Privacy Policy

Privacy Policy

1. About this Policy

This Privacy Policy (the “Policy”) applies to the processing of your Personal Data by East Japan Railway Company (representative: Yuji Fukasawa) (“we”, “us,” and “our”).

2. Definitions

In this Policy:

  • (a) “Personal Data” means any information relating to an identified or identifiable natural person;
  • (b) “Process/Processing” means any activity or operation that is carried out in respect of the Personal Data, such as collecting, storing, using, transferring, or deleting it.

3. How we collect your Personal Data and what Personal Data we collect

We collect the following Personal Data from you.

  • (1) Booking/Purchasing of our services/products and exchanging for at our sales/exchange locations
    • (a) Personal Data collected when you use our product/service website
      • Our product/service website collects cookies, device number, operating system, action history (accessed URL, contents, order, advertising history, browsing time, browsing method, etc.), location information, and IP address as your access information.
    • (b) Personal Data registered for creating an account for the online booking/purchasing website
      • We collect your account information, including name, user name, birthdate, gender, nationality, address, telephone number, e-mail address, credit card number (including tokenized information), and Suica ID.
    • (c) Personal Data for booking a reserved seat and issuing/exchanging for at our sales/exchange locations
      • We collect your name, birthdate, nationality, passport number, credit card number (tokenized information), reserved seat information, receipt counter, number of people, reservation number, contact information in Japan, and account information as your reservation information.
    • (d) Personal Data related to reservation status and inquiries on the website
      • We collect the date of membership registration, membership number, name, gender, nationality, telephone number (including contact information for residence in Japan), and reply mail address as your inquiry information (In case you forget your password, we also collect your birthdate, gender, and telephone number).
    • (e) Personal Data related to purchasing/exchanging of our products at our sales/exchange locations
      • We collect your exchange/sales information which includes the following: your name, nationality, passport number, contact information in Japan (excluding for some of our services), and reservation number. We also collect your credit card number when you purchase our products at our sales/exchange locations by credit card.
    • (f) Personal Data you register at the time of reservation on our website/purchase of our products/service
      • We collect your name, e-mail address, nationality, gender, telephone number, credit card number, Pay user information, and password.
    • (g) Personal Data related to the use of our service
      • In addition to the information above, we collect your application usage information which includes your location information, browsed page, advertising history, browsing times, browsing methods, and device usage.
  • (2) Business contact information we collect when attending events or meetings
    • (a) Personal Data related to exchanged business cards
      • We collect your name, telephone number, e-mail address, company name, company address, and title/position as business contact information.
    • (b) Personal Data collected for sending seasonal greetings and greeting letters
      • We collect your business contact information which includes your name, telephone number, e-mail address, company name and address (including company address).
    • (c) Personal Data related to attendee lists
      • We collect your Personal Data (your name, affiliation, and title/position) provided on attendee lists at international conferences.
    • (d) Personal Data used for meetings and invitations
      • We collect your name, background information, career information, and photograph when we meet you or invite you to visit us.
    • (e) Minimum required Personal Data of our business partners
  • (3) Receipt of an online application of material procurement
    • (a) Personal Data related to an online application of material procurement
      • We collect your name, company name, title/position, e-mail address, and telephone number as the procurement application information.
  • (4) Information services provided by our mobile applications
    • (a) Personal Data related to the registration of our service
      • We collect your IP address, device models, operating system information, and browser information as user access information.
      • We collect user registration information, such as your country of residence, gender, year of birth, and occupation, which users voluntarily provide. (Failure to provide us with such information will have no impact on the use of our service.)
    • (b) Personal Data related to the use of our service
      • In addition to the above, we collect location information, browsed page, advertising history, browsing times, browsing methods, and device usage as your application usage information.
  • (5) Recruitment
    • (a) Personal Data of potential employees
      • We collect your name, contact details, employment history, skills such as languages, etc. and any necessary information for recruitment as recruitment information.
  • (6) Management of Employees
    • (a) Personal Data necessary for the management of our employees
      • For employee management purposes, we collect necessary information such as your name, address (including place of residence and country of residence), telephone number, birthdate, gender, family name, family employment information, health status, contact details, background information (including highest level of education), employment history, language skills, etc.
      • For employee management purposes, we collect information (your name, address, telephone number, and e-mail address) included on our name list and in our contact network.
      • For administrative purposes related to our employees, we collect your passport number, visa number, social security number, and bank account information.
  • (7) Personal Data we automatically collect when you use our online (website) services
    • (a) Personal Data related to the use of our web site
      • We collect cookies, device number, operating system, action history (accessed URL, contents, order, advertising history, browsing time, browsing method, etc.), location information, and IP address as your access information.
        A cookie is a technology that allows sites to store information in the browser of your computer, etc. and the information can be retrieved later. There are some contents using cookies in our web site. It is possible to disable cookies in your browser settings at any time, but please notice that in this case there may be some contents which cannot function properly or be shown correctly. For more information about cookies, please visit our Cookie Policy.
      • We use Google Analytics, a web analytics service provided by Google, LLC. We may use your purchase history in addition to your cookies, IP address, action history (accessed URL, contents, order, advertising history, browsing time, browsing method, etc.). For more information about the data collecting and processing by using Google Analytics, please visit the Google's page below, "How Google uses data when you use our partners' sites or apps" : https://policies.google.com/technologies/partner-sites(Link). For information on how to opt-out, please visit our Cookie Policy.

