Page 1

Guidelines for personal information protection in the field of credit management and collection
(2017 Personal Information Protection Commission / Ministry of Justice Notification No. 1)

- table of contents 1st purpose, etc. (related to Article 1 of the Act)
Definition of the second term (related to Article 2 of the Act)
Third obligation regarding the purpose of use of personal information
1 Identification of purpose of use (related to Article 15, Paragraph 1 of the Law)
2 Change of purpose of use (related to Article 15, Paragraph 2 of the Law and Article 18, Paragraph 3 of the Law)
3 Restrictions on purpose of use (related to Article 16 of the Act)
Fourth sensitive information
Fifth Obligation regarding acquisition of personal information (related to Article 18 of the Act)
No. 6 Obligation regarding management of personal data
1 Ensuring the accuracy of data content (related to Article 19 of the Act)
2 Safety management measures (related to Article 20 of the Act)
3 Supervision of contractors (related to Article 22 of the Act)
Article 7 Obligation to provide personal data to a third party (related to Article 23 of the Act)
1 Principles regarding restrictions on provision to third parties
2 Exceptions regarding restrictions on provision to third parties
3 Opt-out (related to Article 23, Paragraph 2 of the Law)
4 Items that do not correspond to a third party
5 Provision to personal credit information agencies
No. 8 Obligation regarding disclosure of retained personal data, etc.
1 Publication of matters related to retained personal data (related to Article 27 of the Act)
2 Disclosure of retained personal data (related to Article 28 of the Act)
3 Explanation of reasons (related to Article 31 of the Act)
4 Procedures for responding to requests for disclosure, etc. (related to Article 32 of the Act)
Article 9 Obligation to handle grievance (related to Article 35 of the Act)
Enactment of the 10th Declaration on the Protection of Personal Information
11th Measures to be taken when a violation of the law or a risk of violation of the law is discovered
Review of the 12th guideline

Page 2

1st purpose, etc. (related to Article 1 of the Act)
1 This guideline is the Law Concerning the Protection of Personal Information (Law No. 57 of 2003; hereinafter referred to as the "Law"".
That is. ), Ordinance for Enforcement of the Law Concerning the Protection of Personal Information (Cabinet Order No. 507 of 2003.
It is called "Government". ) And the Law Enforcement Regulations on the Protection of Personal Information (2016 Personal Information Protection)
Committee Rule No. 3. Hereinafter referred to as "enforcement rules". ), Regarding the protection of personal information
Guidelines for Law (General Rules) (2016 Personal Information Protection Commission Notification No. 6).
Hereinafter referred to as "general guidelines". ), Based on Articles 6 and 8 of the Act
Of the fields under the jurisdiction of the Ministry of Justice, the protection of personal information in the credit management and collection business field
We will take necessary measures so that special measures will be taken, and the debt collection company will take personal information
Established as specific guidelines to support activities related to ensuring proper handling of
Is.
For matters not specified in this guideline, general guidelines and individuals
Guidelines for Information Protection Law (Providing to Third Parties in Foreign Countries) (Pair)
2016 Personal Information Protection Commission Notification No. 7), the same guidelines (confirmation and description when provided to a third party)
Recording Obligation Edition) (2016 Personal Information Protection Commission Notification No. 8) and the guidelines (anonymous addition)
Engineering Information) (2016 Personal Information Protection Commission Notification No. 9) is applied.
2 Regarding the provisions that state "must" in this guideline,
Failure to comply may result in a violation of the law.
In addition, regarding the provisions that are described as "to be" in this guideline,
It is not an obligation imposed by the law, and if the debt collection company does not comply with it, it will be judged as a violation of the law.
However, based on the basic principles of the law (Article 3 of the law), individuals in the field of credit management and collection business
From the perspective of ensuring the proper handling of information, the debt collection company strives to make proactive efforts.
It is an effort regulation that requires that.
3 The specific examples described in this guideline are limited to this.
Not listed. In addition, even in the specific examples described, it is different depending on the individual case.
Note that there may be factors to consider.
4 Authorized personal information protection organizations formulate or revise personal information protection guidelines, and business associations, etc.
However, based on the actual situation and characteristics of the business, it is voluntary for member companies such as the business association.
It is possible to formulate or revise rules (guidelines for business associations, etc.), but on the spot
In that case, the target business operator of the certified personal information protection group and the member companies such as the business operator group are the personal information.
In handling, laws and regulations regarding the protection of personal information, general guidelines and this guideline
In addition to the above, it is necessary to take measures in accordance with the guidelines or rules. In particular, certified individuals
In the information protection group, due to the revision of the law, the certified personal information protection group will be applied to the target business operator.
It is necessary to take necessary measures to comply with the personal information protection guidelines.
It is also important to take into account what has been said.

