IDC Frontier Inc. (Address: Hibiya Park Front 18F, 2-1-6 Uchisaiwaicho, Chiyoda-ku, Tokyo; Representative: Katsuhisa Suzuki, President & CEO; hereinafter referred to as "IDC Frontier") is a telecommunications company which has filed notification as a telecommunications carrier under the Telecommunications Business Act. In its handling of personal data, IDC Frontier is responsible for complying with the provisions defining confidentiality of communication as stipulated in the Telecommunications Business Act (Act No. 86 of 1984), the Act on the Protection of Personal Information (Act No. 57 of 2003), a variation on the guidelines of the Act on the Protection of Personal Information, provisions for the protection of personal information stipulated in the Guidelines on Personal Information in Telecommunication Business (Ministry of Internal Affairs and Communications Notification No. 152 of April 18, 2017), and other related laws and guidelines.
- Definition of personal data
- Purpose of use of personal data
- Shared use
- Means of collecting personal data and procedures
- Third party provision
- Sales promotion activities targeted at customers
- Protection of personal data
- Customers' rights to personal data maintained by IDC Frontier
- Safety management measures
- Policy on the protection of personal data subject to GDPR
- Contact for personal data
- Disclosure, etc. of personal data
- Supplementary Provisions
1. Definition of personal data
"Personal data" refers to any information handled by IDC Frontier with which an individual customer can be directly or indirectly identified. It may include "personal information" and "special-care-required personal information".
"Personal information" refers to information relating to a living individual which falls under any of the following:
(i) That information which contains a name, date of birth, or other descriptions (meaning any and all matters stated or recorded in a document, drawing or electromagnetic record (meaning a record kept in an electromagnetic form (electronic, magnetic or other forms that cannot be recognized through human senses)) or otherwise expressed using voice, movement or other methods (excluding individual identification codes); the same shall apply hereinafter) whereby a specific individual can be identified (including that information which can be readily collated with other information to identify a specific individual); or
(ii) That information which contains an individual identification code.
"Individual identification codes" refer to any letters, numbers, symbols, or other codes which fall under any of the following and are prescribed by the Order for Enforcement of the Act on the Protection of Personal Information:
(i) Letters, numbers, symbols, or other codes into which the identifying features of a body part of a specific individual are converted for use by a computer, with which that specific individual can be identified, or
(ii) Letters, numbers, symbols, or other codes which are assigned to the use of services provided to individuals or to the purchase of goods sold to individuals, or which are stated or electromagnetically recorded on cards or other documents issued to individuals so as to be able to identify a specific user or purchaser, or recipient of issuance by assigning to, or stating or recording for, each user, purchaser or recipient, a unique set of letters, numbers, symbols or other codes.
"Special-care-required personal information" refers to that personal information containing a customer's race, creed, social status, medical history, criminal record, whether he/she has suffered damage by a crime, or other descriptions, etc. designated by cabinet orders such that the handling of which requires special care so as not to cause unfair discrimination, prejudice or other disadvantages to the customer.
The personal data to be collected by IDC Frontier includes, but is not limited to, customers' names, addresses, telephone numbers, e-mail addresses, fax numbers, dates of birth, identification numbers, videos, images, and biometric data.
2. Purpose of use of personal data
IDC Frontier will use, share with, and provide to, third parties the personal information to the extent necessary to achieve the purpose of use set forth below in providing customers with datacenter services, cloud services, hosting services and telecommunications services (including sales, provision and rental of related services and products; hereinafter collectively referred to as the "services, etc."). IDC Frontier shall not acquire personal data through fraudulent or other unlawful means.
In this context, customers include those using the services, etc. as well as those who are considering using them, have made reservations for them, and have cancelled them.
In addition, the services, etc. include campaigns, events, seminars, questionnaires, etc.
(1) Procedures and customer support
IDC Frontier will use the personal data of its customers to follow procedures and deliver customer support, etc., in ways such as follows:
- Follow procedures for processing applications for its services, etc. or services, etc. handled by it or to respond to inquiries about its services, etc. or services, etc. handled by it;
- Check if the conditions for the application are fulfilled;
- Follow procedures for processing applications (use of, change regarding, cancellation of, and other handling of, the services, etc.);
- Offer guidance when contacted about the services, etc. that the customer uses, and;
- Respond to opinions, requests, and inquiries from its customers.
