April 2022
HSBC Securities (Japan) Co., Ltd.
Personal Information Protection Policy
HSBC Securities (Japan) Co., Ltd. (hereinafter, the “Company”) has established the following policy with respect to the handling of customer Personal Information, Individual Number and Specific Personal Information (collectively, "Personal Information, etc.").
When handling customer Personal Information, etc., the Company will comply with this policy in addition to relevant laws
and regulations, including the Personal Information Protection Act (hereinafter referred to as "PIPA"), and relevant
guidelines, including the Guidelines for the Protection of Personal Information in the Financial Sector (hereinafter
referred to as the "Guidelines"). The Company will continually review and improve its policy for handling of Personal
Information, etc.
In this policy:
"Connected Person" means a person whose information the customer provides to the Company in connection with transactions
with the Company. Connected Person may include, but is not limited to, any agent, any beneficiary, trustee or settlor,
and any substantial owner, representative, director or officer of the customer.
"Sensitive Information" is defined in the Guidelines. It includes "Special Care-Required Personal Information" and other
information like membership of workers’ unions, family origin, registered domicile, health record and sex life etc.
(excluding the parts under "Special Care-Required Personal Information").
"Personal Related Information" is defined in the PIPA. It refers to information about a living individual, which is not
Personal Information, Kana Processed Information or Anonymously Processed Information, as defined in the PIPA.
"Personal Information" is defined in the PIPA. It refers to information about a living individual that can identify the
specific individual by a name, date of birth or other description contained in such information, or information
containing an individual identification code defined in the PIPA.
"Personal Data" is defined in the PIPA. It refers to Personal Information constituting a personal information database
etc. defined in the PIPA.
"Individual Number" refers to a number obtained by converting a resident record code in order to identify a person (so
called "My Number").
"Specific Personal Information" refers to Personal Information that includes Individual Number information.
"Special Care-Required Personal Information" is defined in the PIPA. It refers to personal information comprising a
principal's race, religious affiliation, social status, medical history, criminal record, fact of having suffered damage
by a crime, or other descriptions etc. of which the handling requires special care so as not to cause unfair
discrimination, prejudice or other disadvantages to the principal.
1. Purposes of Use of Personal Information, etc.
The Company will use Personal Information, etc. of the customer (including Connected Persons) to the extent necessary
for the following Purposes of Use within the following Business Operations, except where the Company obtains such
customer’s consent or where permitted under the relevant laws and regulations. For the avoidance of doubt, the Company
will use Individual Number and Specific Personal Information only to the extent permitted under the relevant laws and
regulations.
(1) Business Operations
1. Financial instruments business (including sales and purchase of securities, derivative transactions, brokerage,
intermediary or agency services for sales and purchase of securities, and underwriting securities, etc.) and any
business incidental thereto;
2. Businesses and any other activities in which financial instruments business operators are permitted to engage in
accordance with relevant laws, including Money Lending Business; and
3. Any other activities and related businesses in which financial instruments business operators may be engaged in
(including activities that may be permitted in the future).
(2) Purposes of Use
The Company and HSBC Group Companies will use the customer's Personal Information, etc. for the following purposes in
relation to the provision of financial products and services. Note, however, that in compliance with Article 123,
Paragraph (1), Item (vii) of the Cabinet Order Concerning Financial Instruments Business, etc., the Company will not
use, nor shall it provide to a third party, any Sensitive Information of the customer unless the Company deems it
necessary to do so for its proper business operations or otherwise.
The Company will endeavor to decide the Purposes of Use as concretely as possible so that they are transparent to
customers, and will endeavor to specify the purpose at the time of acquiring the information. For example, if the
Company intends to propose its products using Personal Information acquired by conducting a questionnaire, the Company
will disclose such intention.
1. To provide information for the solicitation and sale of financial products, introduction, receiving an application,
management, and execution of services in accordance with the Financial Instruments and Exchange Act (hereinafter
referred to as "FIEA").
2. To: (i) ascertain the customer's identity under the Act on the Prevention of the Transfer of Criminal Proceeds, the
Foreign Exchange and Foreign Trade Act and Hong Kong Monetary Authority Guidelines, (ii) avoid financial crime and money
laundering, and comply with sanctions programmes that are administered by Japan, the United States, the United Kingdom,
the European Union, Hong Kong, United Nations, etc., and (iii) ascertain a customer's eligibility for certain financial
products and/or services.
