Page 1

Guidelines for personal information protection in the credit field

February 2017
Personal Information Protection Commission
Ministry of Economy, Trade and Industry

Page 2

Guidelines for personal information protection in the credit field

table of contents

I. Purpose, etc ................................................. .................... 1
II. Legal Interpretation Guidelines / Examples .................................................. ........... 2
1. 1. Definitions, etc. (related to Article 2 of the Act) ..................................... .......... 2
2. 2. Obligations of credit providers, etc ....................................................... .......... 3
(1) Purpose of use of personal information (related to Articles 15 to 16 of the Act) ....................... 3
(1) Identification of purpose of use (related to Article 15 of the Act) 3
(2) Restrictions on purpose of use (related to Article 16 of the Act) .................................. 3
⑵ Sensitive information ...................................................... .. 3
(3) Acquisition of personal information (related to Article 18 of the Act) ..................... 5
⑷ Management of personal data (related to Articles 19 to 22 of the Law) ........................ 5
1) Ensuring the accuracy of data content (related to Article 19 of the Act) ............................ 5
2) Safety management measures (related to Article 20 of the Act) ...................................... .. Five
3) Employee supervision (related to Article 21 of the Act) ..................................... .. 11
4) Supervision of contractors (related to Article 22 of the Act) ..................................... .. 11
⑸ Provision to a third party (related to Article 23 of the Act) ..................................... ... 12
⑹ Procedures for responding to requests for disclosure, etc. (related to Article 32 of the Act) ........................... 15
⑺ Report of leakage of personal data, etc ..................................... . 15
III. Review of guidelines ..................................................... ...... 16

Page 3

I. Purpose, etc.

1. 1. This guideline is the Law Concerning the Protection of Personal Information (Law No. 57 of 2003; hereinafter referred to as the "Law"".
That is. ), Law Enforcement Ordinance on the Protection of Personal Information (Cabinet Order No. 507 of 2003; hereinafter referred to as "Enforcement Ordinance"
That is. ) And the Law Enforcement Regulations on the Protection of Personal Information (2016 Personal Information Protection Commission Regulations)
No. 3. Hereinafter referred to as "enforcement rules". ), About the Law Concerning the Protection of Personal Information
Guidelines (General Rules) (2016 Personal Information Protection Commission Notification No. 6; General Rules Guider
It's called "in". ), Based on Articles 6 and 8 of the Act, the portion under the jurisdiction of the Ministry of Economy, Trade and Industry
Personal information in the credit field (field related to credit provision related to the transaction of goods or services) in the field
Take necessary measures to ensure that special measures are taken for protection, and credit providers
Established as a specific guideline to support activities related to ensuring the proper handling of personal information
It is a thing.
For parts not specified in this guideline, general guidelines and personal information
Guidelines for the Protection Law (Providing to Third Parties in Foreign Countries) (2016)
Personal Information Protection Commission Notification No. 7), guidelines (confirmation / recording obligation when provided to a third party)
(2016 Personal Information Protection Commission Notification No. 8) and the guidelines (anonymously processed information) (flat)
2016 Personal Information Protection Commission Notification No. 9) is applied.
2. 2. Regarding the provisions that "must do" in this guideline,
Failure to comply may result in a violation of the law.
On the other hand, regarding the provision that states "to be done", it is also possible that we did not comply with it.
Although it is not judged to be a violation of the provisions of the law, "Personal information is based on the idea of ​respecting the personality of an individual.
If it is not handled properly in view of the fact that it should be handled with caution.
Appropriateness of personal information in the credit field based on the basic principle of the law (Article 3 of the law)
From the viewpoint of ensuring proper handling, it is hoped that we will respond as much as possible according to the characteristics and scale of the business operator.
It is rare.
3. 3. The specific examples described in this guideline are described for the purpose of limiting them.
It should be noted that there may be other factors to be considered separately depending on the individual case.
4. Authorized personal information protection organizations in the credit field have created or modified personal information protection guidelines, and
Based on the actual situation and characteristics of the business, the business associations, etc. in the credit field are the associations of the business associations, etc.
Creating or changing voluntary rules (guidelines for business associations, etc.) for member companies, etc.
In that case, it is possible, but in that case, a member of a business operator or business association that is a target of an authorized personal information protection organization.
Companies, etc. handle personal information by decree and general guidelines regarding the protection of personal information.
In addition to these guidelines, etc., it is necessary to take measures in accordance with the guidelines or rules. Special
In addition, in the certified personal information protection group, due to the revision of the law, the certified personal information protection group is the target business
Must take necessary measures to make a person comply with the Personal Information Protection Guidelines
It is also important to take into account that it was said.

