Handling of Personal Information

We will acquire personal information of customers only to the extent necessary for our business in a lawful and fair manner. We will acquire personal information, through such means as follows:

(Examples of how we will acquire personal information)

• Personal information will be acquired through documents completed and submitted by customers, such as applications for insurance policies and insurance claims forms, and through information entered by customers at our website, etc.　
• Personal information will be acquired in cases where a telephone conversation is transcribed or recorded in order to respond to inquiries received at stores or call centers, etc.
• Personal information we acquire will be retained for the period necessary for purposes of insurance policy management and the periods required or permitted by law.

We will use personal information in a lawful and fair manner only to the extent necessary to accomplish the purposes stated in (1)-(9) and 5. below. We will not use personal information for any other purposes, unless required to do so under laws or ordinances.
Furthermore, we will define the purposes of use specifically so that customers understand them clearly. We will also endeavor to limit the purposes of use according to the specific setting where personal information is collected.
If we make any changes to the purpose of use, we will notify the customer of the changes, or make a public announcement of such changes on our official website or through other channels to the extent reasonably deemed relevant to the purpose of use before the change.

• (1)Property and Casualty (P&C) insurance operations
  
  • To examine whether to offer P&C insurance policies, and for underwriting, performance and management of insurance
  • To investigate insured events related to insurance claims (including inquiries, etc., into related parties)
  • To make decisions and perform procedures for insurance claims, etc.
  • To explain or provide various types of incidental services
  • To execute reinsurance policies, receive reinsurance claims, joint insurance claims and other payments, and provide personal information to the underwriting insurers for those purposes (including the provision of information from underwriting insurers, etc. to other such insurers).
• (2)Life insurance agency operations
  
  • To act as an agent or a broker for life insurance policies and provide services incidental thereto
• (3)Lending operations
  
  • To screen loan applications, and for the conclusion, execution and administration of loan agreements
• (4)Sale of investment trusts and other financial instruments
  
  • To execute and manage the trading of derivative financial instruments such as weather and earthquake derivatives
  • To open accounts for investment trusts and other financial instruments, execute various transactions, and manage and report account balances
  • To broker, intermediate and provide other services with respect to purchasing (distributions, etc.) and selling investment trusts and other financial instruments
• (5)Defined-contribution pension operations
  
  • To execute defined-contribution pension management and administration operations
  • To provide consulting on defined-contribution pension plans
• (6)Common to all operations
  
  • To explain, and act as agent, broker, intermediate, and manage the products we offer (P&C insurance, life insurance, investment trusts, defined-benefit pensions, etc.) and provide various services
  • To explain, provide and manage products, services and other offerings of Sompo Holdings Group companies, corporate alliance partners and others
  • To explain events, campaigns and seminars, and provide information
  • To perform questionnaires, market research, data analyses, and other related tasks, and conduct insurance/financial product and service R&D based on these tasks
  • To verify the personal identity of a customer
  • To respond to inquiries, opinions and suchlike
  • To collect our receivables
  • To provide personal information to business outsourcing partners and others, including insurance agencies, to the extent necessary to conduct our business
  • To recruit employees, and establish, operate and maintain sales bases (agencies, etc.)
  • To properly process personal information (data) under contract for other companies, for example, when such processing is entrusted to us in whole or in part
• (7)Sustainability promotion initiatives
  
  • To send sustainability reports and explanations of workshops, seminars and other events, and provide various types of other information
• (8)Telephone service—recording of telephone calls
  
  • To confirm factual information related to inquiries, and consultation and policy details, etc.
  • To confirm contact information for accurately providing services such as sending explanations and materials
  • To train employees and to conduct data analysis aimed at improving operational quality, including telephone-based customer service
    The foregoing recorded data will not be held, in principle, for more than 6 months from the time of recording, except for data recorded at the call centers for investment trusts.
• (9)Others
  
  • To perform other operations needed to properly and efficiently manage our business operations, and to conduct transactions with customers, along with tasks incidental to operations set forth in items (1) to (8) above.

