Notice regarding Processing of Personal Data in the context of an establishment within the EEA, UK or otherwise within the scope of the GDPR
(“European Privacy Notice”)
Effective from 25 May 2018
This European Privacy Notice applies to the processing of personal data collected within the European Economic Area (“EEA”), the UK or processed in the context of our affiliated companies in the EEA or the UK (“European Personal Data”) or otherwise within the scope of this GDPR or the UK GDPR. It does not apply to personal data collected in other territories.
If you have obtained your JCB card from a third party issuer, then you should also consult their website for their privacy notice which will apply to their processing of your personal data.
The JCB Group (JCB Co., Ltd. and its affiliated companies) acknowledges that the protection of personal data is one of our most significant legal obligations.
As described below, this European Privacy Notice applies to the activities of:
JCB Co. Ltd. (“JCB Co.”) | Aoyama Rise Square 5-1-22 Minami Aoyama, Minato-ku, Tokyo 107-8686, Japan |
JCB International Co., Ltd. (“JCBI”) | Aoyama Rise Square 5-1-22 Minami Aoyama, Minato-ku, Tokyo 107-8686, Japan |
JCB International (France) SAS (“JCBIF”) | 10 Rue De La Paix, Paris 75002, France |
JCB International (Europe) Ltd (“JCBIE”)London Head Office and the following branches: | 30 Eastbourne Terrace, London W2 6LA, the United Kingdom |
JCB International (Europe) Ltd Frankfurt Branch | Kaiserstrasse 9, 60311 Frankfurt, Germany |
JCB International (Europe) Ltd Madrid Branch | c/ Caledula, 93 - Miniparc III - Edif.E, El Soto de la Moraleja, 28109 Alcobendas, Madrid, Spain |
JCB International (Europe) Ltd Vienna Branch | Millennium Tower, 23rd Floor Handelskai 94 - 96 A-1200 Vienna, Austria |
JCB International (Europe) Ltd Rome Branch | Via Sallustiana 26, 00187, Rome, Italy |
Such entities shall be jointly and severally referred to as “we” and “us”.
This European Privacy Notice sets out what European Personal Data we collect, how we collect it, how we use it, and your rights in connection with how we process your European Personal Data. We are committed to protecting your European Personal Data as joint data controllers in accordance with our duties under the General Data Protection Regulation (“GDPR”) and/or the UK version of the GDPR (“UK GDPR”) and Data Protection Act 2018. This Privacy Notice applies to all of us and for your convenience you may exercise any of your rights against any of us, and we will ensure it is routed to the correct department.
In addition, please refer to our “Cookie Policy” for more information regarding the data we collect when you access our website and how it is processed.
1. Collection, Use and Legal Basis of European Personal Data
We have set out below, in a table format, a description of the types of European Personal Data we collect, the sources we collect it from, how we plan to use your European Personal Data, which are the legal basis we rely on to do so.
You can refer to section 11. Glossary for a description of the terms used in the table below.
