Sony Bank Incorporated Privacy Policy

Operation Commencement Date: April 1, 2005
Amendment Date: May 22, 2025

Keiji Minami
President and CEO, Representative Director
Sony Bank Incorporated

1. Introduction

As a member of the Sony Financial Group (SFG), Sony Bank Incorporated (hereinafter referred to as "the Company") upholds SFG’s vision (goal) of "Experiencing the Joys of Life, Together." Under this vision, we have defined "Kando for Life" as the foundation for our customers to live their own lives filled with emotion, in addition to "Health for Life," which represents living with energy and vitality, and "Asset for Life," which represents living with financial well-being. To help our customers achieve each of these three "for Life" concepts, we operate in a wide variety of businesses, leveraging this diversity as a strength to create sustainable value and increase shareholder value over the long term.

To conduct people-centered business, the Company must respect people's rights and ensure the fair handling and secure management of personal information entrusted to us by our stakeholders, including customers, shareholders, employees, and business partners, at all stages of their lives.

The Company is committed to ethical business practices that fully consider the impact that handling personal information has on our stakeholders, and to building trust with all by ensuring transparency and maintaining accountability.

In addition, when handling personal information, the Company shall comply with the obligations set forth in the Act on the Protection of Personal Information, various other laws and regulations relating to the protection of personal information, guidelines published by the Personal Information Protection Commission, Japan, and other competent authorities, as well as this Policy.

If the Company stipulates provisions different from those set forth in this Privacy Policy in the privacy policy or other guidelines related to specific products or services, etc., the provisions related to the respective product or service shall take precedence over this Privacy Policy.

2. Acquisition of Personal Information

The Company shall endeavor to acquire personal information after disclosing, informing, or stating in advance the items, purpose of use, and contact point for inquiries, etc., of the personal information to be handled, and after obtaining the consent of the individual. In the event that special care-required personal information such as race and creed, etc., is included in the personal information, except as permitted by law, the Company shall not acquire such personal information without the consent of the individual. If the Company receives personal information from a third party, the Company will comply with any legal obligation to review or create records when receiving the information from the third party.

Methods of acquiring personal information (excluding "Individual Number")
2-1. The Company acquires personal information from the following sources, for example.
  • Cases where personal information is provided directly by the customers by entering personal information on the "Account opening application" screen of our website
  • Cases where personal information is provided by a co-user of a local clearinghouse or a third party such as a personal credit information agency
  • In the event that the customer accepts inquiries or requests for consultation by telephone (the contents of telephone calls with the customer may be recorded for the purpose of improving the response quality and confirming the contents thereof)
Methods to Obtain Individual Number
2-2. The Company, in principle, has obtained an Individual Number from the following sources.

Cases where Individual Number is provided directly by the customer by entering their Individual Number via the submission page of our website.

3. Use within the Scope of Utilization Purpose

Except where the prior consent of the individual has been obtained, or where it is permitted by law, the Company shall handle personal information only within the scope required to achieve the previously specified purpose of use, and shall take measures to achieve this.

Plans of Use of Personal Information (excluding "Individual Number")
3-1. The Company shall acquire and use the personal information of the customers by appropriate and lawful means to the extent required to conduct the following operations.
  • Deposit business, transfer business, money exchange business, loan business, foreign exchange business, and business incidental thereto
  • Investment trust business, insurance sales business, financial instruments intermediary business, trust business, corporate bond business, and other businesses that a bank may engage in pursuant to law and other businesses incidental thereto
  • Other business that banks are able to carry on and business incidental thereto (including the business that will be permitted to be handled in the future)

Pursuant to Article 13-6-6 of the Regulations Enforcement of the Banking Act and other regulations, the information on the borrowers' ability to repay debt provided by the Personal Credit Information Bureaus will not be used or provided to a third party for purposes other than the investigation of borrowers' ability to repay debt.
In addition, pursuant to Article 13-6-7 of the Regulations Enforcement of the Banking Act, the Company will not use or provide to any third party any special non-public information such as information on race, creed, family origin, registered domicile, health and medical, or criminal records for purposes other than those for securing appropriate management of the business and other necessary purposes.
In addition, the purpose of use will be clearly defined for the customer. For example, when responding to various questionnaires, etc., the purpose of use will be limited according to the occasion when the questionnaire was obtained, such as for the purpose of aggregating questionnaires.