Page 3

5 The debt collection company keeps personal information in order to prevent leakage and unauthorized leakage of personal information.
In accordance with laws and regulations related to protection, general guidelines, this guideline, and related laws and regulations, etc.
It is necessary to establish an appropriate management system for personal information.

Definition of the second term (related to Article 2 of the Act)
1 Debt collection company
"Debt collection company" is the Act on Special Measures Concerning Credit Management and Collection Business (Act No. 126 of 1998).
issue. Hereinafter referred to as the "servicer method". ) From the Minister of Justice to the business of Article 3 of the Servicer Law
A licensed company (a joint-stock company defined in Article 2, Paragraph 3 of the Servicer Law).
2 Main business
"Main business" is the business of a debt collection company, Article 12 of the Servicer Law (excluding the proviso).
Refers to the work specified in.
3 Side business
"Side business" is defined in the proviso of Article 12 of the Servicer Law among the businesses of a debt collection company.
A business that has been approved by the Minister of Justice.
4 Notify the person
Other than the following items, the general guidelines are used as examples.
When notifying the person, the debt collection company, in principle, includes a document (including electromagnetic records).
same as below. ).
5 Consent of the person
Other than the following items, the general guidelines are used as examples.
When the debt collection company obtains the consent of the person stipulated in Articles 16, 23 and 24 of the Act
In principle, it shall be in writing.
At this time, by unfairly using the position of the person entrusted by the creditor or the creditor, the same
I will try not to force myself.
In the document confirming consent, items related to the handling of personal information and other items should be included.
Make a clear distinction and avoid a comprehensive agreement.
6 In addition to what is specified in 1 to 5, the terms in this guideline are other special terms.
Unless otherwise specified, it is subject to the definition of laws and regulations regarding the protection of personal information.

Third obligation regarding the purpose of use of personal information
Other than the following items, the general guidelines are used as examples.
1 Identification of purpose of use (related to Article 15, Paragraph 1 of the Law)
The debt collection company is responsible for identifying the purpose of use stipulated in Article 15 of the Act.
The results of using personal information must be specified with specificity that can be reasonably predicted.