Categories of European Personal Data | Source of European Personal Data | Use | Legal Basis |
---|---|---|---|
Payment transaction data relating to card payment by cardholders including card data (card number (including the unique token that results from tokenization ), expiry date and security information), transaction information (time, date, currency and amount), and merchant data (name and location). | Use of a JCB proprietary card, franchised issuer card and third party issuer card. Merchants and acquirers. |
Authorise, settle and process transactions for JCB proprietary cards and franchised issuer cards. | Contract for JCB proprietary card and franchised issuer card. Legitimate interests for third party issuer card. |
Support the operations of affinity partners of JCB proprietary cards and franchised issuer cards. | |||
Provide JCBIF’s merchants with merchant acquiring services. | |||
Switch authorisation request / response messages and settlement data between issuers, acquirers and merchants. | |||
Process data related to managing merchants, acquirers, franchised issuers, third party issuers and deal with queries. | |||
Support the issuer, acquirer or merchants’ operations, or provide or promote sales of goods and services for JCB cardholders and merchants. | |||
Develop new products and services for our business. | |||
For marketing purposes. | |||
Measure the effectiveness of advertisement, publicity and marketing. | |||
Investigate and analyse for accounting and audit purposes. | |||
Card data collected from cardholder including card number, cardholder name and related information. | Cardholder | Deal with any enquiries from the cardholder. | Contract for JCB proprietary card and franchised issuer card. Legitimate interest for third party issuer card. |
European Personal Data pertaining to value added services for users of JCB Plaza Lounge and JCB Plaza including card number, name and other relevant information, information typically required for the reservation which may include the traveller's gender, passport number, and details of those accompanying the traveller. | Visit or phone call to a JCB Plaza Lounge or JCB Plaza. | Provide tailored travel and concierge services to JCB cardholders. | Legitimate interest. |
Develop new products and services for our business. | |||
For marketing purposes. | |||
Measure the effectiveness of advertisement, publicity and marketing. | |||
Evaluate our products and services. | |||
Brand-wide promotional and marketing activities data including card number, cardholder data (name, email address, phone number, etc.), transactional data (time, date, and amount), electronic identification data on access to websites (IP address).*1 | Use of a JCB proprietary card, franchised issuer card and third party issuer card. Merchants and acquirers. Interaction with JCB websites and mobile applications. |
Provide promotional and marketing services. | Contract for JCB proprietary card and franchised issuer card. Legitimate interests for third party issuer card. |
For marketing purposes. | |||
Measure the effectiveness of advertisement, publicity, and marketing. | |||
Improve the functions of our websites and mobile applications. | |||
Notify you of changes on our site. | |||
Data on dispute resolution including card number, cardholder data (name, email address, phone number, etc.), transactional data (time, date, and amount), merchant-related data (name and location), and sales slips. | Cardholder Use of a JCB proprietary card, franchised issuer card and third party issuer card. Franchised issuers, third party issuers, acquirers and merchants. |
Mediate or arbitrate disputes among JCB cardholders, issuers, acquirers or merchants for resolution. | Contract for disputes with JCB proprietary card and franchised issuer cardholder. Legitimate interests for disputes with third party issuer cardholder. |
Business contact information encompassing corporate and European Personal Data for issuer, acquirer, merchant, business partner, processor, etc. (name, address, phone number, email address). | Commercial dealings with third party issuers, acquirers, merchants, business partners and processors. | To affect and facilitate the commercial dealings with these third parties. | Legitimate interests. |
Compliance information relating to directors, significant shareholders and other ultimate beneficiaries of merchants (only in relation to direct acquiring) and acquirers. | Merchants (in relation to direct acquiring only), and acquirers. | To ensure JCB's compliance with Customer Know your Customer (KYC), Anti-money Laundering (AML), Countering Financing of Terrorism (CFT) and anti-bribery and corruption (ABC) laws. | Consent, Legitimate Interests or compliance with legal obligations. |
Employment data pertaining to employees such as their name, address, date of birth, phone number, sex, and information on conduct in operations. | Job applications, notification by employee and interviews. | Carry out responsibilities of an employer and transfer data to subcontractor. | Contract or Legitimate interests. |
Monitoring and/or protecting against fraudulent transactions. | Use of a JCB proprietary card, franchised issuer card and third party issuer card. Franchised issuers, third party issuers, acquirers, risk based authentication solution providers and merchants. |
Monitor and/or protect fraudulent transactions. | Legitimate interest of complying with laws and regulations that apply to us or Legal obligations. |
Notify the findings to franchised issuers or third party issuers. | |||
Authentication transaction data relating to identifying cardholders through J/Secure authentication service including purchase information (card number, date, time, currency, amount, cardholder' billing address, shipping address, cardholder's name, cardholder's email address and cardholder's phone number), merchant data (name and location) and cardholder's internet-connected device information (IP address, location data, OS type, OS language, device ID, SIM information, and hardware serial number), (collectively, ‘Attribute Information’)*2 | Use of a JCB proprietary card, franchised issuer card and third party issuer card. Merchants. Cardholder's internet-connected devices. |
