Handling of Personal Information

Except when exceptions are made by law，We will acquire personal information of customers only to the extent necessary for our business in a lawful and fair manner. We will acquire personal information, through such means as follows:

(Examples of how we will acquire personal information)

• Personal information will be acquired through documents completed and submitted by customers, such as applications for insurance policies and insurance claims forms, and through information entered by customers at our website, etc.　
• Personal information will be acquired in cases where a telephone conversation is transcribed or recorded in order to respond to inquiries received at stores or call centers, etc.
• Personal information we acquire will be retained for the period necessary for purposes of insurance policy management and the periods required or permitted by law.

We will use personal information in a lawful and fair manner only to the extent necessary to accomplish the purposes stated in (1)-(9) and 5.below（the same applies to the purposes of use of retained personal data). We will not use personal information for any other purposes except in cases provided for by law, unless required to do so under laws or ordinances.
Furthermore, we will define the purposes of use specifically so that customers understand them clearly. We will also endeavor to limit the purposes of use according to the specific setting where personal information is collected.
If we make any changes to the purpose of use, we will notify the customer of the changes, or make a public announcement of such changes on our official website or through other channels to the extent reasonably deemed relevant to the purpose of use before the change.

(1) Property and Casualty (P&C) insurance operations

• To examine whether to offer P&C insurance policies, and for underwriting, performance and management of insurance
• To investigate insured events related to insurance claims (including inquiries, etc., into related parties)
• To make decisions and perform procedures for insurance claims, etc.
• To explain or provide various types of incidental services
• To execute reinsurance policies, receive reinsurance claims, joint insurance claims and other payments, and provide personal information to the underwriting insurers for those purposes (including the provision of information from underwriting insurers, etc. to other such insurers).

(2) Life insurance agency operations

• To act as an agent or a broker for life insurance policies and provide services incidental thereto

(3) Lending operations

• To screen loan applications, and for the conclusion, execution and administration of loan agreements

(4) Sale of investment trusts and other financial instruments

• To execute and manage the trading of derivative financial instruments such as weather and earthquake derivatives
• To open accounts for investment trusts and other financial instruments, execute various transactions, and manage and report account balances
• To broker, intermediate and provide other services with respect to purchasing (distributions, etc.) and selling investment trusts and other financial instruments

(5) Defined-contribution pension operations

• To execute defined-contribution pension management and administration operations
• To provide consulting on defined-contribution pension plans

(6) Common to all operations

• To explain, and act as agent, broker, intermediate, and manage the products we offer (P&C insurance, life insurance, investment trusts, defined-benefit pensions, etc.) and provide various services
• To explain, provide and manage products, services and other offerings of Sompo Holdings Group companies, corporate alliance partners and others
• To explain events, campaigns and seminars, and provide information
• To perform questionnaires, market research, data analyses, and other related tasks, and conduct insurance/financial product and service R&D based on these tasks
• To verify the personal identity of a customer
• To respond to inquiries, opinions and suchlike
• To collect our receivables
• To provide personal information to business outsourcing partners and others, including insurance agencies, to the extent necessary to conduct our business
• To recruit employees, and establish, operate and maintain sales bases (agencies, etc.) for the above products and services
• To properly process personal information (data) under contract for other companies, for example, when such processing is entrusted to us in whole or in part

(7) Sustainability promotion initiatives

• To send sustainability reports and explanations of workshops, seminars and other events, and provide various types of other information

(8) Telephone service—recording of telephone calls

• To confirm factual information related to inquiries, and consultation and policy details, etc.
• To confirm contact information for accurately providing services such as sending explanations and materials
• To train employees and to conduct data analysis aimed at improving operational quality, including telephone-based customer service
  The foregoing recorded data will not be held, in principle, for more than 6 months from the time of recording, except for data recorded at the call centers for investment trusts.

(9) Others

• To perform other operations needed to properly and efficiently manage our business operations, and to conduct transactions with customers, along with tasks incidental to operations set forth in items (1) to (8) above.

