Transfer of Personal Data to Third Parties in Japan

Transfer of Personal data

When using a new service on the internet, you are often required to provide personal data, which is subsequently processed to provide you with the service. You may wonder whether your personal data has been transferred to third parties other than the original service provider or if the service company is appropriately processing your personal data.

For example, when you make an online reservation for a golf course, your personal data may be shared between the company operating the reservation website and the company providing the golf service. Suppose you select a credit card as the payment method for using an internet service, your payment information will be shared with the credit card company. In addition, login information and points history may be shared among group companies. Some companies may manage your personal data with in-house tools only, while others employ third-party tools.

As such, your personal data may be "shared" in various situations. In this article, we aim to clarify the measures taken by Rakuten to protect your personal data when transferring it to third parties. As Rakuten Group provides its services globally, we must adhere to various laws and regulations across multiple jurisdictions.

This article will focus only on third-party transfers under Japanese laws and regulations, and how Rakuten Group protects your privacy accordingly.

For information about the transfer of personal data to third parties outside Japan, please refer to the article "Data Transfers to Other Countries."

What is the Case for Transferring Personal Data at Rakuten?

As the Rakuten Group provides various internet services, we may need to share your personal data, as described above. In addition, when you use Rakuten ID, our member authentication system, and the points program, we may process and share information about member registration and "Rakuten Point" rewards among Rakuten Group companies.

For example,

  1. (i) We may share your personal data with the Rakuten Group companies listed as "We" in our privacy policy. This is known as "joint-use." Additionally, we may share your personal data with other Rakuten Group companies in situations described in Section 4-1, "Disclosure within Rakuten Group" of the privacy policy. This typically occurs when you use various services provided by different Rakuten Group companies with a common Rakuten ID. Such group-wide collaboration enables Rakuten Group to provide seamless service delivery inside Rakuten Group across company boundaries.

  2. (ii) Rakuten Group may share your personal data with business partners and service providers who are not part of Rakuten Group but are necessary for us to provide our services. When we transfer your personal data outside Rakuten Group, we always obtain the necessary consent or otherwise fulfill the procedures required by applicable law.

This is how we share personal data, adhering to the guidelines mandated by applicable laws.

Our Measures to Protect Personal Data

When transferring personal data, we prioritize compliance with applicable laws and regulations. However, ensuring data security doesn’t stop there. We also take steps to ensure information management security with third parties. The following are some examples of measures we take in Rakuten Group.

Transfer of Personal Data in Rakuten Group in Japan

  • ・We may share your personal data with Rakuten Group companies listed as "We" in our privacy policy. When we transfer your personal data among Rakuten Group companies, we, in principle, set a condition that the company should acquire ISMS* (Information Security Management System) certification to strengthen information security measures across the group. Even if they do not obtain ISMS certification at the time of joint-use subscription, we ensure that their security measures are equivalent. Additionally, Rakuten Group, Inc. is responsible for managing data use within joint-use companies and supervising the system to ensure that appropriate processing of personal data is carried out.

  • ・Rakuten’s global privacy framework is based on a set of internal rules called Binding Corporate Rules (BCRs). The BCRs ensure the protection of individual privacy and personal data throughout the Rakuten Group. Rakuten is very serious about maintaining global compliance at the highest standards.

  • ・Our measures for privacy protection are also explained in the section titled "Privacy" of our corporate sites. Please also check this information.

Transfer of Personal Data outside of Rakuten Group in Japan

  • ・When we need to transfer personal data to business partners and service providers outside of Rakuten Group, we conduct a preliminary review to confirm that they have appropriate security management measures in place. Additionally, we regularly assess how these entities handle personal data in the entrusted business.

  • ・In cases where your personal data is transferred to companies outside the Rakuten Group for outsourcing or transferring to third parties based on consent, we enter into contracts to ensure the proper processing of personal data and the security of information management. In the case of transferring personal data based on outsourcing, the contract explicitly restricts the use of personal data to the scope of entrusted businesses.

  • ・The Information Security page also clarifies our procedures to secure advanced security standards, such as telecommunications encryption, when providing information externally. Please ensure to review it.

*Information Security Management System (ISMS) is a system that manages various risks, such as the loss or falsification of information assets and service outages. The Rakuten Group sets standards and regulations based on ISO/IEC 27001, aiming to maintain the confidentiality, integrity, and availability of information assets.

Page Top