Privacy Policy
For customers in the EEA and the UK
For Customers in California (Addendum for California Consumer Privacy Act)
For Customers in the Peoples' Republic of China (Addendum for the Peoples' Republic of China)
For Customers in the Republic of Korea (Addendum for the Republic of Korea)
For Customers in the Kingdom of Thailand (Addendum for the Kingdom of Thailand)
This Privacy Policy (the “Policy”) applies to the processing of your Personal Data by East Japan Railway Company (representative: Yuji Fukasawa) (“we”, “us,” and “our”).
In this Policy:
We collect the following Personal Data from you.
If you do not provide Personal Data that are necessary for each operation and service, the business and service may not be able to be provided.
We process your Personal Data for the following purposes.
By analyzing Personal Data collected from you using our online service (website) and mobile application service, we may show you advertisements that are relevant to you. Advertisement to be shown is mainly based on the following information:
In order to run each business and service, we share/provide your Personal Data with our group companies and external partners. We also share/provide the Personal Data of employees with public organizations in order to comply with laws and regulations. Our group companies and external partners with whom we share Personal Data are as follows.
We will retain your Personal Data that we collect for the period necessary to Process such Personal Data. However, this does not apply if we are required by law to retain your Personal Data for a longer period of time, in which case, we will retain it for the period required by law.
You have a number of legal rights in relation to the Personal Data that we hold about you. These rights may vary depending on where you are located and which data protection laws apply to the relationship between you and us, but typically will include the following:
You may exercise any of your rights by contacting us, using the information about us indicated in Section 10 below. You also may lodge a complaint with the data protection authority if you believe that any of your rights have been infringed by us.
To control the security of Personal Data, we will implement the items listed below. The following are examples only, and the specific measures to be implemented to control security may differ depending on each Personal Data.
If you have any questions about this Policy, your rights, or any other matter relating to the protection of your Personal Data, please contact our Privacy Information Desk at the following address:
If you are located in the EEA or the UK, please contact our EU/UK representative using the contact details in Section 3 of “For customers in the EEA and the UK”.
For customers in the EEA and the UK
This section applies to customers in the EEA and the UK.
The legal basis for Processing your Personal Data is as follows:
Your Personal Data may be transferred to, and stored by, a third party outside the EEA or the UK (e.g. Japan and Singapore). Where we transfer your Personal Data to a third party outside the EEA or the UK, we will ensure that:
You can obtain more details of the protection given to your Personal Data when it is transferred outside the EEA or the UK by contacting us using the information about us indicated in Section 10 above.
You may contact our EU/UK representative using the contact details below.
For Customers in California (Addendum for California Consumer Privacy Act)
Last Updated: August 1st, 2023
If you are a California “consumer” within the meaning of the California Consumer Privacy Act of 2018 (“CCPA”), this Addendum for California Consumer Privacy Act (“CCPA Addendum”) applies to you. The CCPA Addendum supplements our Privacy Policy (the “Policy”) and prevails over any conflicting provisions in the Policy.
This CCPA Addendum uses certain terms that have the meanings given to them in the CCPA, including:
The table below describes the categories of your Personal Information that we collect, or have collected during the 12-month period prior to the effective date of this CCPA Addendum.
Category of Personal Information Collected | Example |
---|---|
Identifiers | Name, user name, birthdate, address, e-mail address, Suica ID, IP address, passport number, Pay user information, visa number, social security number |
Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)) | Telephone number, credit card number, password, occupation, family name, family employment information, education, bank account information |
Protected classification characteristics under California or federal law | Gender, nationality, health status |
Commercial information | Reserved seat information, receipt counter, number of people, reservation number, the date of membership registration, membership number, purchase history |
Internet or network activity information | Cookie, device number, operating system, action history (accessed URL, contents, order, advertising history, browsing time, browsing method, etc.), device usage, device models, browser information |
Geolocation data | Location information |
Audio, electronic, visual and similar information | Photograph |
Professional or employment-related information | Company name, company address, title/position, affiliation, background information, career information, employment history, skills such as languages, etc. |
Sensitive Personal Information | Location information, account information, Pay user information, credit card number, password, passport number |
Business or Commercial Purposes. The business or commercial purposes for which your Personal Information will be collected and used, or was collected, are as described in Section 4 of the Policy. We do not use or disclose your sensitive Personal Information for purposes other than those specified in the CCPA. In addition, we do not collect or use your sensitive Personal Information for the purpose of inferring characteristics about you.
