Chief Privacy Officer
Senior Corporate Managing Directors
Nomura Research Institute, Ltd.
This Notice on Handling of Personal Information sets forth the basic guidelines relating to personal information of NRI Group (defined below), applicable to personal information obtained and used by Nomura Research Institute, Ltd. and its group companies (collectively, “NRI Group”).
As a business operator handling personal information (including information relating to an individual that can be used to identify that specific individual using the name, date of birth, or other descriptor contained therein) , NRI Group complies with the Personal Information Protection Policy, the Act on the Protection of Personal Information and related laws and regulations, and this Notice on Handling of Personal Information.
Purposes of Use
NRI group process personal information based on consent in accordance with legal requirements in principle.
The personal information handled in the businesses carried out by NRI Group is used for the following purposes.
Personal information marked with an asterisk (“*”), as retained personal data, is eligible for requests to NRI Group for notice of purposes of use, disclosure, correction, addition or removal, withdrawal of consent for the processing of personal information, specifically including suspension of use, deletion, and suspension of provision to third parties (“Disclosure etc.”)
|Personal Information Categories||Purposes of Use|
|Information obtained from transaction counterparty|
|Information entrusted by transaction counterparties through entrusted services||
|Information obtained in conjunction with contracts for purchase and use etc. of NRI Group services and products||
|Information obtained from an individual|
|Information obtained through conclusion of a contract for provision of a service, purchase & use of a product etc.||
|Information entrusted by transaction counterparties through entrusted services||
|Information on persons participating in or visiting events or seminars etc.*||
|Information received through answers to surveys and questionnaires etc.*||
|Information relating to assorted inquiries*||
|Information relating to NRI Group visitors*||
|Information relating to persons requesting to be sent NRI Group publications*||
|Recruitment candidate information*||
|NRI Group employee information*||
If it becomes necessary to use personal information for any purpose other than the foregoing, NRI Group shall obtain the consent of the data subject in advance, except where handling as an exception is permitted in accordance with the Act on the Protection of Personal Information and other laws and regulations.
Service providers may be in foreign countries, and in such cases, please also check Provision to Third Parties in Foreign Countries.
Transfer to Third Parties
NRI Group does not transfer or disclose personal data that it acquires to any third parties including other service providers, except in the following cases.
- If requested by the data subject
- If pursuant to laws and regulations etc.
- If provision or disclosure is necessary to protect an individual’s life, body, or property, and it is difficult to obtain the consent of the data subject
- If provision or disclosure is specifically necessary for the improvement of public health or the promotion of sound development of children, and it is difficult to obtain the consent of the data subject
- If it is necessary to cooperate with the execution of administrative work as specified in laws and regulations by a national agency or a local government, or a person engaged thereby, and obtaining the consent of the data subject could impede the performance of such administrative work.
Transfer to Third Parties in Foreign Countries
NRI Group may outsource some of its operations relating to the handling of personal information to third parties in foreign countries as follows, and in connection with such outsourcing, personal data will be provided in order to attain the purposes set forth in Purposes of Use.
United States, China, United Kingdom, Australia, India, Germany, Singapore, Philippines, Vietnam, British Virgin Islands, Indonesia, Austria, Canada, Thailand, Denmark, Nepal, France, Luxembourg, Taiwan, Republic of Korea, Ireland
(2)Systems relating to personal information protection in the relevant foreign countries
Please check the survey results from the Personal Information Protection Commission regarding the systems for personal information protection in the relevant foreign countries. (https://www.ppc.go.jp/personalinfo/legal/kaiseihogohou/#gaikoku)
When NRI Group provides personal data to a third party in a foreign country, NRI Group shall supervise the third party as necessary and appropriate for personal information protection.
When providing personal data to a third party in a foreign country (of the above (1), excluding foreign countries that have a system for personal information protection at the same level as Japan), NRI Group will obtain the consent of the data subject after indicating the measures taken by the third party for personal information protection. However, if such third party has taken measures equivalent to the Act on the Protection of Personal Information, we will provide information on the measures at the request of the data subject in lieu of the data subject’s consent.
