Customer Information Handling Guidelines

In light of the importance of protecting personal information, the Company (see "Corporate Data" and "Directors, Executive Officers and Auditors" for company address and name of representative) will endeavor to increase public faith in the general insurance industry by handling personal information appropriately and in accordance with the "Act on the Protection of Personal Information" (hereinafter "Personal Information Protection Act"), "Act on the Use of Numbers to Identify a Specific Individual in Administrative Procedures" (hereinafter "Numbers Act"), other relevant laws, ordinances and guidelines, and the "Personal Information Protection Guidelines for General Insurance Companies" (hereinafter "Guidelines for General Insurance Companies") published by the General Insurance Association of Japan. It will also take appropriate security measures in accordance with practical guidelines issued by the Financial Services Agency and General Insurance Association of Japan.
The Company will provide rigorous education and guidance to all personnel involved in its operations to ensure that personal information is handled appropriately. The Company will also conduct timely reviews and make improvements to its personal information handling and security measures.

1. Acquisition/Use of personal information

The Company acquires and uses personal information by legal and fair means within the scope necessary for its operations. The Company acquires personal information primarily from applications, policy documents, claims forms, transaction documents, and surveys, etc. It also makes audio recordings of inquiries and consultations, etc. to preserve accurate records of their content, and may acquire personal information from these records (excluding individual numbers and specific personal information as set forth in "9. Handling of specific personal information, etc.").

2. Purposes of Use of personal information

The Company will not use the personal information that it acquires (excluding individual numbers and specific personal information; see "9. Handling of specific personal information, etc.") beyond the scope necessary for the following purposes and for the purposes set forth in "6. Sharing of personal data" (hereinafter "Purposes of Use"). Purposes of Use will also be published on the company website as stated below in order to provide customers with greater clarity and specificity. The Company will in addition endeavor to limit Purposes of Use according to the circumstances of the information's acquisition and note them on applications and pamphlets, etc. Finally, any changes in the Purposes of Use will be notified to relevant individuals and also published on the company website.

  • (1)Underwriting, underwriting decision and execution related to an insurance policy application
  • (2)Smooth and appropriate payment of benefits after an insured event
  • (3)Maintenance and management of insurance policies
  • (4)Execution of reinsurance contracts, notifications pursuant to reinsurance contracts, claims for benefits of reinsurance, and provision of personal information to underwriting insurance companies, etc. (including entities in other countries) (including provision by an underwriting insurance company, etc. to another underwriting insurance company, etc.) to facilitate the said purposes
  • (5)Provision of services ancillary to insurance policies
  • (6)Consulting and operations management services associated with the acceptance in trust of defined-contribution pensions
  • (7)Execution and management of weather and earthquake derivatives and other derivatives transactions
  • (8)Opening of transaction accounts at investment trusts etc., execution of transactions, management and reporting of balances
  • (9)Screening of loans, execution, performance and management of loan contracts
  • (10)Provision of information on products (non-life insurance, life insurance, investment trusts, defined-contribution pensions, etc.) handled by the Company, provision of products, agency services, intermediary services, referral services, management services and other services by the Company, and provision of information on other products and services from companies in the MS&AD Insurance Group, as well as provision and management of said products and services and planning, development, surveying and analyzing of new products and services.

    Products and services promoted or provided by the Company and group companies

    • Non-life insurance
    • Life insurance
    • Defined-contribution pensions
    • Loans
    • Investment trusts
    • Weather and earthquake derivatives
    • Health and nursing care services
    • Risk management services
    • Asset appraisal services
    • Other services related to financial instruments and risks
    • Other services ancillary or related to the products and services above
  • (11)Promotion and provision of products and services from partner companies and outsourcing companies
  • (12)Provision of information on events, campaigns and seminars
  • (13)Collection of credits held by the Company
  • (14)Development and research of products and services related to insurance and finance through the implementation of market research, data analyses and surveys
  • (15)Appropriate performance of entrusted operations when all or a part of the processing of personal information (personal data) is entrusted from another operator
  • (16)Explanations of products/services based on analyses of data such as contract information, insured event information, complaints information, records of inquiries/consultations, etc.(*)
  • (17)Other use for the appropriate and smooth performance of transactions, etc. with the customer
    "Purpose of use" marked with (*) includes use through analyzing such information as policyholders' contract particulars, transaction records, and browsing records.
  • *See "6. Sharing of personal data (1) Sharing with group companies" for the companies in the MS&AD Insurance Group. The Company will obtain the consent of the individual when handling personal information beyond the range necessary to achieve the Purposes of Use, except in the circumstances set forth in the subparagraphs to Article 18 (3) of the Personal Information Protection Act.