If you do not provide Personal Data that are necessary for each operation and service, the business and service may not be able to be provided.

4. Purpose of Processing Personal Data

We process your Personal Data for the following purposes.

  • (1) Booking/Purchasing of our services/products and exchanging for at our sales/exchange locations
    • (a) For the conclusion and performance of a contract including provision of our services/products such as tickets, the management of a contract and the after-sales service of provided products/services
    • (b) For the contact necessary for providing our services/products (including the case of requesting delivery agencies to deliver products, etc.)
    • (c) For providing information on our services/products and other information related to our business activities
    • (d) For the billing and credit protection of fares and charges concerning our services/products
      (including the case of requesting a credit company for credit card payment, etc.)
    • (e) For receiving and responding to your inquiries and requests
    • (f) For registration of membership information for our services/products
  • (2) Business contact information we collect when attending events or meetings
    • (a) For business card exchange etc.
    • (b) For providing information on our services/products and other information related to our business activities
    • (c) For preparing attendee lists distributed at meetings
    • (d) For meeting and invitations
    • (e) For the negotiation, conclusion and performance of a contract with business partners, and the management of a contract
  • (3) Receipt of an online application of material procurement
    • (a) For evaluating potential business partners and contacting them
  • (4) Information services provided by our mobile applications
    • (a) For providing information on our services/products and other information related to our business activities
    • (b) For the market research on our business, or other researches or surveys
    • (c) For sales promotion and other similar activities
    • (d) For receiving and responding to your inquiries and requests
    • (e) For ensuring security of our customers and employees
    • (f) For the selection and development of software, systems, equipment, devices etc. to ensure security
    • (g) For the operation and maintenance of facilities, equipment and devices and the management of the usage status of them
    • (h) For improving the use of our service
  • (5) Recruitment
    • (a) For recruitment activities and providing information related to recruitment
  • (6) Management of Employees
    • (a) For employment management (including secondments and transfers)
    • (b) For necessary legal procedures and communications
    • (c) For other procedures and communications necessary for business
  • (7) Personal Data we automatically collect when you use our online (website) services
    • (a) For the market research on our business, or other researches or surveys
    • (b) For business analysis related to our business
    • (c) For ensuring security of our customers and employees
    • (d) For the selection and development of software, systems, equipment, devices etc. for ensure security
    • (e) For the operation and maintenance of facilities, equipment and devices and the management of the usage status of them
    • (f) For analyzing our website usage status

5. Showing advertisements by using Personal Data

By analyzing Personal Data collected from you using our online service (website) and mobile application service, we may show you advertisements that are relevant to you. Advertisement to be shown is mainly based on the following information:

  • Access information (cookie, action history, etc.) when you use our online service
  • Log information (browsed page, advertising history, browsing time, browsing method, etc.) when you use our service

6. Disclosure of Personal Data to recipients

In order to run each business and service, we share/provide your Personal Data with our group companies and external partners. We also share/provide the Personal Data of employees with public organizations in order to comply with laws and regulations. Our group companies and external partners with whom we share Personal Data are as follows.