Authenticate and process transactions for JCB proprietary cards and franchised issuer cards Monitor and prevent against fraudulent transactions for JCB proprietary cards and franchised issuer cards. | For JCB proprietary cards and franchised issuer cards : contract and legitimate interests of complying with laws and regulations that apply to us., though for example: Detection, investigation, assessment, monitoring and prevention of fraud and other crime; mitigation of financial and business risk; and/or compliance with anti-money laundering (AML), counter-terrorism financing (CTF), anti-bribery and corruption (ABC) and similar laws. |
Allow the risk based authentication solution providers to calculate a risk score which may be used by third parties as part of the risk based authentication solution provider's service but only in pseudonymised form and in a way which the third party can never determine the identity of any data subject from European Personal Data. | For JCB proprietary cards and franchised issuer cards: contract. For the risk based authentication solution provider's use please see their data privacy notice. |
||
Provide JCBIF’s merchants with J/Secure authentication service Switch authentication request / response messages between issuers, acquirers and merchants. |
Legitimate interest. | ||
Location data and IP address relating to providing merchants and ATMs locator services. *2 | Use of JCB websites and mobile applications. | To help users locate merchants and ATMs near them. | Consent and contract for JCB proprietary card and franchised issuer card. Consent for third party issuer card. |
- *1
The processing of certain categories of European Personal Data may not be subject to GDPR or UK GDPR when the cardholder's internet-connected device is physically used in territories other than the EEA or UK. Other European data protection laws such as the e-Privacy Directive (2002/58/EC) or UK equivalent may apply when the cardholder's internet-connected device, the merchant and JCB are all within the EEA or UK.
- *2
The categories of European Personal Data are collected by JCB Co., Ltd. only.
Please note that depending on the purpose for which we use your European Personal Data, we may rely on more than one legal basis for processing. When we rely on legitimate interest, we do so because we have determined that this processing is required to be performed by us or a third party controller to ensure the safe and effective working of your JCB card and the settlement of transactions or it is in our legitimate business interest. In making this determination we have considered your rights under European data protection law and balanced them against our legitimate interests. If you have any queries, you can contact us at the email address listed in section 12. Contact Us of this notice.
Generally we don’t rely on your consent as a legal basis for processing other than in relation to sending direct marketing communications to you or collecting your location data through interaction with JCB websites and mobile applications. You have the right to withdraw your consent at any time (for more information on this see section 6(4) Right to stop your European Personal Data being used for direct marketing purposes below).
We may use your European Personal Data for purposes other than the ones listed above. Should this be the case, we will inform you of the purpose in accordance with applicable laws and regulations.
2. Recipients
In order to achieve our purposes set out in the table above, we may share your European Personal Data with the following categories of recipients:
(1) franchised issuers;
(2) third party issuers;
(3) affinity partners;
(4) merchants;
(5) acquirers;
(6) service providers;
(7) risk based authentication solution providers; and
(8) public bodies.
We require all third parties who process European Personal Data on our behalf to respect the security of your European Personal Data and to treat it in accordance with their contractual or legal obligations.
We may need to share your European Personal Data with more recipients than the ones listed above. Should this be the case, we will inform you of the change in accordance with applicable laws and regulations.
3. Automated decision making
Automated decision making takes place when our electronic systems process European Personal Data to make a decision about you or your business without human intervention. We are allowed to use automated decision making in the following circumstances:
(1) authorising transactions; *3;
(2) authenticating transactions; *3;
(3) detecting suspicious transactions *4; and
(4) preventing and monitoring fraudulent transactions. *4.
- *3
For the JCB proprietary cards and franchised issuer cards only.
- *4
For the JCB proprietary cards, franchised issuer cards and third party issuer cards.
You will not be subject to decisions that will have a legal or significant impact on you based solely on automated processing, unless we have a lawful basis for doing so and we have notified you. For more information on your rights in connection with automated decision making, please see section 6(8) Right not to be subject to decisions based solely on automated processing below.
4. If you fail to provide European Personal Data
Where we need to collect European Personal Data by law, or under the terms of a contract we have with you and you fail to provide the data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with card services). If that is the case, we may have to cancel a product or service you have with us.
5. International Transfer of European Personal Data
JCB Co., Ltd. is a Japanese corporation, and in order to provide you with our services we will process data in Japan. Transferring European Personal Data to Japan is necessary for the purposes of use set out in sections 1 and 2 above. You should be aware that data protection law in Japan may differ from the data protection law applicable to you in the EU or the UK. However, we have adequate safeguards in place based on valid legal grounds, such as the European Commission adequacy decision adopted between the EU and Japan on 23 January 2019 and approved by the UK, for transferring European Personal Data from the EU and the UK to Japan and standard data protection provisions approved by the European Commission and the ICO.
