Basic Regulations for Personal Information Protection
Chapter 1: General provisions
These regulations outline basic provisions for protecting the rights and interests of individuals by ensuring that the personal information and personal data (hereinafter, Information) retained by the Yokohama International Performing Arts Meeting Secretariat (hereinafter, TPAM) is handled in accordance with the Personal Information Protection Act, the EU General Data Protection Regulation (GDPR), and other relevant laws and regulations.
Furthermore, these regulations assume application of Japan’s Personal Information Protection Act while also aiming to define provisions for standard contracts for personal data protection as required by the EU Commission.
The terms used in these regulations are defined as follows.
- I. Personal information
Information related to an individual that can be used to identify a specific person by referencing the name, date of birth, or other descriptions contained in said information, including information that can easily be cross-referenced with other information to identify an individual.
Furthermore, this includes codes converted to provide for the electronic computation of physical characteristics (facial recognition data, fingerprint recognition data) and codes that differ for each person that are used for government services, product purchases, or on documents (passport number, driver’s license number, individual number).
- II. Sensitive personal information
Personal information designated by government ordinance as requiring particularly special handling because it could be used for discrimination based on race, religious beliefs, social status, medical history, criminal history, or history as a victim of a crime, or could otherwise result in unjust disadvantage or discrimination.
- III. Anonymous information
Personal information that has been processed to prevent the identification of a specific individual and that cannot be restored to original personal information.
- IV. Personal information database
A collection of information containing personal information identified as follows.
a. A structured system that enables the use of computation to search for specific personal information.
b. Systems described in (a.) above that organize personal information in accordance with specific standards to enable easy searches of specific personal information that also contain a table of contents, index, and other characteristics that enable easy searches.
- V. Personal data
Personal data applicable to GDPR protections and personal information in personal information databases described under the Personal Information Protection Act.
- VI. Stored personal data
Personal data for which TPAM has the authority to disclose, edit, add or delete, suspend use, erase, or suspend provision to a third party.
- VII. Individual
A specific person identifiable by personal information or personal data.
TPAM works to ensure appropriate handling based on the understanding that personal information and personal data must be handled carefully under the principles of the respect for individual human rights.
(Scope of Application)
These regulations outline the handling of all personal information, personal data, and stored personal data (hereinafter, Personal Information) processed by TPAM, regardless of whether processed by a computer or indicated in writing, and shall apply to all executives and employees involved in TPAM operations (including full-time employees as well as short-term employees, part-time employees, contract employees, etc.).
Chapter 2: Handling of personal information
Section 1: About the handling of personal information
(Indication of purpose of use)
1. TPAM shall indicate the purpose of use as explicitly as possible when handling personal information or personal data.
2. When TPAM revises the purpose of use, the revision shall not exceed a scope deemed practical for maintaining correlation to the purpose of use prior to said revision.
(Limits on purpose of use)
1. TPAM shall not handle personal information beyond the scope required to achieve the purpose of use without receiving prior consent from the individual.
2. In cases where TPAM acquires Personal Information as the result of the transfer of business from a business operator that handles Personal Information, TPAM shall not handle personal information beyond the scope required to achieve the purpose of use indicated prior to business transfer without receiving prior consent from the individual.
TPAM shall not acquire Personal Information through fraud or other inappropriate means.
(Notification of purpose of use upon acquisition)
1. TPAM shall notify the individual directly or publish the purpose of use immediately upon acquisition of Personal Information, excluding cases where the purpose of use has already been published or cases where the purpose of use is clear based on the conditions at time of acquisition.
2. Notwithstanding the provisions of the previous paragraph, TPAM shall indicate the purpose of use and receive consent when gathering an individual’s Personal Information as a result of having exchanged an agreement or other document (including electronic documents, magnetic documents, and other records created using methods that are not recognizable to others via human senses) with the individual in question, or when acquiring the Personal Information of an individual indicated on documents received directly from the individual.