  • (1) Booking/Purchasing of our services/products and exchanging for at our sales/exchange locations
    • Our group companies:
      • - Information service vendors for development, operation, maintenance, and management of our system (located in Japan)
      • - Internet service vendors that respond to inquiries and requests (located in Japan)
      • - Transport related service vendors that process fare settlement of our products for overseas customers visiting Japan (located in Japan)
      • - Travel agencies and worker dispatching companies for exchanging/selling our products for overseas customers visiting Japan (located in Japan)
    • External business partners:
      • - Information service vendors for that process fare settlement of our products for overseas customers visiting Japan (located in Japan)
      • - Travel agencies for the exchanging/selling our products to overseas customers visiting Japan (located in Japan)
      • - Information service vendors for that process our products for overseas customers visiting Japan (located in Japan)
  • (2) Receipt of an online application of material procurement
    • External business partners
      • - Information service vendors for operation and maintenance of an application form for new business transactions (located in Japan)
  • (3) Information services provided by our mobile applications
    • Our group companies
      • - Information service vendors for development, operation and maintenance of web applications (located in Japan)
  • (4) Management of Employees
    • Public organizations (located in Japan)
  • (5) Personal Data we automatically collect when you use our online (website) services
    • Our group companies
      • - Information service vendors for development, operation, maintenance, and management of our system (located in Japan)
    • External business partners
      • - Google, LLC

7. Storage period for Personal Data

We will retain your Personal Data that we collect for the period necessary to Process such Personal Data. However, this does not apply if we are required by law to retain your Personal Data for a longer period of time, in which case, we will retain it for the period required by law.

8. Your rights

You have a number of legal rights in relation to the Personal Data that we hold about you. These rights may vary depending on where you are located and which data protection laws apply to the relationship between you and us, but typically will include the following:

  • (a) Right to obtain information regarding the Processing of the relevant Personal Data and to access the relevant Personal Data that we hold;
  • (b) Right to request rectification of the relevant Personal Data if it is inaccurate or incomplete;
  • (c) Right to request erasure of the relevant Personal Data in certain circumstances;
  • (d) Right to request that we restrict our Processing of the relevant Personal Data in certain circumstances;
  • (e) Right to object to our Processing of the relevant Personal Data;
  • (f) Right to receive the relevant Personal Data in a structured, commonly used, and machine-readable format and/or to request that we directly transmit such Personal Data to a recipient where this is technically feasible; and
  • (g) Right to withdraw your consent to our Processing of the relevant Personal Data at any time (the withdrawal does not affect the lawfulness of Processing of Personal Data based on consent before its withdrawal).

You may exercise any of your rights by contacting us, using the information about us indicated in Section 10 below. You also may lodge a complaint with the data protection authority if you believe that any of your rights have been infringed by us.

9. Security control measures

To control the security of Personal Data, we will implement the items listed below. The following are examples only, and the specific measures to be implemented to control security may differ depending on each Personal Data.

  • (1) Formulation of basic policies
    We will formulate and publicize “Basic Policies Regarding the Processing of Personal Information” in order to ensure the proper Processing of Personal Data.
  • (2) Development of disciplines regarding the Processing of Personal Data and so on
    We will formulate internal rules regarding the Processing of Personal Data in order to properly acquire, store, use, manage, etc. Personal Data.
  • (3) Organizational security control measures
    We will designate a person responsible for Processing Personal Data and we will also clarify those employees who will Process Personal Data; further, we will establish a system for notifying the responsible person in case an accident occurs, such as any leak of Personal Data (including any suspected accident of Personal Data).
  • (4) Personal security control measures
    We will provide regular education and training to employees regarding matters to be noted and so on relating to the Processing of Personal Data; further, we will also include confidentiality matters relatingto Personal Data in our internal rules.
  • (5) Physical security control measures
    When we destroy or delete Personal Data, we will dispose of information by cutting, dissolving, physically destroying, or using other methods that make restoration thereof difficult.
  • (6) Technical security control measures
    When we store or transfer Personal Data, we will take measures necessary to prevent leaks thereof, such as encryption and setting passwords.
  • (7) Understanding the external environment
    We will take necessary and proper security control measures to manage Personal Data securely, with an understanding of the legislation for the protection of personal information in the foreign country where the Personal Data is stored.
  • (8) Supervision of employees
    In order to ascertain how employees Process Personal Data, we will confirm that operations are conducted in conformity with laws and regulations, and internal rules, etc. by conducting an audit and so on not less than once a year. If there are any problems, we will promptly improve the situation.
  • (9) Supervision of outsourcees
    In order to ascertain how Personal Data is Processed by outsourcees, we will confirm that operations are conducted in conformity with contracts and laws and regulations, etc. by conducting an audit and so on not less than once a year. If there are any problems, we will take necessary measures.