If your JCB Card has been issued by a third party issuer, and you use your JCB card at merchants in the EEA or UK, it is necessary for JCB Co., Ltd. and JCB International Co., Ltd. to transfer your European Personal Data to the relevant third party issuer in order to authenticate, authorise or settle your card transaction. Such third party issuer may be located in a country with different data protection standards.
If your JCB Card has been issued by JCB Co., Ltd. or franchised issuers, and you use your JCB card at merchants in the EEA or UK which use the J/Secure authentication service, it is necessary for JCB Co., Ltd. and franchised issuers to transfer your Attribute Information to risk based authentication solution providers in order to obtain the identity assurance rating which are used to prevent you from fraudulent transactions. Such risk based authentication solution providers may be located in a country with different data protection standards. Please note that you can object to this transfer, at any time, by contacting us at the contact details set out at Section 12 below but this will limit your further use of the JCB Card in certain circumstances.
6. Your rights in relation to European Personal Data
You have the following rights regarding your European Personal Data that we hold:
(1) Right of access
You can request details of your European Personal Data that we hold. We will confirm whether we are processing your European Personal Data and we will disclose supplementary information including the categories of data, the sources from which it originated, the purpose and legal basis for the processing, the expected retention period, and the safeguards regarding data transfers to non-EEA and non-UK countries, subject to the limitations set out in applicable laws and regulations. We will provide you free of charge with a copy of your European Personal Data, but we may charge you a fee to cover our administrative costs if you request further copies of the same information.
(2) Right of correction
We will comply with your request to correct incomplete or inaccurate parts of your European Personal Data, although we may need to verify the accuracy of the new information you provide us.
(3) Right to be forgotten
At your request, we will delete your European Personal Data promptly if:
- ・
it is no longer necessary to retain your European Personal Data;
- ・
you withdraw the consent which formed the basis of your European Personal Data processing;
- ・
you object to the processing of your European Personal Data and there are no overriding legitimate grounds for such processing;
- ・
the European Personal Data was processed illegally; or
- ・
the European Personal Data must be deleted for us to comply with our legal obligations.
We will decline your request for deletion if processing of your European Personal Data is necessary:
- ・
to comply with our legal obligations;
- ・
in pursuit of a legal action;
- ・
to detect, predict and monitor fraud; or
- ・
for the performance of a task in the public interest
(4) Right to stop your European Personal Data being used for direct marketing purposes.
At your request, we will stop using your European Personal Data for the purpose of direct marketing. If you want to stop us from calling, emailing you in connection with marketing communications, please email us at the email address listed in section 12. Contact Us of this notice.
Please note that even if we stop all marketing communications, you may still receive administrative communications from us.
(5) Right to restrict processing of your European Personal Data
At your request, we will limit the processing of your European Personal Data if:
- ・
you dispute the accuracy of your European Personal Data;
- ・
your European Personal Data was processed unlawfully and you request a limitation on processing, rather than the deletion of your European Personal Data;
- ・
we no longer need to process your European Personal Data, but you require your European Personal Data in connection with a legal claim; or
- ・
you object to the processing pending verification as to whether an overriding legitimate ground for such processing exists.
We may continue to store your European Personal Data to the extent required to ensure that your request to limit the processing is respected in the future.
(6) Right to data portability
At your request, we will provide you with your European Personal Data in a structured, commonly used and machine readable format, if:
- ・
you provided us with European Personal Data;
- ・
the processing of your European Personal Data is based on your consent or required for the performance of a contract; or
- ・
the processing is carried out by automated means.
(7) Right to object
Where we process your European Personal Data based upon our legitimate interest (or that of a third party), you have the right to object to this processing on grounds relating to your particular situation if you feel it impacts on your fundamental rights and freedoms. We will comply with your request unless we have compelling legitimate grounds for the processing which override your rights and freedoms, or where the processing is in connection with the establishment, exercise or defense of legal claims.