1

Page 4

5. Credit companies are involved in the protection of personal information in order to prevent leakage and unauthorized leakage of personal information.
In addition to the laws, general rules and guidelines, and related laws and regulations, personal information
It is necessary to establish an appropriate management system.

II. Legal Interpretation Guidelines / Examples

1. 1. Definitions, etc. (related to Article 2 of the Act)
⑴ “Credit business”
"Credit business operator" is a business operator handling personal information that uses information related to the solvency of an individual.
Installment sales stipulated in Article 2, Paragraph 1 of the Installment Sales Act (Act No. 159 of 1958), Article 2
Loan tie-up sales stipulated in Paragraph 2, comprehensive credit purchase mediation stipulated in Paragraph 3 of the same Article, Paragraph 3 of the same Article
Providing credit for transactions of individual credit purchase mediations and other goods or services prescribed in paragraph 4.
A person who does karma.

⑵ "Personal credit information agency"
"Personal credit information agency" is the collection of information on the solvency of an individual and the credit bureau.
A person whose business is to provide the relevant information.

⑶ "Personal consent"
Other than the following items, the general guidelines are used as examples.
The credit business operator, when obtaining the consent of the person stipulated in Articles 16, 23 and 24 of the Act,
As a general rule, it shall be in writing (including electromagnetic records; the same shall apply hereinafter).
In the document confirming the consent, the provisions related to the handling of personal information and other contract clauses
The provisions relating to the handling of personal information and theirs, even if they are in separate documents or the same document
It shall be clearly distinguished from other contract terms. In addition, the size of letters, the expression of sentences, etc.
Take measures to facilitate consumer understanding of matters that affect consumer understanding
I will cheat.
Consent shall be obtained by a method that reflects the intention of the person's consent.

⑷ In addition to the terms specified in ⑴ to ⑶, the terms used in this guideline are not specified.
As long as it is, follow the definition of laws and regulations regarding the protection of personal information.

2

Page 5

2. 2. Obligations of credit providers, etc.
(1) Purpose of use of personal information (related to Articles 15 to 16 of the Act)
(1) Identification of purpose of use (related to Article 15 of the Act)
Other than the following items, the general guidelines are used as examples.
In identifying the purpose of use, the correspondence between each item of personal information and each item of purpose of use
The person in charge will be clarified.
In particular, the credit bureau provides personal information to the personal credit information agency, or the personal credit information agency.
If you do not specify in the purpose of use, you must also obtain the necessary personal information from
It doesn't become. In this case, the consent of the person concerned shall be obtained for the specified purpose of use.
In addition, when changing the purpose of use, it is recognized that it is related to the purpose of use before the change.
If you do so beyond the above range, you must obtain the consent of the person again.
[Example of how to show the correspondence between personal information and purpose of use]
For the purpose of use shown in the table below, the applicant will take protective measures for the following information i) to iv).
I agree to acquire and use it.
purpose of use

Usage information

Contact information, etc.

Credit judgment and post-credit management
I) ii) iii) iv)

Chiyoda-ku, Tokyo ○○

For

TEL △△

○○ Business promotion

E-mail □

I) ii))

Etc. for the use of business information
I) Name, address, phone number, ...
Ii) Application date, product name, ...
Iii) Balance of usage after payment starts, ...
Iv) Past debt repayment status, ...

(2) Restrictions on purpose of use (related to Article 16 of the Act)
Other than the following items, the general guidelines are used as examples.
About using personal information for the purpose of sales promotion such as sending direct mail
If the person does not agree, the credit business operator will make a contract for credit provision for that reason.
Will not refuse to conclude.
The credit bureau provides information on the solvency obtained from the personal credit information agency to the individual.
It shall not be used for any purpose other than investigating the ability to pay.