10. Contact details

If you have any questions about this Policy, your rights, or any other matter relating to the protection of your Personal Data, please contact our Privacy Information Desk at the following address:

  • (a) Address of head office: 2-2-2 Yoyogi, Shibuya-ku, Tokyo 151-8578, Japan
  • (b) Email address: privacy-info@jreast.co.jp

If you are located in the EEA or the UK, please contact our EU/UK representative using the contact details in Section 3 of “For customers in the EEA and the UK”.

For customers in the EEA and the UK

For customers in the EEA and the UK

This section applies to customers in the EEA and the UK.

1. Legal basis

The legal basis for Processing your Personal Data is as follows:

  • (a) When the processing is necessary for the performance of a contract to which you are party or in order to take steps at your request prior to entering into a contract
  • (b) When the processing is necessary for compliance with a legal obligation to which we are subject (e.g. when following the information disclosure orders from government/court based upon laws and regulation announced by government agencies/courts)
  • (c) When the processing is necessary in order to protect the vital interests of yours or of another individual
  • (d) When the processing is necessary for the purpose of the legitimate interests pursued by us or by a third party, except where such interests are overridden by your privacy related rights, interests, and freedom. The legitimate interests pursued by us or a third party are as follows:
    • Customer satisfaction improvement;
    • Service improvement;
    • Direct marketing;
    • Illegal act prevention;
    • Regular communication with business partners and others;
    • Protection of assets (security) of our customers and our company; and
    • Safety of our employees.

2. Transfers of Personal Data outside the EEA or the UK

Your Personal Data may be transferred to, and stored by, a third party outside the EEA or the UK (e.g. Japan and Singapore). Where we transfer your Personal Data to a third party outside the EEA or the UK, we will ensure that:

  • (a) the recipient destination has been subject to a finding from the European Commission or has been designated by the government of the UK as ensuring an adequate level of protection for the rights and freedoms that you possess in respect of your Personal Data; or
  • (b) the recipient enters into standard data protection clauses that have been approved by the European Commission, or other contracts for the transfer of Personal Data as required by data protection laws, with us.

You can obtain more details of the protection given to your Personal Data when it is transferred outside the EEA or the UK by contacting us using the information about us indicated in Section 10 above.

3. EU/UK representative

You may contact our EU/UK representative using the contact details below.

  • (a) EU representative
    DP-Dock GmbH
    Address: Ballindamm 39 20095 Hamburg Germany
    Website: www.dp-dock.com (Link)
    E-mail Address: JR-EAST@gdpr-rep.com
  • (b) UK representative
    DP Data Protection Services UK Ltd.
    Address: s 16 Great Queen Street Covent Garden London WC2B 5AH, United Kingdom
    Website: www.dp-dock.com (Link)
    E-mail Address: JR-EAST@gdpr-rep.com

For Customers in California (Addendum for California Consumer Privacy Act)

For Customers in California
(Addendum for California Consumer Privacy Act)

Last Updated: August 1st, 2023

If you are a California “consumer” within the meaning of the California Consumer Privacy Act of 2018 (“CCPA”), this Addendum for California Consumer Privacy Act (“CCPA Addendum”) applies to you. The CCPA Addendum supplements our Privacy Policy (the “Policy”) and prevails over any conflicting provisions in the Policy.

This CCPA Addendum uses certain terms that have the meanings given to them in the CCPA, including:

  • “Personal Information,” which means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
  • “Sell,” “selling,” “sale,” or “sold,” which means the selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, the Personal Information by a business to a third party for monetary or other valuable consideration.
  • “Share,” “shared,” or “sharing,” which means sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, the Personal Information by a business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions between a business and a third party for cross-context behavioral advertising for the benefit of a business in which no money is exchanged.

1. Our Collection, Use, and Disclosure of Your Personal Information

  • A. Categories, Sources, Purposes and Retention Period of Your Personal Information Collected or to Be Collected

The table below describes the categories of your Personal Information that we collect, or have collected during the 12-month period prior to the effective date of this CCPA Addendum.

