Japan Direct Marketing Association

REGULATIONS

GUIDELINES FOR PERSONAL DATA PROTECTION IN THE DIRECT MARKETING BUSINESS


[1] Purpose

The following are the guidelines for the appropriate protection of personal data. These guidelines were drawn up for the purpose of encouraging and supporting the members of the Japan Direct Marketing Association (hereinafter referred to as member companies) to make their own compliance programmes for personal data protection.


[2] Definitions

Definitions of terms used here are as follows:
(1) Personal data: Information on an individual that can identify a particular individual including name, birth date, personal numbers (telephone numbers, bank account numbers, insurance numbers, etc.), signs, image and voice. Collateral information that can easily be checked with other information and can be used to identify a particular individual is also included. However, publicly released information on the board members of publicly registered organisations is excluded.
(2) Personal data manager: An employee of a JADMA member company who is entrusted by the representative of the company with the data administration including the purpose and method of collection, usage and offer of personal data.
(3) Receiver: A person who will receive the offer of personal data.
(4) Consent from the subject: The data subject gives consent to a third party in handling data on him/herself. The subject can give consent in writing or verbally. Also, in the direct marketing business, if the subject makes no objections, it will be regarded that the subject gave consent.


[3] Application of the Guidelines

These guidelines are applicable to all or partial personal data managed by auto-processing systems including computers and optical information processors. Manually managed data for the purpose of auto-processing input or output, etc. is also covered by these guidelines.


[4] Flexibility of the Guidelines

Member companies may add clauses or modify the guidelines when necessary, in making their compliance programmes for the purpose of personal data protection.


[5] Limitation of Data Collection

Collection of personal data should be done within the limits of the legitimate business of the member companies, and the purpose of the data collection should be clearly set so that the data collection will be appropriately controlled.


[6] Principle of Data Collection

Collection of personal data should be conducted in a fair manner and in accordance with all relevant laws and regulations.


[7] Prohibition from Collection of Delicate Personal Data

Personal data including the following kinds should not be collected, used or offered:
(1) Race
(2) Family lineage, detailed permanent domicile (information on domiciled prefecture is excluded)
(3) Religious belief (religion, thoughts, creed), political views and commitment to a trade union.
(4) Health record and sexual habits
However, if the individual concerned gives consent explicitly to the collection, usage and offer of his/her personal data including the above information, or if there are special provisions in ordinances, or if it is necessary for legal transactions, it may not be prohibited to collect, use or offer the above information.


[8] Direct Collection

Member companies should obtain consent from data subjects when they collect personal data directly by furnishing a written notice including the following information:
(1) name, title, division and contact of the personal data manager or his/her representative
(2) purpose of the data collection and usage
(3) purpose of the data transfer to a third party, if it is planned, and the nature and attributes of the third party
(4) options for personal data collection
(5) the right and mechanism to know, amend or delete data regarding the individual him/herself.
However, if it is clear that the individual concerned had already been furnished with the information contained in clauses (1) through (4) in article [8], or the data is open to the public by the individual, consent will not be necessary.


[9] Indirect Collection

When member companies collect personal data indirectly, they should obtain consent from the data subject by providing the written notice including the information contained in clauses (1), (2), (3) and (5) set out in article [8]. However, the following cases are exceptional:
(1) When the data provider already obtained informed consent from the subject for clause (3) of article [8].
(2) When the data collector made an agreement with the data provider to take responsibility for the protection of privacy, and not to offer the data to a third party.
(3) When the data is open to the public by the subject individual.
(4) When collection of personal data should be done within the limits of the legitimate business of the member companies, and it is clear that it will not violate the subject's best interests.


[10] Limit of Data Use

In principle, personal data should only be used for the purposes for which it was collected.


[11] Conditions for Data Use

It is allowed to use the collected personal data only when it is:
(1) consented to by the subject, or
(2) crucial for the preparation or fulfillment of an agreement with the subject, or
(3) crucial for the legal obligations of member companies, or
(4) crucial for the protection of the subject's best interests including life, health and properties, or
(5) crucial for the public interest or implementation of the lawful right of any third parties, to whom the data is disclosed, or
(6) crucial for the lawful interest of member companies and the third parties, for whom the data is disclosed, as far as it will not violate the best interests.


