SUMITOMO MITSUI CONSTRUCTION CO., LTD.

Contact
Japanese

Company Policy

EXPLANATION ON THE BASIC POLICY ON INFORMATION SECURITY
(INCLUDING HANDLING OF PERSONAL INFORMATION)

BASIC POLICY ON INFORMATION SECURITY

Sumitomo Mitsui Construction Co., Ltd. and the rest of the Sumitomo Mitsui Construction group companies (hereinafter collectively referred to as “SMC Group Company(ies)”) fully recognize the importance of information security*1 and endeavor to handle information properly in various business activities, as members of advanced information and communications society. Toward this goal, the SMC Group Companies will develop an information security management system (“ISMS”) and continuously make improvements. Through this initiative, the SMC Group Companies will ensure that personal information and other information assets are securely protected, and also strive to live up to the expectations of society concerning information security at each SMC Group Company.

1. PURPOSE AND SCOPE OF APPLICATION
The purpose of this Policy is to ensure that all employees*2 working for the SMC Group Companies fully recognize the importance of information security in various business activities and also act properly. The Policy applies to all business activities of the SMC Group Companies.
2. ROLE OF MANAGEMENT
Management of each SMC Group Company shall provide management resources that are necessary for implementing measures in accordance with this Policy in order to maintain a proper level of information security. They shall also develop an organization and program for operating the ISMS and clearly define the responsibilities and authority of those operating the ISMS.
3. RISK MANAGEMENT PERTAINING TO INFORMATION SECURITY
The SMC Group Companies shall specify systematic procedures and standards for information security risk assessment*3 and also formulate and implement measures for properly enforcing information security based on the result of the risk assessment.
4. INFORMATION SECURITY ACTIVITIES
  1. 1) Compliance with laws and contracts
    All employees of the SMC Group Companies shall comply with the requirements of any applicable laws, regulations, and contracts in a reliable manner.
  2. 2) Training on information security
    The SMC Group Companies shall provide training to all employees on the ISMS and compliance program for the protection of personal information*4.
  3. 3) Business continuity management
    The SMC Group Companies shall develop a protocol for immediately reporting any occurrence or precursor of an information security incident*5.
    The SMC Group Companies shall develop a business continuity management program to protect against any information security incident.
5. HANDLING OF PERSONAL INFORMATION

The SMC Group Companies shall properly handle any personal information that is used in their business activities pursuant to the Act on the Protection of Personal Information and the internal rules, etc. of each SMC Group Company.