Categories of Sources. The categories of sources from which your Personal Information was collected during the 12-month period prior to the effective date of this CCPA Addendum are as follows.
Retention Period. The retention period of your Personal Information is as described in Section 7 of the Policy.
Category of Personal Information Disclosed | Example | Third Parties to whom Personal Information Was Disclosed in the Last 12 Months |
---|---|---|
Identifiers | Name, user name, birthdate, address, e-mail address, Suica ID, IP address, passport number, Pay user information, visa number, social security number | Our group companies, external business partners, public organizations |
Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)) | Telephone number, credit card number, password, occupation, family name, family employment information, education, bank account information | Our group companies, external business partners, public organizations |
Protected classification characteristics under California or federal law | Gender, nationality, health status | Our group companies, external business partners, public organizations |
Commercial information | Reserved seat information, receipt counter, number of people, reservation number, the date of membership registration, membership number, purchase history | Our group companies, external business partners |
Internet or network activity information | Cookie, device number, operating system, action history (accessed URL, contents, order, advertising history, browsing time, browsing method, etc.), device usage, device models, browser information | Our group companies, external business partners |
Geolocation data | Location information | Our group companies, external business partners |
Professional or employment-related information | Company name, company address, title/position, affiliation, background information, career information, employment history, skills such as languages, etc. | External business partners, public organizations |
If you are a California consumer, you have certain rights regarding your Personal Information, as described below:
How to Submit a Request. To make an access, deletion or correction request, please contact us using the information about us indicated in Section 10 of the Policy. Verifying Requests. To help protect your privacy and maintain security, we will take steps to verify your identity before granting you access to your Personal Information or complying with your deletion or correction request.
Upon receiving an access, deletion, or correction request from you, we first will verify your identity by requiring you to submit Personal Information you have provided us already (such as your name or e-mail address), and by matching the information you submitted with what we already have. If we are unable to verify your identity because you have not submitted this information, we may refuse your request.
If you use an authorized agent to make an access, deletion, or correction request on your behalf, we may require the agent to provide documents proving that you have given the agent signed permission to make the request. We also may require you to (1) verify your own identity directly with us, or (2) directly confirm with us that you provided the authorized agent permission to submit the request.
Additional Information. If you exercise any of your rights under the CCPA, you have the right not to receive discriminatory treatment from us. To the extent permitted by applicable laws and regulations, we may charge a reasonable fee to comply with your request.
We may change this CCPA Addendum from time to time. The date “Last Updated” at the top of this CCPA Addendum states when this CCPA Addendum was last updated. Any changes will become effective upon us posting the revised CCPA Addendum.
We will post a prominent notice on the site to notify you of any significant changes to this CCPA Addendum and indicate the date it was most recently updated.
If you have any questions or concerns regarding this CCPA Addendum or our privacy practices, please contact us using the information about us indicated in Section 10 of the Policy.
For Customers in the Peoples' Republic of China (Addendum for the Peoples' Republic of China)
This Addendum applies when the Processing of Personal Data is subject to the Personal Information Protection Law of the People's Republic of China (the “PIPL”). This Addendum supplements our Privacy Policy (the “Policy”) and prevails over any conflicting provisions in the Policy.
We shall engage in Processing such as collection, retention, use, processing, transmission, provision, disclosure, and deletion of Personal Data.
In the case of Processing Sensitive Personal Data (as defined in Article 28 of the PIPL), we shall implement measures required under the PIPL, such as notifying you of the necessity of Processing Sensitive Personal Data, and the effects on individuals' rights and interests.
We shall Process your location information, reserved seat information, credit card number, Suica ID, Pay user information, password and passport number as Sensitive Personal Data. The necessity of Processing your Sensitive Personal Data, and the effects on individual rights and interests, are as follows:
It is necessary for us to Process your location information for (a) market research on our business, or other researches or surveys, (b) business analysis related to our business, (c) ensuring security of our customers, (d) the selection and development of software, systems, equipment, devices etc. for ensure security, (e) the operation and maintenance of facilities, equipment and devices and the management of the usage status of them, (f) analyzing our website usage status, (g) improving the use of our service, and (h) providing information on our services/products, sales promotion and other information related to our business activities.