⑵ Sensitive information
1) The credit business operator is required to consider personal information stipulated in Article 2, Paragraph 3 of the Act and to join the labor union.
Hometown, registered domicile, health care and sexual life (of these, those that correspond to sensitive personal information
except. ) Information (person, national institution, local public body, each item of Article 76, Paragraph 1 of the Law

3

Page 6

Is published by the persons listed in each item of Article 6 of the Enforcement Regulations, or by visually inspecting the person.
Or, the ones that are apparent in the external shape acquired by taking a picture are excluded. Below "subtleties
(Sensitive) information ". ), Except for the following cases, acquisition,
It shall not be used or provided to a third party.
① When based on laws and regulations
② When it is necessary to protect human life, body or property
③ When there is a particular need to improve public health or promote the sound development of children
④ A national institution or a local public body or a person entrusted with it performs the affairs stipulated by laws and regulations.
When you need to cooperate in accomplishing
⑤ A copy of the family register containing sensitive information and other persons can be identified.
When acquiring, using or storing documents for personal identification
* In order to confirm the identity of the bankrupt, the information on the bankruptcy published in the official bulletin
Obtaining, using or storing information on the registered domicile of the bankrupt.
⑥ Sensitivity (sensitivity) as long as it is necessary to carry out the transfer of rights and obligations through inheritance procedures.
When acquiring, using, or providing information to a third party
⑦ Based on the consent of the person, because it is necessary to ensure proper business operation of the business in the credit field
Acquire, use, or provide sensitive information to the extent necessary for business execution
If
⑧ Based on the consent of the person, the biometric authentication information corresponding to the sensitive information is given to the person.
When used for confirmation

2) The credit provider acquires, uses, or first obtains sensitive information when listed in 1).
In the case of providing by three parties, acquisition, use or provision to a third party deviating from the reasons listed in 1)
We will handle it with particular care so that it does not happen.

3) The credit provider acquires, uses, or first obtains sensitive information when listed in 1).
In the case of providing three parties, for example, when acquiring sensitive personal information, Law No. 17
In accordance with Article 2, it is required to obtain the consent of the person in advance.
However, it is necessary to take appropriate measures in accordance with laws and regulations regarding the protection of personal information.
I mean.

4) Credit providers are required to provide sensitive information to third parties under the law.
The provisions of Article 23, Paragraph 2 (opt-out) shall not apply. In addition, subtlety (sensitivity)
Ib) For sensitive personal information, use opt-out in the same section.
Keep in mind that it is not possible.

Four

Page 7

(3) Acquisition of personal information (related to Article 18 of the Act)
① Notification or publication of purpose of use
Other than the following items, the general guidelines are used as examples.
As a general rule, the method of notifying the purpose of use in business related to the credit field is written.
It depends on the surface.

② Obtained directly in writing, etc.
Other than the following items, the general guidelines are used as examples.
A place where a credit business operator obtains personal information of the person directly written in writing from the person.
In that case, we will obtain the consent of the person regarding the purpose of use. At that time, clearly indicate the purpose of use
The method is based on the example of II.2.2 (1).

⑷ Management of personal data (related to Articles 19 to 22 of the Law)
1) Ensuring the accuracy of data content (related to Article 19 of the Act)
Other than the following items, the general guidelines are used as examples.
The credit business operator sets the retention period according to the purpose of use of the personal data it holds, and the retention
After the period has passed, the personal data held will be deleted.

2) Safety management measures (related to Article 20 of the Act)
Other than the following items, the general guidelines are used as examples.
The credit business operator leaks, loses or damages the personal data it handles (hereinafter referred to as "leakage, etc."
That is. ) For the prevention of other personal data security management, systematic, human, physical and
Technical safety control measures must be taken.
Regarding specific methods for taking safety management measures, personal data leaks, etc.
Considering the magnitude of infringement of rights and interests that the person incurs if he / she does, the nature of the business and personal day
Handling status of data (including the nature and amount of data handled), media on which personal data is recorded
Be sure to make the content necessary and appropriate according to the risk caused by the nature etc.
However, it is not necessary to take all the examples of the following measures.
Moreover, the appropriate method is not limited to the contents of these examples. From the viewpoint of personal data protection
It is more desirable to adopt a method that is superior to the contents listed in each case.
Is.
Also, in charge of credit card application forms and other credit fields with personal information
The input form before configuring the personal information database, etc. is also equivalent to personal data.
It will be treated as. (Hereafter 3) [Supervision of employees], 4) [Supervision of contractors]
the same. )

Five

Page 8

■ Organizational safety management measures
(1) The credit business operator protects personal information including matters related to the security management of personal data.
Declarations on ideas and policies regarding this must be formulated and published.
* "Personal information protection including matters related to personal data security management"
And policy declarations, for example, the so-called privacy policy, privacy
Sea statement etc. is applicable.

