be easily restored when deleting personal data, etc. in information systems (including devices such as personal computers)
Is adopted.
-When disposing of devices, electronic media, etc. on which personal data etc. are recorded, use dedicated data deletion software or physically
Adopt means such as destructive.

134

Page 135

7 (Attachment) Safety management measures

Technical safety management measures

When a telecommunications carrier handles personal data, etc. using an information system (including devices such as personal computers) (sending to the outside via the Internet, etc.)
Including the case of receiving. ) Must take the following measures as technical safety management measures.
(1) Access control
Appropriate access control must be performed to limit the range of personal data handled by the person in charge.
(2) Accessor identification and authentication
Employees who use information systems that handle personal data, etc. must be authenticated based on the identified results as having legitimate access rights.
Must be.
(3) Prevention of unauthorized access from the outside
Information systems that handle personal data, etc. must be properly operated by introducing a mechanism to protect them from unauthorized access or software from the outside.
Must be.
(4) Prevention of information leakage, etc.
It is necessary to take measures to prevent leakage of personal data, etc. through the use of information systems and operate them appropriately.

135

Page 136

7 (Attachment) Safety management measures

If you do not take
Example of method
Measures not to be
(1) Access control

-Limit information systems that can handle personal data, etc.
-Limit the personal data that can be accessed by the information system.
-Limit the employees who can use the information system that handles personal data, etc. by the access right given to the user ID.
To

(2) Identification of accessor
And authentication
(3) Illegal from the outside
Prevention of access etc.

(Example of employee identification / authentication method using information system)
・ User ID, password, magnetic / IC card, etc.
-Install a firewall, etc. at the connection point between the information system and the external network to block unauthorized access.
-Install security software (antivirus software, etc.) in information systems and devices.
-Updating the software, etc. by utilizing the automatic update function, etc. that is standard equipment on the equipment and software.
-Detect unauthorized access, etc. by periodic analysis of logs, etc.

(4) Use of information system
Leakage etc. due to use
Prevention

・ Ensure safety when designing information systems and continuously review them (take measures against attacks that exploit vulnerabilities in information systems)
Including cheating. ).
-Encrypt the communication path or content including personal data.
・ Protect personal data to be transferred with passwords.

136

