Daiwa Institute of Research Ltd. Privacy Policy

Established March 3, 2003
Revised April 1, 2024

Daiwa Institute of Research Ltd.
Atsushi Mochizuki
President

Daiwa Institute of Research Ltd. (hereinafter, “DIR”) has established the following privacy policy in accordance with the Act on the Protection of Personal Information, etc., and shall appropriately handle personal information and Individual Numbers (hereinafter, “Personal Information, etc.”) in accordance therewith.

1. DIR considers Personal Information, etc., to be important property belonging to individuals and recognizes that appropriate protection of the same is a serious responsibility, and accordingly DIR shall comply with the Act on the Protection of Personal Information, relevant laws and regulations, guidelines issued by the Personal Information Protection Commission and relevant ministries/agencies, DIR’s own rules and other norms.
2. DIR shall specify the purposes of use of Personal Information, etc., and shall not use Personal Information, etc., beyond the scope necessary to achieve the purposes of use of Personal Information, etc., except with prior consent from the individual(s) concerned or when permitted by law, regulation, etc.
3. DIR shall acquire Personal Information, etc., by appropriate and legal means only to the extent necessary to achieve the purposes of use.
4. DIR shall take necessary security control measures and properly manage Personal Information, etc., to ensure no leaks or losses thereof.
5. If DIR outsources the handling of Personal Information, etc., DIR shall supervise the contractor(s) as necessary and appropriate.
6. DIR shall review this privacy policy as necessary and continuously improve its personal information protection management system.
7. DIR shall endeavor to respond appropriately and promptly to all requests for disclosure, correction, deletion, suspension of use, etc., of personal data in its possession.
8. DIR shall endeavor to respond sincerely and promptly to questions, comments, complaints, etc., regarding the handling of Personal Information, etc.

Handling of Personal Information, etc.

Nobuhiko Ohkita
Chief Privacy Officer
Executive Managing Director

1. Purpose of Use of Personal Information, etc.

DIR shall use Personal Information, etc., within the scope necessary to achieve the following purposes of use (Individual Numbers shall be handled only within the extent stipulated by law/regulation):

1. To carry out financial/capital market research, policy analysis, recommendations, etc.
2. To introduce and provide consulting services pertaining to management, industry, financial strategy, systems, etc.
3. To carry out studies, consulting services, etc., commissioned by government agencies, international institutions, etc.
4. To introduce and provide solutions, services, etc. including system consulting and outsourcing services.
5. To carry out entrusted system development/operation
6. To introduce seminars, etc., held/sponsored by DIR and carry out administrative procedures therefor
7. To produce and ship DIR publications, etc., and to handle inquiries
8. To conduct customer satisfaction surveys and other questionnaire surveys
9. To manage contractual relationships with business partners
10. To carry out DIR recruiting activities and post-recruitment employment management
11. To fulfill other purposes for which the individual concerned has been notified in advance and has given consent

In addition, DIR shall obtain prior consent from the individual concerned when using Personal Information, etc., beyond the purposes of use specified at the time the Personal Information, etc., is acquired unless otherwise stipulated by law, regulation, etc.

2. Appropriate acquisition of Personal Information, etc.

DIR shall acquire Personal Information, etc., to the extent necessary for operations from the following sources:

1. Information directly entered by the individual concerned in questionnaires, etc., conducted
2. Information entered onscreen by the individual concerned when making online inquiries, etc.
3. Information contained in commercially available books and information published in newspapers or on the Internet
   
4. Information learned from customers in the course of providing products/services, responding to comments, complaints, etc.
   

DIR shall not acquire, use or provide sensitive information as defined in the guidelines of the Personal Information Protection Commission and relevant ministries/agencies (personal information requiring special care and information on membership in labor unions, family origin, registered domicile, medical treatment, etc.) unless permitted by law, regulation, etc.

3. Appropriate management of Personal Information, etc.

DIR shall endeavor to prevent leakage, loss, falsification, unauthorized access, etc., of Personal Information, etc., and shall take the following security control measures to properly manage personal data. Such security control measures include measures to prevent leakage, etc. of personal information that DIR has obtained or intends to obtain and which DIR plans to handle as personal data.