(2) Credit business operators have established rules regarding security management measures for personal data in accordance with this guideline.
It is necessary to prepare a procedure and a procedure manual.

③ The credit business operator must appoint a person in charge of personal information protection.
* The above includes, for example, the so-called Chief Privacy Officer (CPO), etc.
Is applicable.
* Appointment of work managers and limitation of work personnel in handling personal data, individuals
Appointment and person in charge of information system operation manager who handles data (system administrator)
including. ) Will be limited.

④ The credit business operator includes matters related to security management measures for personal data in the job rules, etc.
Must wait.
[Examples of matters to be stated in job regulations]
・ Matters concerning safety management measures in accordance with this guideline
・ Roles and responsibilities of employees regarding the safety management of personal data
・ Disciplinary action against the company and disciplinary action when personal data is leaked or leaked intentionally or negligently
Matters concerning compensation for damages

In addition, "employee" is within the organization of the credit business operator and directly and indirectly directs and supervises the business operator.
An employee who has an employment relationship (regular employee,) who is engaged in the business of a business operator under the supervision.
Not only contract employees, part-time employees, part-time employees, part-time employees, etc.), but also directors and executives
It also includes roles, directors, corporate auditors, auditors, dispatched employees, etc.
[Example of clarification of roles and responsibilities]
・ Handling of personal data (acquisition / input, transfer / transmission, use / processing, storage / backup, erasure /
Work manager and person in charge of work such as disposal)
・ Operation managers and persons in charge of information systems that handle personal data
・ Roles of departments and branches that handle personal data
・ Audit manager

⑤ Credit business operators should deal with accidents such as leakage of personal data.

6

Page 9

The following system must be established.
・ Internal report communication system
* Not only when an accident such as leakage of personal data occurs, but also when it occurs.
Even if there is such a case, a reporting communication system will be established.
・ Information provision system to the person who may be affected by an accident such as leakage (to the person)
System for notifying or making it easy for the person to know)
・ Report communication system to the Ministry of Economy, Trade and Industry and authorized personal information protection organizations

⑥ Credit companies handle personal data (including those handled by trustees) that they handle.
From the viewpoint of preventing secondary damage related to leaks, avoiding the occurrence of similar cases, etc., the following
Appropriate measures must be taken.
・ Promptly notify the person of the facts or put them in a state where the person can easily know them.
・ Publicize the facts as much as possible without delay.
・ As soon as possible, matters related to facts, causes of occurrence, countermeasures and other leaks, etc.
Report to the Ministry of Economy, Trade and Industry and authorized personal information protection organizations. Further industry
It is desirable to report to related organizations such as organizations.

⑦ Credit companies must develop means to check the handling status of personal data.
Absent.
[Example of establishing means to check the handling status of personal data]
Items to be acquired, purpose of use notified, storage location, storage method, person with access authority, use
Maintenance of personal data handling ledger that describes deadlines and other information necessary for proper handling of personal data

⑧ Credit providers are subject to audits and other safety management measures in accordance with this guideline.
A mechanism must be introduced to confirm that this is the case.

⑨ The credit company must evaluate, review and improve the security management measures for personal data.
It doesn't become.
[Examples of how to evaluate, review and improve safety management measures]
・ Drafting an audit plan and conducting audits based on the plan (internal audit or external audit)
・ Summary of audit results and report to representatives
・ Audit reports received from the person in charge of auditing, changes in social norms regarding personal data, and advances in information technology
Regular review and improvement of safety management measures according to

■ Human safety management measures
(1) The credit business operator is a non-disclosure contract or other personal contract at the time of employment contract and consignment contract

7

Page 10

A contract must be signed that includes matters related to the safety management measures of the data.
* Check non-disclosure clauses in employment contracts or consignment contracts at regular intervals.
In addition, it will be valid for a certain period of time even after the contract ends.
* Although not an employee who handles personal data, he stands in a building that holds personal data.
Persons who may enter, access to information systems that handle personal data
Regarding the range and access conditions of the parties who can access even those who have the potential
It will be clearly stated in the contract. Persons other than employees who handle personal data
Includes information system development / maintenance personnel, cleaning personnel, security guards, etc.