Page 4

Absent.
Specifically, if the debt collection company intends to use it for its main business, at least
"Business prescribed in Article 12 of the Servicer Law (excluding proviso) (management of specified monetary claims and management)
And collection) ”, and if the purpose of use is to use it as a side job
At least the description in the "Business type" column of the application for approval of side business (in principle, Japanese standard production
It is supposed to be described by the detailed classification of the business classification table. Special measures for debt management and collection business
It must be specified to the extent of the law enforcement regulations (see Attachment Form No. 11 of the 1999 Ministry of Justice Ordinance No. 4).
Must be. Furthermore, if possible, the specific mode of handling personal information will be revealed to the individual.
It will be specified so that it will be.
2 Change of purpose of use (related to Article 15, Paragraph 2 of the Law and Article 18, Paragraph 3 of the Law)
It is reasonably recognized that it is related to the purpose of use before the change, as stipulated in Article 15, Paragraph 2 of the Law.
For example, the following cases are changes that exceed the "range to be specified".
(1) Change the purpose of use in the main business to the purpose of using it in a side business that has nothing to do with the main business.
Or, change the purpose of using it in a side business that has nothing to do with the main business to the purpose of using it in the main business.
That.
⑵ Use the purpose of using a certain side business in another type of side business that has nothing to do with the other business
Change to the purpose of doing.
3 Restrictions on purpose of use (related to Article 16 of the Act)
(1) “Beyond the scope necessary to achieve the purpose of use” as stipulated in Article 16, Paragraph 1 of the Law means use.
It is a case that is not necessary to achieve the purpose, for example, in the following cases.
To
A. Personal information about the debtor's neighbors that is unnecessary for business when managing and collecting claims
When handling
B. Make a list of information acquired for the purpose of managing and collecting receivables, and use it as a debt status list, etc.
When selling etc.
(2) As an example of the case prescribed in Article 16, Paragraph 3, Item 1 of the Law (when required by law), general rules
Except as listed in Guideline 3-1-5 "Exceptions to restrictions depending on purpose of use"
The following cases can be considered.
(Example)
・ When requesting a copy of the resident's card to confirm the identity of the debtor, the position of the municipal office
To prove that it is not a claim for an unreasonable purpose at the request of a member
When submitting the personal information of the debtor
・ Submit a document in response to a document submission order by a court based on Article 223 of the Code of Civil Procedure
If you do
・ Commissioned investigation based on Article 186 of the Code of Civil Procedure or sending documents based on Article 226 of the same law

Page 5

When accepting a commission
In addition, there is only a basis in the law about the other party who will benefit from unintended use, and the purpose
If the obligation to use outside is not imposed, the debt collection company shall be the purpose of the law.
In light of this, we shall respond within the range where the necessity and rationality of unintended use are recognized.
To

Fourth sensitive information
1 The debt collection company participates in the sensitive personal information and labor union stipulated in Article 2, Paragraph 3 of the Act.
Alliance, family home, registered domicile, health care and sexual life (among these, those that fall under sensitive personal information
Except for. ) Information (person, national institution, local public body, Article 76, Paragraph 1 of the Law)
Or those published by the persons listed in each item of Article 6 of the Enforcement Regulations, or visually inspecting the person
However, the ones that are apparent in the external shape obtained by taking a picture are excluded. Below "machine
It is called "sensitive information". ), Except for the following cases, acquisition,
It shall not be used or provided to a third party.
⑴ When based on laws and regulations
⑵ When it is necessary to protect human life, body or property
(3) When there is a particular need to improve public health or promote the sound development of children
(4) A national institution or a local public body or a person entrusted with it completes the affairs stipulated by laws and regulations.
If you need to cooperate in doing
(5) Sensitivity (sensitivity) as long as it is necessary to carry out the transfer of rights and obligations through inheritance procedures.
When acquiring, using, or providing information to a third party
⑹ A copy of the family register and other documents that can identify the person are required to identify the person.
If
⑺ Obtain sensitive information and interest as long as it is necessary to identify the content of the claim.
For use or when provided to a third party
⑻ It is necessary to secure appropriate business operations of the main business, side business and other business in the field of credit management and collection business.
From, sensitive information is collected to the extent necessary for business execution based on the consent of the person.
When obtaining, using or providing to a third party
⑼ Based on the consent of the person, the biometric authentication information corresponding to the sensitive information is given to the person.
When used for confirmation
2 The debt collection company acquires, uses, or obtains sensitive information when listed in 1.
When providing to a third party, acquire, use, or provide to a third party that deviates from the reasons listed in 1.
Handle with particular care so as not to cause any damage.
3 The debt collection company acquires, uses, or obtains sensitive information when listed in 1.
When providing to a third party, for example, when acquiring sensitive personal information, Law No. 17

Page 6

In accordance with Article 2, it is required to obtain the consent of the person in advance, etc.
Keep in mind that you must take appropriate measures in accordance with laws and regulations regarding the protection of personal information.
To
4 Debt collection companies are required to provide sensitive information to third parties by law.
The provisions of Article 23, Paragraph 2 (opt-out) shall not apply. In addition, subtlety (Sen
Citive) For sensitive personal information, use opt-out in the same section.
Keep in mind that it is not possible to be.

