Handling of Personal Information

In accordance with the Act on the Protection of Personal Information (hereinafter the “Act”) and the Act on the Use of Numbers to Identify a Specific Individual in Administrative Procedures (hereinafter the “My Number Act”; unless otherwise specified, terms used hereinafter are as defined in the Act and the My Number Act) and other related laws and regulations and code of conduct, we shall publicly announce the following matters and obtain customer consent where necessary with respect to the handling of personal information, individual number and specified personal information (hereinafter, individual number and specified personal information are referred to as “specified personal information, etc.”). For our Privacy Policy, please see here.

1. Matters regarding public announcement of purposes of use of personal information

When we obtain the personal information of customers directly or indirectly or when we obtain personal related information of customers as personal information through partners, we shall use the personal information of customers to the extent necessary for achievement of the following business operations and purposes of use.
However, when we obtain personal information in writing directly from customers, we shall clearly indicate the purposes of use to them in advance.
We shall stipulate the purpose of use specifically for customers’ clear understanding of the purposes of use and shall also endeavor to limit the purposes of use according to the situation, for instance, when we ask customers to answer questionnaires, we shall use personal information only to aggregate questionnaire scores.

Business operations

Deposits, domestic exchange, money exchange, loans, foreign exchange, and incidental operations thereto
Investment trust sales, insurance sales, securities brokerage, trusts, corporate bonds, comprehensive credit purchase intermediation and other operations that banks are permitted to operate under the laws, and incidental operations thereto
Other operations that banks are permitted to operate, and incidental operations thereto (including those that will be permitted to be handled in the future)

Purposes of use

Concerning our own finance instruments and services and those of our affiliates and partners, we shall use personal information for the following purposes of use.

Receiving applications for financial instruments and services (e.g., application for opening an account for various financial instruments);
Conducting identity verification based on the Act on Prevention of Transfer of Criminal Proceeds and confirming eligibility for using financial instruments and services;
Conducting management for continuous transactions (e.g., due date control in deposit, loan, and other transactions);
Making judgments on loan applications and continuous use, etc.;
Making judgments on the appropriateness of providing financial instruments and services (e.g., judgment against the principle of appropriateness);
When providing personal information to a (member) personal credit information agency in the credit business, providing personal information to the extent necessary to accomplish the operation properly;
When all or part of processing of personal information is entrusted by other businesses, accomplishing this entrusted operation appropriately;
Exercising rights or fulfilling obligations in accordance with contracts between customers and ourselves and the relevant laws and regulations;
Studying and developing financial instruments and services through market research, data analyses, and surveys;
Providing customers with various proposals on financial instruments and services by sending direct mail or other means (includes proposing financial instruments and services to meet customer needs based on analysis of website viewing history, behavior history and customer interests inferred from such information);
Providing customers with various proposals on the products and services of our affiliates and partners.
This includes the following purposes, for example:
(A)Proposing or providing information about our own products and services or those of third parties on our own website or third party websites;

(B)Proposing or providing information on our own website or third party websites about content or information which has been personalized for customers based on an analysis of their interests and attributes using collected personal information; and

(C)Providing the personal information of customers to platforms (for advertising and content distribution) to identify our own customers on these platforms and to make proposals and provide information on third party websites.
Cancelling various transactions and conducting management after cancellation of transactions; and
Facilitating appropriate transactions with customers.

When specific purposes of use are limited in accordance with laws and regulations, we shall not use personal information beyond such purposes of use.
Specific examples are as follows.

In accordance with Article 13-6-6 of the Ordinance for Enforcement of the Banking Act and other relevant provisions, we shall not use, or provide to any third party, any information provided by the personal credit information agencies concerning the abilities of persons seeking funds to repay their borrowings for any purpose other than investigating the solvency of such persons.
In accordance with Article 13-6-7 of the Ordinance for Enforcement of the Banking Act and other relevant provisions, we shall not use, or provide to any third party, customers’ special nonpublic information, such as information on race, creed, family origin, registered domicile, health and medical, or criminal records concerning customers, for any purposes other than appropriate management of the business and other necessary purposes.