3. Provision of personal data to third parties and acquisition of personal data from third parties

  • (1)The Company will not provide personal data (excluding individual numbers and specific personal information; see "9. Handling of specific personal information, etc.") to third parties without the consent of the individual except in the following circumstances.
    • a.When provided under applicable laws and ordinances
    • b.When provided to outsourcees (including entities in other countries), including insurance agencies, within the scope necessary for the performance of the operations of the Company to achieve the purpose of use and operate our business;
    • c.When provided to third parties under an "opt out" structure in accordance with procedures set forth in Article 27 (2) of the Personal Information Protection Act
    • d.When provided as a part of sharing with group companies, general insurance companies, the Ministry of Land, Infrastructure and Transport and Tourism and other parties (see "6. Sharing of personal data")
  • (2)Except in circumstances set forth in applicable laws and ordinances, when providing personal data to third parties, the Company will record matters related to provision (what kind of personal data provided when and to whom, etc.), and when obtaining personal data from third parties (including when we obtain information relating to an individual specified in "4." below as personal data), the Company will confirm and record matters related to acquisition (what kind of personal data obtained from which source and when, or how such third party obtained the data, etc.).
  • (3)With consent from the relevant individuals, we may provide their personal data to reinsurance underwriters, etc. (including those located overseas, and including provision of such data by those underwriters, etc. to other underwriters, etc.).

4. Handling of Information Relating to An Individual

  • (1)Where a third party is likely to obtain information relating to an individual (i.e., information relating to a living individual, and not corresponding to any of personal information, pseudonymously processed information, or anonymously processed information) as personal data, except in the case where such third party is required to do so by laws and regulations, we will provide the information concerned only after confirming that such third party has gained the consent of the relevant individual to the third party's obtaining such information.
  • (2)Where we expect that we will obtain information relating to an individual as personal data, except in the case where we are required to do so by any law and/or regulation, we will gain the consent of the individual concerned to our obtaining such information.

5. Outsourcing of handling of personal data

  • (1)The Company may outsource (including to entities in other countries) the handling of personal data (including individual numbers and specific personal information as set forth in "9. Handling of specific personal information, etc.") within the scope necessary to achieve the Purposes of Use. When outsourcing the handling of personal data, the Company will establish selection standards for outsourcees, will confirm the information management system of the outsourcee in advance, and will perform other necessary and appropriate supervision of the outsourcee.
    The Company may outsource the handling of personal data in the following circumstances (examples, not meant to be comprehensive).
    • a.Solicitation of insurance policies, operations related to loss adjustments
    • b.Clerical processing of insurance operations, printing and mailing operations
    • c.Operations related to the development, maintenance and administration of information systems
  • (2)When we consign handling of personal data to an overseas external third party, we ensure that we not only carry out the following secure management procedures but also conclude a consignment agreement with said third party which obligates it to implement procedures equivalent to the secure management procedures for personal data required under the Personal Information Protection Act (hereinafter "equivalent procedures").
    • a.The following items are checked in writing on an annual basis:
      • (a)Status of implementation of equivalent procedures by the consigned third party; and
      • (b)Existence or otherwise of any system in the country where said consigned third party is located which may impact on implementation of equivalent procedures.
    • b.In the event of any hindrance to implementation of equivalent procedures, we will request that the situation be remedied. If it becomes difficult to ensure ongoing implementation of such equivalent procedures, we will discontinue provision of the personal data in question.
    • c.The consignment agreement provides for such matters as that personal data is to be handled only within the scope of the agreement, that necessary and appropriate secure management procedures are to be implemented, that necessary and appropriate supervision is to be exercised over employees, need for prior approval before subcontracting consigned work, and prohibition of provision of personal data to any third party.
    • d.Please contact the information desk below for queries regarding consignment of personal data handling to overseas external third parties.

6. Sharing of personal data

  • (1)Sharing with group companies
    • a.MS&AD Insurance Group Holdings, Inc. (hereinafter "Holding Company") performs business management for group companies, and MS&AD Insurance Group may share personal data (excluding individual numbers and specific personal information; see "9. Handling of specific personal information, etc.") with the Holding Company and group companies under the following terms and conditions.