(1) We will not provide personal data to any third parties without the consent of the customer, except for the circumstances mentioned below:

• When required to do so by law or ordinance.
• Outsourcing the handling of personal data to the extent necessary for achieving the purpose of its use.
• Sharing with Sompo Holdings Group Companies.
• Sharing with P&C insurance companies (including foreign P&C insurance companies and the Non-life Insurance Policy-holders Protection Corporation of Japan) and mutual aid associations and federations (hereinafter referred to as " P&C insurance companies, etc.").
• Sharing with the Ministry of Land, Infrastructure, Transport and Tourism.

(2) Except in cases where exceptions are made by law, when we have provided personal data to a third party, we record matters related to such provision (e.g., when, and to whom, the personal data were provided, and the type of data provided), and when we have acquired personal data from a third party (including cases where information relevant to an individual is acquired as personal data), we confirm and record matters related to such acquisition of data (e.g., when and from whom the personal data were acquired, the type of data acquired and how the third-party provider acquired the data).

Except in cases where exceptions are made by law, when a third party is expected to acquire information relevant to an individual as personal data (limited to information constituting that of a database containing information relevant to individuals; the same shall apply hereinafter), we will not provide such information without confirming that the third party has obtained consent from the person associated with such information to allow for the acquisition of such information.
Except in cases where exceptions are made by law, if we provide information relevant to an individual to a third party based on the confirmation in the preceding paragraph, we will confirm and record matters related to the provision of such information (such as when, to which party and what kind of information relevant to an individual is provided, and how the third party obtains consent of the such person).

We may outsource the handling of personal data to the extent necessary for achieving the purpose of its use. Whenever we outsource the handling of personal data, we will exercise the necessary and appropriate oversight of contractors, such as checking in advance their information management systems after setting criteria for their selection.
For instance, we outsource the handling of personal data in the following cases:

(Example of operations we outsource)

• Operations related to the sale of insurance policies
• Operations related to the development and operation of information systems
• Operations related to the preparation and sending of insurance certificates

(1) Information Exchange System, etc.

[1] General Insurance Association of Japan, non-life insurance companies etc.
We participate in a system whereby personal data is shared among P&C insurance companies and other entities in order to eliminate misconducts and frauds that could occur upon finalizing insurance policies or filing insurance claims.
For details, please refer to the website of the General Insurance Association of Japan.
General Insurance Association of Japan
https://www.sonpo.or.jp/en/

[2] General Insurance Rating Organization of Japan
We will share personal data with the General Insurance Rating Organization of Japan in order to appropriately pay insurance benefits for compulsory automobile liability insurance.
For details, please refer to the website of the General Insurance Rating Organization of Japan.
General Insurance Rating Organization of Japan
https://www.giroj.or.jp/english/

[3] Providing data to the Ministry of Land, Infrastructure, Transport and Tourism to prevent uninsured cars related to motorized bicycle and light motorcycles.
In order to check on scooters or small motorcycles without compulsory automobile liability insurance, the Ministry of Land, Infrastructure and Transport sends postcards to confirm if a policyholder owning a scooter or small motorcycles has compulsory automobile liability insurance in which the contract term is deemed to have expired. We provide to the Ministry personal data regarding compulsory automobile liability insurance for the above types of vehicles, and share such personal data with the Ministry at their discretion.
The types of personal data we share are as follows:

• Name and address of policyholder
• Certificate number and policy period
• Type of vehicle
• Frame number, identification number or vehicle number

For details, please refer to the website of the Ministry of Land, Infrastructure and Transport.
Ministry of Land, Infrastructure and Transport
https://www.mlit.go.jp/jidosha/anzen/04relief/index.html(Japanese only)

[4] Confirmation of personal data concerning insurance agencies, etc.
We share personal data of employees of P&C insurance agencies and other entities with other P&C insurance companies for the appropriate supervision of P&C insurance agencies and for recruitment of staff. We also use personal data including information about persons who have passed Non-Life Insurance Solicitors Examinations or other examinations undertaken by the General Insurance Association of Japan for commissioning as our insurance agents, or for other purposes.
For details, please refer to the website of the General Insurance Association of Japan >General Insurance Association of Japan
https://www.sonpo.or.jp/en/

(2) Sharing with Group Companies

[1] Sompo Holdings Group companies may share the following personal data to facilitate the management and common/overlapping operations of Group companies by Sompo Holdings:

A.Items of personal data:
Personal data of the shareholders of Sompo Holdings Group companies: information such as name, address, number of shares
Personal data held by Sompo Group companies:
Information regarding transactions with Sompo Group companies, such as name, address, telephone number, e-mail address, gender, date of birth, and other details of the contract and insured accidents stated on contract applications, etc.
Information obtained by Sompo Group companies, regardless of transactions, including name, address, telephone number, e-mail address, gender, date of birth, and details of inquiries, when customers make estimates on the website or contact the call center, whether in person, by telephone, online, e-mail, app, or provided to a third party

B.Scope of Group companies permitted to share personal data
Sompo Holdings and Group companies
For details on the scope of Group companies permitted to share personal information, please refer to the Sompo Holdings website.