3. Management of ongoing transactions, such as the management of dates in various transactions;
4. To make decisions on offers for various transactions, confirm eligibility for using instruments and services, and ongoing transactions, etc.;
5. To make decisions about the appropriateness of providing financial products and services, such as decisions made in light of the principle of suitability.
6. To appropriately carry out operations when commissioned with all or part of the processing of Personal Information by another business etc.
7. To fulfill obligations and exercise rights based on contracts with the customer or based on laws.
8. For research and development of products and services through market research, data analysis, and questionnaire surveys;
9. For making proposals concerning products and services by means of direct mail, email, etc.
10. To make proposals on the products and services of HSBC Group Companies or associated companies etc.
11. Cancellation of various transactions and post-cancellation management of transactions.
12. To monitor and control the various risks that are necessary to be managed by HSBC Group Companies.
13. Appropriate and smooth performance of transactions with customers.
Notwithstanding the Purposes of Use provided in each item above, the Company will not use the Individual Number and
Specific Personal Information for purposes other than those permitted under the Act on the Use of Numbers to
Identify a Specific Individual in Administrative Procedures. The Company’s Purposes of Use of Individual Number and
Specific Personal Information are as follows:
1. Preparation of legal documents regarding financial instrument transactions.
2. Processing of account opening and reporting regarding financial instrument transactions.
3. Preparation of legal documents regarding payment records.
4. Other purposes in relation to 1 through 3 above.
The Purposes of Use of Personal Information, etc. by the Company, may be found on the Company's website.
(3) Discontinuance of Direct Marketing
In case a customer requests the Company to stop using his/her Personal Information for the purposes of direct marketing
such as sending direct mails or solicitation by phone, the Company will discontinue the usage for such purpose.
2. Proper Acquisition of Personal Information, etc.
To the extent necessary for the achievement of the Purposes of Use specified in item 1 above, the Company will acquire
Personal Information, etc. of the customer orally or in writing by appropriate and lawful means, for example, from the
following information sources.
Examples
- Where the information is provided directly by a document that the customer is required to fill in and submit (e.g.
submission of an application form by the person in question, data entry via the website by the person in question).
- Cases where personal information is provided by third parties, such as a personal credit information organization.
3. Personal Data Provided to Third Parties
The Company will not provide a customer’s Personal Data it retains to third parties without the prior consent of the
individual concerned, except as permitted by relevant laws and regulations. However, in the case where the Company
entrusts the Personal Data to a third party within the necessary scope to achieve its Purposes of Use, or in the
case where the Personal Data is to be jointly utilized by a specified party set forth in item 6 below, the Company
may provide a customer’s Personal Data even without the prior consent of the customer.
Where providing Personal Data to third parties in foreign countries (including the above cases of the entrustment of
the handling of the Personal Data and the joint use of the Personal Data), the Company will not do so without
obtaining prior consent of the customer, except for cases permitted by relevant laws and regulations. If a third
party is located in a foreign country which has established a personal information protection system recognized to
have equivalent standards to that of Japan (as set forth in the rules of the Personal Information Protection
Commission (“PIPC”)) the Company may provide the customers’ Personal Data to the third party without obtaining the
prior consent of the customer.
In addition, the Company may provide a customer’s Personal Information, without obtaining prior consent, to a third
party in a foreign country which has developed a framework that conforms to the standards set forth in the rules of
PIPC and is regarded as equivalent on an ongoing basis to the measures that a business operator handling Personal
Information is required to take pursuant to the provisions of the PIPA (hereinafter referred to as "Equivalent
Measures"). In such event, the Company shall take measures necessary to ensure the continuous implementation of the
Equivalent Measures by such third parties, and a customer may seek information on such measures.
At the time of obtaining consent from the customer, it might be difficult to specify the name of the foreign
country, or obtain and provide information on its regime for protecting personal information, or information on the
measures to be taken by the third party to protect Personal Information in an appropriate and reasonable manner.
Therefore, a customer may request the Company to provide the aforementioned information at a later date.
The Company shall not provide all or part of the information with respect to any requests for information in the
event that there is a risk that the proper performance of its business will be seriously impaired.
In providing customers’ Personal Related Information to a third party and where the third party is expected to
receive the Personal Related Information as Personal Data, except as otherwise provided by relevant laws and
regulations, the Company shall confirm and provide the information in accordance with the provisions of such laws
and regulations.
Further, the Company will not provide Individual Number and Specific Personal Information to third parties beyond
what is allowed under the laws and regulations.
