Compliance

IIJ Group Global Privacy Policy

Personal data collected in EEA and transferred from EEA established on May 25, 2018

As a provider of the Internet, which is an important social infrastructure directly linked to our daily lives, Internet Initiative Japan Inc. (“IIJ”) and its subsidiaries and group entities (“IIJ Group”) contribute to society by providing services that our customers feel at ease using, forging a new networked society together with them.

Considering that personally identifiable information and any data related to it (“personal data”) should be treated carefully based on the principle of respect for individuals to fulfill this role in society, the IIJ Group is committed to processing personal data properly.  The IIJ Group recognizes its responsibility to protect your personal data strictly as a corporation that processes its customers’ important information in the course of its telecommunications business and other operations. Therefore, IIJ established the following Global Privacy Policy, applicable to collect personal data in European Economic Area (EEA) and the transfer of personal data from EEA, which it will notify to its personnel and publicize, and make efforts to collect, use, and provide personal data properly.

 

Person in Charge

1. The IIJ Group assigns a person in charge of managing your personal data at each of its divisions that handle personal data and ensures that such persons manage personal data properly.

 

Collection of Personal Data

2. We process this personal data from our customers and users when we provide them with Internet connectivity and network-related services, network systems construction, operation and maintenance, development and sales of tele communication equipment, ATM operation business. We process this personal data in the interest of our customers and users, and in order to execute their service requests.

We also process personal data of our website visitors who access our webpages and online interfaces in their own interest, and in order to be able to provide them with their requested services.

When the IIJ Group collects your personal data, it makes efforts to specify the purpose of use, and notifies you in advance of the contact point at the IIJ Group for personal data, as well as the purpose and methods of using personal data. The scope of such collection is limited to the extent necessary. The IIJ Group does not collect personal data without your consent or in an unfair manner.

Each time personal data is collected from you directly in written form, the purpose shall be specified and your consent obtained (excluding cases where it is not deemed necessary to apply consent regulations based on the  General Data Protection Regulation and other applicable regulations, in which case you will informed of the legal basis).  When we rely on consent, you may withdraw your consent at any time, without this having an impact on the processing of personal data carried out until such withdrawal.

 

Use of Personal Data

3. The IIJ Group uses and provides your personal data within the scope of the purpose notified in accordance with the previous section, and obtains your prior approval in cases where the IIJ Group will use or provide your personal data outside the scope of such purpose. The IIJ Group stores personal data in accordance with the applicable regulations on storage of data for fiscal or commercial purposes and, furthermore, it only retains personal data for as long as it is necessary to fulfil the purpose pursued.

 

Non-Disclosure of Personal Data

4. The IIJ Group does not disclose your personal data to any third party unless as provided in the previous section or required by law or otherwise.

 

Security of Personal Data

5. The IIJ Group takes sufficient measures to protect your personal data from risks such as unauthorized access, information leaks, destruction, tampering, disclosure or otherwise.

 

Personal Data Complaints, Inquiries and Exercise of Rights

6. When you wish to complain or inquire about the handling of personal data or correct your personal data, you may contact the contact point at the IIJ Group. You may also exercise your rights of access, rectification, erasure, restriction or objection of the processing of your personal data, by contacting us at the following contact form.

The IIJ Group will respond to such requests within a reasonable amount of time and, in any event, earlier than one month after the complaint, enquiry or request has been addressed.  You may also lodge a complaint with the national supervisory authorities on matters of protection of personal data.

 

Provision or Entrustment of Personal Data

7. We may share your personal data with Company Group entities and with third-parties in accordance with the GDPR.

7.1 The IIJ Group may provide your personal data or entrust collection or processing of your personal data to third parties other than the IIJ Group for the purpose of use provided in section 2.

a) Strategic Partners: Subject to your prior consent, your personal data may be transferred to, stored, and further processed by strategic partners that work with us to provide our products and services or help us market to customers.

b) Service Providers: We share your personal data with companies which provide services on our behalf, such as hosting, maintenance, support services, email services, marketing, auditing, fulfilling your orders, processing payments, data analytics, providing customer service, and conducting customer research and satisfaction surveys.

In all these cases, the IIJ Group will specifically inform you of the third parties or categories of third parties entrusted for the collection or processing of your personal data, and ensure that such third parties are sufficiently able to protect personal data.

7.2 Corporate Affiliates and Corporate Business Transactions: We may share your personal data with all Company’s affiliates. In the event of a merger, reorganization, acquisition, joint venture, assignment, spin-off, transfer, or sale or disposition of all or any portion of our business, including in connection with any bankruptcy or similar proceedings, we may transfer any and all personal data to the relevant third party.