C.Entity responsible for personal data management
Each Sompo Holdings Group company who handles the personal data

For our address and names of representatives, please refer to the links, as follows.
https://www.sompo-hd.com/en/company/summary/
For the addresses and representative names of each Sompo Holdings Group company, please refer to the website of the relevant company.

[2] Sompo Holdings Group companies may share personal data for the purpose of planning, developing, researching, and analyzing the products and services of the Sompo Holdings Group and for Group companies to explain and provide products, services and other offerings to customers and make related decisions to analyze data, and to improve the quality of its operations, as follows:

A.Items of personal data
Personal data retained by Sompo Holdings Group companies:
Information regarding transactions with Sompo Group companies, such as name, address, telephone number, e-mail address, gender, date of birth, inquiry details, usage details of apps and other services, location information, business card information (information that can be read from business cards, including company name, department name, title, etc.), and other contract details and insured accident details written on contract applications, etc.
Information obtained by Sompo Group companies, regardless of transactions, including name, address, telephone number, e-mail address, gender, date of birth, and details of inquiries, when customers make estimates on the website or contact the call center, whether in person, by telephone, online, e-mail, app, or provided to a third party

B.Scope of Group companies permitted to share personal data
Sompo Holdings and Group companies
For details on the scope of Group companies permitted to share personal information, please refer to the Sompo Holdings website.

C.Entity responsible for personal data management
Each Sompo Holdings Group company who handles the personal data

For our address and names of representatives, please refer to the links, as follows.
https://www.sompo-hd.com/en/company/summary/
For the addresses and representative names of each Sompo Holdings Group company, please refer to the website of the relevant company.

[3] Sompo Holdings Group companies may share personal data related to P&C insurance agency owners, their employees and trainees among Sompo Holdings and each domestic insurance company of Sompo Holdings Group for the purpose of supervising, managing, instructing and training the P&C insurance agencies(including trainees) and other entities and their employees, as follows:

A.Items of personal data
Items such as names, addresse, date of birth, registration applications and notification, and other information needed to manage P&C insurance agencies, etc. and their employees owned by each domestic insurance company of Sompo Holdings Group.

B.Scope of Group companies permitted to share personal data
Sompo Holdings and Group companies and domestic insurance companies of Sompo Holdings Group
For details on the scope of domestic insurance companies of Sompo Holdings Group permitted to share personal information, please refer to the Sompo Holdings website.

C.Entity responsible for personal data management
Each Sompo Holdings Group company who handles the personal data

For our address and names of representatives, please refer to the links, as follows.
https://www.sompo-japan.co.jp/english/company/profile/
For the addresses and representative names of each Sompo Holdings Group company, please refer to the website of the relevant company.

(3) Sharing information with affiliated companies established as joint ventures by Sompo Holdings and Sompo Holdings Group companies

[1] Sharing information with joint ventures established by Sompo Holdings, Inc. and DeNA Co., Ltd.
We may share personal data for the following companies to explain and provide products, services and other offerings to customers and make related decisions, as follows:

A.Items of personal data
Business information such as name, address, telephone number, e-mail address, sex, date of birth and any other details described in the application forms of the P&C insurance policies of the Company

B.Scope of companies permitted to share personal data
Sompo Japan Insurance Inc.,DeNA SOMPO Mobility Co.,Ltd,DeNA SOMPO Carlife Co.,Ltd

C.Entity responsible for personal data management
Sompo Japan Insurance Inc.