Fifth Obligation regarding acquisition of personal information (related to Article 18 of the Act)
Other than the following items, the general guidelines are used as examples.
1 Personal information handled in the notification prescribed in Article 18, Paragraph 1 of the Act issued by the debt collection company
It is not necessary to clarify the specific content of the report, but as much as possible the items of personal information to be handled
If the purpose of use is different for each item, it will be clarified.
For example, the following examples can be considered.
(Example)
・ We handle personal information of items A, B, and C, and for A, we also handle the main business and
Business a is the purpose of use, B is the purpose of use only the main business, and C is a side business.
When the purpose of use is a and side business b, "Personal information A, B, C are books.
The purpose of use is business and side business a and b. Should give comprehensive notices such as
Instead, the purpose of use and the correspondence between the items of personal information will be clarified and notified.
In addition, in the publication prescribed in the same paragraph, each person shall be individually published and handled.
It is not necessary to clarify the specific content of personal information, but we will handle it as much as possible.
We will clarify the items of personal information, and if the purpose of use is different for each item,
Let this be clear.
2 The debt collection company clearly indicates the purpose of use to the person in accordance with Article 18, Paragraph 2 of the Act.
In the case, the purpose of use shall be stated in a document, and the same document as the document shall be used for the purpose.
We will obtain the consent of the person to use it.
3 As an example of the case of Article 18, Paragraph 4 of the Law, General Guidelines 3-2-5 "Purpose of Use"
In addition to the cases listed in "When you do not need to give notice, etc.", the following cases can be considered.
(1) Life, body, life, body, of the person or a third party by notifying or disclosing the purpose of use to the person
When there is a risk of harming property or other rights and interests
(Example)
・ Information on antisocial forces such as gangsters, information on suspicious transaction notifications, business interruption
When there is a risk that the provider of malicious information will buy a resentment
(2) Right or justification of the debt collection company by notifying or disclosing the purpose of use to the person

Page 7

When there is a risk of harming profits
(Example)
・ By knowing the purpose of use, matters related to corporate secrets will be clarified.
When it impairs the healthy competition of a company
(3) When it is recognized that the purpose of use is clear from the status of acquisition
(Example)
・ As an office work agency business, we are entrusted with processing work such as input of personal information, and the consignor
When handling the personal information as mechanical office work under instructions

No. 6 Obligation regarding management of personal data
Other than the following items, the general guidelines are used as examples.
1 Ensuring the accuracy of data content (related to Article 19 of the Act)
(1) Is the debt collection company accurate in personal data within the range necessary to achieve the purpose of use?
We will keep it up to date.
(2) “Accurate and up-to-date content” means that it matches the latest facts in light of the purpose of use.
Say. The effort obligation stipulated in (1) does not extend to personal data related to evaluation or judgment.
(3) In order to achieve the purpose of the provisions of (1), the debt collection company shall prepare the following procedures, etc.
I will do it.
A. Procedures for collation / confirmation when entering personal data into a personal information database, etc.
B. Procedures for correction / addition / deletion when an error in personal data is found
C. Procedures for erasing / returning personal data that is no longer needed
(4) The debt collection company sets a retention period for personal data and does not need to achieve the purpose of use.
The following personal data, etc. will be handled by promptly returning or erasing them.
I will stop it.
A. Individuals listed in the statutory books based on Article 20 of the Servicer Law whose retention period has expired.
data
B. Personal data was acquired for the purpose of assessing the purchase of receivables, but the receivables were not transferred after all.
Personal data in case of
2 Safety management measures (related to Article 20 of the Act)
As a safety management measure stipulated in Article 20 of the Act, the debt collection company must take concrete measures.
For examples of measures that are not required and methods for practicing the item, General Guidelines 8
In addition to the items listed in "(Attachment) Details of safety management measures to be taken", in particular, inside the business operator
Is an example of a method to prevent leakage of personal data due to fraudulent acts from the outside.
For example, the following measures will be taken.
(1) Measures to clarify where responsibility lies