      Personal data items

      • (a)Shareholder information (name, address, number of shares, etc.)
      • (b)Customer information (name, address, telephone number, email address, gender, date of birth, policy information noted on applications, descriptions of insured events, and other information on transactions with the customer) held by the Holding Company or the Company

      Scope of sharing and party responsible for management

      The scope of group companies sharing personal information is the domestic and international insurance companies, reinsurers and affiliated operating companies of the MS&AD Insurance Group. See "Sharing of Personal Information among Group Companies" on the Holding Company web site for a full list of group companies. The party responsible for management of sharing is the Holding Company.

    • b.The Company and group companies may share personal data for the promotion or provision of the products and services they handle, as well as planning, development and analyzing of new products and services under the following terms and conditions.

      Personal data items

      Name, address, telephone number, email address, gender, date of birth, policy information noted on applications, descriptions of insured events, and other information on transactions with the customer

      Scope of sharing and party responsible for management

      The scope of group companies sharing personal information is the domestic and international insurance companies, reinsurers and affiliated operating companies of the MS&AD Insurance Group. See "Sharing of Personal Information among Group Companies" on the Holding Company web site for a full list of group companies. The party responsible for management of sharing is the Holding Company.

    • c.The Company may share personal data on agency managers, salespeople and trainees, etc. for the purpose of outsourcing to, recruiting, managing and training agencies (including trainees).

      Personal data items

      Name, address, telephone number, gender, date of birth, salesperson qualification information, agency commission/hiring, matters related to notifications to government authorities, and other information on agency managers, salespeople and trainees, etc.

      Scope of sharing and party responsible for management

      The scope of group companies sharing personal information is the domestic insurance companies of the MS&AD Insurance Group. See "Sharing of Personal Information among Group Companies" on the Holding Company web site for a full list of domestic group insurance companies. The party responsible for management of sharing is the insurance company originally acquiring the personal data.

  • (2)General insurance industry information exchange system
    The Company shares personal data with other general insurance companies, etc. for the purpose of eliminating fraudulent actions in the execution of insurance policies and claims for benefit. It also shares personal data with the General Insurance Rating Organization of Japan for the purpose of appropriate payment of compulsory automobile liability insurance. For details see the web sites of the General Insurance Association of Japan and General Insurance Rating Organization of Japan.
  • (3)Provision of personal data to the Ministry of Land, Infrastructure and Transport and Tourism
    The Company shares personal information concerning compulsory automobile liability insurance policies for motorized bicycles and motorcycles with displacement between 125-250 cc with the Ministry of Land, Infrastructure and Transport and Tourism (MLIT), and the MLIT serves as the party responsible for management. This is done to enable the MLIT to send postcards confirming enrollment in policies to policyholders for these vehicles whose compulsory automobile liability insurance is thought to be expired, thereby preventing the operation of these vehicles without compulsory automobile liability insurance.
  • (4)Confirmation of agency, etc. information
    The Company shares personal data concerning the employees of general insurance agencies with other general insurance companies for the purposes of appropriate supervision of general insurance agencies and recruitment of employees by the Company, etc. In addition, the Company shares personal data on persons passing the General Insurance Agency Examination administered by the General Insurance Association of Japan for the purpose of consignments, etc. to general insurance agencies. See the web site of the General Insurance Association of Japan for details.

7. Handling of credit information

In accordance with Article 53-9 of the Enforcement Orders to the Insurance Industry Act, the Company does not use information received from a credit information institution (an institution that collects information on personal repayment capacity and provides it to the Company) concerning the repayment capacity of individuals for any purpose other than investigating individual repayment capacity.

8. Handling of Sensitive Information

The Company does not acquire, use or provide to third parties special-care-required personal information as set forth in Article 2 (3) of the Personal Information Protection Act or personal information on labor union affiliation, birth, registered domicile, health or sexuality (hereinafter "Sensitive Information") except in the following circumstances.

  • (1)Acquisition, use and provision to third parties of Sensitive Information when necessary for the appropriate administration of insurance services within the scope required for said administration and with the consent of the individual
  • (2)Acquisition, use and provision to third parties of Sensitive Information only as necessary for the administration of benefit payments in conjunction with inheritance procedures
  • (3)Acquisition, use and provision to third parties of Sensitive Information on employee affiliation with or membership in political and religious groups or labor unions within the scope required for the administration of premium receipts
  • (4)When required under applicable laws and ordinances, etc.
  • (5)When required for the protection of human life, body or property
  • (6)When particularly required for the improvement of public health or the promotion of the sound development of children
  • (7)When required to furnish cooperation for the performance of duties, as set forth in applicable laws and ordinances, by central government institutions, local governments, or parties commissioned by them

9. Handling of specific personal information, etc.

The Company does not acquire or use individual numbers or other specific personal information as set forth in the Numbers Act for any purpose other than the purposes explicitly and restrictively enumerated in the Numbers Act. The Company does not provide individual numbers or specific personal information to third parties except in circumstances explicitly and restrictively enumerated in applicable laws and ordinances. The Company does not engage in sharing of said information as set forth in "6. Sharing of personal data."