For our address and names of our representatives, please refer to the corporate overview, as follows.
https://www.sompo-japan.co.jp/english/company/profile/

[2] Sharing information with akippa Inc.
We may share personal data with the companies listed below for the purposes of informing customers regarding products, services and other offerings, providing the aforementioned, and enabling them to make related decisions, as follows:

A.Items of personal data
Business information such as name, address, telephone number, e-mail address, sex, date of birth and any other details described in the application forms of the P&C insurance policies of the Company, as well as information regarding insured events

B.Scope of companies permitted to share personal data
Sompo Japan Insurance Inc., akippa Inc.

C.Entity responsible for personal data management
Sompo Japan Insurance Inc.

For our address and names of our representatives, please refer to the corporate overview, as follows.
https://www.sompo-japan.co.jp/english/company/profile/

(4) Sharing with corporate alliance partners
The Company and its corporate alliance partners may share personal data for the purpose of explaining and providing customers with products and other offerings handled by the Company and its corporate alliance partners.
○Corporate alliance partner
At present, we do not have any corporate alliance partners with which we share personal data.

We will not acquire, use, or provide to a third party sensitive information such as race, creed, social status, medical history, criminal history, or criminal victimhood status, or personal information related to labor union membership, family lineage, legal domicile, health or medical treatment, or sex life, of customers (not including information disclosed by the individual concerned, a national agency, a local public body, an academic research organization, etc., or a party as stipulated in any of the subparagraphs to Article 57, Paragraph 1 of the Act on the Protection of Personal Information or in any of the paragraphs to Article 6 of the Enforcement Regulations thereof) (“sensitive information” hereinafter) except for the circumstances mentioned below:

• When sensitive information is obtained, used, or provided to a third party to the extent necessary to ensure proper operation of insurance business and with the consent of the customer;
• When the sensitive information is obtained, used, or provided to a third party to the extent necessary to pay insurance claims involving inheritance procedures;
• When sensitive information of employees, etc. concerning affiliation to, or membership of, political, religious, or other groups or labor unions, is obtained, used, or provided to a third party to the extent necessary to collect insurance premiums, etc.;
• When required to do so by law or ordinance;
• When required to do so to protect a person’s life, body, or property;
• When especially required to do so to improve public health or promote the sound development of children;
• When required to do so to cooperate with any central government institutions, local public organizations or parties commissioned by such organizations in performing operations required by law or ordinance;
• When required for the purpose of academic research (when sensitive information is obtained acquiring sensitive information as stipulated in subparagraph 6 of Article 20, Paragraph 2 of the Act on the Protection of Personal Information, when sensitive information is used as stipulated in subparagraph 6 of Article 18, Paragraph 3 of the Act on the Protection of Personal Information, or when sensitive information is provided to a third party as stipulated in subparagraph 7 of Article 27, Paragraph 1 of the Act on the Protection of Personal Information).

Personal information concerning debt repayment ability of individual borrowers provided by any credit information organization (which means any organization that collects information regarding the debt repayment ability of borrowers and provides such information to us; hereinafter, “Personal Credit Information Organizations”) will be used only for the purpose of our investigation of the ability of borrowers to meet their payments in accordance with Article 53-9 of the Ordinance for Enforcement of the Insurance Business Act.
Moreover, after obtaining the consent of borrowers, we will register personal information based on objective transaction evidence related to borrowers’ agreements with the Personal Credit Information Organizations with which we are affiliated. We, the Personal Credit Information Organizations we are affiliated with, and the affiliated members that have partnered with those Personal Credit Information Organizations will be provided with this personal information, which will be used only for the purpose of investigating the ability of borrowers to meet payments.

(1) Preparation of pseudonymously processed information
In the case where the Company creates pseudonymously processed information (individual information obtained by processing personal information so that the individual cannot be identified unless the information is cross-checked with other information by taking measures prescribed by law), it will take the following actions:

• Appropriate processing in accordance with the standards set forth in laws and regulations
• Take security measures to prevent leakage of the deleted information or information regarding the method of processing, in accordance with the standards set forth in laws and regulations.

(2) Purpose of use of pseudonymously processed information
In the event that the Company establishes or changes the purpose of use of the pseudonymously processed information, it shall specify the purpose of use after the change as much as possible, clarify that it is related to such processed Information, and make a public announcement.