More specifically, this service is used for the following purposes.

  • To accept applications for financial products and services, such as opening accounts for various types of financial products
  • To verify the customers' identification based on the Act on Prevention of Transfer of Criminal Proceeds and to confirm the qualifications for using financial products and services
  • For the management of continuous transactions, such as the management of dates in the transaction of deposit transactions and loan transactions
  • To make decisions when applying for a loan or when using a loan on a continual basis, etc.
  • For judging the appropriateness of the provision of financial products and services, such as judging in light of the principles of conformity
  • In the case of credit business, to provide personal information of the customers to third parties to the extent necessary for conducting appropriate operations, such as providing the customer's personal information to the affiliated credit information Bureaus
  • For the purpose of properly carrying out the outsourced business in cases where the processing of personal information is entrusted in whole or in part by other business operators, etc.
  • For the exercise of rights and the fulfillment of obligations under contracts with the customers and laws
  • For research and development of financial products and services through market research, data analysis, and surveys
  • For various proposals related to financial products and services such as sending out direct mail
  • For analyzing information on browsing history and transactions to distribute advertisements and direct mailings regarding financial products and services that match your interests and preferences
  • For analyzing acquired behavioral history and other information, calculating credit scores, and providing such scores to third parties
  • For various proposals of products and services, such as those of partner companies
  • For the cancellation of various transactions and for ex post facto management after the cancellation of transactions
  • For proper and smooth fulfillment of inquiries about transactions, inquiries and other transactions with the customers
Purpose of Use of the Individual Number
3-2. Purpose of use of the customer's Individual Number obtained by the Company is as follows.
The Company will not use Individual Numbers for any purposes other than those permitted by law.
  • (1) Preparation of statutory documents concerning financial instruments transactions
  • (2) Affairs related to the numbering of deposit accounts
  • (3) Affairs related to registration, change, cancellation, etc. of public money receiving accounts
  • (4) Affairs related to the disclosure of information on savings accounts in the event of disasters and inheritances
  • (5) Affairs related to ensuring the accuracy of personal identification matters and personal identification numbers
  • (6) Other affairs related to each of the above purposes of use
Discontinue Direct Marketing
3-3. If the customer does not wish to receive information via direct mail, telephone, or e-mail, please proceed through the website.

4. Provision of Personal Information

Except as permitted by law, the Company shall not provide personal information to third parties without separately obtaining the individual's prior consent. In cases where personal information is provided to a third party and the Company is required by law to maintain a record of such provision to the third party, the Company shall comply with such requirement. In addition, the Company may outsource the processing of personal information to a third party to the extent necessary to achieve the purpose of the use. In such a case, the Company shall properly supervise such third party to ensure the secure management of personal information.