2. Matters regarding public announcement of purposes of use of specific personal information, etc.

In accordance with the My Number Act, we shall not use, or provide to any third party, the specific personal information, etc. of customers for purposes others than those provided for by law, including the following business operations:

Preparation of statutory documents pertaining to financial instrument transactions;
Application for and report of the opening of accounts for financial instruments transactions;
Preparation of statutory documents pertaining to life insurance contracts and so forth;
Preparation of statutory documents pertaining to non-life insurance contracts and so forth;
Preparation of statutory documents pertaining to trust transactions;
Preparation of statutory documents pertaining to transactions of gold bullion and so forth;
Application of the tax-free savings system and so forth;
Preparation of statutory documents pertaining to overseas remittances and other transactions;
Preparation of statutory documents pertaining to stock transfer agency business;
Deposit and savings account numbering;
Registration of public money receiving account, changes to registration, and deregistration;
Provision of deposit and savings account information in the event of disaster or inheritance; and
Ensuring the accuracy of customer identification data and individual number.

3. Appropriate collection and use of personal information and specific personal information, etc.

We shall collect and use the personal information and specific personal information, etc. of customers in an appropriate manner.
We may collect personal information and specific personal information, etc. from information sources such as the following:

(Examples of sources of personal information)

When personal information is provided directly through data input on our website by customers or through documents, etc. that are filled in or provided by customers such as application forms for a new deposit account.
When personal information is provided by joint users such as clearinghouses and from third parties such as personal credit information agencies.
When personal related information such as website browsing histories collected through cookies and other terminal identifiers saved on customers’ web browsers is provided by partners and obtained as personal information.

(Examples of sources of specific personal information, etc.)

When personal information is provided directly through data input on our website by customers or through documents, etc. that are filled in or provided by customers.

4. Collection of personal related information

We may obtain personal related information of customers from third parties and use it in conjunction with personal information already in our possession. In this case, we shall handle such information appropriately as personal information within the scope of the purposes of use described in 1. Matters regarding public announcement of purposes of use of personal information.

Personal related information that might be obtained: Information such as website browsing histories, behavior histories and interests of customers inferred from such information

5. Provision of personal information and specific personal information, etc. to third parties

We may provide personal information in our possession to third parties. We shall not, however, provide personal information to third parties without customer consent, except when provided in an outsourcing transaction and in connection with succession of business due to a merger or other reasons, and except in the case of joint use and the following cases. Specific personal information, etc. shall not be provided to any third party, whether with or without the data subject’s consent, except where permitted under the My Number Act.

When required by laws and regulations;
When it is necessary for the protection of the life, body, or property of an individual and it is difficult to obtain the consent of the data subject;
When it is especially necessary to improve public health or to promote the sound growth of children and it is difficult to obtain the consent of the data subject;
When it is necessary to cooperate with a national agency, a local government, or an individual or entity entrusted by either a national agency or local government to execute affairs prescribed by laws and regulations, and obtaining the consent of the data subject is likely to impede the execution of such affairs; and
When a third party to which personal data is provided is an academic research institution, etc., and the third party needs to handle the personal information for academic research purposes (including cases in which part of the purpose of handling the personal information is for academic research purposes, but excluding cases in which there is a risk of unjustified infringement of the rights and interests of individuals).

We may, for example, outsource the handling of personal information for administrative operations such as the following.
When outsourcing the handling of personal information, we shall sign agreements with outsources to ensure they handle personal information and specific personal information, etc. as carefully as we do, and we shall ensure adequate security control measures.

(Examples of outsourced administrative operations)

Administrative operations for dispatching cash cards and other procedural documents
Printing and dispatching payment reports to tax offices, etc.
Administrative procedures pertaining to financial instruments transactions, etc.
Administrative operations for dispatching direct mail
Operations pertaining to system operation and maintenance

In the event of administrative operations in accordance with the Act on Management of Deposit and Savings Accounts by Use of Individual Numbers Based on the Will of Depositors and the Act on Registration of Deposit or Savings Accounts for Swift and Secure Payment of Public Benefits, we shall provide the personal information and specific personal information, etc. of customers to the following parties upon obtaining customer consent in advance.