• (Formulation of basic policies)
  DIR shall formulate basic policies on compliance with relevant laws, regulations, guidelines, etc., contact points for questions and complaints, etc., to ensure the proper handling of personal data.
• (Maintenance of discipline in handling personal data)
  DIR shall formulate rules for handling personal data that cover handling methods, handling managers/personnel and their duties at each stage of handling (acquisition, use, storage, provision, deletion/disposal, etc.).
• (Organizational security control measures)
  DIR shall appoint managers to oversee the handling of personal data, identify the employees authorized to handle personal data and the scope of personal data they are to handle, and establish a system for reporting to managers actual or suspected violations of laws and handling regulations.
• (Personal security control measures)
  DIR shall provide employees with education and suitable supervision on the handling of personal data.
• (Physical security control measures)
  DIR shall control employee access to/from areas where personal data is handled, restrict the equipment employees can bring into these areas, and implement measures to prevent unauthorized persons from viewing personal data.
• (Technical security control measures)
  DIR shall introduce mechanisms to protect systems that handle personal data from unauthorized access or software from outside.
• (Assessment of overseas environments)
  When storing personal data in a foreign country, DIR shall implement security control measures after ascertaining the systems in place in that country for protecting personal information.

4. Consignment of Personal Information, etc.

DIR may outsource some or all of the handling of Personal Information, etc., to ensure that the operations required to achieve the purposes of use in the following cases are carried out smoothly (when outsourcing, DIR shall provide the contractor(s) with necessary and appropriate supervision, to include supervision of subcontractors):

1. When printing or shipping documents to be sent to customers
   
2. When operating or maintaining information systems
3. When providing legal, accounting or other professional advice, etc.

5. Disclosure or provision of Personal Information to third parties

DIR shall not disclose or provide Personal Information to third parties without prior consent from the individual concerned, except when in accordance with laws and regulations or when permitted by law, regulation, etc., such as when entrusting Personal Information to the extent necessary to achieve the purposes of use. DIR shall also not disclose or provide Individual Numbers to third parties except when permitted by law, regulation, etc.

6. Disclosure and provision of Personal Information to third parties in foreign countries

DIR shall not disclose or provide Personal Information, etc., to a third party in a foreign country without prior consent from the individual concerned, except when permitted by law, regulation, etc. In seeking consent from the individual concerned, DIR shall provide the name of the foreign country, information on systems for protecting Personal Information in that country and on measures for protecting Personal Information to be taken by the third party, and other useful information.

If the third party cannot be identified when seeking consent, DIR shall notify the individual concerned to that effect and provide a specific reason as well as other useful information. If the third party can be identified after consent has been granted, the individual concerned may request that DIR provide the name of the foreign country, information on systems for protecting Personal Information in that country and on measures for protecting Personal Information to be taken by the third party, and other useful information.

If DIR provides Personal Information, etc., to a party who has in place a system that conforms to the standards stipulated by the rules of the Personal Information Protection Commission, DIR shall take the steps necessary to ensure the continual implementation of measures equivalent to those that business operators handling Personal Information should take when handling Personal Information, etc. The customer may request that DIR provide information on these necessary measures.

7. Shared use of Personal Information

DIR may share customers’ Personal Information as described below:
*This does not include Personal Information, etc., received from outsourcers for outsourced operations.

1. Items of Personal Information to be shared
   Information about customers such as name, address, date of birth, telephone number, email address and other contact information, occupation and transaction needs as well as information on transactions with customers such as transaction details, deposit balances, etc.
2. Parties with whom Personal Information is to be shared
   The head office of DIR’s parent company Daiwa Securities Group Inc., and the parent company’s consolidated subsidiaries
3. Purposes of use by parties using shared Personal Information

   1. To comprehensively propose, introduce, research and develop the best and most suitable products or services that meet the needs of customers
   2. To provide various products and services
   3. To undertake corporate management and internal management for the Daiwa Securities Group
4. Person responsible for managing Personal Information
   Daiwa Institute of Research Ltd.

   Refer to Corporate Profile on DIR’s website for the head office address and the name of President.
5. Acquisition methods
   Information shall be acquired through service applications, transactions, etc.

8. Disclosure, correction, deletion, suspension of use, etc., of personal data in DIR’s possession

If DIR receives a request regarding personal data in DIR’s possession from the individual concerned or his/her agent asking for a notification of the purposes of use of this personal data or for disclosure, correction, addition or deletion, suspension/termination of use, or suspension of provision to third parties (hereinafter, “disclosure, etc.”) of this personal data and confirms that the request has indeed been submitted by or behalf of the individual concerned, then DIR shall respond within a reasonable period and within suitable bounds, except when such disclosure, etc., is not required by law, regulation, etc. The matters subject to disclosure shall include records of data provision to third parties. Prescribed fees may be charged in all of these instances.

9. Questions, comments, complaints, etc., pertaining to the handling of Personal Information, etc.

DIR shall endeavor to respond sincerely and promptly to questions, comments, complaints, etc., pertaining to the handling of Personal Information. Please contact the reception desk below with any questions regarding the handling of Personal Information.

Reception desk for questions, etc.

Privacy Office, Daiwa Institute of Research Ltd.

• Inquiries