Personal Information Management Regulations

Chapter 1 General Provisions

Article 1 (Purpose)
 These Regulations set forth the system and basic rules for handling personal information within Kowa Co., Ltd. (hereinafter referred to as "the Company") to prevent the loss, leakage, or falsification of information held by the Company and to fulfill our social responsibility for information management.

Article 2 (Definition of terms)
 The terms used herein shall be as follows:
(1)Personal Information
 Information that can identify a specific individual by describing the name, date of birth, etc. including one that can easily be collated with other information and thereby identify a specific individual.
 An individual identified by personal information held by the Company.
(3)Officersand employees
 This refers to our executives, regular employees, contract employees, part-time employees, and temporary employees.
 "Supervisor" means the superior of the department to which officersand employees belong.

Article 3 (Covered Information)
 The information covered by theseregulations is all personal information stored by the Company, regardless of whether electronic or printed data.

Article 4 (Scope of these regulations)
 These regulations shall apply to officers and employees of the Company. Staffs who do not belong to the Company, such as contractors, volunteers, and trainees, shall also be required to treat these regulations appropriately in accordance with the purpose of them. In addition, in the event the business of handling personal information is outsourced to an outside party, the Company shall exercise necessary and appropriate supervision and ensure the appropriate protection of personal information in accordance with theseregulations.

Article 5 (Purpose of Use of Information)
 Purpose of use of personal information is as follows.
・To provide services to customers and fulfill contracts with them
・To engage in personnel management, labor management, salary, and social insurance of employees
・To provide benefits services to employees
・To enable our employees to use services of business partners of the Company
・For hiring applicants

Chapter 2 Personal Information Management System

Article 6 (Personal Information Manager)
 The Personal Information Manager shall be the president of the Company.
2 Personal Information Manager shall be responsible for the promotion of measures related to the management of personal information.
3 The Personal Information Manager shall have the authority to make decisions on matters necessary to fulfill the above responsibilities.

Article 7 (Personal Information Management Departments)
 Compliance Office of the Company shall be in charge of the management of formulating, changing, and educating regulations.
2 The manager of each department and the head of each branch shall be thesupervisor of the information, and the supervisor shall be responsible for the promotion of measures concerning personal information in each area in accordance with these Regulations.

Chapter 3 Outline of Safety Measures Pertaining to the Management of Personal Information

Article 8 (Basic Policy on the Protection of Personal Information)
 The Company formulate and publicize our basic policy.

Article 9 (Handling of Personal Information of Employees)
 Officers and employees shall comply with the Working Regulations and these Regulations. Even after retirement, personal information obtained during employment shall not be leaked.

Article 10 (Collection of Personal Information)
 Thoroughly inform employees of the purpose of use of personal information.
2 Personal information shall be collected to the minimum necessary to achieve the Purpose of Use. In addition, they shall not be collected by illegal means.
3 In the event of a change in the Purpose of Use of the collected personal information, the applicable articles of theseregulations shall be updated.
4 Notwithstanding the preceding paragraph, in the event personal information is directly acquired from theindividual, such as the results of the entry of a contract or other document or website, the purpose of use shall be clearly indicated to the individual.

Article 11 (Storage of Personal Information)
  The Companyshall implement necessary and reasonable safety management measures for personal information, such as storage lock control, access control.
2 Officers and employees shall not take personal information out of the Company or provide it to a third party without the approval of supervisor.
3 When disclosing or providing personal information to a business partner, outsourcee, etc., the approval of the supervisor must be obtained in advance. Confidentiality agreements will be exchanged when necessary.

Article 12 (Use of Personal Information)
 Personal information shall be used within the scope of the purpose of use disclosed in advance and shall not be used beyond such scope. However, excluding cases based on the provisions of laws and regulations.
2 In the event the handling of personal information is outsourced for the purpose of data entry etc., the Company will confirm whether the outsourcing contractor handles personal information appropriately. In addition, the contract shall include clauses such as prohibition of use for purposes other than the execution of commissioned work, return or destruction of information after the end of work, compensation for damages in the event of breach of confidentiality, etc.
When outsourcing work continues for a long period, the Company will confirm the handling of personal information by the outsourcing contractor, and provide guidance and review the contract as necessary.