4. Handling of Sensitive Information
The Company will not acquire, utilise, nor provide to third parties, customer’s Sensitive Information, except in
cases as illustrated by the Guidelines including cases based on relevant laws and regulations and the case in which
there is a prior consent of the individual concerned within the scope of business need.
5. Entrustment of Operations Concerning Personal Data
The Company shall entrust its operations concerning Personal Data to a third party to the extent necessary to achieve
the Purposes of Use as exemplified below. Note that the Company, in entrusting its operations to a third party, will
execute an agreement with the third party regarding the stringent handling of the Personal Data within such third
party, and ensure that there are appropriate security control measures in place.
Examples
- Operations regarding printing and dispatch of documents to be sent to customers.
- Operations related to transactions
- Operations to send out direct mails
- Operations and maintenance of computer systems
- Maintenance of books and records relating to business operations
6. Joint Use of Personal Data
The Company may jointly use Personal Data (excluding Individual Number and Specific Personal Information) with
other parties as follows:
(1) Joint Use of Information among HSBC Group Companies
The Company may jointly use Personal Data with HSBC Group Companies in order to provide high value-added
products and services and/or conduct strong risk management and enhancement of HSBC group business controls.
This joint use will be undertaken under necessary control measures, and when there are restrictions set by
applicable laws and regulations other than the PIPA, such as the FIEA, the Company shall comply with such laws
and regulations.
(2) Jointly Used Personal Data
Information (name, address, date of birth, contents and purpose of a transaction, and occupation) of the
customer (including its Connected Persons to the extent necessary for the implementation of the Purposes of Use)
regarding the Company's financial instruments business and other transactions.
(3) Scope of Joint Users
The Company and other HSBC group companies, the ultimate parent company of which is HSBC Holdings plc. (“HSBC
Group Companies”).
http://www.hsbc.com/about-hsbc/structure-and-network
(4) Purposes of Use
1. The information will be used to monitor and manage the various risks that are necessary to be so monitored and
managed for the business operations of the HSBC group.
2. To: (i) ascertain the customer's identity under the Act on Prevention of Transfer of Criminal Proceeds, the
Foreign Exchange and Foreign Trade Act and Hong Kong Monetary Authority Guidelines, (ii) avoid financial crime
and money laundering, and comply with sanctions programmes that are administered by Japan, the United States,
the United Kingdom, the European Union, Hong Kong, United Nations, etc. or (iii) ascertain a customer's
eligibility for certain financial products and/or services.
3. To plan and develop various financial products and services and related proposals.
4. To properly and smoothly implement transactions with customers.
(5) Company Name
Our company name, address, and the name of the Representative Director responsible for management of Personal
Data are shown below:
HSBC Securities (Japan) Co., Ltd.
11-1, Nihonbashi 3-chome Chuo-ku, Tokyo Japan
Chikako Nagahara
Representative Director and Chief Executive Officer
7. Procedures for Disclosure etc. of Retained Personal Data
Upon receipt of a request/demand for disclosure etc. by a customer in relation to the purpose of utilization,
disclosure, correction, addition or deletion, ceasing of provision to a third party, disclosure of a third party
provision record of the customer’s Retained Personal Data, as defined in the PIPA (hereinafter referred to as a
“Disclosure Request, etc.”), the Company shall action the Disclosure Request, etc., without delay, by means of
providing an electronic record, delivering documents or by other means agreed with the customer.
In case the customer inquires about the existence of his/her Individual Number in the Company's records, the
Company shall disclose whether it retains such Individual Number or not.
(1) Cases that cannot be handled
The Company may not respond to the Disclosure Request, etc. in the following cases:
1. if we cannot confirm the identity of the customer or if we cannot confirm the authority of the agent of the
customer;
2. if the application form is inadequately completed or if the fee is not paid within the prescribed period;
3. if we are not required to respond under relevant laws and regulations, for example, because the item requested
does not fall within the definition of Retained Personal Data; or
4. if there is a threat of serious interference with our business.
If the Company decides not to accept the customer's Demand for Disclosure etc., in whole or in part, the Company
shall notify the customer thereof without delay.
(2) Documentation and Procedures for Handling a Disclosure Request, etc.
In order to make a Disclosure Request, etc., the customer shall submit a form prescribed by the Company. The
Company, in handling the Disclosure Request, etc. shall confirm the identity of the customer or his/her agent in
a manner comparable to the procedures required by the Act on the Prevention of the Transfer of Criminal Proceeds
etc., by requesting the customer or his/her agent to submit necessary documents etc.
