Rakuten's Approach

Rakuten Group recognizes that privacy is not merely a compliance matter but is a key enabling factor for building the Rakuten Ecosystem sustainably through innovation, technologies and stakeholders' trust. Rakuten Group strives to implement, enhance and enforce privacy requirements to enable its users to fully enjoy the Rakuten ecosystem.

Management System

Rakuten Group has appointed a Global Privacy Manager who leads Rakuten Group's privacy strategy in accordance with the requirements of the General Data Protection Regulation ("GDPR"), an EU privacy regulation, and Rakuten Group's Binding Corporate Rules ("BCRs"), our set of internal privacy regulations. The Global Privacy Manager works together with the Regional Privacy Officers and the Local Privacy Officers to monitor privacy compliance and risks within the Group and ensure accountability under the applicable privacy laws. They report, in a timely manner, to the Group Information Security & Privacy Protection Committee as well as at Corporate Management Meetings.
In addition, we have implemented internal processes to oversee personal data use to assure governed, compliant and safe data handling across the Group. A review process for new data collection, sharing and use by privacy specialists and other relevant internal stakeholders has been established to confirm that our data use follows our privacy policy, internal rules and applicable laws.

Efforts to Ensure Privacy

Rakuten Group provides services that are safe for our customers and in compliance with the applicable privacy laws in the areas where we operate. However, some countries have only limited or fragmented privacy rules or may lack a general privacy framework.
Therefore, Rakuten Group relies on its own privacy framework as the fundamental guarantee and operational baseline in terms of privacy and data protection worldwide. Rakuten Group is very serious about maintaining global compliance at a high standard.

Introduction of Rakuten Group Binding Corporate Rules

Rakuten Group has globally adopted a set of privacy and data protection rules referred to as Binding Corporate Rules ("BCR"). The BCR is an internal regulation that all Rakuten Group companies must follow, and it establishes the privacy and data protection standard within Rakuten Group. Rakuten Group's BCR comprises two sets of Binding Corporate Rules: one under the General Data Protection Regulation ("GDPR"), approved by the National Data Protection Commission in Luxembourg, and the other under the United Kingdom General Data Protection Regulation ("UK GDPR"), approved by the Information Commissioner of the United Kingdom (hereinafter, both sets of rules should be understood and referred to as the "BCRs").

Rakuten Group was the first Japanese company to obtain approval from the authority in Luxembourg and, recently, the first Japanese company to obtain approval under the UK GDPR from the responsible authority in the United Kingdom. The BCRs establish Rakuten Group's global privacy framework and ensure the protection of individuals' privacy and personal data throughout the Rakuten Group.
These rules comprise the main privacy principles, such as lawful processing, purpose limitation and data quality, and recognize the rights to information, rectification, objection, and others as granted under the applicable privacy laws. Depending on the region where Rakuten users are based and the applicable privacy regulation, they may enjoy additional rights.
Please see here for details.

Aligning with Domestic Standards

As part of our business activities in Japan, we regularly check and monitor compliance with the Personal Information Protection Law and other laws and guidelines established by relevant authorities. Moreover, three companies in the Rakuten Group have received Privacy Mark Certification (see below), given to accredited businesses that have established systems for appropriately protecting personal information in accordance with the Japanese Industrial Standard, "Personal information protection management systems - requirements (JIS Q 15001)."

Privacy Mark Certified Company

  • Rakuten Securities, Inc.
  • Rakuten Insight, Inc.
  • Rakuten Communications Corp.

Ensuring Transparent Data Handling

Rakuten Group collects, uses and stores customer information to constantly improve the services we provide. Not only do we comply with relevant laws and regulations, we strive to ensure transparency in each of our services by disclosing the usage of personal data and, when necessary, by giving clear explanations to users with easy-to-understand language and visuals.
With the launch of our renewed Privacy Center, we aim to ensure our users are even more informed, by explaining how we handle personal data and introducing other privacy topics relevant to society, so that they can use Rakuten Group services with greater peace of mind. In the future, we will expand the content related to personal information and privacy, which are essential to our customers' daily lives as well as our services.

Monitoring Privacy Regulation

Since Rakuten Group operates globally, it is essential for us to monitor trends such as the enactment, revision and repeal of privacy laws in various countries. The Global Privacy Office cooperates with the Regional Privacy Officers and the Privacy Officers of each Group company to monitor and quickly escalate any operational changes that may be necessary.
On a regular basis, the Global Privacy Office shares a privacy dashboard that visualizes the privacy compliance status of each of our businesses, as well as the risks and challenges they face. This ensures that potential risks and challenges are communicated to all business leaders. In this way, we promote an effective, forward-looking approach to privacy that anticipates future trends while also taking into consideration existing laws.

Employee Training on Privacy

A key aspect of reinforcing the adoption of our continuous improvement model is employee training and awareness. To ensure that all employees have a shared understanding of the importance of privacy, we have established a team dedicated to privacy training and awareness. In addition to annual Group-wide training and onboarding of new hires, we organize Rakuten Privacy Awareness Day every year, held in conjunction with the globally recognized Data Privacy Day. Additionally, employees receive a variety of educational messages through different channels, such as posters, infographics and a monthly digest called "The Privacy Times".

Specified User Information Handling Policy

In June 2023, the Japanese Telecommunications Business Act was amended to require businesses utilizing Specified User Information to create and disclose a policy for handling it. We established this policy with the aim of ensuring customer understanding of the purposes and protection measures related to the Specified User Information handled by Rakuten Group, Inc., in accordance with the requirements of the law.
Please refer to the Specified User Information Handling Policy here.