Category of Personal Information Collected Example
Identifiers Name, user name, birthdate, address, e-mail address, Suica ID, IP address, passport number, Pay user information, visa number, social security number
Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)) Telephone number, credit card number, password, occupation, family name, family employment information, education, bank account information
Protected classification characteristics under California or federal law Gender, nationality, health status
Commercial information Reserved seat information, receipt counter, number of people, reservation number, the date of membership registration, membership number, purchase history
Internet or network activity information Cookie, device number, operating system, action history (accessed URL, contents, order, advertising history, browsing time, browsing method, etc.), device usage, device models, browser information
Geolocation data Location information
Audio, electronic, visual and similar information Photograph
Professional or employment-related information Company name, company address, title/position, affiliation, background information, career information, employment history, skills such as languages, etc.
Sensitive Personal Information Location information, account information, Pay user information, credit card number, password, passport number

Business or Commercial Purposes. The business or commercial purposes for which your Personal Information will be collected and used, or was collected, are as described in Section 4 of the Policy. We do not use or disclose your sensitive Personal Information for purposes other than those specified in the CCPA. In addition, we do not collect or use your sensitive Personal Information for the purpose of inferring characteristics about you.

Categories of Sources. The categories of sources from which your Personal Information was collected during the 12-month period prior to the effective date of this CCPA Addendum are as follows.

  • Obtained directly from you

Retention Period. The retention period of your Personal Information is as described in Section 7 of the Policy.

  • B. Sale, Sharing and Disclosure of Your Personal Information
    • (A) Sale and Sharing of Your Personal Information
      We do not sell, share, and have not sold or shared during the 12-month period prior to the effective date of this CCPA Addendum, your Personal Information, including the Personal Information of consumers under the age of 16.
    • (B) Disclosure of Your Personal Information for a Business Purpose
      The table below describes: (i) the categories of your Personal Information that we have disclosed for our operational business purposes during the 12-month period prior to the effective date of this CCPA Addendum; and (ii) the categories of third parties to whom we have disclosed such Personal Information for our operational business purposes during the 12-month period prior to the effective date of this CCPA Addendum.
Category of Personal Information Disclosed Example Third Parties to whom Personal Information Was Disclosed in the Last 12 Months
Identifiers Name, user name, birthdate, address, e-mail address, Suica ID, IP address, passport number, Pay user information, visa number, social security number Our group companies, external business partners, public organizations
Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)) Telephone number, credit card number, password, occupation, family name, family employment information, education, bank account information Our group companies, external business partners, public organizations
Protected classification characteristics under California or federal law Gender, nationality, health status Our group companies, external business partners, public organizations
Commercial information Reserved seat information, receipt counter, number of people, reservation number, the date of membership registration, membership number, purchase history Our group companies, external business partners
Internet or network activity information Cookie, device number, operating system, action history (accessed URL, contents, order, advertising history, browsing time, browsing method, etc.), device usage, device models, browser information Our group companies, external business partners
Geolocation data Location information Our group companies, external business partners
Professional or employment-related information Company name, company address, title/position, affiliation, background information, career information, employment history, skills such as languages, etc. External business partners, public organizations

2. Your Rights and Requests

If you are a California consumer, you have certain rights regarding your Personal Information, as described below:

  • I. Access: You have the right to request, twice in a 12-month period, that we disclose to you the following information we have collected, used, and disclosed about you during the 12 months preceding your request:
    • (I) The categories of Personal Information we collected about you;
    • (II) The categories of sources from which we collected such Personal Information;
    • (III) The business or commercial purposes for collecting your Personal Information;
    • (IV) The categories of third parties with whom we disclosed such Personal Information; and
    • (V) The specific pieces of Personal Information we have collected about you.
  • II. Deletion: You have the right to request that we delete certain Personal Information we collected from you.
  • III. Correction: You have the right to request that we correct inaccurate Personal Information we collected from you.

How to Submit a Request. To make an access, deletion or correction request, please contact us using the information about us indicated in Section 10 of the Policy. Verifying Requests. To help protect your privacy and maintain security, we will take steps to verify your identity before granting you access to your Personal Information or complying with your deletion or correction request.

Upon receiving an access, deletion, or correction request from you, we first will verify your identity by requiring you to submit Personal Information you have provided us already (such as your name or e-mail address), and by matching the information you submitted with what we already have. If we are unable to verify your identity because you have not submitted this information, we may refuse your request.

If you use an authorized agent to make an access, deletion, or correction request on your behalf, we may require the agent to provide documents proving that you have given the agent signed permission to make the request. We also may require you to (1) verify your own identity directly with us, or (2) directly confirm with us that you provided the authorized agent permission to submit the request.

Additional Information. If you exercise any of your rights under the CCPA, you have the right not to receive discriminatory treatment from us. To the extent permitted by applicable laws and regulations, we may charge a reasonable fee to comply with your request.