Page 8

(Example)
・ Establishment of a department that supervises the handling of personal data within the business, such as inspection and improvement.
・ A collegial committee that supervises the inspection and improvement of the handling of personal data within the business operator.
Installation
(2) To evaluate, review and improve safety management measures to respond to new risks
Improvement of audit implementation system
(Example)
・ Personal information protection measures and information security measures based on the latest technological trends
Confirmation of correspondence within the business operator by a person who has sufficient knowledge (if necessary, external knowledge
Includes utilizing and confirming those who have it. )
(3) For business purposes, the function given to terminals that handle personal data to prevent unauthorized operations
Limited based on the need for
(Example)
・ Restrictions on connection of devices with recording functions such as smartphones and personal computers and devices
Correspondence to update of
(4) Business location and information system to prevent fraudulent activities by visitors (rooms)
Implementation of entrance / exit (room) management of installation locations such as
(Example)
・ Preservation of entry / exit (room) records
・ Protection from destruction, fire, power outage, etc. of equipment / devices that handle personal data
⑸ Measures to prevent theft, etc.
(Example)
・ Implementation of recording or monitoring by taking pictures with a camera or witnessing work
・ Prohibition of bringing in / out of media with recording function or implementation of inspection
・ Prohibition of leaving personal data when leaving the desk
⑹ Formulation of internal rules regarding the protection of personal data regarding each of the following items and in accordance with them
Operation
・ Organizational matters related to safety management
・ Each scene of handling personal data (acquisition / input, verification / confirmation, transfer / transmission, use /
Processing, storage / backup, correction / addition and erasure / disposal / return work)
Procedural matters to be done
・ Matters concerning the physical protection equipment and equipment installation environment for crime prevention and disaster prevention
・ Matters concerning safety management of information systems
・ Matters concerning education and training for employees
・ Matters concerning supervision of the outsourcee when outsourcing the handling of personal data (of the outsourcee

Page 9

Includes evaluation and selection criteria and items to be included in the consignment contract. )
・ Matters concerning audits of employees and contractors
・ Matters concerning measures to be taken in the event of leakage of personal data, etc.
・ Matters concerning measures against violations of laws and internal regulations
In addition, "Small and medium-sized" listed in General Guidelines 8 "(Attachment) Contents of safety management measures to be taken"
Regarding the debt collection companies that fall under the category of "scale business operators," the nature of the personal information they handle is other than that.
Since it is the same as the business operator handling personal information, based on the basic idea of ​the law (Article 3 of the law)
Take measures in accordance with the content of safety management measures that other business operators handling personal information should take
And.
3 Supervision of contractors (related to Article 22 of the Act)
(1) Debt collection companies have few safety management measures for outsourcers when selecting outsourcers.
To confirm that both are equivalent to those required by Article 20 of the Act, the general rules guideline
And the items of safety management measures illustrated in 6.2, etc., depending on the business content to be entrusted.
In addition to confirming the contractor's system, regulations, etc., to ensure that it is implemented, if necessary
Go to the place where personal data is handled or confirm by a reasonable alternative method
After that, the personal information protection manager, etc. will evaluate it appropriately.
(2) “Consignment” means that the debt collection company gives personal data to another person regardless of the form or type of contract.
A contract that requests all or part of the handling of.
(3) The following measures will be taken as “necessary and appropriate supervision”.
A. Matters to be included in the consignment contract
In the contract with the contractor, for example, as matters related to specific safety measures, etc.
Specify the following items.
・ Matters concerning the confidentiality of the contractor
・ Matters concerning clarification of responsibilities of trustees and trustees
・ Matters concerning subcontracting (prohibition of subcontracting or protection of personal data when subcontracting)
Level conditions, etc.)
・ Matters concerning restrictions on the handling of personal data (prohibition of handling outside the scope of the consignment contract, etc.)
Matters concerning
・ Matters concerning safety management measures related to the handling of personal data
・ Matters concerning reporting and auditing of personal data management status
・ Matters concerning measures to be taken in the event of leakage of personal data, etc.
・ Matters concerning the return / deletion of personal data at the end of consignment
・ Measures to cancel the contract in case of breach of the contract Other necessary matters ("Other necessary matters"
As for "item", the duty of care of a good manager and the subject in the event of a leak, etc.
There is liability for damages. )