Shared use of personal information (Except for "Individual Number")
4-1. As an exception to the sharing of personal information with third parties, when personal data is used jointly with a specific person, the Company shall disclose to the customer in advance, on the website, etc., the fact that personal data will be used jointly, the items of the personal data to be used jointly, the scope of the joint users, the purposes of use of the users, and the name of the person responsible for the control of the personal data, and shall then use the personal data jointly.
(1) Matters related to joint use with Sony Financial Group (related to Article 27, paragraph 5, item 3 of the Protection Law)
Sony Financial Group (hereinafter referred to as the person set forth in [2]) shall share personal data as follows:
In the event of restrictions under the Financial Instruments and Exchange Law or other relevant laws other than the Personal Information Protection Law, such joint use shall be handled in accordance with such laws and regulations.
[1] Items of personal data to be used jointly
  • (a) Attribute information (e.g., address, name, date of birth, gender, place of work, position, contact information such as telephone number and e-mail address, information that can be used to identify or specify individuals such as personal identification code, and family member information)
  • (b) Financial data (e.g., revenues and expenditures, status of assets and liabilities, etc.)
  • (c) Transactional information (e.g., product and service types, transaction amounts, information on applications for contract dates, information on claims for insurance incidents, purpose of transaction, security number, management numbers such as branch numbers or account numbers, transaction histories, records and background, and information on decisions on whether or not transactions are acceptable)
  • (d) Information obtained through Sony Financial Group's applications, websites, or other documents (hereinafter referred to as the person specified in [2]) (e.g., application usage status, browsing history, location information, questionnaire response data, etc.)
[2] Scope of joint users
Sony Financial Group Inc. and its consolidated subsidiaries and affiliates accounted for by the equity method, which have already made public notices pursuant to Article 27, Paragraph 5, Item 3 of the Protection Law (hereinafter referred to as the "Sony Financial Group")
[3] Purpose of joint use
  • (a) For the planning and development of various financial products and services provided by Sony Financial Group
  • (b) To provide suggestions and information on Sony Financial Group's corporate information, financial products, services, and other related information, as well as to respond to comments and inquiries
  • (c) In order to carry out other operations incidental to (a) and (b) above and the operations of Sony Financial Group smoothly
[4] The name of the person responsible for the management of personal data
Provision of Personal Information to Sony Group Companies
4-2. The Company may provide personal data to Sony Group Companies (*) only after clarifying the purpose of use, items, etc., of the personal data to be provided by such companies and obtaining the prior consent of the individual regarding the provision of personal information to third parties. In such a case, the personal information provided will be limited to the items necessary for the purpose of such provision and will not be used for any other purpose.
(*) The Sony Group Companies excluding the Sony Financial Group (Sony Financial Group Inc. and its consolidated subsidiaries and affiliates accounted for under the equity method). For further details, please refer to the following page.
Outsourcing of Handling of Personal Data (excluding "Individual Number")
4-3. The Company outsources the handling of personal data in the following cases, for example.
  • Business matters related to the dispatch of account opening application documents, cash cards, transaction balance reports, etc.
  • Foreign exchange and other business related to foreign transactions
  • Business matters related to the dispatch of direct mail
  • Work related to the operation and maintenance of information systems
Outsourcing of Specific Personal Information Handling
4-4. The Company outsources the handling of Specific Personal Information to the extent required to carry out the following duties.
  • Business matters related to the preparation of statutory documents pertaining to financial instruments transactions
  • Business matters related to the numbering of deposit accounts
  • Work related to the operation and maintenance of information systems
Transfer to a foreign country
4-5. When we provide customers' personal information to third parties such as foreign entities, including subcontractors and joint users, we will only disclose such information with the consent of the customer, except in any of the following cases:
  • (1) When the third party is located in a foreign country or region that is stipulated by law as having a personal information protection system at a level equivalent to that of Japan.
  • (2) When the third party is located in a foreign country or region and has implemented security measures comparable to those required of business operators handling personal information.

When providing personal data to an entrusted entity (including sub-contractors, etc.) located outside of Japan, we ensure that necessary and appropriate measures are taken for the secure management of information.
In addition, upon request from the person in question, we will provide information on measures for safety management, etc., at contractors (including sub-contractors, etc.) located in the relevant foreign country and region.
If, at the time of obtaining consent, the third party to which personal information is to be provided cannot be identified or for some other reason cannot be provided, but the third party can be identified after the fact, information regarding the provision of personal information to the third party in a foreign country can be provided upon request from the person in question. For details, please contact our English help desk in Section 8-3.

5. Measures for Managing the Security of Personal Data

We take strict security measures to protect personal information we collect and maintain by applying the Sony Financial Group's common policy (this includes the Sony Group's common policy), which has been established based on industry standards and best practices such as the International Organization for Standardization (ISO) 27001 standards and the National Institute of Standards and Technology (NIST) SP800 series.
These measures include implementation and periodic review of organizational information security management, periodic education and training for employees, periodic inventory of information assets, implementation of physical security control measures (e.g., employee entry/exit control, terminal management), encryption of communications, strict access control, periodic vulnerability management for information systems, etc.