(2) The credit business operator continues to educate and train employees regarding the safety management of personal data.
Must be implemented in a targeted manner.
[Example of continuous education and training regarding the security management of personal data]
・ Creating an education / training plan for the safety management of personal data
・ Development of curriculum, etc. necessary for conducting education and training related to the safety management of personal data
・ Regular (for example, once a year) or hourly education / lessons deemed necessary for employee supervision
Implementation of training
・ Regular confirmation of the implementation status of education and training

■ Physical safety management measures
(1) The credit business operator must manage the facilities that handle personal data.
(Example of management in office facilities and personal data processing facilities)
・ Management of facilities and rooms by locking, etc.
(Example of management in a personal data processing facility)
・ Qualification and certification of persons entering and exiting (rooms)
・ Record of entrance / exit (room)
* "Office facilities" include offices such as the head office, branch offices, and sales offices, and are "individual departments".
"Data processing facility" means, for example, computer center, call center, server room, etc.
including.

(2) The credit provider has stolen the personal data itself, documents containing personal data, magnetic media, etc.
Measures must be taken to prevent this.
[Example of measures to prevent theft]
・ Locked storage of media containing personal data
・ Separate storage of personal data containing name, address, email address, etc. and other personal data

(3) The credit business operator must physically protect the equipment and devices.

8

Page 11

[Example of physical protection measures]
・ Installation in a physically protected room that manages entrance / exit (room)
・ Installation in a locked rack, etc.
・ Prohibition of taking out of the site

■ Technical safety management measures
① The credit provider must identify and authenticate the access to personal data.
Not.
[Example of identification and authentication]
・ Authentication by ID and password
* When using an ID and password, set the expiration date of the password, and use the same or similar password.
Limit reuse of words, set minimum password characters, fail to log in more than a certain number of times
We will take measures such as suspending the ID.
・ Biometric authentication
・ Client authentication using digital certificates for devices such as terminals

(2) The credit business operator must control access to personal data.
[Example of access control]
• Minimize the number of employees who should be granted access to personal data
・ Access control based on identification
・ Limitation on the number of simultaneous users to the information system that stores personal data
・ Limitations on the usage time of the information system that stores personal data (for example, on holidays and after business hours)
Make the information system inaccessible during the time period, etc.)
-Verification of the effectiveness of access control functions installed in information systems that handle personal data (for example)
For example, verification of the presence or absence of vulnerabilities in web applications)
-Proper management of passwords (for example, do not write down passwords)
・ Limited communication routes and terminals that can access personal data from the outside via a network
・ Minimization of access rights given to employees
-Protection from unauthorized access to the information system that stores personal data (for example, Fireau)
Settings for all, routers, etc.)
-Preventing unauthorized use of applications that can access personal data (for example, appliqué)
Implementing an authentication system in the application system, which is used by employees who need it for business
A machine necessary for business to install the application system required only for the putter
Display only Noh in the menu, etc.)

(3) The credit business operator must manage the access authority to personal data.

9

Page 12

[Example of access authority management]
-Appropriate implementation of authority management that allows anyone who can access personal data (for example, personal data)
The person in charge of registering the person who accesses the site is the person who has thoroughly examined the appropriateness.
Injury, to be able to perform work such as registration)
-Regular review of the validity of access authority in light of business content
・ Prompt deprivation of access authority for retirees and transferees

④ The credit business operator must record the access of personal data.
[Example of access record]
-Recording the success and failure of access to personal data and operations (for example, access to personal data)
If you cannot record the operation or operation, record the success or failure of access to the information system)
・ Appropriate protection from leakage of collected records

* Records of information systems that handle personal data may correspond to personal information.
Keep in mind that.