In relation to systems for protecting personal information in foreign countries and measures for protecting personal information taken by third parties to which it is provided, there are stipulated the obligations of business operators and the rights of individuals corresponding to the Eight Principles of the OECD Privacy Guidelines (*), for example.
Eight Principles of the OECD Privacy Guidelines
“Purpose Specification Principle” (The collection purpose should be specified and use of the data should match those purposes.)
“Use Limitation Principle” (Data should not be used for other purposes except where the data subject has consented or where provided by law.)
“Collection Limitation Principle” (Data should be collected by lawful and fair means, and with the knowledge or consent of the data subjects.)
“Data Quality Principle” (Personal data should be relevant to the purposes for which they are to be used, and should be accurate, complete, and kept up-to-date.)
“Security Safeguards Principle” (Personal data should be protected by reasonable security safeguards against such risks as loss, destruction, use, modification, and disclosure of data.)
“Openness Principle” (Data collection policies etc. should be published, and the existence, purposes of use, and controller of data should be clearly specified.)
“Individual Participation Principle” (A data subject should have the right to confirm or challenge the existence and content of data relating to him or her.)
“Accountability Principle” (A data controller should be accountable for complying with the principles.)
Disclosure, Correction, and Suspension of Use etc. of Registered Information
If there is a request for Disclosure etc. of retained personal data handled by NRI Group or records provided by third parties, the Disclosure etc. will be fulfilled after confirming that the person making the request is the data subject at any time. Please note that, pursuant to laws and regulations, we may not always be able to fulfill requests for Disclosure etc. but in that case we will inform you to that effect. In the case a counterparty outsources all or some of its operations relating to the handling of personal information, please contact the counterparty to request disclosure etc. of the relevant information.
The procedures for requesting Disclosure etc. of retained personal data are as follows.
Please complete the required fields in the following document yourself or through an agent, attach the identity verification document(s), and contact us by phone or email as set forth in Contact Information for Inquiries Relating to this Notice on Handling of Personal Information.. We will inform you about the procedures from the contact center or the department in charge.
Request form (download here)
Identity verification document(s) (one of the following)
＜Identity Verification Documents＞
■ For requests from a data subject
Driver’s license (copy), health insurance certificate (copy), passport (copy), resident’s card (copy)
■ For requests from an agent
If the legal agent of a minor
A document certifying the authority of legal representation (e.g., a copy or extract of the family register of the data subject) and identity verification documents for the data subject and the agent (“For requests from a data subject” above).
If the legal agent of an adult ward
A document certifying the authority of legal representation (e.g., a certificate of all registered matters) and identity verification documents for the data subject and the agent (“For requests from a data subject” above).
If an agent by delegation
A power of attorney from the data subject with respect to which the request is being made (with the registered seal of the data subject), the originals of certificates of registered seal for the data subject and the agent, and an identity verification document for the agent (“For requests from a data subject” above).
- You are responsible for all expenses relating to this matter.
- Personal information provided in making a request will be used only for responding to the request and managing its history.
- Please note that the documents submitted for confirming a request or confirming an agent will not be returned.
- Please note that we cannot accept requests by in-person visits.
Security Control Measures
NRI Group has taken strict security measures such as the following with respect to the management of obtained personal data in order to respect and protect the confidentiality of personal data and prevent unauthorized access to personal data. These measures include security control measures based on industry standards to prevent unauthorized access, disclosure, misuse, alteration, and destruction of personal data.
Enactment of basic guidelines
To ensure proper management and handling of personal data, NRI Group has enacted and published the Personal Information Protection Policy and the Declaration on Information Security Measures.
Establishment of rules for the handling of personal data
In addition to rules relating to personal information protection and information security established at the company-wide level, security rules are set for each project and are thoroughly enforced, especially for operations that involve information systems management.