It is necessary for us to Process your reserved seat information, credit card number, Suica ID, Pay user information, password and passport number for (a) the conclusion and performance of a contract including provision of our services/products such as tickets, the management of a contract and the after-sales service of provided products/services, (b) the contact necessary for providing our services/products (including the case of requesting delivery agencies to deliver products, etc.), (c) providing information on our services/products and other information related to our business
activities, (d) the billing and credit protection of fares and charges concerning our services/products (including the case of requesting a credit company for credit card payment, etc.), (e) receiving and responding to your inquiries and requests, and (f) registration of membership information for our services/products.
(2) Effects on Individuals' Rights and Interests
Your Sensitive Personal Data are managed under appropriate security control measures, and the possibility of negative effects on individuals' rights and interests due to a data breach is limited.
We provide your (i) reserved seat information, exchange location, reservation number, number of people, name, nationality, passport number and birthdate for the purpose of reserving tickets online on JR East Train Reservation and issuing the ticket based on the reservation, (ii) cookies for the purpose of counting the number of visitors to JR East Train Reservation website, (iii) e-mail address, membership number and name (birthdate, gender, nationality and telephone number, if necessary) for the purpose of responding to customer inquiries on JR East Train Reservation to the following our group companies outside China (within Japan): RAILWAY INFORMATION SYSTEMS CO.,LTD., JR East Information Systems Company, and JR East Net Station Co.,Ltd..
For Customers in the Republic of Korea (Addendum for the Republic of Korea)
Last Updated: August 1st, 2023
This Addendum supplements our Privacy Policy (the “Policy”) and sets forth, in greater detail, the information related to how we collect, use, and disclose the Personal Data of users in South Korea.
Specifically, we transfer your (i) reserved seat information, exchange location, reservation number, number of people, name, nationality, passport number and birthdate for the purpose of reserving tickets online on JR East Train Reservation and issuing the ticket based on the reservation, (ii) cookies for the purpose of counting the number of visitors to JR East Train Reservation website, (iii) e-mail address, membership number and name (birthdate, gender, nationality and telephone number, if necessary) for the purpose of responding to customer inquiries on JR East Train Reservation to the following our group companies outside South Korea (within Japan) during a certain retention period as long as necessary to fulfill the purposes: RAILWAY INFORMATION SYSTEMS CO.,LTD., JR East Information Systems Company, and JR East Net Station Co.,Ltd..
If required to retain Personal Data pursuant to applicable Korean laws, such as those set forth below, we will retain Personal Data solely for the retention periods and purposes prescribed thereunder:
We select the Personal Data to be destroyed (i.e., Personal Data whose purpose of processing is achieved or whose retention period has expired) and destroy it.
If printed on paper, the Personal Data will be destroyed by shredding, incinerating, melting, or some other similar method, and if saved in electronic form, the data will be destroyed by technical methods which ensure that the data cannot be restored or recovered.
Notwithstanding Article 8 (Your rights) above of the Policy, users may exercise their rights within the scope recognized under the Korean Personal Information Protection Act. A user and/or their legal guardian may access, correct, or delete the user’s registered Personal Data at any time. A user and/or their legal guardian may also withdraw consent to the collection, use, provision, or storage of Personal Data that the user provided in order to use the services. Please contact the Privacy department responsible for handling matters related to Personal Data protection in Article 5. (Contact Us) below of this Addendum if you wish to exercise any of these above rights.
If you have any questions or concerns about our use of your Personal Data, or wish to inquire about our Personal Data handling practices, and exercise your rights to access, correct or inquire about deletion of Personal Data, please contact us using the information about us indicated in Section 10 of the Policy.
For Customers in the Kingdom of Thailand (Addendum for the Kingdom of Thailand)
This addendum applies to data subjects in Thailand. In addition to those other laws and regulations applicable to us, we will respect and fulfil our duties under the Personal Data Protection Act B.E. 2562 (2019) (the “Thai PDPA”), where applicable. The addendum supplements our Privacy Policy (the “Policy”) and prevails over any conflicting provisions in the Policy.
