Basic Policy on Information Security


As part of its corporate mission to enrich the world through visual communication, and in order to achieve further growth and development of its business, amana group (“Amana Group”) is moving forward proactively with the digitalization of its information assets. In today’s digital society, where the Internet has become an essential and indispensable part of our lives, Amana Group recognizes that appropriate handling of information assets to protect them against threats such as information leaks, destruction, or manipulation is a social responsibility. To fulfill that responsibility, Amana Group has established this Basic Policy on Information Security, and pledges to ensure that all Amana Group officers and employees (including all permanent, contract and part-time employees and resident external contractors; hereinafter the same applies) will understand and act in accordance with it.

  1. The Purpose of Information Security
    By implementing appropriate information security management and seeking to prevent the occurrence of information security incidents, Amana Group aims to be a company that maintains the constant trust and confidence of its customers and all other stakeholders.
    In the unlikely event that an information security incident should occur, Amana Group will endeavor to minimize the extent of any damage incurred, and to prevent reoccurrences by carrying out prompt restoration and recovery work.
  2. Scope of Applicability
    This policy applies to all corporate officers and employees and any important information assets managed by the Amana Group.
  3. Amana Group Initiatives
    1. Protection of Information Assets
      Amana Group will take all necessary management steps and measures, from the standpoints of confidentiality, integrity and availability, to protect all important information assets (including specific personal information and personal information) in its possession from all manner of threats.
    2. Observance of Laws and Legal Statutes
      Amana Group will comply with all laws, regulations and all separately stipulated rules, regulations and contractual agreements, etc., relating to information security.
    3. Promotion of Information Security Activities
      To promote its information security activities, Amana Group will create and operate an information security management system. Amana Group will also establish an information security committee and appoint a chief information security management supervisor. The information security management supervisors and committee members from each department shall actively spearhead information security activities, review them periodically and make continuous improvements.
    4. Implementation of Drills and Educational Training
      To implement organized and continuous information security-related activities, Amana Group will carry out educational training for all of its corporate officers and employees.
    5. Response to Information Security-related Events and Incidents
      Amana Group will constantly anticipate the occurrence of information security-related accidents, and, in addition to working to prevent such incidents, make a prompt response and take appropriate management steps and measures in the occurrence of such information security events and/or incidents, in consideration of rectifying such occurrences.
      NB: An information security incident is an information security-related accident or incident of the kind that could interfere with business operations.
Established: December 1, 2007
Last Updated: December 22, 2016
amana inc.
Representative Director
Hironobu Shindo

Policy on the Protection of Personal Information

Amana Group pledges to comply with laws and norms relating to the protection of personal information, to pay care and attention to international developments in the field and establish voluntary rules and frameworks, to establish the following Policy on the Protection of Personal Information and to implement and maintain this Policy with regard to the personal information of all customers and other transaction-related companies that Amana Group may use in the course of its business.