• (1)We will not provide personal data to any third parties without the consent of the customer, except for the circumstances mentioned below:
  
  • When required to do so by law or ordinance.
  • Outsourcing the handling of personal data to the extent necessary for achieving the purpose of its use.
  • Sharing with Sompo Holdings Group Companies.
  • Sharing with non-life insurance companies etc.
  • Sharing with the Ministry of Land, Infrastructure, Transport and Tourism.
• (2)Except as provided for under laws and regulations, when we have provided personal data to a third party, we record matters related to such provision (e.g., when, and to whom, the personal data were provided, and the type of data provided), and when we have acquired personal data from a third party (including cases where information relevant to an individual is acquired as personal data), we confirm and record matters related to such acquisition of data (e.g., when and from whom the personal data were acquired, the type of data acquired and how the third-party provider acquired the data).

Except as provided for under laws and regulations, when a third party is expected to acquire information relevant to an individual as personal data (limited to information constituting that of a database containing information relevant to individuals; the same shall apply hereinafter), we will not provide such information without confirming that the third party has obtained consent from the person associated with such information to allow for the acquisition of such information.
Except as provided for under laws and regulations, if we provide information relevant to an individual to a third party based on the confirmation in the preceding paragraph, we will confirm and record matters related to the provision of such information (such as when, to which party and what kind of information relevant to an individual is provided, and how the third party obtains consent of the such person).

We may outsource the handling of personal data to the extent necessary for achieving the purpose of its use. Whenever we outsource the handling of personal data, we will exercise the necessary and appropriate oversight of contractors, such as checking in advance their information management systems after setting criteria for their selection.
For instance, we outsource the handling of personal data in the following cases:

(Example of operations we outsource)

• Operations related to the sale of insurance policies
• Operations related to the development and operation of information systems
• Operations related to the preparation and sending of insurance certificates

• (1)Information Exchange System, etc.
  
  • [1]General Insurance Association of Japan, non-life insurance companies etc.
    We participate in a system whereby personal data is shared among P&C insurance companies and other entities in order to eliminate misconducts and frauds that could occur upon finalizing insurance policies or filing insurance claims.
    For details, please refer to the website of the General Insurance Association of Japan.
    
    • General Insurance Association of Japan
      https://www.sonpo.or.jp/en/
  • [2]General Insurance Rating Organization of Japan
    We will share personal data with the General Insurance Rating Organization of Japan in order to appropriately pay insurance benefits for compulsory automobile liability insurance.
    For details, please refer to the website of the General Insurance Rating Organization of Japan.
    
    • General Insurance Rating Organization of Japan
      https://www.giroj.or.jp/english/
  • [3]Providing data to the Ministry of Land, Infrastructure, Transport and Tourism to prevent uninsured cars related to motorized bicycle and light motorcycles.
    In order to check on scooters or small motorcycles without compulsory automobile liability insurance, the Ministry of Land, Infrastructure and Transport sends postcards to confirm if a policyholder owning a scooter or small motorcycles has compulsory automobile liability insurance in which the contract term is deemed to have expired. We provide to the Ministry personal data regarding compulsory automobile liability insurance for the above types of vehicles, and share such personal data with the Ministry at their discretion.
    The types of personal data we share are as follows:
    
    • Name and address of policyholder
    • Certificate number and policy period
    • Type of vehicle
    • Frame number, identification number or vehicle number
    For details, please refer to the website of the Ministry of Land, Infrastructure and Transport.
    
    • Ministry of Land, Infrastructure and Transport
      https://www.mlit.go.jp/jidosha/anzen/04relief/index.html(Japanese only)
  • [4]Confirmation of personal data concerning insurance agencies, etc.
    We share personal data of employees of P&C insurance agencies and other entities with other P&C insurance companies for the appropriate supervision of P&C insurance agencies and for recruitment of staff. We also use personal data including information about persons who have passed Non-Life Insurance Solicitors Examinations or other examinations undertaken by the General Insurance Association of Japan for commissioning as our insurance agents, or for other purposes.
    For details, please refer to the website of the General Insurance Association of Japan
    
    • General Insurance Association of Japan
      https://www.sonpo.or.jp/en/
• (2)Sharing with Group Companies
  
  • [1]Group companies may share the following personal data to facilitate the management of Group companies by Sompo Holdings:
    
    • A.Items of personal data:
      Personal data of the shareholders of Sompo Holdings Group companies: information such as name, address, number of shares
    • B.Scope of Group companies permitted to share personal data
      Sompo Holdings and Group companies
      For details on the scope of Group companies permitted to share personal information, please refer to the Sompo Holdings website.
    • C.Entity responsible for personal data management
      Sompo Holdings, Inc.
      