(1) Preparation of anonymized information
We employ the following handling procedures when preparing anonymized information (i.e., personal information on individuals that has been processed, through means stipulated in laws and regulations, so that it is not possible to identify the individuals concerned or to restore such personal information):

• We process such information properly in accordance with standards stipulated in laws and regulations
• We implement security measures to prevent leakage of information concerning the information that has been deleted and methods of processing used, in accordance with standards stipulated in laws and regulations
• We disclose the items of information contained in such anonymized information
• We do not act in ways that would identify the individuals concerned by the personal information on which such anonymized information is based

(2) Providing of anonymized information
When providing anonymized information to third parties, Sompo Holdings discloses the items of information concerning individuals contained in such anonymized information to be provided and the methods of provision, and it clearly informs the third party of the fact that the information to be provided has been anonymized.

A customer may ask us to disclose, revise, delete, cease using, or disclose records of provision to third parties with respect to personal data in our possession concerning him or her.

Please direct requests for any notification, disclosure, revision, or suspension of use of retained personal data under the Act on the Protection of Personal Information to the contact point listed in the section on “Procedures for Disclosure.”
After confirming that you are the requesting party or the proxy thereof, we will ask that you complete our prescribed request form, and we will then process the request. In principle, we will reply at a later date enlisting the method requested by the person concerned among the methods specified by us. Replies to requests for disclosure are subject to fees designated by Sompo Japan Insurance.
If we find that information about the claimant is incorrect, we will correct the information based on the results of our investigation as required.

• *For details on procedures for disclosing and revising personal information, etc., please refer to the section on “Procedures for Disclosure.”

We may enter into reinsurance policies with reinsurance companies and other such entities abroad for the purpose of continuously ensuring that customers are provided with high-quality and secure insurance services in a consistent manner. In some cases, we may provide personal information to reinsurance companies and other such entities abroad in accordance with reinsurance policies.

When personal data is to be provided to “a person establishing a system conforming to standards prescribed by rules of the Personal Information Protection Commission” under Article 28, Paragraph 1 of the Act on the Protection of Personal Information in cases such as those where handling of personal data is to be outsourced to a third party overseas, we implement the following security measures and enter into agreements with recipients of personal information obliging them to implement measures constituting personal data security measures of the recipient (the “Appropriate Measures”) as required under the Act on the Protection of Personal Information.

(1) We check the following items in writing and through other such means on a routine basis once per year.

[1] Status of the Appropriate Measures implemented by third parties to which personal information has been transferred

[2] The presence or absence of systems that conceivably may affect implementation of the Appropriate Measures abroad at locations of third parties to which personal information has been transferred

(2) We seek rectification in the event that impediments to implementing the Appropriate Measures arise and accordingly discontinue provision of such personal data when we encounter difficulties in ensuring continuous implementation of the Appropriate Measures

(3) Our outsourcing agreements stipulate matters that include: the notion that personal data is to be handled within the limits of the outsourcing agreements; the notion that necessary and appropriate security control measures are to be implemented; the notion that employees are to be subject to necessary and appropriate supervision; prior consent is to be required for subcontracting, and; personal data may not be provided to third parties.

(4) Please contact our contact point with respect to inquiries regarding outsourcing of the handling of personal data to third parties abroad.

We will make efforts to prevent leaks, loss, or damage of personal data (including personal data that we have obtained or are planning to obtain and that is scheduled to be treated as personal data). We will also ensure adequate information security measures such as maintenance of policies regarding usage as well as that of systems in place for secure management procedures. At the same time, we will take proper measures to ensure that we have the accurate, current personal data needed to fulfill the purposes of use.
We have established in-house rules stipulating specific matters regarding personal data security measures, primarily consisting of the following.
Please contact our contact point with respect to inquiries regarding our personal data security measures.

(1) Establishment of Basic Policy
We ensure proper handling of personal data by formulating basic policy and revising such policy as necessary, such that encompasses: matters of compliance with relevant laws and regulations and guidelines, matters regarding security measures, and contact points for inquiries and dealing with grievances.

(2) Establishment of rules for handling security management of personal data
We establish rules for handling personal data and revise them as necessary with respect to matters that include approaches to handling such data, entities and persons in charge of handling such data and duties thereof, at each stage of the data-handling process including data acquisition, use, storage, provision, deletion, and disposal.