Deposit and savings account numbering;

Deposit Insurance Corporation of Japan: Name, address, date of birth, sex, personal number managed by us or Japan Agency for Local Authority Information Systems (hereinafter “J-LIS”), branch and account numbers managed by us, branch and account numbers managed by confirmed financial institution (*)
J-LIS: Name, address, date of birth, sex, whether Japanese national or not, personal number
Confirmed financial institution (*): Name, address, date of birth, personal number

* “Confirmed financial institution” in the context of administrative operations pertaining to account numbering refers to another financial institution that manages a deposit or savings account for which a deposit and savings account numbering application has been submitted.

Registration of public money receiving account, changes to registration, and deregistration;

Deposit Insurance Corporation of Japan: Name, address, date of birth, sex, personal number managed by us or J-LIS, branch and account numbers managed by us
J-LIS: Name, address, date of birth, sex, whether Japanese national or not, personal number
Digital Agency: Name, address, date of birth, sex, personal number, branch and account numbers managed by us

Provision of deposit and savings account information in the event of disaster or inheritance; and

[Account inquiries in the event of disasters]

Deposit Insurance Corporation of Japan: Name, address, date of birth, personal number, branch and account numbers managed by confirmed financial institution (*)
Confirmed financial institution (*): Name, address, date of birth, personal number

* “Confirmed financial institution” in the context of administrative operations pertaining to inquiries in the event of disaster refers to another financial institution that manages a deposit or savings account to which a customer’s personal number is attached.

[Inquiries in the event of inheritance]

Deposit Insurance Corporation of Japan: Name, address, date of birth, name, address, date of birth and sex of decedent

Ensuring the accuracy of customer identification data and individual number.

Deposit Insurance Corporation of Japan: Name, address, personal number
J-LIS: Name, address, personal number

We shall obtain the consent of customers before providing their personal information to a third party in a foreign country.
In this event, we shall provide customers with the information in (i) to (iii) below by providing electromagnetic records, by delivering documents, or by other appropriate means.

(i) Name of the foreign country

(ii) Information about systems relating to the protection of personal information in that foreign country obtained by appropriate and reasonable methods

(iii) Information about measures to protect personal information implemented by the third party

When we are unable to identify the third party to which we are providing personal data at the time of obtaining consent but are subsequently able to identify the foreign country in which the recipient third party is located, we will provide (i) and (ii) above according to a request from a customer. When we are subsequently able to provide information about measures taken to protect personal information by the recipient third party, we shall provide (iii) above according to a request from a customer.

Information about third party recipients in foreign countries that we are currently able to identify is as follows.

Name of the country
United States (California)
Information about the systems to protect personal information in that country obtained by appropriate and reasonable methods
Please refer to the following information provided by the Personal information Protection Commission.
United States (Federal Government) https://www.ppc.go.jp/files/pdf/USA_report.pdf
United States (California)https://www.ppc.go.jp/files/pdf/california_report.pdf
Information about measures to protect personal information implemented by the third party
(A) Meta Platforms, Inc. (Facebook): Data Policy
(https://www.facebook.com/policy.php)

(B) Google LLC: Google Privacy Policy
(https://policies.google.com/privacy?hl=ja)
Privacy & Terms for Users in Japan
(https://policies.google.com/privacy/additional?hl=ja&gl=jp)

(C) X Corp.: Rules and Policies
(https://help.x.com/ja/rules-and-policies)

6. Joint use of personal information

We may allow users stipulated in advance to jointly use the following personal information. However, we shall never conduct any joint use of specific personal information, etc. (Details are made public separately.)
(A) Information posted in official gazettes (e.g., names, addresses, and the fact of bankruptcy and its date)

