Personal Information Protection Basic Policy

As one of the leading institutions for general and continuing education in Japan, ECC strives to make our value to society ever greater. In this capacity, ECC group (hereinafter “ECC”) shall observe all relevant laws and regulations regarding the protection of personal information and shall comply with the personal information protection guidelines of all related ministries. ECC’s policies regarding the acquisition, use, and provision of personal information by ECC are stipulated below. Furthermore, this basic policy applies to the processing of personal information concerning data subjects in the European Economic Area (“EEA”) in accordance with the Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter “GDPR”).

【General Terms and Conditions】

1. ECC shall acquire personal information of customers solely through the use of legitimate and fair measures.
2. ECC shall either publicly announce or notify customers of the purpose of use of acquired personal information. Said personal information shall be used solely within the bounds of what is necessary for achieving the purpose of use.
3. ECC shall not provide acquired personal information to third parties without prior consent from customers. In the case that personal information is provided to a third party, customer consent shall be obtained either when the personal information is acquired or before providing said information to the third party.
4. Personal information acquired by ECC shall be kept safe and managed as per company policy. Any and all necessary technical and organizational preventative measures against unauthorized access and leakage risks shall be taken. Personal information found to be unnecessary shall be discarded and/or deleted in an appropriate way.
5. ECC shall appoint personnel to be in charge of and responsible for the management of personal information and the maintenance and development of a management system for personal information within the company.
6. In the case that an incident regarding personal information arises, ECC shall promptly notify the customer and other related parties, and take all necessary measures to minimize any damage that occurs as a result of the incident.
7. In the case that a customer requests the disclosure, correction, or deletion of their personal information, ECC shall take all reasonable steps to comply with the request, unless such compliance is precluded by laws and regulations.
8. ECC shall continually review and improve company policies regarding personal information, taking into account relevant legal amendments, societal changes, and changes in the business environment.
9. ECC shall educate company executives and employees who handle personal information regarding the roles and responsibilities in relation to the observation of laws, regulations, and company rules regarding personal information, and measures to take when said laws, regulations, and rules are violated.

【Cross-Border Transfer】

Personal information may be transferred to entities in countries or jurisdictions outside the EEA, such as Japan, if required for the purposes described above. Please note that such countries or jurisdictions may not have the same data protection laws as the EEA and may not afford many of the rights conferred upon data subjects in the EEA. ECC will ensure that any such international transfers are made using appropriate safeguards as required by the GDPR or other relevant laws. When making such a transfer, ECC will comply with applicable data protection requirements and take appropriate safeguards to ensure the security and integrity of personal information.

【Retention of Personal Information】

ECC will retain personal information for the period required to fulfill the purposes outlined in this Basic Policy, unless a longer retention period is required or permitted by law.

Basic Policy on the Appropriate Handling of Specific Personal Information

ECC’s basic policy for the appropriate handling of Individual Number (My Number) and Specific Personal Information (hereinafter “Specific Personal Information”) is stipulated below.

1. Complying with relevant laws and regulations
ECC shall comply with the Act of the Use of Numbers to Identify a Specific Individual in Administrative Procedures, the guidelines set forth by the Personal Information Protection Commission, and all other relevant laws and regulations. ECC shall ensure that company executives and employees understand the significance of the protection and appropriate handling of personal information.
2. Security Management Measures
【Organizational Security Control Measures】
ECC shall establish policies to prevent Specific Personal Information from being leaked, lost, or damaged, and shall take all necessary and appropriate organizational security control measures.
【Human Security Control Measures】
In the case that company executives and employees handle Specific Personal Information, necessary and appropriate supervision shall be exercised to ensure all appropriate security control measures are taken.
【Physical Security Control Measures】
Along with establishing a controlled facility for the handling of Specific Personal Information, appropriate measures shall be taken to protect devices, digital media, and documents from being stolen. Also, necessary and appropriate security measures, such as secure password protection, shall be taken when acquiring, moving, or discarding digital media and documents.
【Technical Security Control Measures】
Access to PCs and servers processing Specific Personal Information shall be limited and all necessary measures for preventing unauthorized access shall be taken.
3. Contact Center
For questions and inquiries regarding ECC policies on the use of Specific Personal Information, please refer to Inquiries and Complaints regarding Personal Information.

Katsumi Yamaguchi
Chairman
ECC Co., Ltd.
June 1, 2020