Privacy
Rakuten's Approach
Rakuten Group recognizes that privacy is not merely a compliance matter but is a key enabling factor for building the Rakuten Ecosystem sustainably through innovation, technologies and stakeholders' trust. Rakuten Group strives to implement, enhance and enforce privacy requirements to enable its users to fully enjoy the Rakuten ecosystem.
Management System
Rakuten Group has appointed a Global Privacy Manager who leads Rakuten Group's privacy strategy in accordance with the requirements of the General Data
Protection Regulation ("GDPR"), an EU privacy regulation and Rakuten Group's Binding Corporate Rules ("BCRs"), our set of internal privacy regulations.
The Global Privacy Manager works together with the Regional Privacy Officers and the Local Privacy Officers to monitor privacy compliance and risks
within the Group and ensure accountability with the applicable privacy laws. They report, in a timely manner, to the Group Information Security &
Privacy Protection Committee as well as at Corporate Management Meetings.
In addition, we have implemented internal processes to oversee personal
data use to assure governed, compliant and safe data handling across the Group. A review process for new data collection, sharing and use by privacy
specialists and other relevant internal stakeholders has been established to confirm that our data use follows our privacy policy, internal rules and
applicable laws.
Efforts to Ensure Privacy
Rakuten Group provides services that are safe for our customers and in compliance with the applicable privacy laws in the areas where we operate. However, some
countries have only limited or fragmented privacy rules or may lack a general privacy framework.
Therefore, Rakuten Group relies on its own privacy
framework as the fundamental guarantee and operational baseline in terms of privacy and data protection worldwide. Rakuten Group is very serious about
maintaining global compliance at a high standard.
Introduction of Rakuten Group Binding Corporate Rules
Rakuten Group has adopted globally a set of privacy and data protection rules referred to as Binding Corporate Rules ("BCR"). The BCR is an internal regulation that all Rakuten Group companies must follow and establish the privacy and data protection standard within Rakuten Group. Rakuten Group's BCR is comprised of two sets of Binding Corporate Rules, one under the General Data Protection Regulation ("GDPR"), approved by the National Data Protection Commission in Luxembourg, and the other, under the United Kingdom General Data Protection Regulation ("UK GDPR"), approved by the Information Commissioner of the United Kingdom (hereinafter, both sets of rules should be understood and referred as the "BCRs").
Rakuten Group was the first Japanese company that obtained approval from the authority in Luxembourg and recently, the first Japanese company that obtained
approval under the UK GDPR from the responsible authority in the United Kingdom. BCRs establish Rakuten Group's global privacy framework and ensure the
protection of individual's privacy and personal data throughout the Rakuten Group.
These rules comprise the main privacy principles such as lawful
processing, purpose limitation and data quality, as well as recognize the right to information, rectification, objection, and others as granted under the
applicable privacy laws. Depending on the region where Rakuten users are based and the applicable privacy regulation, they may enjoy additional rights.
Please see here for details.
Aligning with Domestic Standards
As part of our business activities in Japan, we regularly check and monitor compliance with the Personal Information Protection Law and other laws and guidelines established by relevant authorities. Moreover, three companies in the Rakuten Group have received Privacy Mark Certification (see below), given to accredited businesses that have established systems for appropriately protecting personal information in accordance with the Japanese Industrial Standard, "Personal information protection management systems - requirements (JIS Q 15001)."
Privacy Mark Certified Company
- Rakuten Securities, Inc.
- Rakuten Insight, Inc.
- Rakuten Communications Corp.
Ensuring Transparent Data Handling
Rakuten Group collects, uses and stores customer information to constantly improve the services we provide. Not only do we comply with relevant laws and
regulations, we strive to ensure transparency in each of our services by disclosing the usage of personal data and, when necessary, by giving clear explanations
to users with easy-to-understand language and visuals.
With the launch of our renewed Privacy Center, we aim to ensure our users are even more informed, by
explaining how we handle personal data and introducing other privacy topics relevant to society, so that they can use Rakuten Group services with greater peace
of mind. In the future, we will expand the content related to personal information and privacy, which are essential to our customers' daily lives as well as our
services.
Monitoring Privacy Regulation
Since Rakuten Group operates globally, it is essential for us to monitor trends such as the enactment, revision and repeal of privacy laws in various countries.
The Global Privacy Office cooperates with the Regional Privacy Officers and the Privacy Officers of each Group company to monitor and quickly escalate any
operational changes that may be necessary.
On a regular basis, the Global Privacy Office shares a privacy dashboard that visualizes the privacy compliance
status of, as well as the risks and challenges faced by each of our businesses. This ensures that potential risks and challenges are communicated to all
business leaders. In this way, we promote an effective, forward-looking approach to privacy that anticipates future trends while also taking into consideration
existing laws.
Employee Training on Privacy
A key aspect to reinforce the adoption of our continuous improvement model is employee training and awareness. To ensure that all employees have a shared understanding about the importance of privacy, we have established a team dedicated to privacy training and awareness. In addition to annual Group-wide training and onboarding of new hires, we organize Rakuten Privacy Awareness Day every year, held in conjunction with the globally recognized Data Privacy Day. Additionally, employees receive a variety of educational messages through different channels - such as posters, infographics and a monthly digest called "The Privacy Times".
Specified User Information Handling Policy
In June 2023, the Japanese Telecommunications Business Act was amended to require businesses utilizing Specified User Information to create and disclose its handling policy. We established this policy with the aim of ensuring customer understanding of the purposes and protection measures related to the Specified User Information handled by Rakuten Group, Inc., in accordance with the requirements of the law.
Please refer to the Specified User Information Handling Policy from here.