  1. 1) Obtainment of personal information
    The SMC Group Companies shall obtain personal information through lawful and fair means.
  2. 2) Use of personal information
    The SMC Group Companies shall only use personal information for the purpose of use as specified when the personal information was obtained and to the extent that is necessary for them to conduct related operational tasks.
    If any SMC Group Company intends to jointly use personal information with a third party or outsource the handling of personal information to a third party, it shall conduct a strict review of the third party in advance and properly manage the third party to ensure that personal information is properly handled and securely protected.
  3. 3) Provision of personal information to third parties
    The SMC Group Companies shall not provide any personal information to a third party without obtaining the consent of the individuals to whom the personal information pertains, unless otherwise stipulated by law.
  4. 4) Management of personal information
    The SMC Group Companies shall implement various safety management measures, including information security measures, and endeavor to prevent any unauthorized access to personal information as well as loss, destruction, falsification, leakage, etc. of personal information in order to ensure the accuracy and safety of the personal information.
  5. 5) Disclosure, correction, suspension of use, and deletion of personal information
    The SMC Group Companies recognize that each individual has the right to make a request to have his/her personal information disclosed, corrected, suspended from use, deleted, etc. Accordingly, the SMC Group Companies shall respond to any such request in a proper manner pursuant to the applicable laws, common practice, etc. In this connection, if there is any comment or inquiry concerning the SMC Group Companies’ handling of personal information, please send it to a designated contact point.
6. DOCUMENTATION AND MAINTENANCE
The SMC Group Companies shall develop the ISMS, document and implement it, and maintain it while also continuously improving the effectiveness of the system.
7. HANDLING OF VIOLATIONS
If anyone is found to have committed a violation of this Policy or any rules under this Policy, the SMC Group Companies shall deal with the violation pursuant to the applicable rules.
Enacted on January 1st, 2007
Revised on April 1st, 2009
  • Sumitomo Mitsui Construction Co., Ltd.
  • Sumitomo Mitsui Construction Group Companies
  • Sumiken Mitsui Road Co., Ltd.
  • SMC Co., Ltd.
  • SMC Precon Inc.
  • SMC Reform Co., Ltd.
  • SMC Civil Technos Co., Ltd.
  • SMC Concrete Co., Ltd.
  • Seiwa Corporation
  • SMC Tech Co., Ltd.
  • Aseismic Devices Co., Ltd.
  • Fibex Co., Ltd.
  • Amenity Life Co., Ltd.
  • Cosmo Planning Co., Ltd.
*1: Information security
This means maintenance of the confidentiality, integrity, and usability of information.
Confidentiality: Prohibition of use by or non-disclosure of information to any unauthorized individuals, entities, and processes
Integrity: Protection of the accuracy and completeness of assets
Usability: Availability for access and use when requested by authorized entities
*2: All employees
The term refers to:
  1. 1) directors, executive officers, others treated equivalently to a director or officer, advisers, employees, temporary workers, seconded workers, part-time workers, etc. who are obliged to comply with the rules of the company; and
  2. 2) employees of vendors and contractors who must continuously perform their work in the offices being managed by the company for a certain period of time.
*3: Risk assessment
This means the entire process from risk analysis to risk evaluation.
Risk analysis: Systematic use of information to identify risk factors and calculate risks
Risk evaluation: The process of comparing the calculated risks to the applicable risk standards in order to determine the significance of those risks
*4: Program for the protection of personal information
This means a set of internal rules for the protection of personal information. Such rules include this Policy, personal information protection rules, and any other relevant rules and regulations.
*5: Information security incident
This means any undesirable or unexpected individual information security event or a series of information security events that has a high likelihood of jeopardizing the company’s business operation or threatening information security.

PURPOSE OF USE OF PERSONAL DATA, ETC. IN THE COMPANY’S POSSESSION

1. PURPOSE OF USE OF PERSONAL DATA IN THE COMPANY’S POSSESSION

The company shall hold in its possession any personal information that is necessary for its business operation. The company shall use such personal data within the scope of the following businesses and purposes.

● Scope of the company’s businesses as specified in its articles of incorporation
  1.   1. undertaking of engineering works, construction works, works involving pre-stressed concrete, electrical works, pipe works, and other types of works, and design supervision service
  2.   2. design supervision service for marine development, regional development, city development, resource development, and environmental improvement
  3.   2. various engineering and consulting services including investigation, planning, proposal, etc. related to any of the works and services as specified in the preceding items
  4.   4. acquisition, management, use, disposal, and leasing of real estate
  5.   5. sales and purchase of real estate, real estate brokerage and appraisal
  6.   6. manufacturing, provision, sales, and leasing of engineering and construction work materials, pre-stressed concrete products, aseismic apparatus, vibration control apparatus, machinery, equipment, etc.
  7.   7. maintenance and repair of, and security service for, engineered structures and buildings
  8.   8. landscape and gardening business
  9.   9. development, acquisition, licensing, and sales of industrial property rights, copyrights, and computer software
  10. 10. information processing service business and information provision service business
  11. 11. development, sales, leasing, maintenance, and management of computers and other electronic equipment for office use
  12. 12. general leasing business
  13. 13. management, administration, operation, and leasing of nursing homes for the elderly, training/medical/sports facilities, leisure facilities such as skiing grounds, amusement parks, etc., lodging facilities, and restaurants
  14. 14. worker dispatching business
  15. 15. non-life insurance agency business
  16. 16. money loaning and other financial service business
  17. 17. business of providing service to prevent environmental destruction
  18. 18. collection, transportation, disposal, and recycling of industrial waste
  19. 19. design, work, and supervisory service related to investigation, assessment, and addressing cases of soil and groundwater contamination
  20. 20. power generation business using renewable energy sources as well as management and operation of such business, and provision and sales of electricity
  21. 21. any other businesses that are ancillary to the businesses as specified in the preceding items
● Purpose of use
  1.   1. operation of the aforementioned businesses, and various activities that are ancillary to those businesses
  2.   2. provision of business information
  3.   3. various activities for responding to inquiries and information requests, etc.
  4.   4. fulfilment of the company’s duties, exercising of its rights, and various ancillary activities
  5.   5. In regard to any specific personal information and individual numbers (hereinafter collectively referred to as “Specific Personal Information, Etc.”) as stipulated in the Act on the Use of Numbers to Identify a Specific Individual in Administrative Procedures, the company shall only use the personal information to: prepare withholding records and payment records; provide the personal information to the employee shareholding association so that it can perform the administrative task of preparing payment records; and perform administrative tasks of filing reports, applications, and claims concerning health insurance, employees’ pension insurance, employment insurance, and worker’s accident insurance.

