Notice re Processing of Personal Data collected within the EEA
(“EU Privacy Notice”)

Effective from 25 May 2018

This EU Privacy Notice applies to the processing of personal data collected within the European Economic Area (“EEA”) or processed in the context of our affiliated companies in the EEA (“EU Personal Data”); it does not apply to personal data collected in other territories.

If you have obtained your JCB card from a third party issuer, then you should also consult their website for their privacy notice which will apply to their processing of your EU Personal Data.

The JCB Group (JCB Co., Ltd. and its affiliated companies) acknowledges that the protection of personal data is one of our most significant legal obligations.

As described below, this Privacy Notice applies to the activities of:

JCB Co. Ltd. Aoyama Rise Square 5-1-22 Minami Aoyama, Minato-ku, Tokyo 107-8686
JCB International Co., Ltd. Aoyama Rise Square 5-1-22 Minami Aoyama, Minato-ku, Tokyo 107-8686
JCB International (Europe) Ltd London Head Office and the following branches: 30 Eastbourne Terrace, London W2 6LA
JCB International (Europe) Ltd Paris Branch 10 Rue De La Paix, Paris 75002
JCB International (Europe) Ltd Frankfurt Branch Kaiserstrasse 9, 60311 Frankfurt
JCB International (Europe) Ltd Madrid Branch c/ Caledula, 93 - Miniparc III - Edif.E, El Soto de la Moraleja, 28109 Alcobendas, Madrid
JCB International (Europe) Ltd Vienna Branch Millennium Tower, 23rd Floor Handelskai 94 – 96 A-1200 Vienna
JCB International (Italy) S.p.A. Via Barberini, 47, 00187, Rome

Such entities shall be jointly and severally referred to as “we” and “us”.

This EU Privacy Notice sets out what EU Personal Data we collect, how we collect it, how we use it, and your rights in connection with how we process your EU Personal Data. We are committed to protecting your EU Personal Data as joint data controllers in accordance with our duties under the General Data Protection Regulation (“GDPR”). This Privacy Notice applies to all of us and for your convenience you may exercise any of your rights against any of us, and we will ensure it is routed to the correct department.

In addition, please refer to our “Cookie Policy” for more information regarding the data we collect when you access our website and how it is processed.

1. Collection, use and transfer of EU Personal Data

We have set out below, in a table format, a description of the types of EU Personal Data we collect, the sources we collect it from, how we plan to use your EU Personal Data, which are the legal basis we rely on to do so.

You can refer to section 11. Glossary for a description of the terms used in the table below.

Categories of EU Personal Data Source of EU Personal Data Use Legal Basis
Transactional data relating to card transactions by cardholders including card data, transaction information (time, date, and amount), and merchant data (name and location). * Use of a JCB proprietary card, franchised issuer card and third party issuer card.
Merchants and acquirers.
Authorise, settle and process transactions. Contract for JCB proprietary card and franchised issuer card.
Legitimate interests for third party issuer card.
Process data related to managing merchants, acquirers, franchised issuers, third party issuers and deal with queries.
Support the issuer, acquirer or merchants’ operations, or provide or promote sales of goods and services for JCB cardholders and merchants.
Support the operations of affinity partners.
Develop new products and services for our business.
For marketing purposes.
Measure the effectiveness of advertisement, publicity and marketing.
Investigate and analyse for accounting and audit purposes.
Card data collected from cardholder including card number, cardholder name and related information. Cardholder Deal with any enquiries from the cardholder. Contract for JCB proprietary card and franchised issuer card.
Legitimate interest for third party issuer card.
EU Personal Data pertaining to value added services for users of JCB Plaza Lounge and JCB Plaza including card number, name and other relevant information, information typically required for the reservation which may include the traveller's gender, passport number, and details of those accompanying the traveller.* Visit or phone call to a JCB Plaza Lounge or JCB Plaza. Provide tailored travel and concierge services to JCB Cardholders. Legitimate interest.
Develop new products and services for our business.
For marketing purposes.
Measure the effectiveness of advertisement, publicity and marketing.
Evaluate our products and services.
Brand-wide promotional and marketing activities data including card number, cardholder data (name, email address, phone number, etc.), transactional data (time, date, and amount), electronic identification data on access to websites (IP address). Use of a JCB proprietary card, franchised issuer card and third party issuer card.
Merchants and acquirers.
Interaction with JCB websites and mobile applications.
Provide promotional and marketing services. Contract for JCB proprietary card and franchised issuer card.
Legitimate interests for third party issuer card.
For marketing purposes.
Measure the effectiveness of advertisement, publicity, and marketing.
Improve the functions of our websites and mobile applications.
Notify you of changes on our site.
Data on dispute resolution including card number, cardholder data (name, email address, phone number, etc.), transactional data (time, date, and amount), merchant-related data (name and location), and sales slips. Cardholder
Use of a JCB proprietary card, franchised issuer card and third party issuer card.
Franchised issuers, third party issuers, acquirers and merchants.
Mediate or arbitrate disputes among JCB cardholders, issuers, acquirers or merchants for resolution. Contract for disputes with JCB proprietary card and franchised issuer cardholder.
Legitimate interests for disputes with third party issuer cardholder.
Business contact information encompassing corporate and EU Personal Data for issuer, acquirer, merchant, business partner, processor, etc. (name, address, phone number, email address). Commercial dealings with third party issuers, acquirers, merchants, business partners and processors. To affect and facilitate the commercial dealings with these third parties. Legitimate interests.
Employment data pertaining to employees such as their name, address, date of birth, phone number, sex, and information on conduct in operations. Job applications, notification by employee and interviews. Carry out responsibilities of an employer and transfer data to subcontractor. Contract or Legitimate interests.
Monitoring fraudulent transactions.* Use of a JCB proprietary card, franchised issuer card and third party issuer card.
Franchised issuers, third party issuers, acquirers and merchants.
Monitor fraudulent transactions. Legitimate interest of complying with laws and regulations that apply to us. or Legal obligations.
Notify the findings to franchised issuers or third party issuers.
Location data and IP address by JCB Co. Ltd. only. Use of JCB websites and mobile applications. To help users locate merchants and ATMs near them. Consent and contract for JCB proprietary card and franchised issuer card.
Consent for third party issuer card.
  • *