  1. Personal Information Protection Policy
    1. To fulfill this pledge, Amana Group shall establish a set of Management Rules for the Protection of Personal Information, and shall endeavor to make these rules known to all officers, employees and other affiliates of the Amana Group, and to ensure thorough observance of said rules.
    2. To prevent the loss, destruction, manipulation or leakage of personal information or other similar incidents, Amana Group shall establish an information security system and implement appropriate information security countermeasures, including measures to combat unauthorized accesses to information and intrusions by computer viruses.
    3. To manage personal information appropriately, Amana Group shall carry out regular checks and other such activities as the company sees fit, and shall endeavor to take appropriate steps promptly in the event of the discovery of issues that should be rectified, and to work towards continuous improvement.
    4. When obtaining personal information, Amana Group shall do so by fair and legal means, and, in addition to not obtaining such information by illicit means, shall either obtain the consent of the relevant individual to whom the personal information belongs with regard to the purpose of use, etc., or shall give notice of the necessary items on the Amana Group’s website.
    5. In cases where personal information is being obtained indirectly, Amana Group shall confirm whether or not the personal information obtained has been obtained by the provider from the individual in question in an appropriate manner, pay any contractually obligated consideration for such provision(s), and shall give notice of the necessary items regarding the purpose of use, etc., of such personal information on the Amana Group’s website.
    6. Amana Group confirms that the individual in question to whom the relevant personal information belongs owns the right to demand disclosure, correction, discontinuation of use and deletion, etc., of his or her own personal information, and shall respond sincerely and promptly to any such demands from the individual in question. Amana Group shall also establish a Personal Information Inquiries Desk to receive and handle inquiries regarding matters concerning personal information.
    7. In cases where Amana Group makes shared use of personal information with a third party, or deposits personal information to a third party for the purpose of subcontracting work, Amana Group shall conduct appropriate research on and enter into such contractual agreements as necessary with said third party, and take other such legal steps as deemed necessary.
    8. Amana Group sets forth the following general rules for the specific gathering and handling of personal information.
  2. General rules regarding the use of personal information:
    The use of personal information shall be limited to within the scope of the purpose for which it was collected, only by persons granted the necessary authority in accordance with the specific work being carried out, and within the scope of that which is necessary in order to carry out the relevant work.
  3. Prohibited Items
    As a general rule, provision of personal information to a third party is prohibited.
    We do not allow the content of personal information obtained in the process of carrying out work to be known to third parties without good reason, or use such personal information for wrongful purposes.
    We do not gather, use or provide personal information containing any of the following content:
    1. Items concerning thoughts, beliefs or religious matters
    2. Race, ethnicity, lineage, domicile of origin (excluding information regarding the prefecture of its location), physical or mental disabilities, criminal records or other items that may be the cause of social discrimination
    3. Items concerning the right to organize groups of workers, engage in collective bargaining or other acts of collective action
    4. Items concerning participation in collective industrial action, the exercise of the right to petition or other matters concerning the exercise of political rights
    5. Items concerning health, medical treatment or sexual orientation

Purpose of Use of Personal Information

Amana Group (Amana Inc. and its subsidiaries; hereinafter the same applies) uses customers’ personal information received through its business activities, only within the scope of that which is necessary for carrying out the following work and fulfilling the following purposes of use:

  1. Purpose of Use
    1. To receive applications and consultations concerning Amana Group’s business and services
    2. To make various proposals and introductions/presentations concerning Amana Group’s business and services (including the sending of direct mail and e-mail newsletters)
    3. To confirm the identity of the individual or the individual’s representative, etc.
    4. To subcontract work within the scope necessary to carry out work appropriately when providing Amana Group’s work and services
    5. To carry out commissioned work appropriately, when commissioned by another company or service provider, etc., to process all or part of its personal information
    6. To exercise rights and fulfill obligations pursuant to laws and contractual agreements with customers, etc.
    7. To develop new Amana Group businesses and services and improve or enhance existing businesses and services through the carrying out of market research, data analysis, questionnaire surveys and other such means
    8. To provide the goods and services of partner companies, etc., and to offer various proposals relating to such goods and services
    9. To terminate or cancel various transactions and registered subscriptions to e-mail newsletters, etc., and to carry out necessary processing after such terminations or cancellations
    10. To identify and manage various risks as necessary to run its business
    11. To appropriately and smoothly fulfill other transactional and contractual obligations to customers in the course of Amana Group’s work

    Provided, however, that in addition to the aforesaid purposes, in the cases set forth below, Amana Group may provide personal information within a minimum necessary scope without obtaining a principal’s consent.

    1. Cases based on laws and regulations;
    2. Cases in which there is an urgent need to protect a human life, body, property, right, etc., and when it is difficult to obtain a principal’s consent;
    3. Cases in which there is a special need to protect public hygiene or children’s health, and when it is difficult to obtain a principal’s consent;
    4. Cases in which there is a need or an order to cooperate in regard to a central government organization, a local government, etc. performing affairs prescribed by laws and regulations
  2. Regarding the Shared Use of Personal Information
    Amana Group will make use of personal information specified in the “Items of Information” below, jointly with partner companies of Amana Group, for the purpose specified in Item (8) of Paragraph 1 (Purpose of Use) set forth in these Rules.
  3. Items of Personal Information
    The items of personal information that Amana Group makes shared use of consist of names, addresses, telephone numbers, e-mail addresses and other general personal information in the possession of Amana Group. Amana Group may sometimes record the content of phone calls in order to accurately understand the opinions and requests of its customers.