(3) Organization-wide security measures

• Appoint entities responsible for personal data management, etc.
• Establish security measures in work rules, etc.
• Implement operations in accordance with rules for handling security management of personal
• Establish means for confirming status of handling personal data
• Perform inspection regarding status of handling personal data, and establish and implement an audit framework
• Establish systems for addressing incidents of leakage and other such matters

(4) Personal security measures

• Conclude nondisclosure agreements on personal data, etc. with employees
• Articulate employee roles, responsibilities, etc.
• Fully familiarize employees with security measures, provide them with education and training on such matters
• Confirm status of compliance with personal data management procedures carried out by employees

(5) Physical security measures

• Perform management regarding domains of personal data handling, etc.
• Prevent theft and other such instances involving devices, electronic media, etc.
• Prevent leakage and other such instances that may occur when transporting electronic media, etc.
• Delete personal data and dispose of devices, electronic media, etc.

(6) Technical security measures

• Identify and authenticate uses of personal data
• Set administrative classifications of personal data and control access thereof
• Manage authorizations for access to personal data
• Implement measures to prevent leakage of personal data, damage to personal data, etc.
• Record and analyze access to personal data
• Record and analyze operational status of information systems for handling personal data
• Monitor and audit information systems for handling personal data

(7) Supervision of subcontractors
We select parties that appropriately handle personal data when outsourcing handling of personal data, and furthermore establish rules for handling outsourcing and review such rules on a routine basis in order to ensure that subcontractors implement security measures.

(8) Understanding the external environment
We implement security measures based on our understanding of systems for protecting personal information in countries where our personal data is handled.

In providing the products and services that we offer, such as P&C insurance, we need to ask our customers to provide personal information. In some cases, we may not be able to provide products or services if such information is not provided.

In addition, within the scope allowed by laws and regulations, if customer rescinds his or her consent to the handling of personal data we will suspend handling of the customer’s personal information, except as necessary for our business purposes such as insurance policy management. For details, please refer to the section on “Procedures for Disclosure.”

Personal information on EEA residents is handled in accordance with applicable European laws and regulations.

When transferring personal information on residents of the European Economic Area (EEA) from inside the EEA to outside the EEA, the Sompo Group employs strict information controls and thorough security measures. In some cases, data are transferred from us to third-party service providers, subcontractors, and partners in joint use of personal information, and then stored on servers in Japan or other countries outside the EEA. While such countries may be ones for which the European Commission has not determined that data security measures are adequate, personal data that we provide are managed appropriately under sufficient security management measures.

Chief Privacy Officer at our company is as follows.

Director or Officer in charge of Corporate Legal & Compliance Department
Sompo Japan Insurance Inc.

Please contact your insurance agency or a local sales office for questions and inquiries, etc., regarding the details of your insurance policy or an insured event.
Please contact the contact point below for questions, inquiries, and complaints, etc. regarding the handling of personal information and anonymously processed information.
If you are a resident of the European Economic Area, you can also file a complaint allegation on handling of personal data to the supervising body of the European Economic Area member.

If you do not wish to receive any information on our new products or services by direct mail, telephone, or in other ways, please contact our contact point as set forth below. Please note, however, that the cancellation does not apply to communications enclosed with maturity notices and material printed on the extra space on documents.

Sompo Japan Insurance Inc.
26-1, Nishi-Shinjuku 1-chome, Shinjuku-ku, Tokyo, Japan 160-8338
Telephone: 0120-238-381 (Customer Center)
Operating hours: Monday to Friday from 9:00 to 20:00; Saturdays, Sundays, national holidays from 9:00 to 17:00 (Closed from Dec. 31 to Jan. 3)
URL: https://www.sompo-japan.co.jp/english/

We are a member of the General Insurance Association of Japan, which is an authorized
Private Information Handling Entity. The association handles complaints and consultations
regarding the handling of personal information by member companies.

Contact information
The General Insurance Association of Japan, Non-life Insurance ADR Center Tokyo (Consultation of Non-life Insurance and Support Center Tokyo for Alternative Resolution of Non-life Insurance Dispute)
2-105, 7F Waterasu Annex, Kanda Awajicho, Chiyoda-Ku, Tokyo 101-0063
Telephone:03-3255-1470
(open from 9:00 to 17:00 excluding Saturdays, Sundays, holidays and during the year-end and
new-year period.)
URL: https://www.sonpo.or.jp/en/