Page 10

B. Management of contractors
In order to grasp the handling status of the entrusted personal data at the outsourcee, it is necessary to regularly
After investigating the degree of implementation of the contents included in the consignment contract by conducting an audit etc.
While recording the results, the personal information protection manager, etc. will review the contents of the entrustment, etc.
Appropriately evaluate, including considering, and take necessary measures if there are matters to be improved.
I will cheat.
(4) If the subcontractor intends to subcontract, the consignor will subcontract in the same way as when subcontracting.
Regarding the other party, the content of the business to be subcontracted, and the handling method of personal data of the subcontractor, etc.
Request prior reporting or approval procedures from the contractor, perform regular audits directly or through the contractor
By implementing, etc., the subcontractor appropriately supervised the subcontractor in this Article to the subcontractor.
Sufficiently confirm that the subcontractor will take safety management measures based on Article 20 of the Act.
I will do it. The same applies to the case where the subcontractor subcontracts again and thereafter.
To

Article 7 Obligation to provide personal data to a third party (related to Article 23 of the Act)
Other than the following items, the general guidelines are used as examples.
1 Principles regarding restrictions on provision to third parties
In accordance with Article 23 of the Act, a debt collection company shall obtain the consent of the person to provide it to a third party.
As a general rule, the following matters should be shown in writing to the person in advance and consent should be obtained.
To do.
(1) Name or contact information of a third party to whom personal data is provided
⑵ Items of personal data provided to a third party
(3) Purpose of use of personal data at the destination
2 Exceptions regarding restrictions on provision to third parties
To the extent necessary to manage the claim from the transferor to the transferee in connection with the transfer of the claim
If personal data regarding the debtor and guarantor is provided, it will be requested in accordance with Article 23 of the Act.
Assuming that the consent of the person regarding the provision to a third party is presumed, and the transfer of the claim
Of course, necessary preparatory actions such as due diligence and selection of transferees related to
Even so, it is assumed that consent can be presumed because it is included in the range necessary for managing claims.
You can handle it. In addition, the debtor or guarantor, etc., who is the principal, is the individual who accompanies the transfer of the debt.
Explicitly refused to provide the data to a third party, thereby managing the claim.
If it interferes with the reason and is necessary for the protection of the property, etc. of the transferor or transferee of the claim,
It falls under Article 23, Paragraph 1, Item 2 of the Act.
3 Opt-out (related to Article 23, Paragraph 2 of the Law)
In the main business, the debt collection company provides personal data to a third party based on Article 23, Paragraph 2 of the Act.

Page 11

Offer (opt-out) shall not be used.
In addition, the debt collection company is a sir when using a new opt-out in a side business.
Based on the fact that Article 12 of the Visa Law imposes a full-time obligation for the main business, we accept a side business.
Do not carry out business beyond the approved range, and obtain approval for side business as necessary.
And.
In providing information on an individual's solvency to a personal credit information agency,
We will not use opt-out and will obtain the consent of the person in accordance with 1.
4 Items that do not correspond to a third party
The debt collection company states that the matters stipulated in Article 23, Paragraph 5, Item 3 of the Act are as follows.
To do.
(1) Regarding the "range of people who use it jointly", objectively to the extent that the person can understand it.
Must be clearly stated, but in addition to this, indicate individual company names as much as possible.
And.
⑵ "Name or name of the person responsible for the management of the personal data" (hereinafter "management responsibility"
It is called "the person in charge". ) Is responsible for handling complaints related to the personal data of the personal data.
Regarding the contents, etc., among those who use it jointly, primary disclosure, correction, etc. or suspension of use, etc.
It is a person who is authorized to do the above, and there may be more than one.
In addition, the same item is safe for people who use it jointly other than the person in charge of management specified in the same item.
Please note that this does not mean that management responsibility is exempted.
5 Provision to personal credit information agencies
The debt collection company is a personal credit information agency (information about an individual's ability to repay or pay)
A person whose business is to collect and provide the information to members. same as below. )
When providing data, if the provision falls under the provisions of Article 23, Paragraph 5, Item 3 of the Act.
Even if there is, the consent of the person will be obtained in advance (however, the debt collection company will be responsible for the debt.
Before receiving the transfer or entrustment, the creditor has a personal day to the personal credit information agency.
This does not apply if the consent of the person has been obtained for the provision of data. ). In this case and the same
When obtaining consent pursuant to the provisions of Article 1, Paragraph 1, obtain consent based on the provisions of 1.
However, in addition to the matters from 1 ⑴ to ⑶, personal data is the personal credit information agency and the relevant
Also provided to personal credit bureaus affiliated with personal credit bureaus and their member companies
It shall be shown to that effect. In addition, as much as possible, regulations regarding eligibility to join a personal credit information agency
Approximately, join a personal credit information agency and a personal credit information agency affiliated with the personal credit information agency
The list of member companies to be registered shall be kept in a state that the person can easily know.