    Where noted the categories of Personal Data are not processed by JCB International (Italy) S.p.A.

Please note that depending on the purpose for which we use your EU Personal Data, we may rely on more than one legal basis for processing. When we rely on legitimate interest, we do so because we have determined that this processing is required to be performed by us or a third party controller to ensure the safe and effective working of your JCB card and the settlement of transactions or it is in our legitimate business interest. In making this determination we have considered your rights under European data protection law and balanced them against our legitimate interests. If you have any queries, you can contact us at the email address listed in section 12. Contact Us of this notice.

Generally we don’t rely on your consent as a legal basis for processing other than in relation to sending direct marketing communications to you or collecting your location data through interaction with JCB websites and mobile applications. You have the right to withdraw your consent at any time (for more information on this see section 6(4) Right to stop your EU Personal Data being used for direct marketing purposes below).

We may use your EU Personal Data for purposes other than the ones listed above. Should this be the case, we will inform you of the purpose in accordance with applicable laws and regulations.

2. Recipients

In order to achieve our purposes set out in the table above, we may share your EU Personal Data with the following categories of recipients:

(1) franchised issuers;

(2) third party issuers;

(3) Affinity partners;

(4) merchants;

(5) acquirers;

(6) service providers; and

(7) public bodies.

We require all third parties who process EU Personal Data on our behalf to respect the security of your EU Personal Data and to treat it in accordance with their contractual or legal obligations.

We may need to share your EU Personal Data with more recipients than the ones listed above. Should this be the case, we will inform you of the change in accordance with applicable laws and regulations.

3. Automated decision making

Automated decision making takes place when our electronic systems process EU Personal Data to make a decision about you or your business without human intervention. We are allowed to use automated decision making in the following circumstances:

(1) authorising transactions;

(2) authenticating transactions; and

(3) detecting suspicious transactions including monitoring fraudulent transactions.

You will not be subject to decisions that will have a legal or significant impact on you based solely on automated processing, unless we have a lawful basis for doing so and we have notified you. For more information on your rights in connection with automated decision making, please see section 6(8) Right not to be subject to decisions based solely on automated processing below.

4. If you fail to provide EU Personal Data

Where we need to collect EU Personal Data by law, or under the terms of a contract we have with you and you fail to provide the data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with card services). If that is the case, we may have to cancel a product or service you have with us.

5. International Transfer of EU Personal Data

JCB Co., Ltd. is a Japanese corporation, and in order to provide you with our services we will process data in Japan. Transferring EU Personal Data to Japan is necessary for the purposes of use set out in sections 1 and 2 above. You should be aware that data protection law in Japan may differ from the data protection law applicable to you in the EU. However, we have adequate safeguards in place based on valid legal grounds, such as standard data protection provisions approved by the European Commission, for transferring EU Personal Data to Japan.