Article 13 (Destruction of Personal Information)
Personal information that has exceeded the retention period and personal information that has become unnecessary after achieving the original purposeshall be promptly discarded. If there is a business need to retain it for a longer period, approval of the supervisor shall be needed.
2 Personal information shall be destroyed by shredder processing for printing data and data deletion for electronic data in order to avoid external leakage. In addition, when the disposal is outsourced to an outside contractor, it shall be confirmed that the outside contractor has completely disposed of the waste.

Article 14 (Provision to a Third Party)
 When it is necessary to provide personal information to a third party, obtain the consent of the individual, report to the supervisor in advance, and take the necessary measures according to the instructions.

Article 15 (Response to Inquiries from the individual, etc.)
 Establish a contact point for receiving complaints and inquiries regarding personal information from the individual, such as inquiries from the person, disclosure of information, and requests for correction, suspension of use, etc.
2 The person in charge of the contact point explained in the preceding paragraph shall promptly take the necessary measures in accordance with the procedures for response.

Article 16 (Education)
 Provide education on personal information management to officers and employees at the time of employment and once a year thereafter. Supervisors shall provide on-site education on the management of personal information at the site as appropriate.
 Supervisors shall also instruct and supervise volunteers and trainees to warn them of the need to manage personal information and to handle it appropriately.

Article 17 (Response to Consultations and Complaints)
 In addition to responding to inquiries from the individualexplained in Article 15, establish a contact point for consultation and complaints regarding the handling of general personal information, and shall make effort to respond appropriately and promptly.

Article 18 (Response to Accidents)
 In the event of an accident involving personal information, such as a leak of personal information, the supervisor shall promptly take measures to prevent secondary damage and, while taking into account the protection of personal information, shall make public the facts as much as possible and report to the Compliance Office.

Article 19 (Audit)
 The Compliance Office shall conduct internal audits of the appropriateness of the management of personal information within the Company as appropriate.
2 If any improvement is deemed necessary as a result of the audit, report it to the president.
3 Based on the audit results, the supervisor shall promptly implement improvement measures and report the results to the Compliance Office.

Chapter 4 (Miscellaneous Provisions)

Article 20 (Violation of this provision)
 In the event that a violation of these Regulations has become evident, the Company shall impose punishment on the officers and employees who have committed the violation in accordance with the provisions of the Working Regulations.

Article 21(Regulations)
 The Compliance Office shall, where necessary, establish detailed regulations for the handling of these Regulations.

Article 22 (Enforcement)
 These regulations shall be effective as of September 1, 2020.

Revision history
November 16, 2022
Clarification of the purpose of use (in collaboration with Banco do Brasil)

Basic Policy on the Protection of Personal Information

1. Basic Policy

We, Kowa Co.,Ltd., recognize the importance of personal information and believe that it is our social responsibility to protect personal information.We will comply with laws, regulations, and internal regulations concerning personal information, and properly acquire, use, and manage personal information we handle.

2. Control of personal information

We will thoroughly implement the following measures with regard to the management of information provided.
 1). We will strive to ensure that the information provided to us is accurate and up-to-date at all times.
 2). We stipulate strict handling methods for the management of personal information and thoroughly handle it based on them.

3. Supply to third party or not

We will use the provided personal information only within the company andpartnercompanies, and will not provide it to any third party without the consent of the provider.

Detailed Regulations on the Protection of Personal Information

These detailed regulations stipulate the specific handling of personal information in accordance with the Personal Information Management Regulations.
1.Documents, storage locations, and handling personnel related to personal information of the Company are explained separately.
2.Documents related to personal information shall be basically stored in a locked storage place.
The items to be stored in the safe shall be explained separately.
3.In case a person other than the staff in charge of handling the information needs to access to the information, it is necessary to obtain the consent of the staff in charge.
4.Information shall be handled so as not to be seen by third parties other than staffs of the Company. The location of such items shall also be considered.
5.Personal information has to be disposed based on the document storage regulations.
Items not defined in the storage regulations shall be disposed of promptly after the purpose thereof has been achieved. Disposal shall be done after shredding.
6.The scope of the exchange of information related to personal information within the Company shall be within the scope necessary for business operations.
7.Regarding inquiries from the outside about staff, residents, users, etc., basically do not answer unless it has been approved in advance. In the event of an emergency, the supervisor will makea decision on a case-by-case basis.