⑤ The credit provider is malicious software for information systems that handle personal data.
Measures must be taken.
[Example of countermeasures against malicious software]
・ Introduction of antivirus software
-Correction for security measures for operating system (OS), applications, etc.
Applying software (so-called security patches)
-Checking the effectiveness and stability of anti-malware measures (for example, pattern files and correction software)
Check for ware updates)
-Prohibition of use of software not permitted by the system administrator

⑥ The credit business operator must take appropriate measures when transferring / transmitting personal data.
It doesn't become.
[Example of appropriate measures]
-When transferring electronic media containing personal data, encrypt or password lock.
・ When sending personal data by attaching it to an e-mail via the Internet, e-mail
To encrypt the file itself.

* Note that the length of the encryption key, the encryption algorithm used, the number of characters in the password, and the number of characters
Regarding miscellaneousness, the right that the person suffers if the electronic medium containing personal data is lost.
It is desirable to set it appropriately in consideration of the magnitude of infringement of interests.

⑦ The credit company takes measures when checking the operation of the information system that handles personal data.

Ten

Page 13

There must be.
[Examples of measures to be taken when checking the operation of an information system that handles personal data]
・ Prohibition of using personal data as test data when checking the operation of information systems
・ When the information system is changed, the security of the information system or operating environment is changed by those changes.
Verification that tee is not damaged
-When system management is performed from the outside via a network, appropriate authentication function and encryption function
And introduction of access control function

⑧ Credit companies must monitor information systems that handle personal data.
[Example of monitoring an information system that handles personal data]
・ Monitoring the usage status of information systems that handle personal data
-Monitoring the access status (including operation details) to personal data

* The record of the result of monitoring the information system that handles personal data is the personal information.
Keep in mind that it may be true.

3) Employee supervision (related to Article 21 of the Act)
Other than the following items, the general guidelines are used as examples.
(1) The credit business operator makes employees comply with safety management measures based on Article 20 of the Act.
You must supervise it properly.

(2) As a result of supervision, the credit business operator gives appropriate instructions / orders when there is a problem with the employee.
It must be made.

4) Supervision of contractors (related to Article 22 of the Act)
Other than the following items, the general guidelines are used as examples.
(1) When selecting a contractor, the credit business operator should maintain the organizational structure of the contractor.
Based on the selection criteria, the basic policy related to safety management and the status of formulation of handling rules are set as the selection criteria.
Appropriate persons must be selected for the handling of personal data based on the standards.
[Examples of selection criteria]
・ Order record of consignment business
・ A system that can comply with the rules implemented by the consignor itself or these guidelines, etc.
・ Maintenance and implementation status of personal data handling procedures related to outsourced operations
・ Development and implementation status of safety management measures for personal data related to outsourced operations
・ Facts of problems related to leakage of personal information in the past, details of recurrence prevention measures, implementation status, etc.

(2) In the consignment contract, the credit company is the consignor and contractor regarding the handling of personal data.

11

Page 14

The contents agreed by both parties must be included in the contract.
[Examples of items described in the consignment contract]
・ Matters concerning the purpose of use of personal information related to outsourced business (identification of purpose of use at the outsourcee)
・ Matters concerning clarification of responsibilities of contractors and contractors
・ Regarding the appointment of a person in charge of handling personal data and the identification of employees who handle personal data
Matters
・ Matters concerning the transfer and delivery of personal data and commissioned business results
・ Matters concerning the storage method and storage location of personal data and recording media
・ Matters concerning the retention period of personal data and recording media and the method of returning, erasing, and disposing of them
・ Matters concerning prevention of leakage of personal data and prohibition of theft
・ Matters concerning prohibition of provision of personal data related to consignment contracts to third parties
・ Prohibition of processing and use outside the scope of the consignment contract
・ Prohibition of copying and duplication outside the scope of the consignment contract
・ Matters concerning the prohibition of handling personal data other than those required for the purpose of the consignment contract
・ Matters concerning subcontracting
・ Matters concerning the content and frequency of reports to the consignor regarding the handling status of personal data
・ Matters concerning the rights of businesses related to on-site inspections and collection of reports to contractors
・ Matters concerning the right to conduct audits by contractors or to conduct audits by business operators
・ Matters concerning measures and measures based on crisis management and crisis response procedures in the event of an accident such as a leak
・ Matters concerning compensation for damages and cancellation of contract in case of breach of contract