6. Your rights in relation to EU Personal Data

You have the following rights regarding your EU Personal Data that we hold:

(1) Right of access

You can request details of your EU Personal Data that we hold. We will confirm whether we are processing your EU Personal Data and we will disclose supplementary information including the categories of data, the sources from which it originated, the purpose and legal basis for the processing, the expected retention period, and the safeguards regarding data transfers to non-EEA countries, subject to the limitations set out in applicable laws and regulations. We will provide you free of charge with a copy of your EU Personal Data, but we may charge you a fee to cover our administrative costs if you request further copies of the same information.

(2) Right of correction

We will comply with your request to correct incomplete or inaccurate parts of your EU Personal Data, although we may need to verify the accuracy of the new information you provide us.

(3) Right to be forgotten

At your request, we will delete your EU Personal Data promptly if:

  • it is no longer necessary to retain your EU Personal Data;

  • you withdraw the consent which formed the basis of your EU Personal Data processing;

  • you object to the processing of your EU Personal Data and there are no overriding legitimate grounds for such processing;

  • the EU Personal Data was processed illegally; or

  • the EU Personal Data must be deleted for us to comply with our legal obligations.

We will decline your request for deletion if processing of your EU Personal Data is necessary:

  • to comply with our legal obligations;

  • in pursuit of a legal action;

  • to detect and monitor fraud; or

  • for the performance of a task in the public interest.

(4) Right to stop your EU Personal Data being used for direct marketing purposes.

At your request, we will stop using your EU Personal Data for the purpose of direct marketing. If you want to stop us from calling, emailing you in connection with marketing communications, please email us at the email address listed in section 12. Contact Us of this notice.

Please note that even if we stop all marketing communications, you may still receive administrative communications from us.

(5) Right to restrict processing of your EU Personal Data

At your request, we will limit the processing of your EU Personal Data if:

  • you dispute the accuracy of your EU Personal Data;

  • your EU Personal Data was processed unlawfully and you request a limitation on processing, rather than the deletion of your EU Personal Data;

  • we no longer need to process your EU Personal Data, but you require your EU Personal Data in connection with a legal claim; or

  • you object to the processing pending verification as to whether an overriding legitimate ground for such processing exists.

We may continue to store your EU Personal Data to the extent required to ensure that your request to limit the processing is respected in the future.

(6) Right to data portability

At your request, we will provide you free of charge with your EU Personal Data in a structured, commonly used and machine readable format, if:

  • you provided us with EU Personal Data;

  • the processing of your EU Personal Data is based on your consent or required for the performance of a contract; or

  • the processing is carried out by automated means.

(7) Right to object

Where we process your EU Personal Data based upon our legitimate interest (or that of a third party), you have the right to object to this processing on grounds relating to your particular situation if you feel it impacts on your fundamental rights and freedoms. We will comply with your request unless we have compelling legitimate grounds for the processing which override your rights and freedoms, or where the processing is in connection with the establishment, exercise or defense of legal claims.

(8) Right not to be subject to decisions based solely on automated processing

You will not be subject to decisions with a legal or similarly significant effect (including profiling) that are based solely on the automated processing of your EU Personal Data, unless you have given us your explicit consent or where they are necessary for a contract with us.

(9) Right to withdraw consent

You have the right to withdraw any consent you may have previously given us at any time.

(10) Right to complain to a supervisory authority

If you are not satisfied with our response, you have the right to complain to or seek advice from a supervisory authority and/or bring a claim against us in any court of competent jurisdiction.

If you wish to contact us in connection with the exercise of your rights listed above, please email us at the email address listed in section 12. Contact Us of this notice. We will respond to your written request as soon as possible and no later than 30 days from receiving it.

Unless stated otherwise, we will not charge you any fee in connection with the exercise of your rights. In so far as it is practicable, we will notify the recipients of your EU Personal Data of any correction, deletion, and/or limitation on processing of your EU Personal Data.

Please note that if you decide to exercise your rights under sub-sections (3), (4), (5), (7), (8) and (9), depending on our response, you may not be able to take full advantage of all of our benefits and services from that point on.

7. Retention Period

We will keep your EU Personal Data on file for as long as is necessary to achieve our purposes listed in the table in section 1 Collection, use and transfer of EU Personal Data above.

We only keep EU Personal Data as permitted by law applicable to us, which is typically for a period of 7 years but may be up to 10 years.