(2) Service Provision
IDC Frontier will use the personal data of its customers to provide services and achieve similar objectives, in ways such as follows:
- Provide the services, etc. based on the applications as well as ancillary services, etc.;
- Perform routines necessary to provide the services, etc. based on the applications as well as ancillary services, etc.;
- Manage transactions carried out based on the applications;
- Perform construction work for, and maintenance of, its services, etc. or services, etc. handled by it;
- Prevent the occurrence of damage and accidents to, and malfunctioning of, its services, etc. and facilities or services, etc. and facilities handled by it and detect and respond to such an occurrence;
- Calculate the usage fees and the expenses necessary for the provision of the services, etc. and charge said fees and expenses (including those we are commissioned to collect and those transferred to us);
- Hold lotteries for campaigns and send prizes;
- Transfer money for the purpose of points return, etc.;
- Check the customer's subscription to its services, etc. or services, etc. handled by it;
- Check whether the customer is entitled to the privilege offered by it;
- Perform verification and authentication of the customer; and
- Prevent unlawful transactions and unauthorized uses, and respond to, and inform the customer of, such an unlawful transaction or unauthorized use when it has occurred.
(3) Improvement of service quality and development
IDC Frontier will utilize the personal data of its customers to improve the services, etc., develop new services, etc. and achieve similar objectives, in ways such as follows:
- Perform tasks and undertake research and analysis activities to improve the convenience and quality of its services, etc.;
- Perform tasks and undertake research and analysis activities to arrange and develop new services, etc. and the services, etc. suitable for its customers;
- Undertake research and marketing analysis activities to determine whether its customers are satisfied with its services, etc.; and
- Analyze the information, etc. regarding the use by its customers and customize the contents of the services, etc. in use.
IDC Frontier will use the personal data of its customers to make announcements about the services, etc., distribute recommended content and achieve similar objectives, in ways such as follows:
- Make announcements about its services, etc., affiliated services, etc. and services, etc. offered by other companies (by e-mail, DM, phone, Internet, or ad distribution/display);
- Provide information recommended to its customers (by e-mail, DM, phone, Internet, or ad distribution/display);
- Analyze information, etc. regarding the use by its customers and provide information about its services, etc., affiliated services, etc. and services, etc. offered by other companies which are recommended to them (by e-mail, DM, phone, Internet, or ad distribution/display); and
- Analyze information, etc. regarding the use by its customers and provide information recommended to them (by e-mail, DM, phone, Internet, or ad distribution/display).
To achieve the abovementioned purposes of use, IDC Frontier may provide the personal data of its customers to Softbank Corp., Yahoo Japan Corp., and other companies which it commissions to perform work. In addition, IDC Frontier will provide the personal data to partner business operators such as Nippon Telegraph and Telephone East Corporation (NTT East Japan) and Nippon Telegraph and Telephone West Corporation (NTT West Japan), for the purpose of undertaking the activities required to establish interconnection with them to provide telecommunications services, and to perform related activities. Furthermore, if a customer has concluded a contract with another telecommunications carrier while he/she is under a communication service contract with IDC Frontier, it may provide his/her personal data related to the contracted service to said telecommunications carrier under its contract terms and conditions.
3. Shared use
IDC Frontier may use personal information in a shared manner, as follows, for the purpose of the sales, provision, etc. of cloud services:
(1) Parties sharing information with IDC Frontier
(2) Personal information used in a shared manner
Names, entity names, telephone numbers, addresses, e-mail addresses, user numbers, billing addresses, age, gender, selected rate types, discounts, payment status, etc., and all other personal information obtained by IDC Frontier with respect to its customers at the time of the application and service provision, and all the personal information necessary for the activities listed in the "Purpose of shared use"
(3) Purpose of shared use
To provide customer support, including, but not limited to, responses to inquiries from customers, provision of guidance on, and information about, the use of products or services provided by the shared users
(a) Computation of charges
(c) Marketing research and analysis
(d) Recommendation, etc. of IDC Frontier's or other company's products, services, and campaigns
(e) Notification of the provision of information contributing to the development of the industry providing the services, etc. and the improvement of customer service
(f) Registration, management, provision, construction and maintenance of the services, etc., and activities to deal with malfunctions including the repair of defects in facilities and software update
(g) Disclosure to discussion forums, etc.
(h) Determination of whether to provide products and services related to IDC Frontier and shared users, as well as their provision
(4) Manager of protection of personal information subject to the shared use
IDC Frontier Inc.
Katsuhisa Suzuki, President & CEO
Hibiya Park Front 18F, 2-1-6 Uchisaiwaicho, Chiyoda-ku, Tokyo
4. Means of collecting personal data and procedures
Personal data will be collected from customers through the use of application forms, direct communication with the customers (phone call, etc. *1), receipt of information through e-mail and the website, information provision by a third party which has obtained approval from the customer, or any other legitimate way. In addition, when a customer has concluded a contract with IDC Frontier while he/she is in a contract with another telecommunications carrier, IDC Frontier may acquire his/her personal data related to the service contracted with IDC Frontier from said telecommunications carrier under the contract terms and provisions of said telecommunications carrier.