3. Changes to this CCPA Addendum

We may change this CCPA Addendum from time to time. The date “Last Updated” at the top of this CCPA Addendum states when this CCPA Addendum was last updated. Any changes will become effective upon us posting the revised CCPA Addendum.

We will post a prominent notice on the site to notify you of any significant changes to this CCPA Addendum and indicate the date it was most recently updated.

4. Contact Details

If you have any questions or concerns regarding this CCPA Addendum or our privacy practices, please contact us using the information about us indicated in Section 10 of the Policy.

For Customers in the Peoples' Republic of China (Addendum for the Peoples' Republic of China)

For Customers in the Peoples' Republic of China
(Addendum for the Peoples' Republic of China)

This Addendum applies when the Processing of Personal Data is subject to the Personal Information Protection Law of the People's Republic of China (the “PIPL”). This Addendum supplements our Privacy Policy (the “Policy”) and prevails over any conflicting provisions in the Policy.

1. How We Process Your Personal Data

We shall engage in Processing such as collection, retention, use, processing, transmission, provision, disclosure, and deletion of Personal Data.

2. Processing of Sensitive Personal Data

In the case of Processing Sensitive Personal Data (as defined in Article 28 of the PIPL), we shall implement measures required under the PIPL, such as notifying you of the necessity of Processing Sensitive Personal Data, and the effects on individuals' rights and interests.

We shall Process your location information, reserved seat information, credit card number, Suica ID, Pay user information, password and passport number as Sensitive Personal Data. The necessity of Processing your Sensitive Personal Data, and the effects on individual rights and interests, are as follows:

  • (1) Necessity of Processing
    • Location information

      It is necessary for us to Process your location information for (a) market research on our business, or other researches or surveys, (b) business analysis related to our business, (c) ensuring security of our customers, (d) the selection and development of software, systems, equipment, devices etc. for ensure security, (e) the operation and maintenance of facilities, equipment and devices and the management of the usage status of them, (f) analyzing our website usage status, (g) improving the use of our service, and (h) providing information on our services/products, sales promotion and other information related to our business activities.

    • Reserved seat information, credit card number, Suica ID, Pay user information, password and passport number

      It is necessary for us to Process your reserved seat information, credit card number, Suica ID, Pay user information, password and passport number for (a) the conclusion and performance of a contract including provision of our services/products such as tickets, the management of a contract and the after-sales service of provided products/services, (b) the contact necessary for providing our services/products (including the case of requesting delivery agencies to deliver products, etc.), (c) providing information on our services/products and other information related to our business

      activities, (d) the billing and credit protection of fares and charges concerning our services/products (including the case of requesting a credit company for credit card payment, etc.), (e) receiving and responding to your inquiries and requests, and (f) registration of membership information for our services/products.

(2) Effects on Individuals' Rights and Interests
Your Sensitive Personal Data are managed under appropriate security control measures, and the possibility of negative effects on individuals' rights and interests due to a data breach is limited.

3. Provision of Personal Data

We provide your (i) reserved seat information, exchange location, reservation number, number of people, name, nationality, passport number and birthdate for the purpose of reserving tickets online on JR East Train Reservation and issuing the ticket based on the reservation, (ii) cookies for the purpose of counting the number of visitors to JR East Train Reservation website, (iii) e-mail address, membership number and name (birthdate, gender, nationality and telephone number, if necessary) for the purpose of responding to customer inquiries on JR East Train Reservation to the following our group companies outside China (within Japan): RAILWAY INFORMATION SYSTEMS CO.,LTD., JR East Information Systems Company, and JR East Net Station Co.,Ltd..

For Customers in the Republic of Korea (Addendum for the Republic of Korea)

For Customers in the Republic of Korea
(Addendum for the Republic of Korea)

Last Updated: August 1st, 2023

This Addendum supplements our Privacy Policy (the “Policy”) and sets forth, in greater detail, the information related to how we collect, use, and disclose the Personal Data of users in South Korea.

1. Transfers of Personal Data

Specifically, we transfer your (i) reserved seat information, exchange location, reservation number, number of people, name, nationality, passport number and birthdate for the purpose of reserving tickets online on JR East Train Reservation and issuing the ticket based on the reservation, (ii) cookies for the purpose of counting the number of visitors to JR East Train Reservation website, (iii) e-mail address, membership number and name (birthdate, gender, nationality and telephone number, if necessary) for the purpose of responding to customer inquiries on JR East Train Reservation to the following our group companies outside South Korea (within Japan) during a certain retention period as long as necessary to fulfill the purposes: RAILWAY INFORMATION SYSTEMS CO.,LTD., JR East Information Systems Company, and JR East Net Station Co.,Ltd..