2. JOINT USE OF PERSONAL INFORMATION

Any personal information in the company’s possession may be jointly used with any of the SMC Group Companies as well as any of the company’s joint business partners, etc. for the purpose of use as specified in the preceding section. If any personal information will be actually jointly used with other companies, the company will notify information in advance as to the identities of the joint users, who will be the information manager, etc.

3. DEDICATED CONTACT POINT

In case of any inquiry concerning the personal data being held by the company or personal information in general, please communicate it to the following contact point.

General Affairs Department
Sumitomo Mitsui Construction Co., Ltd.
2-1-6 Tsukuda, Chuo-ku, Tokyo 104-0051
Phone: 03-4582-3022

4. PROCEDURE FOR ACCEPTING REQUESTS TO DISCLOSE INFORMATION, ETC.

The company will accept requests to disclose, correct, add to, delete, or suspend the use of any personal data, etc. in its possession in accordance with the procedure described below.
Please note that the company cannot accept such requests to disclose personal data through other means, i.e., over the phone or in person at the company office.

(1) Request acceptance procedure

Please enter the required information in the application document and mail it to the address specified in ‘3. DEDICATED CONTACT POINT’ above, together with a copy of an individual identification document and return envelope (see 4. (2) ‘Fee required for personal data disclosure’ for details). After the application has been received, the company will send its response to the requesting party in writing by mail.

● Individual identification documents:
  • - driver’s license;
  • - passport;
  • - extract of the family register (i.e., only showing required items such as the address, name, etc.);
  • - copy of the certificate of residence (i.e., only showing required items such as the address, name, etc.);
  • - certificate of insured person under any insurance policy (i.e., only showing required items such as the address, name, etc.);
  • - pension book; or
  • - certificate of alien registration, etc.
  •    * If the current address and the address that has been previously registered with the company are different, please submit a copy of the certificate of residence that shows the relocation record.
  •    * If the certificate being submitted to the company includes the registered domicile information, please cover up the area and make a photocopy of the document.
  •    * If the request is filed through a representative, please also include a power of attorney and a copy of the representative’s identification document in addition to the identification document of the individual that is making the request.
  •    * If the surname of the individual making the request has been changed due to marriage, etc., please submit one of the following identification documents:
    A transcript or extract of the family register, public document (i.e., driver’s license, etc.) with a photo of the individual’s face attached and showing both the previous and current names of the individual, or the certificate of residence showing both the previous and current names of the individual
  •    * If the company finds any missing information or item in the application documents, it will notify the requesting party and return all documents, etc. The requesting party will be responsible for resubmitting the application documents including the missing information or item.
(2) Fee required for personal data disclosure

If an individual intends to request the company to disclose his/her personal information being held by the company, the individual must send the application documents to the company by post, including a return envelope (JIS square-type No. 2 for A4-size documents) with sufficient stamps attached to cover the simple registered mail postage (450 yen for up to 100 g).
Please note that, if the disclosure request cannot be granted or any information or item is missing in the application, the company will use the return envelope to convey the information to the requesting party and will not refund the postage.