Last updated: October 1, 2020
1. Basic Policy
Maruho Co., Ltd. (hereinafter, the “Company”) complies with personal information protection laws and guidelines of each country and region, including the Act on the Protection of Personal Information (hereinafter, the “APPI”) and the European General Data Protection Regulation (hereinafter, “GDPR”; collectively, “Data Privacy Laws”), the Company Code of Conduct and other internal rules. The Company strictly manages personal information (as defined by applicable Data Privacy Laws; hereinafter, “Personal Information”) of customers, business partners, shareholders, officers, employees and other third parties (hereinafter, “Data Subjects”) and does not make unauthorized use or disclosure of such Personal Information not only while they are employed, but also after their retirement.
Moreover, the Company clarifies the purpose of use before obtaining Personal Information of Data Subjects and obtains such information by lawful and fair means.
2. Method of Collection
The Company may collect Personal Information from the Data Subjects themselves, through clinical trials, and, in the case of employee information that is not publicly available, from third parties with which the Company has contracted or from overseas group companies.
3. Types and Purpose of Use of Personal Information the Company Collects
The types of Personal Information the Company collects for the following purposes include:
- Name and contact data, such as postal address, email address, telephone number
- Educational and Professional Details
- Financial data, such as a bank account or credit card number
- Health-related data
- Clinical data, which is related to Company’s research and development and clinical studies, registries, and trials
The Company uses the foregoing Personal Information for the following purposes:
(1) Purposes of using personal information about doctors, dentists, pharmacists, pharmacies, drugstores, and other medical professionals, as well as those belonging to research institutions related to medicine and pharmacy
- a) Provision and collection of information on the appropriate use of products
- b) Provision and collection of information on product quality, safety or effectiveness
- c) Investigation of product usage, actual use, user needs, etc.
- d) Contact / response at the time of product adverse effects, accidents, recalls, etc.
- e) Identification of product delivery destinations and maintenance of communication network
- f) Research and investigation in the fields related to medicine and pharmacy
- g) Provision and collection of medical and academic information
- h) Information on academic societies and workshops hosted, co-sponsored or sponsored by the Company
- i) Business related to requesting and conducting clinical trials, post-marketing surveillance, etc. of pharmaceuticals
- j) Membership authentication for the internet site for medical professionals and communication to its members
- k) Communication with and provision of information to marketing authorization holders of products, manufacturers, distributors, medical professionals, etc.
- l) Notification / reporting to regulatory authorities
(2) Purpose of using personal information about users of products and services
- a) Send and provide products, samples and services, price settlement, and provide after-sales services
- b) Provision of information about products / samples / services and anything related
- c) Investigation of products / sample usage, actual usage, user needs, etc.
- d) Information on seminars and events hosted, co-sponsored or sponsored by the Company
- e) Member authentication for the Internet site and communication to its members
- f) Recruitment information for product monitors
(3) Purpose of use of personal information concerning users of public relations, products and other company contacts
- a) Examination, investigation and response of contents such as consultation and communication
- b) Communication with and provision of information to marketing authorization holders of products, manufacturers, distributors, medical professionals, etc.
- c) Notification / reporting to regulatory authorities
(4) Purposes of use of personal information regarding officers and employees of companies such as pharmaceutical wholesalers, etc., who have business relationships with the Company, contracts such as real estate agents, and consultants such as lawyers and certified public accountants.
- a) Fulfillment of transactions and contracts, and related communications and provision of information
- b) Administrative work related to personal number, such as payment record preparation work, and notification / reporting to regulatory authorities
(5) Purpose of use of personal information about shareholders
- a) Fulfillment of obligations stipulated in laws and regulations such as the Companies Act and responding to the exercise of shareholder rights
- b) Sending business reports and other materials
- c) Shareholder management, such as the creation of shareholder data according to prescribed standards based on various laws and regulations
- d) Administrative work related to the individual number system, such as payment record preparation work, and notification / reporting to regulatory authorities
(6) Purpose of using personal information regarding social contribution activities
- a) Communications related to the Company’s social contribution activities and provision of this information
- b) Posting on this website
(7) Purpose of use of personal information about applicants for employment
- a) Consideration and determination of adoption, provision of information, communication, etc.