The use of personal data by IDC Frontier will be limited to those cases where the data must be used for the purpose of billing, provision of customer service, network management and other transactions with the customer (i.e., those cases where IDC Frontier is requested by the customer to provide its product and/or service).
*1 Note that calls from customers made to the contact for inquiries may be recorded to accurately understand the content of the call and respond to it appropriately.
5. Third party provision
(1) To manage campaigns hosted by its sales agents and sales cooperative shops (hereinafter collectively referred to as "campaign hosts") and run the campaigns by granting and delivering privileges and undertaking other relevant activities, IDC Frontier may provide the personal information of the customers targeted by the campaigns (names, addresses, telephone numbers and other information with which the customers targeted by the campaigns can be identified) to the campaign hosts.
(2) To recommend or provide products, services or campaigns to the applicants or contracting persons, analyze or improve the products, services or campaigns, provide support for them, or implement other relevant activities, IDC Frontier may provide the personal information of the applicants or contracting persons (names, addresses, telephone numbers, etc.) to the business operators engaged in the recommendation, provision, analysis, improvement of, or support of, the relevant products, services and campaigns.
To ensure compliance, the personal information collected independently by the business operators engaged in the recommendation, provision, analysis, improvement of, or support of, the relevant products, services and campaigns will not be governed by the policy for handling personal information established by IDC Frontier.
(3) To provide a service co-arranged with another company, IDC Frontier may provide the personal information required for the registration for, and provision of, the co-arranged service (names, addresses, telephone numbers, e-mail addresses, dates of birth, gender, and other information, etc. necessary to identify the customer and undertake activities required for the co-arranged service) to said company.
IDC Frontier will not acquire special-care-required personal information without obtaining the prior approval of the customer unless:
- Laws and regulations require otherwise;
- It is required to protect the life, body, or property of an individual and it is difficult to obtain approval from the customer;
- It is required to improve public health or promote the sound growth of children and it is difficult to obtain approval from the customer;
- It is required to cooperate with a state organ, a local government, or an individual or business operator entrusted by either of the former two in handling the affairs prescribed by laws and regulations and the handling of said affairs may be prevented by obtaining approval from the customer;
- The relevant special-care-required personal information has already been disclosed by the customer, a state organ, a local government, any person stated in any Items of Article 76 (1) of the Act on the Protection of Personal Information, any other person prescribed by the Rules of the Personal Information Protection Commission; or
- Anything occurs which falls under a case treated by laws or ordinances as equivalent to any cases set forth in the preceding Items.
*1 Third parties located overseas
Name of the country to which the information is transferred: USA
Information about the program to protect personal information in place in the abovementioned country as confirmed by an appropriate and reasonable method: Research into programs, etc. to protect personal information in place overseas (Personal Information Protection Commission(JP))
6. Sales promotion activities targeted at customers
If IDC Frontier collects the personal data from its customer, he/she may be requested to select the means to receive promotional materials (mailing, e-mailing, phone calls, facsimile transmission, etc.) in the case that he/she agrees to receive promotional materials from it (and/or a third party). In this case, the promotional materials will be delivered by IDC Frontier using only the method selected by the customer. The customer is entitled to terminate the receipt of the promotional materials at any time if he/she disagrees to the way the personal data is used for the purpose of the provision thereof or to the way those materials are delivered. However, in the case that the customer has agreed to receive the promotional materials from a third party, he/she will be requested to directly contact said third party to terminate the receipt of the promotional materials.
8. Protection of personal data
IDC Frontier will implement appropriate technical and organizational security measures to prevent any unauthorized or illegal disclosure of, or unauthorized or illegal access to, the personal data, as well as leaks, loss, impairment of the personal data by accident or illegal means, or any other damage to the personal data. These measures will ensure the security level appropriate for risks inherent in the nature of the personal data to be protected and its processing process. The personal data of the customers will be securely maintained and can be accessed only by some employees of IDC Frontier with the authority to access it. If IDC Frontier commissions a third party to handle the personal data, it will conclude an agreement with said third party to appropriately control the work performed by said third party.
9. Customers' rights to personal data maintained by IDC Frontier
10. Safety management measures
IDC Frontier will take all necessary and appropriate safety management measures to manage the personal data, including those to prevent any leak or loss of, or damage to, said personal data. In addition, it will supervise persons engaged and contractors (including subcontractors) who/which will handle the personal data, in a required and appropriate manner.
