In case we provide the Data to a third party in a foreign country and we can identify such third party afterward, customers may request us to offer the information about the Data protection system of the country where the third party is located, and the measures taken by the said country to protect the Data.
As we mention in this announcement later under “5. Provision of the Data to Third Parties in Foreign Countries” in the attachment, we cannot deny completely the possibility that we provide the Data to a third party in a foreign country even before we identify fully who and where the third party is. In such a case, however, if we can identify the said third party afterward, customers, upon their requests, may receive information about the Data protection system of the country where the third party is located, and the measures taken by the said party to protect the Data.
It is not mandatory to obtain consent from customers beforehand if the Data requesting party has a system in place that always helps such a party to take measures considered equivalent to what the Data handling entity needs to take. (“the Equivalent Measures” hereafter) A customer may nevertheless request us to offer the information regarding the matters listed below.

• (1) How the third party in question has developed its system
• (2) The outline of the Equivalent Measures the third party in question implements
• (3) The method and the frequency we confirm regarding; the status of implementation of the Equivalent Measures by the third party in question, whether the system exists in the country in question that may potentially affect the implementation of the Equivalent Measures by the third party in question, and the outline of such a system if there should be any
• (4) The name of the foreign country concerned
• (5) Whether the system exists in a foreign country in question that may potentially affect the implementation of the Equivalent Measures by the third party in question, and the outline of such system if there should be any
• (6) Whether there is any obstacle that impedes the implementation of the Equivalent Measures by the third party in question and an outline thereof.
• (7) The outline of the measures we will take if the impediment arises as stated in (6) above should there be any.

If you have any inquiries, opinions, or complaints regarding the matter related to personal information, please contact the office listed below.

5-1, Nihonbashi 2-chome, Chuo-ku, Tokyo

※Total Risk Control & Compliance Department, Tokai Tokyo Financial Holdings, Inc.

Tel: 03-3517-8403

We, Tokai Tokyo Financial Holdings, Inc., use the personal information of customers (“the Information” hereafter) within the scope considered necessary to achieve the following purposes in accordance with the Act on the Protection of Personal Information (Law No. 57, May 30, 2003).

• (1) To exercise rights and fulfill obligations under the Companies Act
• (2) To provide our shareholders with information and services such as sending reports of the Tokai Tokyo Financial Group
• (3) To collect the statistical data necessary for us to conduct PR and IR activities
• (4) To conduct our business administration and internal control of Tokai Tokyo Financial Holdings group.

We may share the Information as described below:

• (1) Items of the Information to be shared

  ・Information on customers, such as their names, addresses, dates of birth, telephone numbers, occupations, and transaction needs

  ・Information on transactions with customers, such as transaction details and the account balances of assets under custody

• (2) Companies that may jointly share the information
  We, Tokai Tokyo Financial Holdings, Inc., and our consolidated subsidiaries specified in the securities report, etc.
• (3) Purpose of use
  To conduct business administration and internal control, such as integrated compliance and risk management of the Tokai Tokyo Financial Group
• (4) Party Responsible for Managing the Personal Information
  Tokai Tokyo Financial Holdings, Inc.

While we keep carefully protecting customer’s privacy, we use the Information within the scope considered necessary to conduct our business and achieve the following purposes in accordance with the Act on the Protection of Personal Information

• (1) We will not obtain customers' personal information by false or other wrongful means.
• (2) We will not infringe on customers' interests when we obtain the Information from a third party.
  We will not obtain personal information if we know that the information has been leaked from a third party who has committed wrongdoing including the fraudulent acquisition of personal information.
• (3) We may obtain the Information by the following methods:

  ・Through third parties including database service providers.

  ・Through audio recording, image recording, e-mails reception, and other electronic methods

  ・Through information in official gazettes, newspapers, magazines, the Internet, and other electronic sources.

• (1) We will take the necessary and appropriate measures to exercise security control of personal data, such as preventing unauthorized disclosure, loss, or damage. In addition, we will conduct necessary and appropriate supervision of employees and the outsourcing companies we entrust with security control of personal data (including the companies outsourcing companies further entrust with the same). The measures to exercise security control of personal data are specifically defined in our internal rule, and the main part of its related part is mentioned below.
• (2) Establishment of Personal Information Protection Policy
  To ensure the proper handling of personal data, we have established a personal information protection policy that refers to “compliance with relevant laws, regulations, guidelines, etc.” and a “Contact Office for Inquiries and Complaints.”
• (3) Establishment of Discipline for Personal Data Handling
  Concerning each handling stage of the personal data that ranges from acquisition, use, custody, disclosure, and to deletion or disposal, we have laid out the discipline in the form of “the Rules for Personal Information Handling” specifying handling methods, responsible persons or representatives, and their respective duties.
• (4) Security Control by the Organizational Structure

  (ⅰ) We have established a management system for Personal Data Handling and the system is led by the General Manager of Personal Information Protection.

  (ⅱ) We periodically conduct self-inspections regarding the status of the Data Handling and the Audit Department performs audits.

• (5) Security Control by the Employees and Officers

  (ⅰ) We give employees regular training to remind them of the points to remember in handling personal data.

  (ⅱ) We describe the matters related to the confidentiality of personal data in the Employment Rules

• (6) Security Control by Physical Access Limitation

  (ⅰ) We implement measures to prevent unauthorized individuals from having access to personal data.

  (ⅱ) We take measures to prevent the theft or loss of devices, electronic media, documents, etc. that deal with personal data, and to prevent personal data from being easily read when the said devices, electronic media, etc. are moved.

• (7) Technical Security Control

  (ⅰ) We exercise control by specifying the accessible ranges of personal data allowed to the respective staff specifically assigned to handle personal information databases.