      • For our address and names of representatives, please refer to the links, as follows.
        https://www.sompo-hd.com/en/company/summary/
  • [2]Group companies may share personal data for the purpose of managing the business of the Sompo Holdings Group and for Group companies to explain and provide products, services and other offerings to customers and make related decisions, as follows:
    
    • A.Items of personal data
      Personal data retained by Sompo Holdings Group companies:
      Business information such as name, address, telephone number, e-mail address, sex, date of birth and any other details described in the application forms of the P&C insurance policies of the Company, as well as information regarding insured events
    • B.Scope of Group companies permitted to share personal data
      Sompo Holdings and Group companies
      For details on the scope of Group companies permitted to share personal data, please refer to the Sompo Holdings website.
    • C.Entity responsible for personal data management
      Sompo Holdings, Inc.
      • For our address and names of representatives, please refer to the links, as follows.
        https://www.sompo-hd.com/en/company/summary/
  • [3]Group companies may share personal data for the purpose of managing the business of the Sompo Holdings Group and for Group companies to explain and provide products, services and other offerings to customers and make related decisions, to analyze data, and to provide various services that will contribute to increasing the value added provided to customers, as follows:
    
    • A.Items of personal data
      Personal data retained by us and Sompo Holdings Group companies:
      • Items such as names, addresses, telephone numbers, email addresses, sex, dates of birth, content of inquiries, content of apps and other services used, location information, business-card information (information read from business cards, including company name, section name, and title), and other information provided to Sompo Holdings Group companies other than transaction-related information, as well as information obtained by Sompo Holdings Group companies through other means such as in person, by telephone, by Web, by email, by apps, and provision by third parties
      • Information provided by customers to Sompo Holdings Group companies unrelated to transactions, such as names, addresses, telephone numbers, email addresses, sex, dates of birth, and content of inquiries provided through means such as website estimates or inquiries to call centers
    • B.Scope of Group companies permitted to share personal data
      Sompo Holdings and Group companies
      For details on the scope of Group companies, please refer to the Sompo Holdings website.
    • C.Entity responsible for personal data management
      Sompo Holdings Inc.
      • For our address and names of representatives, please refer to the links, as follows.
        https://www.sompo-hd.com/en/company/summary/
  • [4]We may share personal data related to P&C insurance agencies and their employees among Sompo Holdings and Sompo Holdings Group companies for the purpose of supervising, managing, instructing and training the P&C insurance agencies and other entities and their employees, as follows:
    
    • A.Items of personal data
      Items such as names, addresses, dates of birth, registration applications and notifications of P&C insurance agencies and other entities and their employees, and other information needed to manage P&C insurance agencies and their employees.
    • B.Scope of Group companies permitted to share personal data
      Sompo Holdings and Group companies
      For details on the scope of Group companies permitted to share personal information, please refer to the Sompo Holdings website.
    • C.Entity responsible for personal data management
      Sompo Holdings Inc.
      • For our address and names of our representatives, please refer to the corporate overview, as follows.
        https://www.sompo-japan.co.jp/english/company/profile/
  • (3)Sharing information with affiliated companies established as joint ventures by Sompo Holdings and Sompo Holdings Group companies
    
    • [1] Sharing information with joint ventures established by Sompo Holdings, Inc. and DeNA Co., Ltd.
      We may share personal data for the following companies to explain and provide products, services and other offerings to customers and make related decisions, as follows:
      • A.Items of personal data
        Business information such as name, address, telephone number, e-mail address, sex, date of birth and any other details described in the application forms of the P&C insurance policies of the Company
      • B.Scope of companies permitted to share personal data
        Sompo Japan Insurance Inc.,DeNA SOMPO Mobility Co.,Ltd,DeNA SOMPO Carlife Co.,Ltd
      • C.Entity responsible for personal data management
        Sompo Japan Insurance Inc.
        • For our address and names of our representatives, please refer to the corporate overview, as follows.
          https://www.sompo-japan.co.jp/english/company/profile/
    • [2] Sharing information with akippa Inc.
      We may share personal data with the companies listed below for the purposes of informing customers regarding products, services and other offerings, providing the aforementioned, and enabling them to make related decisions, as follows:
      