For inquiries, consultations and complaints, etc., concerning the protection of personal information, please contact us at our Personal Information Inquiries Desk.

Personal Information Inquiries Desk:

Contact:
Information Security Committee, amana inc.
Address:
Higashishinagawa, Shinagawa-ku, Tokyo, Japan 140-0002
Email address:
privacy@amana.jp

amana group
GDPR Privacy Policy

The amana group endeavors to protect the privacy of users of its websites. Please read this Privacy Policy carefully and in full before using any amana group website.

1.DEFINITIONS

In this Privacy Policy, the following definitions apply.

Applicable Privacy Legislation
Applicable Privacy Legislation, including the EU General Data Protection Regulation (“GDPR”) and the relevant national implementation acts
Contract
The Contract between a Customer and any amana group company concerning products or services.
Personal Data
Any information concerning an identified or identifiable natural person, as described in article 3 of this Privacy Policy, that is processed by the amana group
Privacy Policy
The present Privacy Policy
Processing
Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction
amana group Websites
Any website operated by an amana group company listed on the website of amana inc. (https://amana.jp/)
amana group
amana inc. (2-2-43, Higashishinagawa, Shinagawa-ku, Tokyo, Japan) and its subsidiaries (https://amana.jp/company/groupcompanies/)

2.SCOPE OF APPLICATION OF PRIVACY POLICY

  • (1)This Privacy Policy applies to every use of amana group Websites by you and any Processing of Personal Data obtained by us via amana group Websites to which the Applicable Privacy Legislation applies. amana inc. is the Controller for this Processing.
  • (2)amana group Websites may include references to third parties (for example hyperlinks, banners or buttons). The amana group does not control these references and is not responsible for compliance with the Applicable Privacy Legislation by these third parties. We recommend that you carefully read the privacy policies of the third-party websites you are visiting.

3.PERSONAL DATA COLLECTED

  • (1)The amana group may collect the following Personal Data either directly from you or through another amana group company or contractor entrusted with operations such as payment or the acceptance of applications:
    • a)name and country, address details;
    • b)e-mail address;
    • c)username and password;
    • d)company name or name of organization to which you belong;
    • e)telephone number;
    • f)date of birth;
    • g)gender;
    • h)payment details such as credit card information;
    • i)IP address.
  • (2)The amana group does not collect sensitive Personal Data such as health data via amana group Websites (unless provided for in the Applicable Privacy Legislation).
  • (3)The amana group collects Personal Data when you:
    • a)register on amana group Websites;
    • b)subscribe to a newsletter, etc.;
    • c)place an order or request product delivery through amana group Websites; or
    • d)otherwise use amana group Websites.
  • (4)The amana group will only process the Personal Data in accordance with Applicable Privacy Legislation as described in this Privacy Policy.

4.PURPOSES AND LEGAL GROUNDS FOR PROCESSING PERSONAL DATA

  • (1)The amana group collects and processes your Personal Data (3. (1) a ~ i) solely for the purposes specified below:
    • a)Performance of a Contract: If you decide to place an order via amana group Websites, your Personal Data may be processed by the amana group to the extent necessary for the performance of a Contract.
    • b)Communication: Your Personal Data may be used to communicate with you about the amana group’s products and services and to inform you of matters that are important for your account and/or use of amana group Websites and the handling of any complaints. If you create an account on amana group Websites, the amana group will keep the Personal Data so that you do not have to enter it every time. This Processing of Personal Data is necessary for the performance of a Contract and/or for purposes of a legitimate interest pursued by the amana group, namely to conduct its normal business.
    • c)Marketing purposes: To approach you via e-mail for marketing purposes, the amana group always requests your prior consent, unless it concerns offers about similar products that you have ordered. You always have the right and option to unsubscribe from mailings. This Processing of Personal Data is necessary for purposes of a legitimate interest pursued by the amana group, namely to keep in touch with you and to offer you similar products and services or is based on prior consent.
    • d)Customer service: If you use customer service, the amana group will use your Personal Data to provide you with customer service. This Processing of Personal Data is necessary for the performance of a Contract and/or for purposes of a legitimate interest pursued by the amana group, namely to conduct its normal business.
  • (2)If we intend to further process the Personal Data for a purpose other than that for which the Personal Data were collected, we will provide you with information about that other purpose and all relevant further information before that further Processing.
  • (3)The amana group does not make decisions based solely on automated data processing that will have a legal or similarly significant effect on you.
  • (4)If the provision of Personal Data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, the amana group will notify you separately of whether you are obliged to provide the Personal Data and of the possible consequences of failure to provide such data.

