Date of enactment: 2005.4.1
Date of revision: 2022.4.1
AT TOKYO Corporation
President & Chief Executive Officer
AT TOKYO (the Company), as a data center service provider, acknowledges the importance of information management and has placed strict controls on all information relating to our business as a corporate asset. The Company has achieved certification of Japan Privacy Mark (Personal Information Management System) and ISMS (Information Security Management System).
The Company also complies with the laws, regulations, national guidelines and rules in connection with the protection of personal information, and hereby sets forth the following principles for proper use and management of personal information:
1. Compliance with laws and regulations
The Company will properly handle personal information acquired, managed and used in its business activities in compliance with applicable laws and regulations, including, but not limited to, the Personal Information Protection Act, and this policy.
The Company will acquire personal information through legitimate means, directly or indirectly, orally, in writing, or by electromagnetic records, sound recording, and video recording, in any manner whatsoever. With regard to telephone calls, the Company may record telephone conversations for the purpose of ensuring accuracy of information received, and confirmation of such conversations, as well as for process quality improvements of the telephone operators.
3. Purpose of Use
The purpose of use of personal information is as follows:
(1)Personal information acquired during business negotiations:
- For business negotiations and related communications, and implementation of the executed agreements.
- To provide information on products or systems newly developed. To provide information on existing products or services supplied by either the Company, or companies collaborating with the Company, that have not been contracted for.
- To gather the requests from users, and develop or improve services or systems of the Company.
(2)Personal information acquired through providing the Company’s data center services:
- To confirm personal identification of individuals intending to use the Company’s data centers.
- For provision of data center services or subcontracting, and implementation of the executed agreements.
- To gather the requests from users, and develop or improve services or systems of the Company.
- For maintenance of the security of the Company’s facilities.
(3)Personal information of retirees, employees, job applicants, etc.:
- For performing tasks carried out in accordance with related labour laws and regulations, human resource administration, and the welfare programs.
- For work related administrative and/or emergency contacts.
- For providing information on recruitment activities, company briefings, event information, etc., as well as for sending materials and recruitment tasks such as identification confirmation, etc.
(4)Personal information acquired through inquiries, questionnaires, requests, etc.:
- For improvement of business operations and/or website of the Company.
- For delivery of requested materials.
- For delivery of documented information, etc. relating to contract.
- For delivery of other required communications and/or greeting cards.
- To process or record requests from users.
If the Company intends to use the personal information for any other purposes not listed here, the Company will, as expediently as is practicable, inform the relevant individual directly of the purpose, or disclose the purpose to the public.
4. Security Control Measures
The Company has taken the following security measures for the handling of personal data.
(1)Maintenance of internal disciplines
- In order to ensure the proper handling of personal data, the Company has established basic policies that include compliance with relevant laws, regulations and guidelines, and the point of contact for questioning and complaint processing.
- The Company has formulated internal rules for the handling of personal information at each stage, including the acquisition, use, provision and disposal of personal information, and regularly reviews them.
(2)Systematic security control measures
- The Company has appointed a person in charge of the handling of personal data, clarified the employees involved with handling personal data as well as the scope of the data, and established a system for reporting when a fact or sign of a violation of a law, regulation or internal rule concerning the handling of personal data is detected.
- The Company has conducted periodic self-inspections and internal audits, and has undergone external audits by third-party organizations, regarding the handling of personal information.
(3)Human security control measures
In addition to providing employees with regular training on precautions regarding protection of personal information and information security, matters concerning the employees’ obligations of confidentiality have been stipulated in internal rules as well as disseminated throughout the Company.
(4)Physical security control measures
- In locations where personal data is handled, the Company has controlled entry to and exit from the locations and imposed restrictions on taking out equipment. The Company also has taken measures to prevent unauthorized persons from viewing personal data.
- The Company has taken measures to prevent the theft and loss of devices and electronic media for handling personal data, and to prevent personal data from being easily revealed when transporting such devices or electronic media.
(5)Technical security control measures
- The Company has implemented access control in order to limit the scope of personal data handled by employees, and a mechanism for protecting information systems that handle personal data from unauthorized outside access or unauthorized software.
5. Third Party Disclosure
The Company will not disclose or provide any personal information to third parties except in the following cases:
- When the Company has your consent to do so.
- If there is a request for disclosure based on laws or regulations.
- When necessary to protect the life, body or property of a person and attempts to obtain permission have either failed or are not practicable.
- When necessary to improve public health conditions and obtaining permission from the individual themselves is not practicable.
- When required to cooperate with national agencies or local governments to carry out their affairs as required by law, and where obtaining permission may be deemed to be hindering the execution of those affairs.
6. Management of Third-Party Service Providers
The Company may, from time to time, need to outsource services provided to business partners on a full or partial basis, as required by operational needs and the type of services contracted with the business partner. In these cases, the following shall apply:
- The Company shall conclude appropriate contracts with service providers that oblige them to comply with the laws and regulations relating to the protection of personal information, and shall ensure that they have made provisions for adequate supervision to oversee the duty of protection.
- The Company shall disclose personal information only to the extent necessary, and shall not disclose any personal information that is not required to provide those services.
7. Requests about Private Information or Record of Third Party Provision
The Company shall endeavor to maintain accurate and up to date records of private information to the extent necessary to achieve the Purpose of Use. If you would like to view, correct, delete, etc. your own personal information (hereinafter referred to as a Disclosure Request), or have questions relating to personal information, you are politely requested to follow the procedures available on request from the contact listed below (there may be an administration fee applicable in some cases). After contacting the enquiry contact indicated below, please send or present documents or other materials that can be used to prove your identity to us (the Company may need to copy the documents or other materials that prove your identity).
However, please understand that the Company cannot act on such requests in the following circumstances:
- When no reason is provided for the Disclosure Request.
- If the Disclosure Request could result in a risk to the life or limbs, assets, or other rights and interests of the individual or any third party.
- If the Disclosure Request would in any way impede the proper implementation of the business of the Company.
- In cases where it is difficult, or would incur significant expense, to suspend usage of or delete personal information, and where alternative measures can be implemented to protect the rights and interests of the individual.
- If it is a violation of relevant laws or regulations.
- If you are unable to provide a recognized proof of identification.
8. Voluntary Provision of Data
The Company will not force provision of any personal information; however, the Company asks for your understanding that when it is not supplied or is withheld, the Company may not be able to provide some or all services, conduct employment screening, or respond to requests for information.
9. Use of Identifiable and Unidentifiable Information
Whereas the Company shall not collect identifiable personal information (name, address, telephone number, e-mail address, etc.) from disclosed information without prior permission, there may be cases where unidentifiable or incomplete personal information will be collected without permission, including, but not limited to, website cookies and online surveys. The purpose of collecting this information includes research into improving our website or other operational matters, and the information is collected on the condition that it shall never be combined with personally identifiable information, and shall remain anonymous.
The Company will construct and maintain its personal information management system, and continue its execution, while ensuring that if any new needs regarding the management of personal information protection are discovered, they will be addressed in a timely manner.
12. Contact for Enquiries Relating to Privacy, or to Speak to the Data Privacy Officer
5-6-36 Toyosu, Koto-ku, Tokyo
AT TOKYO Corporation General Affairs Division
Telephone: 03-6372-3000 (hours of reception: 9:00 to 17:30 on weekdays)
Data Privacy Officer: Director of Corporate Planning Division