  (ⅱ) We have introduced systems to protect information systems that handle personal data from being accessed from outside by unauthorized parties or software.

• (8) Outsourcing Personal Information Handling Services to Third Partys in Foreign Countries
  We do not currently outsource all or part of the said information handling to any third party in any foreign country.

• (1) We may provide the Data to a third party in a foreign country in any of the following cases

  (ⅰ) A customer agrees in advance to allow us to provide personal data to a third party in a foreign country

  (ⅱ) A third party in a foreign country implements measures in accordance with the purpose of the provisions of Section 1, Chapter 4 of the Act on the Protection of Personal Information in an appropriate and reasonable manner, and assures us of its implementation of the said measures. In this case, the recipient of personal data shall be our outsourcing companies in foreign countries (outsourcing companies include the companies that our outsourcing companies further subcontract their services in foreign countries).

  (ⅲ) A customer’s identity is masked.

  (ⅳ) If any of the following is the case

  • The provision is required to protect human life, body, or property, but obtaining timely consent from the customer is difficult.
  • The provision is particularly required to improve public health or promote children's sound upbringing, but obtaining timely consent from the customer is difficult.
  • The provision is required because a third party must cooperate with a national organization, local government, or an agent of either a national organization or local government, for the execution of such organization’s affairs prescribed by laws and regulations, but obtaining consent from the customer may hinder such execution of affairs.
  • The applicable laws and regulations so require.

• (2) In case where a change in laws and regulations requires us to provide personal data to a third party in a foreign country (*) and we attempt to obtain consent to such a provision of the personal data from a customer, we will follow our rule to offer the information in advance concerning the system for the protection of personal information in the foreign country concerned, the measures the third party in the said country take for the protection of personal information, and other information that should serve as a reference for a customer.

  *Countries excluded from “foreign country”
  Please be reminded here about the term “foreign country.” Foreign countries that have a personal information protection system in place that is considered equivalent to the one adopted in Japan in terms of protecting the rights and interests of individuals as stipulated in Article 28 of the Act on the Protection of Personal Information (specified by the Personal Information Protection Commission) are excluded from the category of “foreign country” in the context of “third party in a foreign country” here.

  https://www.ppc.go.jp/files/pdf/210101_h31iinkaikokuji01.pdf

  *Foreign countries as recipients
  The following foreign countries are qualifying candidates for the recipient of personal information.
  The United States, Singapore, and Hong Kong

  *The investigation of systems adopted by foreign countries for the protection of personal information
  The Personal Information Protection Commission investigates and publicizes its result about the systems deployed by certain countries and regions for the protection of personal information, with a view to helping customers to grasp essential differences between Japan's Act on the Protection of Personal Information and the corresponding laws in the countries in question. So, please refer to the underneath.

  https://www.ppc.go.jp/personalinfo/legal/kaiseihogohou/#gaikoku

• (1) We will respond without delay when you request us to notify you about the following; the purpose, disclosure, correction, addition, and suspension (including deletion) of personal information, disclosure of records provided to third parties, etc. (hereinafter referred to as "disclosure, etc.") in the manner specified by the customer. (In the event that disclosure in the specified manner entails large costs and no other alternative method is available for the requested notification, we send you the reply in written form.)

• (2) We charge you a certain fee for our service to answer your request concerning the disclosure of retained personal data. However, when we notify you of purposes of use other than those mentioned above, correction, etc., and when we respond to your requests for suspension of use, etc., we will not charge you fees.

  • (ⅰ) Service Fee

    The Notification Covers;	The Fee (tax included)
    name, address, date of birth, telephone number, fax number, e-mail address, contact information, and work information all inclusive	1,100 yen
    Each item of notification other than those stated above	1,100 yen (*)

    *The minimum fee is 1,100 yen per item, and depending on the content of the request, additional fees may be charged separately in consideration of postage, and others.

  • (ⅱ) Payment Method
    In principle, payment should be made in cash (or by wire transfer to our bank account).
• (3) Purpose of Use of the Personal Information Acquired in the Process of Responding to the Disclosure Request from Customers
  The personal information obtained in the process of responding to the request for disclosure from customers will be used for conducting the investigation necessary beforehand to prepare for such disclosure, identifying the customer himself/herself or his/her proxy, collecting fees, and responding to the said request for disclosure, etc.

• (4) Cases in which Disclosure Cannot Be Made
  Please note that disclosure is not possible in the following cases;
  When we decide against disclosure, we will notify the customer accordingly, mentioning the reason why we do not. However, even if the disclosure is not carried out, we will charge the customer the prescribed fee.

  (ⅰ) If the identity of the customer cannot be confirmed

  (ⅱ) If the authority of the proxy cannot be confirmed when the request is made by a proxy

  (ⅲ) If there is any inadequacy in the prescribed application form or other necessary documents, etc.

  (ⅳ) If the fee is not paid within the prescribed period

  (ⅴ) If the information item requested is not included in the retained personal data

  (ⅵ) If there is a risk of harming the life, body, property or other rights and interests of the customer or a third party

  (ⅶ) If there is a risk of causing significant hindrance to the proper execution of our operations.

  (ⅷ) If there is a violation of other laws or regulations

For our address and representative, etc., please refer to the website of Tokai Tokyo Financial Holdings, Inc.
If you have opinions, requests, and inquiries concerning public announcements concerning retained personal data, disclosure of retained personal data, etc., handling of personal data to be shared with others, and other matters related to our handling of personal information. please contact us at the address below.

Inquiries, comments, etc. about the personal information
5-1, Nihonbashi 2-chome, Chuo-ku, Tokyo

Total Risk Control & Compliance Department, Tokai Tokyo Financial Holdings, Inc.

Tel: 03-3517-8403