10. Request for Disclosure or Amendment or Discontinuation of Use, etc.

  • (1)Inquiries concerning policy content and events
    Address inquiries concerning policy content and events to your agency, the contact point listed on the insurance policy document, or your local sales office. Inquiries concerning events may also be addressed to the event consultation contact listed on the insurance policy document. The inquiring party will be required to prove their identity before a response is issued.
  • (2)Notification, disclosure, correction, and suspension of use, etc. of matters related to retained personal data pursuant to the Personal Information Protection Act
    Submit requests for notification, disclosure, correction or suspension of use of matters related to retained personal data (including individual numbers and specific personal information as set forth in "9. Handling of specific personal information, etc.") pursuant to the Personal Information Protection Act according to the "Procedures for the Disclosure, etc. of Matters Related to Retained Personal Data Pursuant to the Personal Information Protection Act" found on the company website. After confirming the identity of the person making the request, the Company will request that you fill in the standard form and comply with other standard procedures. Requests will be answered at a later date using a method selected in accordance with the claimant's preference, such as in writing, mailing of external storage media, including CD-ROMs, or electronic mailing.
    Responses to disclosure requests are subject to the standard fees of the Company. If, as a result of required investigations, the Company determines that information concerning the individual is inaccurate, records will be updated to reflect accurate information as warranted by findings.

11. Overview of personal data security measures

The Company prepares handling rules, security measure implementation structures, and other security measures as necessary to prevent the unauthorized disclosure, loss or damage of the personal data that it handles (including individual numbers and specific personal information as set forth in "9. Handling of specific personal information, etc.") and manage the security of other personal data.

Main details of secure management procedures are as follows:

  • (1)Preparation of declaration of personal information protection
    In order to ensure appropriate handling of personal data, we publish such details as "compliance with relevant laws and regulations, guidelines, etc." and "information desk for complaints and consultations" in the declaration of personal information protection (Privacy Policy), and we review such details as necessary.
  • (2)Development of rules, etc. for personal data handling
    We stipulate such details as handling methods, supervisors/persons-in-charge and their roles for each stage of acquisition, use, storage, provision, deletion/disposal, etc. in various company rules, including "Customer Information Management Regulations."
  • (3)Organization-based secure management procedures
    • Installation of management supervisors, etc. for personal data;
    • Establishment of secure management procedures in the Working Regulations, etc.
    • Business operations in compliance with handling rules concerning secure management of personal data
    • Development of means for confirming the status of personal data handling
    • Development and implementation of a framework for checking and auditing the status of personal data handling
    • Development of a framework for dealing with cases such as information leakage
  • (4)Personnel-based secure management procedures
    • Conclusion of non-disclosure agreements, etc. for personal data with employees
    • Clarification of roles, responsibilities, etc. of employees
    • Ensuring of thorough understanding of secure management procedures among, and provision of relevant education and training to, employees.
    • Confirmation of status of employees' compliance with secure management procedures
  • (5)Physical secure management procedures
    • Management of areas, etc. where personal data is handled
    • Prevention of theft, etc. of equipment, electronic media, etc.
    • Prevention of information leakage, etc. during personal conveyance/transportation of electronic media, etc.
    • Deletion of personal data and disposal of equipment, electronic media, etc.
  • (6)Technological secure management procedures
    • Identification and validation of personal data users
    • Establishment of personal data management classification and access control
    • Administration of personal data access authorizations
    • Measures for preventing issues such as leakage of and/or damage to personal data
    • Recording and analyzing of attempts to access personal data
    • Recording and analyzing of operational status of information systems which handle personal data
    • Monitoring and auditing of information systems which handle personal data
  • (7)Supervision of consigned parties
    When consigning the handling of personal data externally, we ensure that parties which properly handle such data are selected. We have developed handling rules for external consignment and review them on a regular basis in order to ensure proper implementation of secure management procedures by consigned parties.
  • (8)Understanding of external environment
    We have been carrying out secure management procedures based on good understanding of systems concerning personal information protection which are operated in countries where personal data is handled.