③ The credit company must confirm that the contractor is in compliance with the contract details.
It doesn't become.
[Example of items to be implemented at the time of confirmation]
・ Implementation of work related to supervision of contractors by personal data managers
・ Regular reports on work status, rule compliance status, etc. from contractors
・ Submission of evidence necessary for confirming work status, rule compliance status, etc. from the contractor
・ Submission of evidence necessary to confirm the supervision status of the subcontractor

⑸ Provision to a third party (related to Article 23 of the Act)
① Principle
Other than the following items, the general guidelines are used as examples.
For third parties who provide personal data, in principle, enter their name or name.
By doing so, it will be specified.
Describe the purpose of use of personal data by a third party as specifically as possible.
There must be.

12

Page 15

[ Examples of specific description]
(Third party providing personal data and purpose of use)
company name

purpose of use

Usage information

contact information

A Co., Ltd.

Credit judgment / post-credit administration
2. 2. (1) ① i) ii) iii)

Chiyoda-ku, Tokyo ○○

For reason

Iv)

TEL △△

○○ Business declaration

Ⅱ 2. (1) ① i) ii)

E-mail □

Benefits of business information such as transmissions
For use
○○ Business declaration

B Co., Ltd.

2. 2. (1) ① i) ii) Chiyoda-ku, Tokyo ○○

Benefits of business information such as transmissions

TEL △△

For use

E-mail □

A credit bureau is a place to provide personal data to a personal credit information agency as a third party.
In that case, the consent of the person must be obtained in advance. In that case, personal data
Member companies of personal credit information agencies and personal credit information machines affiliated with the personal credit information agencies
It shall be clearly stated in writing that it will be provided to Seki and these member companies. That
Take steps to facilitate consumer understanding of personal credit bureaus
And.
[Example of how to indicate a personal credit information agency]
The applicant is a member of the Company with personal information based on the objective transaction facts of the contractor regarding this contract.
Personal credit information agency (collecting information on individual solvency and providing such information to members)
The personal credit information agency to which the Company is a member and the relevant machine, registered for the period specified in the table below.
To investigate the solvency of contractors by member members of personal credit information agencies affiliated with Seki
I agree to be used.
Personal credit information agencies affiliated with the Company and personal credit information agencies affiliated with the Company
The names and contact information of the information agencies are as follows.
company name

Street address

homepage address

phone number
Chiyoda-ku, Tokyo ○○

C Co., Ltd. (member)

http: // www. ○○ /

○○ － ○○○○ － ○○○○
D Information Center Co., Ltd.

Chiyoda-ku, Tokyo △△

http: // www. △△ /

(Partner)

△△ － △△△△ － △△△△

E Information Center (Partner) Chiyoda-ku, Tokyo □□

http: // www. □□ /

□□ － □□□□ － □□□□
C Co., Ltd .: Personal credit information agency whose member is mainly XX company

13

Page 16

D Information Center Co., Ltd .: Personal credit information agency whose members are companies that are members of the XX Association.
E Information Center: Personal credit information agency whose member members are mainly XX companies

[Example of how to indicate personal data items and registration period]
item

A information

B information

C information

company name
C Co., Ltd. (Membership

From the day

From the day

From the day

Destination)

XX months

XX years

XX years

D Information Center Co., Ltd.

○

-

○

○

○

-

Inter (partner)
E Information Center
Carrier)

Terms and conditions regarding eligibility to join a personal credit information agency, personal credit information agency and the personal credit
For a list of member companies that join personal credit bureaus affiliated with information agencies, see the book
It will be placed in a state that people can easily know, and it will be added in the terms and conditions of personal credit information agencies.
Enrollment qualifications, business of member companies, business violations so that the extension of eligible companies can be clarified
Describe sanctions, etc. as specifically as possible.

② Opt-out
Other than the following items, the general guidelines are used as examples.
Credit bureaus provide information about an individual's solvency to a personal credit bureau.
Therefore, the provisions of Article 23, Paragraph 2 of the Law shall not be applied, and the person himself / herself shall comply with II.2.2⑸①.
We will obtain consent.