The term “Personal Data” used in this Addendum shall have the same meaning given to it in the Thai PDPA, i.e. any information relating to a natural person, which enables the identification of such natural person, whether directly or indirectly. However, it shall not include information of a deceased person.
We will handle your Personal Data consistent with the consent you give to us. However, we are also able to rely on grounds described under the Thai PDPA to Process your Personal Data without having to obtain your consent. Said grounds include but are not limited to:
In most cases, providing your Personal Data is not mandatory.
However, in some cases, you are under a statutory or contractual obligation to provide the Personal Data to us, or it is necessary for you to provide your Personal Data in order to enter into a contract with us. These include:
If you book, purchase or request our services/products, and if you refuse to provide the necessary Personal Data, this will obstruct us in managing the service relationship with you, and in providing the services to you;
If you conduct business or procure materials from us, and if you refuse to provide the necessary Personal Data, this will obstruct us in managing the business relationship and in providing the service to you.
We may share or transfer your Personal Data with our group companies and external partners as indicated above in Japan. In such case, we will ensure that the destination country or international organization that receives your Personal Data shall have adequate data protection standard, and shall be carried out in accordance with the rules for the protection of Personal Data as prescribed by the Thai Personal Data Protection Committee. In the absence of the guidance as to which countries shall be considered as to have adequate data protection standard and the rules for the protection of Personal Data issued by the Thai Personal Data Protection Committee as referred to above, we will share or transfer your Personal Data to our group companies and external partners in such the foreign countries in accordance with your consent, providing that you will be informed of the inadequate Personal Data protection standards of such destination country or international organization, or by relying on other exemptions permitted by the Thai PDPA.
As a data subject, you have certain rights regarding your Personal Data, as described in the Thai PDPA. However, you may not be entitled to exercise all the said rights since your entitlements are subject to the nature or the purpose of the collection, use or disclosure of your Personal Data carried out by us, as will be further explained below. Hence, for your information, and so that you duly understand and recognise each of your rights, we summarise all rights prescribed under the Thai PDPA, as follows:
Right to Withdrawal of Consent: You have the right to withdraw your consent to collect, use and/or disclose your Personal Data so long as there are no restrictions in so doing by law or the contract which gives benefit to you. However, the withdrawal of consent shall not affect the collection, use, or disclosure of Personal Data for which you have already given consent legally.
Right to Access:You have the right to request information about how your Personal Data is collected, used or disclosed, including the right to access to your own Personal Data and to obtain a copy of such Personal Data, as well as to request for disclosure of your Personal Data that you believe we obtained without your consent.
Right to Rectification:You have the right to require us to correct or complete your Personal Data that you believe it is inaccurate or incomplete.
Right to Erasure:You have the right to request us to have your Personal Data erased and to have confirmation of such erasure, or to make your Personal Data anonymous under certain conditions and on certain grounds in accordance with the Thai PDPA, as follows:
Right to Restriction:You have the right to request us to restrict the use of your Personal Data in the following circumstances:
Right to Data Portability:You have the right to request that we send or transfer your Personal Data which we collected and arranged to be in a format readable or commonly used by ways of automatic tools or equipment, and which can be used or disclosed by automated means to another organisation or directly to you in accordance with the conditions and grounds specified under the Thai PDPA. Your right in this regard will only apply to the Personal Data which you have consented to be collected, used or disclosed, or which we collect, use or disclose by relying on the necessity for performance of a contract.
Right to Object:You have the right to object to the collection, use or disclosure of your Personal Data in accordance with the conditions and grounds specified under the Thai PDPA, for example, where we rely on the legitimate interest ground to collect, use or disclose your Personal Data without your consent, unless we can demonstrate compelling legitimate grounds for the collection, use or disclosure which override your interests; or where it was done for the establishment, exercise or defence of legal claims.
Right to Lodge a Complaint:You have the right to lodge a complaint to relevant committee(s) under the Thai PDPA if we or our employees, contractors and/or data processors, fail to comply with the Thai PDPA or the announcements issued under the Thai PDPA.
If you have any questions or concerns regarding this Thai PDPA Addendum or our privacy practices, please contact us using the information about us indicated in Section 10 of the Policy.