(Establishment of basic policy)
- IDC Frontier has a basic policy in place to ensure that personal data is handled appropriately.
(Development of rules and regulations for handling of personal data)
- IDC Frontier defines the mode of handling, the manager and staff, their roles, etc. for each phase of acquisition, use, maintenance, provision, deletion/disposal, etc.
(Organizational safety management measures)
- IDC Frontier appoints a manager responsible for the handling of the personal data, clarifies the persons engaged in handling the personal data and the scope of the personal data handled by said persons, has a system in place to report any actual or threatened violations of the Act on the Protection of Personal Information or the Personal Information Handling Regulations to said manager.
- IDC Frontier regularly conducts self-inspections on the handling of the personal data and arranges its examination by other departments or external parties.
(Personal safety management measures)
- IDC Frontier regularly gives the persons engaged training in points to consider regarding the handling of personal data and lists particulars concerning the confidentiality of said personal data in its labor regulations.
(Physical safety management measures)
- In those locations where personal data is handled, IDC Frontier controls the entry and exit of the persons engaged, restricts the devices, etc. brought into said locations, and implements measures to prevent unauthorized persons from viewing personal data.
- IDC Frontier implements measures to prevent theft, loss, etc. of the devices, electronic media, and documents which handle the personal data and to ensure that the personal data will not be readily discovered when said devices, electronic media, etc. are transported including the case where those are moved within the office.
(Technical safety management measures)
- IDC Frontier implements access control to limit the persons in charge and the scope of personal information database, etc. to be handled.
- IDC Frontier has implemented a mechanism which protects the information system handling the personal data from unauthorized external access and unauthorized software.
(Understanding of external environment)
- IDC Frontier understands the personal information protection programs introduced overseas where it maintains personal data, and implements safety management measures in those countries based on said understanding.
- (ⅰ) if carried out in connection to activities of our establishment in the EEA,
- (ⅱ) if related to the offering of goods or services to the Data Subjects, or
- (ⅲ) if related to the monitoring of the Data Subject's behavior as far as their behavior takes place within the EEA.
(2) Collection and processing of personal data
IDC Frontier will always process the Data Subject's personal data based on one of the legal bases provided for in the GDPR (Articles 6 and 7). In addition, if processing personal data that requires special care, IDC Frontier will do so in accordance with the special rules provided for in the GDPR (Articles 9 and 10).
IDC Frontier may collect and process the Data Subject's personal Data in the following cases :(ⅰ) if required in order to provide the Data Subject with adequate services and products and IDC Frontier otherwise have a legitimate interest; (ⅱ) if required in order to perform an agreement with the Data Subject or carry out procedures before execution; or (ⅲ) if IDC Frontier has obtained the Data Subject's express prior consent. In that case, IDC Frontier will give notification of the purpose of that collection and processing to the Data Subject through notification when obtaining consent, agreement, or other appropriate means.
The Data Subject is entitled to withdraw his or her consent to the collection and processing of the personal data at any time, but this withdrawal will not affect the lawfulness of processing based on the consent before withdrawal thereof.
IDC Frontier will process the Data Subject's personal data for the above specified, explicit and legitimate purposes, and will not further process the personal data in a way that is incompatible with those purposes. If IDC Frontier intend to process personal data originally collected for one purpose in order to attain other objectives or purposes, IDC Frontier will ensure that the Data Subject is informed of this. IDC Frontier will keep personal data for as long as it is necessary for IDC Frontier to comply with our legal obligations, to ensure that IDC Frontier provides an adequate service, and to support our business activities (Articles 5 and 25(2) of the GDPR).
IDC Frontier ensure that the personal data processed shall be limited to what is adequate and necessary in relation to the purposes for which they are processed.
(3) Sharing personal data
IDC Frontier may share personal data with our group entities and with third-parties in accordance with the GDPR. Where IDC Frontier shares personal data with a data processor, IDC Frontier will put the appropriate legal framework in place in order to cover data transfer and processing (Articles 26, 28 and 29 of the GDPR). Furthermore, where IDC Frontier shares personal data with any entity outside the EEA, IDC Frontier will put appropriate legal frameworks in place, notably controller-to-controller (2004/915/EC) and controller-to-processor (2010/87/EU) Standard Contract Clauses approved by the European Commission, in order to cover such transfers (Chapter 5 of the GDPR).
Subject to the Data Subject's prior consent, personal data may be transferred to, stored, and further processed by collaborative partners that work with IDC Frontier to provide our products and services or help IDC Frontier market to Data Subjects.