No. 8 Obligation regarding disclosure of retained personal data, etc.
Other than the following items, the general guidelines are used as examples.

Page 12

1 Publication of matters related to retained personal data (related to Article 27 of the Act)
A debt collection company can know matters related to retained personal data in accordance with Article 27 of the Act.
When putting it in the state, for example, posting it on the Internet homepage, pamphlet
It is conceivable to continuously distribute the items and install them at the sales office counters such as the head office.
2 Disclosure of retained personal data (related to Article 28 of the Act)
(1) As an example of the case of Article 28, Paragraph 2 of the Law, General Guidelines 3-5-2 "Owned Individual Degree"
In addition to the cases listed in "Disclosure of data", the following cases can be considered.

A place where there is a risk of harming the life, body, property or other rights and interests of the person or a third party
Go
(Example)
・ Personal data held by antisocial forces and to be disclosed to the person concerned
This may cause business interruption or harm to employees by the antisocial forces.
If there is
B. When there is a risk of significant hindrance to the proper implementation of the business of the debt collection company
(Example)
・ By disclosing retained personal data, matters related to corporate secrets are clarified.
When
・ The retained personal data is related to the person other than the person such as a debt collection company.
It is an evaluation or judgment, and by disclosing it, it can be used for credit management and collection business.
It may be extremely difficult to carry out negotiations with the debtor and guarantor who are the principals.
If there is
(2) Only a part of the retained personal data requested to be disclosed by the person is in any of the items of the same paragraph.
If applicable, the debt collection company will disclose the remaining part to be disclosed.
Don't refuse.
(3) When entrusted or outsourced to manage and collect claims, the disclosure obligation of this article is entrusted.
Whether it is a person or a trustee is an individual to the trustee in the contractual relationship between the trustee and the trustee.
It depends on whether you are authorized to disclose data or correct the contents. did
Therefore, if the trustee is authorized, both the trustee and the trustee
If there is an obligation to disclose and the trustee is not authorized, it will be open only to the trustee.
There is an obligation to show.
3 Explanation of reasons (related to Article 31 of the Act)
The debt collection company shall comply with Article 31 of the Act, Article 27, Paragraph 3 of the Act (Purpose of use of retained personal data).
(Request for notification), Article 28, Paragraph 3 of the Act (request for disclosure), Article 29, Paragraph 3 of the Act (request for correction, etc.),
According to the provisions of Article 30, Paragraph 5 of the Act (request for suspension of use, etc. or request for suspension of provision to a third party), this
Do not take all or part of the measures requested or requested by a person

Page 13

When notifying the fact or when notifying that measures different from the measures will be taken
As a general rule, the notification shall be in writing and the reason shall be stated.
In addition, we will not take any measures when explaining the reason to the person in the notification.
Show the grounds and facts of the decision to take or to take different measures
I will do it.
4 Procedures for responding to requests for disclosure, etc. (related to Article 32 of the Act)
The debt collection company shall disclose to unauthorized persons regarding Article 32, Paragraphs 2 and 3 of the Act.
As for the confirmation of the identity of the person or the agent, the person who proves his / her identity is presented.
Sufficient and appropriate confirmation procedures will be taken, such as requesting.
In addition, debt collection in response to "requests for disclosure, etc." by the agent of Article 11, Item 2 of the Enforcement Ordinance
It is not prevented that the company makes "disclosure, etc." directly only to the person himself / herself.