Please note, JCB is subject to a number of applicable laws and regulations globally which may require EU Personal Data to be kept for longer periods such as in relation to tax filings, government investigations, the investigation of fraud and transaction monitoring and litigation and dispute resolution in accordance with our data retention policy. Your data will be kept securely. If you have any queries about how and for how long your EU Personal Data is kept, you may contact us at the email address listed in section 12. Contact Us of this notice.

8. Security

We have a management system to correct and prevent unauthorized access, loss, destruction, falsification, and leakage of EU Personal Data, as well as the appropriate technical and organizational measures to address such risks, as further detailed below. The goal of these measures is to maintain our data protection standards and to ensure we have the necessary safeguards for the processing of EU Personal Data.

  • (1)

    We limit access to EU Personal Data to authorised executives and employees only.

  • (2)

    We limit our collection and use of EU Personal Data to the extent necessary for providing our services and managing operations.

  • (3)

    If we outsource the processing of EU Personal Data to third parties, we base our selection on said third parties having adequate safeguards in place that meet our EU Personal Data protection standards, and we regularly audit their compliance with applicable data protection policies, laws and regulations.

  • (4)

    We strive to manage EU Personal Data accurately and efficiently.

  • (5)

    We pseudonymise and encrypt EU Personal Data where necessary.

  • (6)

    We strive to ensure our system and service’s confidentiality, integrity, availability, and recoverability.

  • (7)

    We have systems in place to ensure we can restore the availability and access to EU Personal Data in a timely manner in the event of a physical or technical incident.

  • (8)

    We periodically inspect, assess, and evaluate the effectiveness of our technical and organizational measures to ensure the security of our processing.

9. Accountability

We are responsible for all the safeguards implemented in relation to the processing of EU Personal Data, and we maintain an electronic record of all processing activities of our EU Personal Data.

10. Updates

This Privacy Notice may be updated to reflect changes to our EU Personal Data processing policy. In the event there is material change to this Privacy Notice we will inform you via our website.

11. Glossary

Some of the words in this Privacy Notice have the meanings set out below:

  • acquirers: these are financial institutions or other parties that contract with merchants for JCB card transactions;

  • affinity partners: third parties that are authorised to offer co-branded JCB Cards; consent: when you have explicitly given us your consent for processing of your EU Personal Data;

  • contract: to allow us to perform our contract with you;

  • franchised issuers: these are companies who can issue JCB branded cards jointly with us in Japan;

  • legitimate interest: where it is necessary for our legitimate interests or those of a third party, and your interests and fundamental rights do not outweigh those interests;

  • legal obligation: where we need to comply with a legal obligation (for example compliance with anti-money laundering and fraud laws or compliance with a court order);

  • merchants: these are merchants where JCB cards are transacted.

  • public bodies: they refer to supervisory authorities, government agencies and public entities that deal with EU Personal Data. We may provide your EU Personal Data to public bodies to comply with our legal and regulatory duties;

  • service providers: we may engage service providers including financial institutions that issue cards, financial institutions that acquire merchants and process card transactions, subcontractors for card transactions and provision of services and service providers that facilitate card transactions and monitor unauthorized card access. These third parties may come to access or otherwise process your personal data in the course of providing these services and may not process your EU Personal Data unless there are adequate legal reasons for them to do so. All third party service providers and subcontractors are required by contract to comply with all relevant data protection laws and security requirements in relation to your EU Personal Data; and

  • third party issuers: these are companies who can independently issue by license JCB branded cards.

12. Contact Us

If you have any questions or opinions regarding this Privacy Notice, or if you have a request regarding information you provided us, you may either email us or send us a letter to the address below:

JCB Co., Ltd. Aoyama Rise Square 5-1-22 Minami Aoyama, Minato-ku, Tokyo 107-8686, Japan Information Governance Team, Compliance Administration Department
jcb-eudataprotection@info.jcb.co.jp
JCB International Co., Ltd. Aoyama Rise Square 5-1-22 Minami Aoyama, Minato-ku, Tokyo 107-8686, Japan Information Governance Team, Internal Control Department
jcbinter-eudataprotection@info.jcb.co.jp
JCB International (Europe) Ltd London Head Office 30 Eastbourne Terrace, London W2 6LA , The United Kingdom Information Governance Team, Corporate Department
jcbeuro-eudataprotection@info.jcb.co.jp

In addition, our EU Data Protection Officer may be contacted at eu-dpo@info.jcb.co.jp.

Last updated: 5,25 ,2018