Safety control measures
5-1. We are taking strict security measures as follows to protect personal information that we obtain/keep.
  • Setting a basic policy
    With the aim of realizing proper management of personal information, we set basic policies such as "Compliance with relevant regulations and guidelines" or "Contact window for queries and complaints".
  • Disciplinary measures as to handling of personal information
    We set disciplinary measures regarding the handling of personal information for every step, such as obtaining, using, keeping, providing to others, deleting, and discarding. The measures include relevant articles on handling personal information and the job assignments of the person in charge and his/her supervisor.
  • Organizational Safety Control Measures
    In addition to appointing a person responsible for the handling of personal information, we have established a system to clarify the officers and employees who handle personal information and the scope of personal information handled by such officers and employees, and to report to the person responsible in the event that a violation of laws and regulations or handling rules is detected or any indication of such a violation is detected.
  • Personal Safety Control Measures
    We provide regular training to our officers and employees on matters to keep in mind regarding the handling of personal information.
  • Physical Security Control Measures
    In the areas where personal information is handled, we control the access of officers and employees, limit the equipment they may bring in, and take measures to prevent unauthorized persons from viewing personal information.
  • Technical Security Control Measures
    We implement access control to limit the scope of persons in charge and the personal information databases handled.
  • Understanding the external environment
    When we handle personal information in a foreign country, we implement safety control measures based on our understanding of the systems for the protection of personal information in that foreign country.

6. Personal Information of Customers Under the Age of 15

The Company shall endeavor to comply with all laws and regulations applicable to the collection, storage, and use of personal information relating to customers under the age of 15. In the event of a child having provided personal information to the Company without the consent of their parent or guardian, we ask that a parent or guardian contact our English help desk in Section 8-3.

7. Alteration of the Privacy Policy

The Company may alter this Privacy Policy from time to time to the extent permitted by law. In such a case, the Company shall notify customers of the amended Privacy Policy on the website in advance. In addition, to ensure the appropriate handling of personal information, the Company shall endeavor to continuously strengthen and improve the structure of our personal information management, including reviewing this Privacy Policy, in light of changes in society and the environment.

8. Responding to a Request, etc. for Disclosure etc.

The Company shall respond appropriately to requests for disclosure, correction, cessation of use (for introducing products and services, etc.), and deletion of personal information, as well as other comments and inquiries regarding the handling of personal information, based on the provisions of laws and regulations. Please contact the address of the company to which you provided information for assistance. For details of the procedures, please refer to the Inquiry Guidelines of the Disclosure of the Retained Personal Data (information is only available in Japanese), etc.

Ensuring the Accuracy of Personal Data
8-1. The Company strives to keep personal data of the customers accurate and up-to-date.
If the customer needs to modify or update the personal data provided, please proceed via our website or make a request to our English help desk.
Request for Disclosure, etc. Procedures
8-2. For requests regarding notice of the Purpose of Utilization of the Company Retained Personal Data (in relation to Article 32, Paragraph 2 of the Protection Law), disclosures (in relation to Article 33, Paragraph 1 of the Protection Law), corrections, etc. (in relation to Article 34, Paragraph 1 of the Protection Law), and suspension of use, etc. and suspension of provision to third parties (in relation to Article 35, Paragraphs 1, 3 and 5 of the Protection Law) (hereinafter referred to as "Request for Disclosure, etc."), please refer to our "Procedures for Request for Disclosure, etc." (information is only available in Japanese).
Contact point for complaints and inquiries regarding the handling of retained personal data
8-3. For complaints and inquiries regarding the handling of personal data retained by the Company and security control measures, please contact the following.

Sony Bank: The Contact Point for Customer Complaints and Inquiries

Please contact us via "Start a chat" on our website.
Business hours
Weekdays 9:00 a.m. to 5:30 p.m.
Weekends and holidays 9:00 a.m. to 5:00 p.m. (Closed from Dec. 31 to Jan. 3)

Certified Personal Information Protection Organization
8-4. The Company is a member of the following Certified Personal Information Protection Organization.
Each group receives complaints and inquiries regarding the handling of personal information by its member companies.

All Banks Personal Data Protection Council (http://www.abpdpc.gr.jp/)
[Complaints and Inquiries Desks]
Japanese Bankers Association Customer Relation Center
Telephone 03-5222-1700