Organizational security control measures
In relation to personal information protection and information security, NRI Group has put in place information security systems so that we can promptly take appropriate measures for day-to-day matters and in emergencies.
Human security control measures
Believing that employees need to tackle their work with an awareness of laws and regulations, the privacy mark (JIS Q 15001), and market trends from the viewpoint of personal information protection, NRI Group provides employees with multiple opportunities for education and other training to ensure improvement in information security levels.
Physical security control measures
When accessing system production environments, NRI Group uses secure rooms with dedicated access control, and takes measures to prevent access to personal data and other important information by unauthorized persons.
Technical security control measures
When accessing the system production environments, physical and logical access restrictions are put in place, and access is restricted by requiring the approval of the administrator. Further, NRI Group collects access logs to understand who accessed where and when.
Grasping of external environment
NRI Group may provide personal data (including outsourcing) to foreign countries as set forth in Provision to Third Parties in Foreign Countries in accordance with laws and regulations and related rules.
When providing personal data, including outsourcing to foreign countries, NRI Group grasps the system for protecting personal information in the destination country, checks the status of security control measures at the destination, and gives corrective instructions etc. as necessary.
Security for Websites etc.
When personal information is registered with us from the website, we use a data encryption technology called SSL as a security measure to prevent eavesdropping on the network.
SSL (Secure Sockets Layer): A common technology used as a security measure for communications on websites. When input data is sent over the Internet, interception is prevented by encrypting the entire communication.
NRI Group takes great care in its management of personal information, but given the nature of the Internet and email, we cannot fully guarantee the confidentiality of personal information. Please keep this in mind when using websites and email.
Handling of Cookies etc.
(1)Overview of information obtained from customers when accessing this website
This website acquires the following information when accessed by customers.
- Information that identifies the terminal device (cookie information and other terminal device identification codes)
- Customers’ use environments (e.g., connection source IP address, OS, browser information) and location information
- History of pages viewed by customers on this website (access history)
This information is automatically recorded mainly through cookies etc. when customers use the site. Cookies can be disabled or deleted by changing browser settings. However, this can result in problems such as the inability to use services, so we recommend enabling them.
Cookies: A mechanism for storing server information on the computer of a customer accessing a website. By recording the date and time of a customer's last visit, the number of visits, and information once inputted, the customer can easily use the previously selected functions. Please note that cookies can identify information about customers’ computers, but do not include personally identifiable information (e.g., name, address, phone number, email address).
Access history (access log): Contains information such as the domain name, IP address, browser, and OS of a customer accessing the website, the date and time of access, and the page(s) viewed. However, it does not contain personally identifiable information.
(2)Purposes of using cookies etc.
- Website maintenance and service improvement
- Development and improvement of products and services
- Proposals for products and services to NRI Group customers
(3)Use of Google Analytics
This website uses Google Analytics, a service of Google Inc., to grasp the visit status of customers. For the mechanism of data collection and processing in Google Analytics, please check the information provided by Google Inc. (https://policies.google.com/technologies/partner-sites?hl=en).
If you do not want Google Analytics to collect your data, you can opt out (disable) Google Analytics in your browser's add-on settings.
To opt out of Google Analytics, install the "Google Analytics opt-out add-on" and change your browser's add-on settings.
Information relating to Google Analytics
- Tool provider: Google Inc.
- Google Analytics Out-Out Add-On
Handling of Personal Information by Product/Service
NRI Group may individually stipulate matters relating to the handling of personal information, such as the purposes of use of personal information, provision to third parties, security, and contact information for each product or service on the websites, in emails, or otherwise in provision of various information relating to the relevant products and services. In such cases, if there are any provisions or special provisions that differ from this Notice on Handling of Personal Information, the terms for the handling of personal information stipulated for the relevant product or service etc. will prevail.
This Notice on Handling of Personal Information is subject to amendment without notice due to revision of related laws and regulations etc. and changes to NRI Group policies.
Enacted: April 1, 2002
Latest revision: June 27, 2023
Corporate Communications Department
Nomura Research Institute, Ltd.