7.3 Legal Compliance and Security: It may be necessary for us – by law, legal process, litigation, and/or requests from public and governmental authorities within or outside your country of residence – to disclose your personal data.  We may also disclose your personal data if we determine that, for purposes of national security, law enforcement, or other issues of public importance, disclosure is necessary or appropriate.  We may also disclose your personal data if we determine in good faith that disclosure is reasonably necessary to protect our rights and pursue available remedies, enforce our terms and conditions, investigate fraud, or protect our operations or users.

We will not use your personal data for direct marketing purposes (such as email, fax, or automated calling system) unless you have expressly consented to such use of your personal data.

 

Transfers of Data Outside the EEA

8. The IIJ Group will inform you when your personal data is collected or processed from outside the EEA. Where we share your data with any entity outside the EEA, we will put appropriate legal frameworks in place the standard contractual clauses in order to cover such transfers.

 

Records of Data Processes

9. We handle records of all processing of personal data in accordance with the obligations established by the GDPR, both where we might act as a controller or as a processor. In these records, we reflect all the information necessary in order to comply with the GDPR and cooperate with the supervisory authorities as required.

 

Security Measures

10. We process your personal data in a manner that ensures their appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures to achieve this.

 

Notification of Data Breaches to the Competent Supervisory Authorities

11. In case of breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed, We have the mechanisms and policies in place in order to identify it and assess it promptly. Depending on the outcome of our assessment, we will make the requisite notifications to the supervisory authorities and communications to the affected data subjects, which might include you.

 

Processing Likely to Result in High Risk to Rights and Freedoms of Data Subjects

12. We have mechanisms and policies in place in order to identify data processing activities that may result in high risk to your rights and freedoms. If any such data processing activity is identified, we will assess it internally and either stop it or ensure that the processing is compliant with the GDPR or that appropriate technical and organizational safeguards are in place in order to proceed with it.

In case of doubt, we will contact the competent Data Protection Supervisory Authority in order to obtain their advice and recommendations.

 

The Rights of Data Subjects

13. You have the following rights regarding personal data collected and processed by us.

  • Information regarding your data processing: You have the right to obtain from us all requisite information regarding our data processing activities that concern you (Articles 13 and 14 GDPR).
  • Access to personal data: You have the right to obtain from us confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, access to the personal data and certain related information (Article 15 GDPR).
  • Rectification or erasure of personal data: You have the right to obtain from us the rectification of inaccurate personal data concerning you without undue delay, and to complete any incomplete personal data (Article 15 GDPR). You may also have the right to obtain from us the erasure of personal data concerning you without undue delay, when certain legal conditions apply (Article 17 GDPR).
  • Restriction on processing of personal data: You may have the right to obtain from us the restriction of processing of personal data, when certain legal conditions apply (Article 18 GDPR).
  • Object to processing of personal data: You may have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you, when certain legal conditions apply (Article 21 GDPR).
  • Data portability of personal data: You may have the right to receive your personal data in a structured, commonly used and machine-readable format, and have the right to transmit those data to another controller without our hindrance, when certain conditions apply (Article 20 GDPR).
  • Not to be subject to automated decision-making: You may have the right not to be subject to automated decision-making (including profiling) based on the processing of your personal data, insofar as this produces legal or similar effects on you, when certain conditions apply (Article 22 GDPR).
  • Access the binding corporate rules or the standard contractual clauses on the basis of which your data is being transferred abroad.

If you intend to exercise such rights, please refer to the contact section below.

If you are not satisfied with the way in which we have proceeded with any request, or if you have any complaint regarding the way in which we process your personal data, you may lodge a complaint with a Data Protection Supervisory Authority.

 

Children Data

14. Our products and services are intended to adult customers. Thus, we do not knowingly collect and process information of children under sixteen (16). If we discover that we have collected and processed the personal data of a child under sixteen (16), or the equivalent minimum age depending on the concerned jurisdiction, We will take steps to delete the information as soon as possible. If you become aware that a child under sixteen (16) has provided us with personal data, please contact us immediately by using the contact address specified under this Privacy Policy.

 

Updates to the IIJ Global Privacy Policy

15. We may revise or update this Privacy Policy from time to time. Any changes to this Privacy Policy will become effective upon posting of the revised Privacy Policy via the Services. If we make changes which we believe are significant, we will inform you through the Website to the extent possible and seek for your consent where applicable.

 

Compliance with Laws and Regulations and Improvement of this Policy

16. The IIJ Group abides by the laws and regulations applied with regard to personal data and makes continuous efforts to improve its personal data management system.

The contact details of the Data Protection Officer are as follows:

iijgroup-dpo-contact@iij.ad.jp