3. If TPAM revises the purpose of use, we shall notify the individual directly or publish the purpose of use.
(Duty of confirmation and records management related to third party provision)
When receiving the provision of personal data from a third party, TPAM shall confirm the name of the provider and confirm the background related to the acquisition of personal data, create a record of said details, and require that said record be stored for a specified period of time. When providing personal data to a third party, TPAM shall create a record of the date of provision and name of the party to which data was provided, and store said record for a specified period of time.
Section 2: About the registration, storage, and disposal of personal information
(Ensuring accuracy of data content)
TPAM works to ensure that acquired personal information is accurate and up to date within the scope necessary to achieve the purpose of use.
(Security management measures)
TPAM implements necessary and appropriate measures to ensure security management for personal data, including measures to prevent leaks, loss, or damage to handled personal data.
(Creation of document management regulations)
TPAM shall draft separate regulations concerning document registration, storage, and disposal that are in line with the intent of Article 2 and outline necessary provisions. Furthermore, TPAM shall implement measures in line with said regulations.
Section 3: Supervision of operators and subcontractors
(Employee guidance and supervision)
1. TPAM shall draft separate regulations to ensure the implementation of matters related to the provisions of Section 1 and Section 2, and shall ensure that all employees comply with said regulations.
2. TPAM shall conduct appropriate supervision of employees handling Personal Information.
1. When TPAM will outsource all or a portion of the handling of personal data, TPAM shall evaluate the appropriateness of said subcontracting based on consideration of the status of personal information protection measures implemented at said third party. Furthermore, provision shall be preceded by the conclusion of a confidentiality agreement with said third party and TPAM must conduct appropriate supervision of said subcontractor.
2. The aforementioned evaluation of appropriateness shall be made based on standards outlined in TPAM employment regulations.
Section 4: Response to requests for disclosure, etc. from the individual
(Responding to requests from the individual)
TPAM shall respond immediately to requests for the disclosure of retained personal data with the understanding that said disclosure is within the rights of the individual related to the Personal Information.
(Establishment of regulations)
TPAM shall draft separate regulations to ensure the appropriate implementation of the duties outlined in the preceding paragraph, and implement measures in line with said regulations.
Section 5: Response to claims against TPAM
(Handling claims against TPAM)
1. TPAM shall appropriately and quickly handle claims related to the handling of Personal Information.
2. TPAM shall establish a claim processing desk and establish a necessary structure to achieve the goals outlined in the preceding paragraph.
Chapter 3: Personal information protection structure
(Personal Information Protection Officer)
1. TPAM shall designate a Personal Information Protection Officer.
2. The Personal Information Protection Officer shall organize internal regulations and security measures as well as promote education and training concerning Personal Information protection. Furthermore, the Personal Information Protection Officer is responsible for reinforcing awareness related to the protection of Personal Information.
3. The Personal Information Protection Officer shall comply with the provisions outlined in these regulations and ensure that all executives and employees understand and comply with regulations concerning Personal Information gathering, use, provision, and contracted handling.
The Personal Information Protection Officer shall ensure that all executives and employees involved in TPAM operations understand the importance of protecting the rights of individuals as it relates to Personal Information. To ensure the appropriate implementation of personal information protection measures, the Personal Information Protection Officer shall designate education staff to conduct continuous and regular education and training.
1. The Personal Information Protection Officer shall designate an audit supervisor and conduct annual audits of the status of Personal Information management within TPAM.
2. The designation of audit supervisors must ensure independence from the department being audited.
3. The audit supervisor must create and implement an audit plan.
4. Audit supervisors must create an audit report and report audit results to the Personal Information Protection Officer.
5. If, based on the abovementioned audit report, the Personal Information Protection Officer deems improvements to Personal Information management necessary, the Personal Information Protection Officer must provide necessary instruction to relevant executives or employees regarding improvements.
6. Persons who receive the aforementioned instructions must implement necessary improvement measures and issue a report on said details to the Personal Information Protection Officer.
Created November 15, 2018
Operator: Yokohama International Performing Arts Meeting Secretariat