      • A.Items of personal data
        Business information such as name, address, telephone number, e-mail address, sex, date of birth and any other details described in the application forms of the P&C insurance policies of the Company, as well as information regarding insured events
      • B.Scope of companies permitted to share personal data
        Sompo Japan Insurance Inc., akippa Inc.
      • C.Entity responsible for personal data management
        Sompo Japan Insurance Inc.
        • For our address and names of our representatives, please refer to the corporate overview, as follows.
          https://www.sompo-japan.co.jp/english/company/profile/
  • (4)Sharing with corporate alliance partners
    The Company and its corporate alliance partners may share personal data for the purpose of explaining and providing customers with products and other offerings handled by the Company and its corporate alliance partners.
    ○Corporate alliance partner
    The Dai-ichi Life Insurance Company, Limited

We will not acquire, use, or provide to a third party sensitive information such as race, creed, social status, medical history, criminal history, or criminal victimhood status, or personal information related to labor union membership, family lineage, legal domicile, health or medical treatment, or sex life, of customers (not including information disclosed by the individual concerned, a national agency, a local public body, an academic research organization, etc., or a party as stipulated in any of the subparagraphs to Article 57, Paragraph 1 of the Act on the Protection of Personal Information or in any of the paragraphs to Article 6 of the Enforcement Regulations thereof) (“sensitive information” hereinafter) except for the circumstances mentioned below:

• When sensitive information is obtained, used, or provided to a third party to the extent necessary to ensure proper operation of insurance business and with the consent of the customer;
• When the sensitive information is obtained, used, or provided to a third party to the extent necessary to pay insurance claims involving inheritance procedures;
• When sensitive information of employees, etc. concerning affiliation to, or membership of, political, religious, or other groups or labor unions, is obtained, used, or provided to a third party to the extent necessary to collect insurance premiums, etc.;
• When required to do so by law or ordinance;
• When required to do so to protect a person’s life, body, or property;
• When especially required to do so to improve public health or promote the sound development of children;
• When required to do so to cooperate with any central government institutions, local public organizations or parties commissioned by such organizations in performing operations required by law or ordinance;
• When required for the purpose of academic research (when sensitive information is obtained acquiring sensitive information as stipulated in subparagraph 6 of Article 20, Paragraph 2 of the Act on the Protection of Personal Information, when sensitive information is used as stipulated in subparagraph 6 of Article 18, Paragraph 3 of the Act on the Protection of Personal Information, or when sensitive information is provided to a third party as stipulated in subparagraph 7 of Article 27, Paragraph 1 of the Act on the Protection of Personal Information).

Personal information concerning debt repayment ability of individual borrowers provided by any credit information organization (which means any organization that collects information regarding the debt repayment ability of borrowers and provides such information to us; hereinafter, “Personal Credit Information Organizations”) will be used only for the purpose of our investigation of the ability of borrowers to meet their payments in accordance with Article 53-9 of the Ordinance for Enforcement of the Insurance Business Act.
Moreover, after obtaining the consent of borrowers, we will register personal information based on objective transaction evidence related to borrowers’ agreements with the Personal Credit Information Organizations with which we are affiliated. We, the Personal Credit Information Organizations we are affiliated with, and the affiliated members that have partnered with those Personal Credit Information Organizations will be provided with this personal information, which will be used only for the purpose of investigating the ability of borrowers to meet payments.

• (1)Preparation of pseudonymously processed information
  In the case where the Company creates pseudonymously processed information (individual information obtained by processing personal information so that the individual cannot be identified unless the information is cross-checked with other information by taking measures prescribed by law), it will take the following actions:
  
  • Appropriate processing in accordance with the standards set forth in laws and regulations
  • Take security measures to prevent leakage of the deleted information or information regarding the method of processing, in accordance with the standards set forth in laws and regulations.
• (2)Purpose of use of pseudonymously processed information
  In the event that the Company establishes or changes the purpose of use of the pseudonymously processed information, it shall specify the purpose of use after the change as much as possible, clarify that it is related to such processed Information, and make a public announcement.