Address questions regarding security measures to the relevant contact point found in "14. Contact points."

12. Handling of Pseudonymously Processed Information

  • (1)Creation of pseudonymously processed information
    When creating pseudonymously processed information (information relating to an individual that can be created from processing personal information, by taking action stipulated in laws and regulations so as to make it impossible either to identify a specific individual or to restore the original personal information), we will observe the following requirements:
    • a.Information shall be processed appropriately in accordance with standards stipulated in laws and regulations.
    • b.Security control action shall be taken in accordance with standards stipulated in laws and regulations so as to prevent leakage of deleted information and information relating to processing methods.
    • c.No checking against other information shall be carried out to identify the individual to whom the personal information used for creation relates.
  • (2)Purpose of use of pseudonymously processed information
    If we have made a change to the purpose of use of pseudonymously processed information, we will define, to the extent possible, the purpose of use after such change and publish it while specifying that it relates to the pseudonymously processed information concerned.

13. Handling of anonymized information

  • (1)Creation of anonymized information
    The Company takes the following measures when creating anonymized information (information on individuals obtained by processing personal information using measures set forth in applicable laws and ordinances so that specific individuals cannot be identified and the original personal information cannot be restored).
    • a.Appropriate processing under standards set forth in applicable laws and ordinances
    • b.Implementation of security measures to prevent the unauthorized disclosure of deleted information and information on processing methods in accordance with standards set forth in applicable laws and ordinances
    • c.Publication of information items included in the anonymized information created
    • d.Prohibition of actions for the identification of individuals in the source personal information
  • (2)Provision of anonymized information
    When providing anonymized information to third parties, the Company publishes the information items included in the anonymized information and the method by which it will be provided, and explicitly states to the recipient third party that the information provided is anonymized information.

14. Contact points

The Company responds appropriately and swiftly to complaints and consultations regarding the handling of personal information (including individual numbers and specific personal information as set forth in "9. Handling of specific personal information, etc.") and anonymized information. Address inquiries and consultations regarding the handling of personal information and anonymized information and regarding retained personal data, and questions regarding security measures, etc. to the following contact points.
Notify the following contact point if you do not wish to receive information on new products and services from the Company by direct mail, etc. Note that contacts regarding policy maturity, maintenance and management of insurance policies, payments of benefits and other similar matters cannot be suspended.

Inquiries and consultations regarding the handling of personal information and the retained personal data, and questions regarding security measures, etc.
Aioi Nissay Dowa Insurance Co., Ltd. Head Office
(We will guide you to the responsible department.)
Tel: 03-5424-0101
(open from 9:00 to 17:00 excluding Saturdays, Sundays, holidays and during the year-end and new-year period.)
If you do not wish to receive information on new products and services from the Company by direct mail, etc.
Note that notices related to insurance policy maintenance and management and payments of benefits, etc. cannot be suspended, and said notices may also include enclosures of information or information printed in excess space on notices.
Address consultations concerning the contract details to Aioi Nissay Dowa Insurance Customer Center
Tel: 0120-055-936 (toll free)
(open from 9:00 to 17:00 excluding Saturdays, Sundays, holidays and during the year-end and new-year period.)

The Company is subject to the General Insurance Association of Japan and Japan Consumer Credit Association as authorized personal information protection organizations. These associations receive complaints and consultations regarding the handling of personal information and anonymized information by the businesses they cover.

Address complaints and consultations concerning the handling of personal information to:

The General Insurance Association of Japan, Sonpo ADR Center Tokyo (General Insurance Counseling and ADR Center Tokyo)

General Insurance Association of Japan

Address: 2-105, 7F Waterasu Annex, Kanda Awajicho, Chiyoda-Ku, Tokyo 101-0063
Tel: 03-3255-1470
(open from 9:00 to 17:00 excluding Saturdays, Sundays, holidays and during the year-end and new-year period.)

Japan Consumer Credit Association Center for Personal Information Protection

Japan Consumer Credit Association

Address: 14-1, 6F Sumisei Nihonbashi Koami-cho Building, Koami-cho, Nihonbashi, Chuo-ku, Tokyo 103-0016
Tel: 03-5645-3360
(open from 10:00 to 12:00 and 13:00 to 16:00 excluding Saturdays, Sundays, holidays and during the year-end and new-year period.)