(B) Information about the drawer of a dishonored bill or check (for bills of exchange, the underwriter; the same applies hereinafter) and a customer who has requested the opening of a current account
We may allow the personal information of customers listed in (B) below in our possession to be jointly used by the parties listed in (A) below as joint users.
(A) Parties that use personal information jointly as joint users (hereinafter “our Group companies”)
SBI Sumishin Net Bank, Ltd.
SBI Sumishin Net Bank Card Co., Ltd.
THEMIX Data, Inc.
Our other consolidated subsidiaries and equity-method affiliates

(B) Items of the personal data to be used jointly
Name, address, date of birth, telephone number, e-mail address, information about family members, information about place of work, information about assets and liabilities, information about transaction needs, publicly available information, other items related to customer attributes
Credit decision result and materials and other items related to credit decision and credit management
Transaction history, types of products and services used, agreement dates, transaction amounts, balances, due dates and details and other items related to transactions with customers
Information needed to manage transactions such as customer number and transaction number

(C) Purposes of use of joint use
Identify and manage various risks as necessary to run business at our Group companies
Propose and provide information about products and services of our Group companies (including purposes of use listed in “Purposes of use” (10.) and (11.) in 1. Matters regarding public announcement of purposes of use of personal information)
Make decisions on the supply of credit to customers by our Group companies, control supplied credit, collect receivables and make other judgments related to transactions with customers
Plan and develop various products and services offered by our Group companies

(D) Name of party responsible for managing personal data
SBI Sumishin Net Bank, Ltd.
Sumitomo Fudosan Roppongi Grand Tower, 3-2-1 Roppongi, Minato-ku, Tokyo
Noriaki Maruyama, President and CEO
We may allow the personal information of customers listed in (B) below in our possession to be jointly used by the parties listed in (A) below as joint users.
(A) Parties that jointly use personal information as joint users
Sumitomo Mitsui Trust Group companies (refers to Sumitomo Mitsui Trust Holdings, Inc. and consolidated subsidiaries and equity-method affiliates listed in said company’s Annual Report. For a list of Sumitomo Mitsui Trust Group companies, please refer to the websites of Sumitomo Mitsui Trust Holdings, Inc.)

(B) Items of the personal data to be used jointly
Individual’s name, address, date of birth, sex, telephone number, attribute information, and other information about the individual necessary to achieve the purposes of use of joint use shown below

(C) Purposes of use of joint use
Manage antisocial forces and such like, and identify and manage various risks as necessary to run business at Sumitomo Mitsui Trust Group companies

(D) Name of party responsible for managing personal data
SBI Sumishin Net Bank, Ltd.
Sumitomo Fudosan Roppongi Grand Tower, 3-2-1 Roppongi, Minato-ku, Tokyo
Noriaki Maruyama, President and CEO

7. Procedure for stopping direct marketing

When a customer has asked us to stop direct marketing in accordance with the following, we shall take measures to stop the use and provision of direct marketing without delay from that time onwards. Notices of maturity sent not only to customers but also to others, as well as the enclosures of such notices, are not covered by procedures for stopping direct marketing.

Procedure for stopping direct marketing

Please contact the Customer Center below.

8. Procedure for requesting disclosure of stored personal information or records of provision to third party

With respect to personal data in our possession, we shall follow the guidelines below to respond to requests from data subjects or their proxies for notification of purpose of uses, requests for disclosure, correction, etc. (means correction, addition and deletion), suspension of use, etc. (means suspension of use, erasure, etc.) and suspension of provision to third parties, and requests for the disclosure of records of provision to third parties.
For details of procedure, please refer to Documents to be submitted when requesting disclosure, etc. (Japanese only)

Application method

For requests for the disclosure of personal data held and records of provision to third parties by data subjects and their proxies, please complete our prescribed application form and mail it to our Customer Center together with personal identification documents.

Disclosure fee

We will charge a prescribed fee for dealing with requests for the disclosure of personal data held and records of provision to third parties.
We may still charge a prescribed fee even if a request for disclosure is refused.

Response

After the procedure is completed, a response shall be sent either by mail or by our prescribed electromagnetic method.

9. Our contact for inquiries

Please do not hesitate to contact us by e-mail if you have any inquiries, complaints, etc. about this policy.