2. Periods of Retention of Personal Data

If required to retain Personal Data pursuant to applicable Korean laws, such as those set forth below, we will retain Personal Data solely for the retention periods and purposes prescribed thereunder:

  • (a) Records on contracts or withdrawal of offers and the like
    • Reasons for retention: Article 6 of the Act on Consumer Protection, etc. in E-commerce (“E-commerce Act”); and Article 6 of the Enforcement Decree thereof
    • Duration of Retention: 5 years
  • (b) Records on payment settlement and supply of goods, etc.
    • Reasons for retention: Article 6 of the E-commerce Act; and Article 6 of the Enforcement Decree thereof
    • Duration of Retention: 5 years
  • (c) Records on Processing of consumer disputes and complaints
    • Reasons for retention: Article 6 of the E-commerce Act; and Article 6 of the Enforcement Decree thereof
    • Duration of Retention: 3 years
  • (d) Records on access
    • Reasons for retention: Article 15-2 of the Communications Secrecy Protection Act; and Article 41 of the Enforcement Decree thereof
    • Duration of Retention: 3 months

3. Procedures/Methods for Destruction of Personal Data

  • Procedures of destruction

We select the Personal Data to be destroyed (i.e., Personal Data whose purpose of processing is achieved or whose retention period has expired) and destroy it.

  • Method of destruction

If printed on paper, the Personal Data will be destroyed by shredding, incinerating, melting, or some other similar method, and if saved in electronic form, the data will be destroyed by technical methods which ensure that the data cannot be restored or recovered.

4. Rights and Obligations as a Data Subject and How to Exercise Them

Notwithstanding Article 8 (Your rights) above of the Policy, users may exercise their rights within the scope recognized under the Korean Personal Information Protection Act. A user and/or their legal guardian may access, correct, or delete the user’s registered Personal Data at any time. A user and/or their legal guardian may also withdraw consent to the collection, use, provision, or storage of Personal Data that the user provided in order to use the services. Please contact the Privacy department responsible for handling matters related to Personal Data protection in Article 5. (Contact Us) below of this Addendum if you wish to exercise any of these above rights.

5. Contact Us

If you have any questions or concerns about our use of your Personal Data, or wish to inquire about our Personal Data handling practices, and exercise your rights to access, correct or inquire about deletion of Personal Data, please contact us using the information about us indicated in Section 10 of the Policy.

For Customers in the Kingdom of Thailand (Addendum for the Kingdom of Thailand)

For Customers in the Kingdom of Thailand
(Addendum for the Kingdom of Thailand)

This addendum applies to data subjects in Thailand. In addition to those other laws and regulations applicable to us, we will respect and fulfil our duties under the Personal Data Protection Act B.E. 2562 (2019) (the “Thai PDPA”), where applicable. The addendum supplements our Privacy Policy (the “Policy”) and prevails over any conflicting provisions in the Policy.

The term “Personal Data” used in this Addendum shall have the same meaning given to it in the Thai PDPA, i.e. any information relating to a natural person, which enables the identification of such natural person, whether directly or indirectly. However, it shall not include information of a deceased person.

1. Legal Basis Processing your Personal Data

We will handle your Personal Data consistent with the consent you give to us. However, we are also able to rely on grounds described under the Thai PDPA to Process your Personal Data without having to obtain your consent. Said grounds include but are not limited to:

  • 1) Where it is for vital interests to prevent or suppress any danger to a person’s life, body or health;
  • 2) Where it is necessary for the performance of a contract to which you are a party, or in order to take steps at your request prior to entering into a contract;
  • 3) Where it is necessary for legitimate interests of us or of a third party to Process your Personal Data. However, if we rely merely on the basis of legitimate interests to Process your Personal Data, we will take into account interests or fundamental rights you have as a data subject; and
  • 4) Where we have to comply with our statutory obligations.

2. Whether Your Provision of Personal Data is Necessary?

In most cases, providing your Personal Data is not mandatory.