③ Items that do not correspond to a third party
Other than the following items, the general guidelines are used as examples.
・ Shared use
As a general rule, credit business operators should write the "notification" stipulated in Article 23, Paragraph 5, Item 3 of the Act.
I will do it.
As a general rule, individual company names are listed for notifications of "range of people who use jointly".
I will list it. In addition, notify the person by showing the extension of the person who uses it jointly.
In the case of such cases, specifically specify the person who jointly uses it so that the person can easily understand it.
Must be determined.
* The same item is not for those who are responsible for the management of personal data specified in the same item.

14

Page 17

It does not mean that the person who shares the service is exempted from the responsibility for safety management.
[Example of how to show the extension of joint users]
・ Our subsidiary listed in our company and securities reports, etc.
・ Company consolidated by the Company and equity-method affiliates listed in the Company and securities reports, etc.

The "purpose of use of the user" must be stated as specifically as possible. Ingredients
Physically, it is based on the case of II.2.2 (1).

⑹ Procedures for responding to requests for disclosure, etc. (related to Article 32 of the Act)
Other than the following items, the general guidelines are used as examples.
The credit business operator confirms that the person making the request for disclosure, etc. is the person or the agent.
In establishing the above, a sufficient and appropriate confirmation procedure shall be adopted.
In response to a request for disclosure, etc. by an agent under Article 11, Item 2 of the Enforcement Ordinance, the credit business operator
It is not hindered to disclose directly only to the person.

⑺ Report of personal data leakage, etc.
(1) The credit company has deleted the personal information used to create the anonymously processed information it holds.
Etc., personal identification code, and processing method performed pursuant to the provisions of Article 36, Paragraph 1 of the Act.
If an accident occurs in which information (hereinafter referred to as "processing method information") is leaked, it is secondary.
From the perspective of preventing damage and avoiding the occurrence of similar cases, the facts, etc. will be made public as much as possible without delay.
A state in which the facts can be promptly notified to the person or the person can easily know the facts.
I will put it in.

(2) The credit business operator leaks personal data (including those handled by the trustee) that it handles.
In the event of an accident such as swelling, the facts, the cause of the accident, countermeasures, and other leaks
As soon as possible, the Ministry of Economy, Trade and Industry and accreditation shall be made in accordance with the following a or b.
You must report to a personal information protection organization. In addition, accidents of information leakage such as processing methods
If this occurs, it will be reported in the same way. Furthermore, the relationship with the industry group to which you belong
It is advisable to report to the institution.
A. Credit business operators that are the target of the business of certified personal information protection organizations (hereinafter referred to as "target business operators")
U. ) Should be reported to an authorized personal information protection organization instead of reporting to the Minister of Economy, Trade and Industry.
Can be done. The authorized personal information protection organization provides an overview of accidents or violations of the target business operator.
Report to the Ministry of Industry on a regular basis. However, the target business operator is the Minister of Economy, Trade and Industry in the following cases:
It is desirable to report promptly one after another.
・ A place where personal data including sensitive information specified in II.2.2 (2) is leaked
Go
・ When personal data including credit information, credit card number, etc. is leaked

15

Page 18

When there is a high possibility of secondary damage
・ When the scale of leakage etc. is large
・ When accidents such as leaks (especially similar cases) occur repeatedly in the same business operator
・ When other authorized personal information protection organizations think it is necessary
B. If the credit business is not the target business, report it to the Minister of Economy, Trade and Industry.

③ If the credit provider falls under any of the following a, b, c or d, the Ministry of Economy, Trade and Industry
And it is not necessary to report to the authorized personal information protection organization.
A. Mistransmission of facsimiles and emails (personal information is included in addition to the address and sender's name)
Only if not. )
B. When I entrusted the delivery of parcels, etc. that do not contain personal information in the contents, due to misdelivery
When the personal data described in the address is disclosed to a third party
C. When mail is misdelivered
D. There is an error in the contact information (address, telephone / fax number, email address, etc.) declared by the person.
Or because the person did not report the change of contact information to the credit provider.
When faxing or emailing to three parties, or delivering mail or parcels

III. Review of guidelines
The way of thinking about the protection of personal information is the change of social situation, the change of public perception, the progress of technology,
It may change according to international trends, etc., and this guideline is related to the situation after the enforcement of the law.
It shall be reviewed as necessary in light of changes in the boundaries.

16