5.TRANSFER OF PERSONAL DATA TO THIRD PARTIES

The amana group will share your Personal Data within the amana group in accordance with the Applicable Privacy Legislation for the purposes listed in this Privacy Policy.

    6.SECURITY

    • (1)The amana group takes appropriate technical and organizational security measures to protect your Personal Data and to prevent misuse, loss or alteration thereof. In addition, we limit access to Personal Data to those employees, agents, contractors and other third parties who have a need to have access. Also the aforementioned persons involved are bound by a confidentiality obligation, either in their employment agreements or data processing contracts.
    • (2)The amana group has an information security basic policy in place. In the event of a personal data breach, we will notify the relevant supervisory authority and the data subjects involved if required under Applicable Privacy Legislation.

    7.RETENTION PERIODS

    • (1)The amana group does not store your Personal Data any longer than strictly necessary for the purposes for which we collect and process the Personal Data. Actual retention periods are determined based on consideration of the purposes for which Personal Data is collected and processed, the nature of the Personal Data, and legal or business requirements for the retention of Personal Data.
    • (2)You may request the amana group to delete your Personal Data at any stage.

    8.COOKIES

    • (1)The amana group uses cookies to ensure that amana group Websites function properly.
    • (2)Cookies are small pieces of information that are stored by the browser on your computer. The amana group uses different types of cookies for different purposes.
      • a)Functional cookies: Cookies that are necessary for amana group Websites to function properly, including cookies that are necessary to create an account;
      • b)Analytical cookies: Cookies that ensure that insight can be gained into how you use (parts of) amana group Websites, so that the amana group can improve amana group Websites and that they fit as well as possible with what you find interesting and important. The amana group uses the data obtained with these cookies only to study the use of amana group Websites.
    • (3)The amana group only uses third party cookies to improve the quality and effectiveness of amana group Websites. For example, it uses Google Analytics, which is set up in a privacy-friendly manner. Google Analytics processes the IP addresses for the amana group.
    • (4)Most browsers are set to accept cookies by default. You can set the browser to disable cookies or indicate when a cookie is being sent. However, it is possible that some functions and services of both the amana group and other websites do not function properly if cookies are disabled.

    9.YOUR RIGHTS

    • (1)You have the right to withdraw the consent given in relation to your Personal Data at any time. Provided, however, that the withdrawal of consent shall not affect the lawfulness of Processing based on consent before its withdrawal.
    • (2)You have the right to request access to your Personal Data. This enables you to receive a copy of the Personal Data the amana group holds about you.
    • (3)You have the right to request rectification of the Personal Data that the amana group holds about you. This enables you to have any incomplete or inaccurate data we hold about you corrected.
    • (4)You have the right to request erasure of your Personal Data. This enables you to ask the amana group to delete or remove Personal Data where there is no good reason for us continuing to process it.
    • (5)You have the right to object to Processing of your Personal Data where the amana group is relying on a legitimate interest. Insofar as the Processing of your Personal Data takes place for direct marketing purposes, the amana group will always honor your request. For Processing for other purposes, we will also cease and desist Processing, unless we have compelling legitimate grounds for the Processing which override your interests, rights and freedoms or that are related to the institution, exercise or substantiation of a legal claim.
    • (6)You have the right to request restriction of Processing of your Personal Data under certain conditions.
    • (7)You have the right to request the transfer of your Personal Data to you or to a third party (right to data portability). The amana group will provide to you, or a third party you have chosen, your Personal Data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for the amana group to use or where the amana group used the information to perform a Contract with you.
    • (8)The exercise of the abovementioned rights is free of charge. The amana group will provide you with information about the follow-up to the request immediately and in any case within one month of receipt of the request. Depending on the complexity of the request and on the number of requests, this period can be extended by another two months. We will notify you of such an extension within one month of receipt of the request.
    • (9)If your requests are manifestly unfounded or excessive, in particular because of the repetitive character, the amana group will either charge you a reasonable fee or refuse to comply with the request.
    • (10)In addition to the above-mentioned rights you have the right to lodge a complaint about the amana group’s Processing of your Personal Data with a supervisory authority, in particular in the EU Member State of your habitual residence, place of work or of an alleged infringement of the GDPR at all times. However, the amana group would appreciate the chance to deal with your concerns before you approach the supervisory authority so please contact us beforehand.