• (1)Preparation of anonymized information
  We employ the following handling procedures when preparing anonymized information (i.e., personal information on individuals that has been processed, through means stipulated in laws and regulations, so that it is not possible to identify the individuals concerned or to restore such personal information):
  • We process such information properly in accordance with standards stipulated in laws and regulations
  • We implement security measures to prevent leakage of information concerning the information that has been deleted and methods of processing used, in accordance with standards stipulated in laws and regulations
  • We disclose the items of information contained in such anonymized information
  • We do not act in ways that would identify the individuals concerned by the personal information on which such anonymized information is based
• (2)Providing of anonymized information
  When providing anonymized information to third parties, Sompo Holdings discloses the items of information concerning individuals contained in such anonymized information to be provided and the methods of provision, and it clearly informs the third party of the fact that the information to be provided has been anonymized.

A customer may ask us to disclose, revise, delete, cease using, or disclose records of provision to third parties with respect to personal data in our possession concerning him or her.

Please direct requests for any notification, disclosure, revision, or suspension of use of retained personal data under the Act on the Protection of Personal Information to the contact point listed in the section on “Procedures for Disclosure.”
After confirming that you are the requesting party or the proxy thereof, we will ask that you complete our prescribed request form, and we will then process the request. In principle, we will reply at a later date enlisting the method requested by the person concerned among the methods specified by us. Replies to requests for disclosure are subject to fees designated by Sompo Japan Insurance.
If we find that information about the claimant is incorrect, we will correct the information based on the results of our investigation as required.

• *For details on procedures for disclosing and revising personal information, etc., please refer to the section on “Procedures for Disclosure.”

We may enter into reinsurance policies with reinsurance companies and other such entities abroad for the purpose of continuously ensuring that customers are provided with high-quality and secure insurance services in a consistent manner. In some cases, we may provide personal information to reinsurance companies and other such entities abroad in accordance with reinsurance policies.

When personal data is to be provided to “a person establishing a system conforming to standards prescribed by rules of the Personal Information Protection Commission” under Article 28, Paragraph 1 of the Act on the Protection of Personal Information in cases such as those where handling of personal data is to be outsourced to a third party overseas, we implement the following security measures and enter into agreements with recipients of personal information obliging them to implement measures constituting personal data security measures of the recipient (the “Appropriate Measures”) as required under the Act on the Protection of Personal Information.

• (1)We check the following items in writing and through other such means on a routine basis once per year.
  
  • [1]Status of the Appropriate Measures implemented by third parties to which personal information has been transferred
  • [2]The presence or absence of systems that conceivably may affect implementation of the Appropriate Measures abroad at locations of third parties to which personal information has been transferred
• (2)We seek rectification in the event that impediments to implementing the Appropriate Measures arise and accordingly discontinue provision of such personal data when we encounter difficulties in ensuring continuous implementation of the Appropriate Measures.
• (3)Our outsourcing agreements stipulate matters that include: the notion that personal data is to be handled within the limits of the outsourcing agreements; the notion that necessary and appropriate security control measures are to be implemented; the notion that employees are to be subject to necessary and appropriate supervision; prior consent is to be required for subcontracting, and; personal data may not be provided to third parties.
• (4)Please contact our contact point with respect to inquiries regarding outsourcing of the handling of personal data to third parties abroad.

We will make efforts to prevent leaks, loss, or damage of personal data. We will also ensure adequate information security measures such as maintenance of policies regarding usage as well as that of systems in place for secure management procedures. At the same time, we will take proper measures to ensure that we have the accurate, current personal data needed to fulfill the purposes of use.
We have established in-house rules stipulating specific matters regarding personal data security measures, primarily consisting of the following.
Please contact our contact point with respect to inquiries regarding our personal data security measures.

• (1)Establishment of Basic Policy
  We ensure proper handling of personal data by formulating basic policy and revising such policy as necessary, such that encompasses: matters of compliance with relevant laws and regulations and guidelines, matters regarding security measures, and contact points for inquiries and dealing with grievances.
• (2)Establishment of rules for handling security management of personal data
  We establish rules for handling personal data and revise them as necessary with respect to matters that include approaches to handling such data, entities and persons in charge of handling such data and duties thereof, at each stage of the data-handling process including data acquisition, use, storage, provision, deletion, and disposal.
• (3)Organization-wide security measures
  