Article 9 Obligation to handle grievance (related to Article 35 of the Act)
Other than the following items, the general guidelines are used as examples.
As an example of the development of the necessary system stipulated in Article 35, Paragraph 2 of the Law, General Rules Guideline 3-6
Grievance processing other than those listed in "Grievance processing regarding the handling of personal information"
Sufficient education and training can be considered for the employees who fall under this category.

Enactment of the 10th Declaration on the Protection of Personal Information
1 The debt collection company has laws and regulations regarding the protection of personal information, general guidelines and this guideline.
Declaration on the way of thinking and policy regarding the protection of personal information of businesses based on the inn etc. (Iwayu)
Privacy policy, privacy statement, etc. Below "Personal Information Protection Declaration"
That is. ) Will be formulated and announced.
In the Declaration of Personal Information Protection, Article 18 of the Act, Matters Concerning Notification and Publication of Purpose of Use, Article 20
Outline of Article Safety Management Measures, Article 21 Employee Supervision Policy, Article 22 Outsourcer Supervision Policy,
Matters concerning retained personal data in Article 27, procedures for responding to requests for disclosure, etc. in Article 32, Article 35
Matters concerning the grievance window of the article shall be clarified.
2 The declaration of protection of personal information includes the special features of business activities from the viewpoint of protecting the rights and interests of consumers, etc.
Incorporate as much description as possible in consideration of the following points according to gender, scale and actual situation.
And.
(1) The business operator may limit the purpose of use for each type of customer in consideration of the business content.
For the person himself / herself, such as the business operator voluntarily working to limit the purpose of use according to the person's choice.
Make the purpose of use clearer.
(2) Promote transparency of outsourced processing, such as clarifying the presence or absence of outsourced work and the content of outsourced office work.
thing.

Page 14

(3) Be as specific as possible about the source of personal information or the method of obtaining it (type of acquisition source, etc.)
Please specify.
(4) Direct mail will be sent when requested by the person regarding the retained personal data.
Voluntarily respond to suspension of use, such as suspension of delivery.

11th Measures to be taken when a violation of the law or a risk of violation of the law is discovered
In addition to the following items, what to do in case of leakage of personal data, etc.
(2017 Personal Information Protection Commission Notification No. 1; hereinafter referred to as "Notification of Response to Personal Data Leakage, etc."
Say. ) According to the example.
1 The debt collection company handles personal information (including information handled by the entrusted person).
If it is discovered that there is a violation of the law or a risk of violation of the law, personal data leakage, etc. will be dealt with.
In addition to taking measures in accordance with the notification, for example, the following measures will be taken promptly.
I will do it.
⑴ Implementation of secondary damage prevention measures
The debt collection company specifies the scope of impact according to the provisions of 2. (3) of the notification of response to personal data leakage, etc.
If this happens, promptly implement measures to prevent secondary damage, such as collecting leaked information.
2 Report to the minister in charge of the business
If a debt collection company discovers a violation of the law or a risk of violating the law, the facts will be affected.
And promptly, the Minister of Justice (Ministry of Justice Minister's Office, Judiciary and Legal Affairs Department, Examination and Supervision)
I will report to the section).
If the debt collection company is a member of an authorized personal information protection organization, the authorization
We will also report to the personal information protection organization.
3 The debt collection company needs to take special measures regarding the handling of personal information.
In view of this, even in the case specified in 3. (2) of the Notification of Response to Personal Data Leakage, etc., in accordance with 2.
We will report to the Minister of Justice.

Review of the 12th guideline
The way of thinking about the protection of personal information is the change of social situation, the change of public perception, and the technology.
It may change according to progress, international trends, etc., and this guideline will be applied after the enforcement of the law.
It shall be reviewed as necessary in consideration of changes in various environments such as the situation of.