(8) Purpose of use of personal information about employees (executives, employees, advisors, contract employees, part-time employees, temporary employees, etc.), former employees and their families
- a) Management of work, salary and bonus payments, personnel affairs, evaluations, skill development, well-being, health and safety, etc.
- b) Communications and provision of information to the Company’s group and affiliate companies.
- c) Administrative work related to the individual number system, such as health insurance and employee pension insurance, and contacting and providing health insurance associations
- d) Administrative work related to individual numbers, such as tax withholding slip preparation, and notification / reporting to regulatory authorities
(9) Other purposes of use
- a) Subcontracting, provision to third parties, and joint use required to achieve the purposes of use described in (1) to (8) above.
The Company will notify Data Subjects separately, if the provision of Personal Information is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as the possible consequences of failure to provide such information.
4. Lawful basis for Processing (GDPR)
The lawful basis for processing is as follows:
- (1) the Data Subject has given consent to the processing of his or her personal data for one or more specific purposes;
- (2) processing is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- (3) processing is necessary for compliance with a legal obligation to which the Company is subject;
- (4) processing is necessary in order to protect the vital interests of the Data Subject or of another natural person;
- (5) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Company;
- (6) processing is necessary for the purposes of the legitimate interests pursued by the Company or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Subject which requires protection of Personal Information, in particular where the Data Subject is a child. Such legitimate interests include management of Personal Information within the Company, and marketing of products and services.
5. Provision to Third Parties
5.1 The Basis of the Provision to Third Parties
In principle, the Company does not provide Personal Information to any third party without the consent of the Data Subject. However, the Company may provide Personal Information for the following cases with regard to Personal Information of Data Subjects residing in Japan, and may provide Personal Information of Data Subjects residing in the European Union or European Economic Area (hereinafter collectively referred to as "EU") pursuant to the lawful basis set forth in the preceding section 4(2) to 4(6) without the consent of the Data Subject.
- (1) Cases of joint use in accordance with the procedures stipulated in applicable laws and regulations
- (2) Cases of entrusting the handling of Personal Information
- (3) Cases based on laws and regulations
- (4) Cases in which there is a need to protect a human life, body or assets, and when it is difficult to obtain the consent of the Data Subject
- (5) Cases in which there is a special need to enhance public hygiene or promote the upbringing of healthy children, and when it is difficult to obtain the consent of the Data Subject
- (6) Cases in which there is a need to cooperate in regard to a central government organization or a local government, or a person entrusted by them performing affairs prescribed by laws and regulations, and when there is a possibility that obtaining the consent of the Data Subject would interfere with the performance of the said affairs.
5.2 Who the Company provides, shares and discloses
- a) The Company may share Data Subject’s personal information with any person working within the Company or with any employees working within the group companies on a need to know basis to ensure the Company is able to perform our obligations to Data Subjects.
- b) The Company may share personal information with third party service providers who process personal information on our behalf in order to provide services to Data Subjects. This includes, but is not limited to, contract research organizations, site management organizations, research laboratories, IT system providers and IT contractors, payroll providers and pension administration providers.
- c) The Company may share personal information with our regulators, governmental or quasi-governmental organizations, law enforcement authorities and with courts, tribunals and arbitrators in order to comply with our regulatory and legal obligations.
- d) If the Company sells or assigns any part of our business and/or integrates it with another organization, the Data Subject’s personal information may be disclosed to our advisers and to prospective purchasers, joint venture partners and their advisers, or related third parties.
6. Provision to Persons Overseas
If the Company provides Personal Information to third parties or overseas group companies across national borders, it will confirm laws, regulations and rules regarding cross-border transfer of Personal Information and implement such transfers in compliance with those laws, etc. In exceptional cases for unsecured third countries where the European Commission has not made an adequacy decision under applicable laws and regulations, the Company will execute contracts, including Standard Contractual Clauses (“SCC”) in accordance with the GDPR, with third parties to protect Personal Information.
If the Company and/or any member of the group companies in the EU provide Personal Information to Japan, it shall be done pursuant to the adequacy decision made by the European Commission.
7. Security Control Actions
In order to handle Personal Information properly, the Company strives to strengthen and improve internal systems properly by appointing a Chief Information Security Officer, and complying with applicable laws, regulations and guidelines.