- IDC Frontier may outsource all or part of the personal data processing in sales services, enquiry response services, equipment maintenance services, fee related services, marketing services, and other services.
- When executing an outsourcing agreement, the eligibility of the counterparty as an outsourcee is sufficiently investigated. Safety management measures, confidentiality, conditions for the outsourcee to outsource to another party, and other matters regarding the appropriate processing of personal data are prescribed in the outsourcing agreement, and our outsourcees are appropriately supervised by implementing periodic monitoring, etc. of the outsourcing conditions.
- The personal data provided (deposited) by the outsourcer in the services outsourcing is utilized within the scope necessary to perform the agreement with the outsourcer.
Corporate Affiliates and Corporate Reorganisations
IDC Frontier may share the personal data with all corporate affiliates. In the event of a merger, corporate reorganisation, civil rehabilitation, acquisition, joint venture, assignment, transfer, sale or disposition of all or any portion of our business (including in connection with any bankruptcy or similar proceedings), etc., IDC Frontier may transfer any and all personal data to the relevant third party.
Legal Compliance and Security
It may be necessary for IDC Frontier – by law, legal process, litigation, and/or requests from public and governmental authorities within or outside the Data Subject's country of residence – to disclose personal data. IDC Frontier may also disclose personal data if IDC Frontier determines that, for purposes of national security, law enforcement, or other issues of public importance, disclosure is necessary or appropriate.
IDC Frontier may also disclose personal data if IDC Frontier determines in good faith that disclosure is reasonably necessary to protect our rights and pursue available remedies, enforce our internal regulations, investigate fraud, or protect our operations or users.
Disclosures or sharing of personal data as described above may involve transferring personal data out of the EEA. For each of these transfers IDC Frontier make sure that IDC Frontier provide an adequate level of protection to the data transferred, in particular by entering into Standard Contract Clauses as defined by the European Commission decisions 2001/497/EC, 2002/16/EC, 2004/915/EC and 2010/87/EU.
(4) Our records of data processes
IDC Frontier handles records of processing of personal data in accordance with the obligations established by the GDPR (Article 30), where IDC Frontier might process personal data. In these records, IDC Frontier reflects all the information necessary in order to comply with the GDPR and cooperate with the supervisory authorities in accordance with the GDPR (Article 31).
(5) Security measures
IDC Frontier processes personal data in a manner that ensures such data appropriate security (including protection against unauthorized or unlawful processing and against accidental loss, destruction damage, etc.) using appropriate technical or organizational measures to achieve this (Articles 25(1) and 32 of the GDPR).
(6) Notification of data breaches to the competent supervisory authorities
In case of breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed, IDC Frontier has the mechanisms and policies in place in order to identify it and assess the details of the breach promptly. Depending on the outcome of our assessment, IDC Frontier will make the necessary notifications to the supervisory authorities and communications to the affected data subjects (Articles 33 and 34 of the GDPR).
(7) Processing likely to result in high risk to the data subject's rights and freedoms
IDC Frontier has mechanisms and policies in place in order to identify data processing activities that may result in high risk to the data subject's rights and freedoms (Article 35 of the GDPR). If any such data processing activity is identified, IDC Frontier will assess it internally and either stop it or ensure that the processing is compliant with the GDPR or that appropriate technical and organizational protective measures are in place in order to proceed with it.
In case of doubt, IDC Frontier will contact the competent Data Protection Supervisory Authority in order to obtain their advice and recommendations (Article 36 of the GDPR).
(8) Data subject's rights
IDC Frontier will notify the Data Subject of the details of the rights granted to the Data Subject under the GDPR when notifying the Data Subject of the purpose of processing personal data.
If the Data Subject will exercise such rights, please contact IDC Frontier at the address set forth section 11 below.
If the Data Subject is not satisfied with the way in which IDC Frontier have proceeded with any request, or if the Data Subject has any complaint regarding the way in which IDC Frontier process personal data, the Data Subject may lodge a complaint with a Data Protection Supervisory Authority.
If IDC Frontier collects and processes personal data from a child who is under 16 years of age or who has not reached the age limits under the laws of a Member State, IDC Frontier will process that data appropriately (Article 8 of the GDPR).
12. Contact point
Any inquiries regarding your personal data will be accepted at the following contact point:
Privacy Help Desk
Available Hours: From 9:30am to 12:00pm and 1:00pm to 5:00pm (JST)
Monday through Friday (except for national holidays and during year-end and New Year)
* IDC Frontier may record the phone calls with users in order to accurately recognize and respond users' request and opinion.
13. Disclosure, etc. of personal data
You may request access to or correction of your personal data according to the following procedure:
Request for personal data access
Revised April 1, 2022