  • Appoint entities responsible for personal data management, etc.
  • Establish security measures in work rules, etc.
  • Implement operations in accordance with rules for handling security management of personal
  • Establish means for confirming status of handling personal data
  • Perform inspection regarding status of handling personal data, and establish and implement an audit framework
  • Establish systems for addressing incidents of leakage and other such matters
• (4)Personal security measures
  
  • Conclude nondisclosure agreements on personal data, etc. with employees
  • Articulate employee roles, responsibilities, etc.
  • Fully familiarize employees with security measures, provide them with education and training on such matters
  • Confirm status of compliance with personal data management procedures carried out by employees
• (5)Physical security measures
  
  • Perform management regarding domains of personal data handling, etc.
  • Prevent theft and other such instances involving devices, electronic media, etc.
  • Prevent leakage and other such instances that may occur when transporting electronic media, etc.
  • Delete personal data and dispose of devices, electronic media, etc.
• (6)Technical security measures
  
  • Identify and authenticate uses of personal data
  • Set administrative classifications of personal data and control access thereof
  • Manage authorizations for access to personal data
  • Implement measures to prevent leakage of personal data, damage to personal data, etc.
  • Record and analyze access to personal data
  • Record and analyze operational status of information systems for handling personal data
  • Monitor and audit information systems for handling personal data
• (7)Supervision of subcontractors
  We select parties that appropriately handle personal data when outsourcing handling of personal data, and furthermore establish rules for handling outsourcing and review such rules on a routine basis in order to ensure that subcontractors implement security measures.
• (8)Understanding the external environment
  We implement security measures based on our understanding of systems for protecting personal information in countries where our personal data is handled.

In providing the products and services that we offer, such as P&C insurance, we need to ask our customers to provide personal information. In some cases, we may not be able to provide products or services if such information is not provided.

In addition, within the scope allowed by laws and regulations, if customer rescinds his or her consent to the handling of personal data we will suspend handling of the customer’s personal information, except as necessary for our business purposes such as insurance policy management. For details, please refer to the section on “Procedures for Disclosure.”

Personal information on EEA residents is handled in accordance with applicable European laws and regulations.

When transferring personal information on residents of the European Economic Area (EEA) from inside the EEA to outside the EEA, the Sompo Group employs strict information controls and thorough security measures. In some cases, data are transferred from us to third-party service providers, subcontractors, and partners in joint use of personal information, and then stored on servers in Japan or other countries outside the EEA. While such countries may be ones for which the European Commission has not determined that data security measures are adequate, personal data that we provide are managed appropriately under sufficient security management measures.

Chief Privacy Officer at our company is as follows.

Director or Officer in charge of Corporate Legal & Compliance Department
Sompo Japan Insurance Inc.

Please contact your insurance agency or a local sales office for questions and inquiries, etc., regarding the details of your insurance policy or an insured event.
Please contact the contact point below for questions, inquiries, and complaints, etc. regarding the handling of personal information.
If you are a resident of the European Economic Area, you can also file a complaint allegation on handling of personal data to the supervising body of the European Economic Area member.

If you do not wish to receive any information on our new products or services by direct mail, telephone, or in other ways, please contact our contact point as set forth below. Please note, however, that the cancellation does not apply to communications enclosed with maturity notices and material printed on the extra space on documents.

Sompo Japan Insurance Inc.
26-1, Nishi-Shinjuku 1-chome, Shinjuku-ku, Tokyo, Japan 160-8338
Telephone: 0120-238-381 (Customer Center)
Operating hours: Monday to Friday from 9:00 to 20:00; Saturdays, Sundays, national holidays from 9:00 to 17:00 (Closed from Dec. 31 to Jan. 3)
URL: https://www.sompo-japan.co.jp/english/

We are a member of the General Insurance Association of Japan, which is an authorized
Private Information Handling Entity. The association handles complaints and consultations
regarding the handling of personal information by member companies.

Contact information
The General Insurance Association of Japan, Non-life Insurance ADR Center Tokyo (Consultation of Non-life Insurance and Support Center Tokyo for Alternative Resolution of Non-life Insurance Dispute)
2-105, 7F Waterasu Annex, Kanda Awajicho, Chiyoda-Ku, Tokyo 101-0063
Telephone:03-3255-1470
(open from 9:00 to 17:00 excluding Saturdays, Sundays, holidays and during the year-end and
new-year period.)
URL: https://www.sonpo.or.jp/en/