In addition, upon entrusting the handling of Personal Information, the Company selects as an entrusted party a person that handles Personal Information properly, stipulates matters necessary to enable the entrusted party to control Personal Information properly and strives to protect Personal Information.
8. Various Procedures for Disclosure, Revision, Cessation of Use, Etc. of Personal Information
The Company will promptly respond to inquiries regarding disclosure, revision, cessation of use, deletion and other handling of Personal Information pursuant to the provisions of applicable laws and regulations.
The Company may ask inquirers about their contact details and other detailed information to confirm that they are the Data Subjects of the relevant Personal Information.
- a) Contact information for requests for disclosure, etc. Same as the following contact information for the consultation service for protection of personal information.
- b) Forms of documents to be submitted by request for disclosure, etc. and other methods of request for disclosure, etc.
It shall be accepted by receiving by post documents containing a requester's address, name, and method of contact and documents verifying the identity of the principal or the agent.
- c) Method to verify that a requester for disclosure, etc. is the principal or the agent. It shall be verified by a method to request provision of registration details. A power of attorney shall be required if the requester is an agent.
- d) Method to charge fees (limited to cases where fees are specified). A postage fee will be charged in cases where the purpose of utilization of personal information for disclosure is notified or where personal information for disclosure is disclosed.
Data Subjects hold the following rights.
- (1) The right to access – The Data Subject has the right to request the Company for copies of the Data Subject’s personal data.
- (2) The right to rectification – The Data Subject has the right to request that the Company correct any information believed to be inaccurate. The Data Subject has the right to request the Company to complete the information believed to be incomplete.
- (3) The right to erasure – The Data Subject has the right to request that the Company erase the Data Subject’s personal data, under certain conditions.
- (4) The right to restrict processing – The Data Subject has the right to request that the Company restrict the processing of the Data Subject’s personal data, under certain conditions.
- (5) The right to data portability – The Data Subject has the right to request that the Company transfer the data that the Company has collected to another organization, or directly to the Data Subject, under certain conditions.
- (6) The right to object to processing – The Data Subject has the right to object to the Company's processing of the Data Subject’s personal data, under certain conditions.
- (7) The right to not be subject to profiling and automated decision making – The Data Subject has the right not to be subject to solely automated decision making such as profiling that produces any legal or similar material effect on the Data Subject.
- (8) The right to withdraw the Data Subject’s consent at any time by contacting the Company in written form.
10. The right to file a complaint with the authorities
Data Subjects have the right to file a complaint with the data authorities in their respective jurisdictions.
JAPAN: Personal Information Protection Commission https://www.ppc.go.jp/
(1) Purposes of use
To manage the transfer of access information, etc., and confirm that the operations are performed by the same Data Subject.
To prevent unauthorized access and ensure the security of a Data Subject’s usage environment (user terminals, etc.).
To store the character display size set by the Data Subject to improve the user experience.
To understand the access status of Data Subjects and use it to create better sites.
Also, for retargeting services, site analysis services, etc., third parties such as Internet advertising companies may use information obtained by cookies and web beacons about Data Subjects who visit this site.
If Data Subjects do not want a third party to use the cookie information, etc. for posting web advertisements, Data Subjects can access the opt-out page provided on the third party's website to stop the use of this service.
(2) About the use of this site
The cookie information acquired by this site and the information obtained by web beacons do not include Data Subject information (name, birthday, job category, work address, telephone number, email address, etc.).
However, after registering as a member, in some cases, we may provide a service that utilizes the acquired cookie information, etc. for the purpose of providing more suitable information to the Data Subject.
When a Data Subject browses a website, the browsing history and input contents of this site sent and received between the Data Subject’s browser and the server are stored in small data files on the Data Subject’s computer or mobile device. This technology allows the Web server to identify the previous usage status of a Data Subject’s device when the Data Subject accesses the site again.
A Data Subject can stop the function of cookies by changing the settings for sending and receiving cookies.
** Web beacon
By using a small image file embedded in a web page or email, when a Data Subject browses this web page or email, browsing information is recorded on the web server side.
12. Retention Period of Personal Information
The retention period of Personal Information shall be as permitted under applicable laws and regulations, and Personal Information shall be promptly erased after the retention period, unless necessary for contractual or other purpose of processing.
Contact information for complaints concerning the handling of personal information for disclosure
General Affairs Dept.