[12] Data Use for Other Purposes

If the marketer wishes to use the collected data for purposes other than those stated at collection, the marketer has to obtain prior consent from the data subject by furnishing written notice, including the following information:
(1) name, title, division and contact of the personal data manager or his/her representative
(2) purpose of the data collection and usage
(3) purpose of the data transfer to a third party, if it is planned, and the nature and attribute of the third party
(4) the right and mechanism to know, amend or delete the data regarding the individual him/herself.
At the same time, the marketer has to provide the individual subject with the opportunity of opting out.


[13] Limit of Data Offer

In principle, collected data should be offered within the limits of the purpose of the collection.


[14] Conditions for the Data Offer Within the Limits of the Collection Purpose

When member companies offer personal data to a third party within the limits of the collection purpose, they should obtain prior consent from the data subject by providing written notice including the information contained in clauses (1), (2), (3) and (5) set out in article [9]. At the same time, member companies should provide the data subject with the opportunity of opting out. However, the following cases are exceptional:
(1) When the data subject already gave informed consent to the offer of the data to the receiver in accordance with article [8] clause (3).
(2) When the data receiver made an agreement with the data provider to guarantee the equivalent responsibility with the data collector for the protection of privacy, and promised not to offer it to a third party.
(3) When it is explicit that the receiver will re-obtain consent from data subjects by furnishing written notice including the information set out in article [8].
(4) When the offer of personal data is made within the limits of the legitimate business of the member companies, and it is clear that it will not violate the subject's best interests.


[15] Conditions for the Data Offer Over the Limits of the Purpose of Collection

When member companies offer personal data to a third party over the limits of the purpose of collection, or that offer is not covered by any of clauses (1) through (4) of article [14], they should obtain prior consent from the data subject by providing written notice including the information contained in clauses (1), (2), (3) and (5) set out in article [9]. At the same time, member companies should provide the data subject with the opportunity of opting out unless it is clear that the data subject has already given informed consent to the data offer.


[16] Maintaining Data Accuracy

Member companies should maintain and update the collected data's accuracy within the limits of the purpose of collection.


[17] Maintaining Data Security

Member companies should take reasonable precautions to safeguard the security of the personal data files against risks such as undue access, deletion, falsification, and leakage.


[18] Responsibility of Employees to Deal in Personal Data

Employees in member companies should follow the directions and rules set by the personal data manager of the member companies in collecting, using and offering the personal data in order to protect the personal data to the full extent.


[19] Entrustment of Personal Data Processing

Member companies should exercise responsibility and care when they entrust data processing to a third party. Member companies are responsible for securing the implementation of directions by the personal data manager, protection of the personal data and prohibition of the re-offering of the data. The agreement should be kept for the agreed lifetime of the data.


[20] Rights of Data Subjects to Their Own Personal Data

When a data subject requests disclosure of his/her personal data, such request should be accepted and executed as promptly as possible. If a data subject requests correction or deletion of the data as a result of the disclosure, such a request should be executed as promptly as possible and, where possible, confirmed to the data subject.


[21] Opt-out

When data subjects refuse the use or offer to a third party of their own data which is in retention by a member company, the member company is not allowed to use or offer such personal data except insofar as it is crucial for the public interest or implementation of the lawful rights of any third parties.


[22] Appointment of the Personal Data Manager

A representative of a member company should appoint an employee with the capability of understanding and fulfilling these guidelines as a personal data manager.


[23] Responsibilities of the Personal Data Manager

The personal data manager should understand and comply with these guidelines. Also, the personal data manager is responsible for employee education in these guidelines as well as making company rules and compliance programmes concerning these guidelines.


[24] Online Notice of the Personal Data

Member companies are allowed to provide online notice instead of written notices set in articles [8], [9], [12] and [14] where they communicate with data subjects online and collect data on them online.




The above guidelines were drawn up by the Japan Direct Marketing Association on 10th March, 1998.