However, in some cases, you are under a statutory or contractual obligation to provide the Personal Data to us, or it is necessary for you to provide your Personal Data in order to enter into a contract with us. These include:

If you book, purchase or request our services/products, and if you refuse to provide the necessary Personal Data, this will obstruct us in managing the service relationship with you, and in providing the services to you;

If you conduct business or procure materials from us, and if you refuse to provide the necessary Personal Data, this will obstruct us in managing the business relationship and in providing the service to you.

3. Cross border transfer

We may share or transfer your Personal Data with our group companies and external partners as indicated above in Japan. In such case, we will ensure that the destination country or international organization that receives your Personal Data shall have adequate data protection standard, and shall be carried out in accordance with the rules for the protection of Personal Data as prescribed by the Thai Personal Data Protection Committee. In the absence of the guidance as to which countries shall be considered as to have adequate data protection standard and the rules for the protection of Personal Data issued by the Thai Personal Data Protection Committee as referred to above, we will share or transfer your Personal Data to our group companies and external partners in such the foreign countries in accordance with your consent, providing that you will be informed of the inadequate Personal Data protection standards of such destination country or international organization, or by relying on other exemptions permitted by the Thai PDPA.

4. Your Rights and Requests

As a data subject, you have certain rights regarding your Personal Data, as described in the Thai PDPA. However, you may not be entitled to exercise all the said rights since your entitlements are subject to the nature or the purpose of the collection, use or disclosure of your Personal Data carried out by us, as will be further explained below. Hence, for your information, and so that you duly understand and recognise each of your rights, we summarise all rights prescribed under the Thai PDPA, as follows:

Right to Withdrawal of Consent: You have the right to withdraw your consent to collect, use and/or disclose your Personal Data so long as there are no restrictions in so doing by law or the contract which gives benefit to you. However, the withdrawal of consent shall not affect the collection, use, or disclosure of Personal Data for which you have already given consent legally.

Right to Access:You have the right to request information about how your Personal Data is collected, used or disclosed, including the right to access to your own Personal Data and to obtain a copy of such Personal Data, as well as to request for disclosure of your Personal Data that you believe we obtained without your consent.

Right to Rectification:You have the right to require us to correct or complete your Personal Data that you believe it is inaccurate or incomplete.

Right to Erasure:You have the right to request us to have your Personal Data erased and to have confirmation of such erasure, or to make your Personal Data anonymous under certain conditions and on certain grounds in accordance with the Thai PDPA, as follows:

  • Where your Personal Data is no longer necessary in relation to the purpose for which it was collected, used or disclosed;
  • Where your consent for collection, use or disclosure of such Personal Data is withdrawn, and where we have no legal grounds for such collection, use or disclosure;
  • Where you have objected to the collection, use or disclosure of your Personal Data, and we have no legal ground to reject such request; or
  • Where there is no legal basis for the collection, use or disclosure thereof.

Right to Restriction:You have the right to request us to restrict the use of your Personal Data in the following circumstances:

  • Where there is a pending examination process to your request for rectification as stated above;
  • Where you have a right to erasure on the grounds that the collection, use or disclosure of your Personal Data carried out by us is unlawful but you do not want such Personal Data to be erased;
  • Where your Personal Data is no longer needed for the purpose of collection, use or disclosure but it is still required by you for the establishment, exercise or defence of legal claims; or
  • Where you have objected to the collection, use or disclosure of your Personal Data, and the verification of such objection is pending.

Right to Data Portability:You have the right to request that we send or transfer your Personal Data which we collected and arranged to be in a format readable or commonly used by ways of automatic tools or equipment, and which can be used or disclosed by automated means to another organisation or directly to you in accordance with the conditions and grounds specified under the Thai PDPA. Your right in this regard will only apply to the Personal Data which you have consented to be collected, used or disclosed, or which we collect, use or disclose by relying on the necessity for performance of a contract.

Right to Object:You have the right to object to the collection, use or disclosure of your Personal Data in accordance with the conditions and grounds specified under the Thai PDPA, for example, where we rely on the legitimate interest ground to collect, use or disclose your Personal Data without your consent, unless we can demonstrate compelling legitimate grounds for the collection, use or disclosure which override your interests; or where it was done for the establishment, exercise or defence of legal claims.

Right to Lodge a Complaint:You have the right to lodge a complaint to relevant committee(s) under the Thai PDPA if we or our employees, contractors and/or data processors, fail to comply with the Thai PDPA or the announcements issued under the Thai PDPA.

5. Contact details

If you have any questions or concerns regarding this Thai PDPA Addendum or our privacy practices, please contact us using the information about us indicated in Section 10 of the Policy.