(3) Disclosure Request, etc. by an Agent
An agent who makes a Disclosure Request, etc. on behalf of a customer shall be one of the following:
1. A legal guardian of a customer who is a minor or a ward that is of age.
2. An agent authorized by the customer to make the Disclosure Request, etc.
The Company will request a public certificate or power of attorney to confirm the authority of the agent, in
addition to the above mentioned identity checking process.
(4) Handling Fee
The Company will charge a fee of JPY 1,100 per case for the handling of a Disclosure Request, etc. The fee is
payable at the time of such request and shall be paid in cash.
8. Security Control Measures
The Company takes necessary and appropriate action in relation to security controls to avoid data leakage, loss
or damage of customers’ Personal Information, etc. The Company shall exercise necessary and appropriate
supervision over staff and outsourced vendors (including subcontractors) who are handling customers’ Personal
Information, etc.
(Development of Rules on the Handling of Customers' Personal Data)
The Company shall establish rules for the handling of customer Personal Data detailing how to handle the data,
clarifying those in charge and defining the roles at each stage of data processing (acquisition, use,
storage, provision, deletion, disposal, etc).
(Organizational Security Control Measures)
The Company shall:
- Assign a person to be responsible for the management of Personal Data.
- Maintain Security Control Measures under its Rules of Employment etc.
- Process Personal Data by applying the above mentioned rules.
- Maintain methods by which the handling status of Personal Data can be checked.
- Maintain and conduct a regime for monitoring and auditing the handling status of Personal Data.
- Maintain a regime to deal with incidents such as leakage etc.
(Measures for Human Security Management)
The Company shall:
- Enter into a non-disclosure agreement etc. with employees covering Personal Data.
- Clarify employees’ roles and responsibilities.
- Inform, educate, and train employees regarding these Security Control Measures.
- Check employees’ compliance with processes to manage Personal Data.
(Physical Security Control Measures)
The Company shall:
- Establish measures to prevent theft of equipment, etc.
- Manage recording media, etc. appropriately.
- Prohibit Personal Data from being taken outside the designated managed area in principle.
- Prohibit usage of floppy disks, USB ports, personal laptops, etc., in principle.
- Strictly manage a log of entrance and exit of employees and visitors based on its rules for access management.
- Prevent mis-sending of Personal Data by fax, telex, and email, and check recipients and
receipts to prevent Personal Data loss, etc.
- When disposing of or returning equipment, appropriately delete Personal Data from the recordable media in the
equipment.
- Dispose of paper-based Personal Data in the box dedicated to the collection and disposal of sensitive documents.
(Technical Security Control Measures)
The Company shall:
- Identify and verify users of Personal Data.
- Set up area controls and limit access to Personal Data.
- Manage access entitlements to Personal Data.
- Establish measures to prevent leakage and destruction of Personal Data.
- Record and analyze access to Personal Data.
- Record and analyze the ongoing status of information systems that process Personal Data.
- Monitor and audit information systems that process Personal Data.
(Understanding of External Environments)
When handling Personal Information of customers in foreign countries, the Company shall implement appropriate
Security Control Measures, after understanding the regime, etc. related to the protection of Personal
Information in the foreign countries concerned.
9. Contacts
The Company shall deal with complaints regarding the handling of Personal Information etc. properly and in a
timely manner. Please use the following phone number for any inquiries, comments, complaints, and Disclosure
Request, etc. concerning the Company’s handling of Personal Information etc. and Security Control Measures.
Compliance Department
HSBC Securities (Japan) Co., Ltd.
Tel: 03-5203-3111 (Weekdays 9 a.m. - 5 p.m.)
10. Authorized Personal Information Protection Organization
The Company is a member of the Japan Securities Dealers Association and Financial Futures Association of Japan,
which are authorized Personal Information Protection Organizations. If you have any complaints or inquiries
regarding the handling of Personal Information, you may contact these organizations as below:
Personal Information Consulting Centre
Japan Securities Dealers Association
Tel: 03-6665-6784 (http://www.jsda.or.jp)
Personal Information Complaints/Consultations Centre
Financial Futures Association of Japan
Tel: 03-5280-0881 (http://www.ffaj.or.jp/)
11. Changes to this Policy
The contents of this policy may be changed without notice and without informing customers individually in
accordance with relevant laws and regulations due to legislative amendments and other reasons. In such case,
the changes shall be published on the Company’s website.
End
HSBC Securities (Japan) Co., Ltd.
11-1, Nihonbashi 3-chome Chuo-ku, Tokyo Japan
Chikako Nagahara
Representative Director and Chief Executive Officer