    10.CONTACT DETAILS

    For any questions, complaints or in the event that you wish to make use of one of the rights mentioned in 9. of this Privacy Policy, you may contact us at the contact details below:

    Contact:
    Information Security Committee, amana inc.
    Address:
    Higashishinagawa, Shinagawa-ku, Tokyo, Japan 140-0002
    Email address:
    privacy@amana.jp

    11.MISCELLANEOUS

    • (1)The amana group is entitled at all times to delete your account without notice. In such a case, the amana group owes no compensation to you as a result of the termination of the account.
    • (2)The amana group reserves the right to change this Privacy Policy on a regular basis. It is your responsibility to regularly review the applicable conditions. This Privacy Policy was last amended and revised on May 15, 2020.
    • (3)If a provision from this Privacy Policy is in conflict with the law, it will be replaced by a provision of the same purport that reflects the original intention of the provision, all this to the extent legally permissible. In that case, the remaining provisions remain applicable unchanged.

    Basic Policy on Protection of Specific Personal Information

    1. Name of Business Operator
      Amana Inc.
    2. Compliance with Related Laws, Guidelines, Etc.
      Amana Inc. (hereinafter referred to as the “Company”) will comply with the Act on the Use of Numbers to Identify a Specific Individual in the Administrative Procedure (“Identification Number Act”) and other laws and regulations of Japan related to specific personal information protection, and the guidelines and other related codes stipulated by the State (hereinafter referred to as “Guidelines”).
    3. Matters Related to Measures for Security Management
      The Company will establish internal rules and take reasonable and appropriate measures to prevent the leakage, loss or damage of specific personal information, etc.
    4. Appropriate Management of Specific Personal Information
      The Company will appoint a person in charge of specific personal information, and will conduct regular inspections of the status of management of specific personal information and endeavor to appropriately manage specific personal information.
    5. Contact Information on Complaint and Consultation
      For complaints, etc. related to the handling of specific personal information by the Company, please contact:
      Contact:
      Information Security Committee, amana inc.
      Address:
      Higashishinagawa, Shinagawa-ku, Tokyo, Japan 140-0002
      Email address:
      privacy@amana.jp

    Established: February 1, 2016
    Last Updated: January 14, 2021

    ISO/IEC27001:2013 Certification

    amana inc. has obtained the ISO/IEC27001:2013 international information security management standard certification.

    Certification standard

    JIS Q 27001:2014(ISO/IEC 27001:2013)

    Accreditation body

    ISMS-AC (ISMS Accreditation Center)

    Certifying body

    Perry Johnson Holding, Inc. Perry Johnson Registrars, Inc.

    Certificate registration number

    C2020-03065

    Date of initial registration

    November 24, 2008

    Date of issue

    November 24, 2020

    Expiry date

    November 23, 2023

    Scope of registration

    Visual Communication (Sales of Creative Materials; Production of Advertising Visuals; Planning and Production of Content; Planning and Management of Education Programs; Planning and Editing of Books) - Statement of Applicability, Revision 6 -

    Organization / department name

    amana inc. / amanaimages inc. / amana photography inc. / MISSILE COMPANY inc. / needsplus Inc. / un inc. / XICO inc.