(8) Right not to be subject to decisions based solely on automated processing
You will not be subject to decisions with a legal or similarly significant effect (including profiling) that are based solely on the automated processing of your European Personal Data, unless you have given us your explicit consent or where they are necessary for a contract with us.
(9) Right to withdraw consent
You have the right to withdraw any consent you may have previously given us at any time.
(10) Right to complain to a supervisory authority
If you are not satisfied with our response, you have the right to complain to or seek advice from a supervisory authority and/or bring a claim against us in any court of competent jurisdiction.
If you wish to contact us in connection with the exercise of your rights listed above, please email us at the email address listed in section 12. Contact Us of this notice. We will respond to your written request as soon as possible and no later than 30 days from receiving it.
Unless stated otherwise, we will not charge you any fee in connection with the exercise of your rights. In so far as it is practicable, we will notify the recipients of your European Personal Data of any correction, deletion, and/or limitation on processing of your European Personal Data.
Please note that if you decide to exercise your rights under sub-sections (3), (4), (5), (7), (8) and (9), depending on our response, you may not be able to take full advantage of all of our benefits and services from that point on.
7. Retention Period
We will keep your European Personal Data on file for as long as is necessary to achieve our purposes listed in the table in section 1 Collection, Use and Legal Basis of European Personal Data above.
We only keep European Personal Data as permitted by law applicable to us, which is typically for a period of 7 years but may be up to 10 years.
Please note, JCB is subject to a number of applicable laws and regulations globally which may require European Personal Data to be kept for longer periods such as in relation to tax filings, government investigations, the investigation of fraud and transaction monitoring and litigation and dispute resolution in accordance with our data retention policy. Your data will be kept securely. If you have any queries about how and for how long your European Personal Data is kept, you may contact us at the email address listed in section 12. Contact Us of this notice.
8. Security
We have a management system to correct and prevent unauthorized access, loss, destruction, falsification, and leakage of European Personal Data, as well as the appropriate technical and organizational measures to address such risks, as further detailed below. The goal of these measures is to maintain our data protection standards and to ensure we have the necessary safeguards for the processing of European Personal Data.
- (1)
We limit access to European Personal Data to authorised executives and employees only.
- (2)
We limit our collection and use of European Personal Data to the extent necessary for providing our services and managing operations.
- (3)
If we outsource the processing of European Personal Data to third parties, we base our selection on said third parties having adequate safeguards in place that meet our European Personal Data protection standards, and we regularly audit their compliance with applicable data protection policies, laws and regulations.
- (4)
We strive to manage European Personal Data accurately and efficiently.
- (5)
We pseudonymise and encrypt European Personal Data where necessary.
- (6)
We strive to ensure our system and service’s confidentiality, integrity, availability, and recoverability.
- (7)
We have systems in place to ensure we can restore the availability and access to European Personal Data in a timely manner in the event of a physical or technical incident.
- (8)
We periodically inspect, assess, and evaluate the effectiveness of our technical and organizational measures to ensure the security of our processing.
9. Accountability
We are responsible for all the safeguards implemented in relation to the processing of European Personal Data, and we maintain an electronic record of all processing activities of our European Personal Data.
10. Updates
This Privacy Notice may be updated to reflect changes to our European Personal Data processing policy. In the event there is material change to this Privacy Notice we will inform you via our website.
11. Glossary
Some of the words in this Privacy Notice have the meanings set out below:
- ・
acquirers: these are financial institutions or other parties that contract with merchants for JCB card transactions;
- ・
affinity partners: third parties that are authorised to offer co-branded JCB Cards;
- ・
consent: when you have explicitly given us your consent for processing of your European Personal Data;
- ・
contract: to allow us to perform our contract with you;
- ・
franchised issuers: these are companies who can issue JCB branded cards jointly with us in Japan;
- ・
J/Secure authentication service: JCB's authentication program to verify the authenticity of a cardholder that enables the secure processing of payment card transactions in the remote environment;
- ・
legitimate interest: where it is necessary for our legitimate interests or those of a third party, and your interests and fundamental rights do not outweigh those interests;
- ・
legal obligation: where we need to comply with a legal obligation (for example compliance with anti-money laundering and fraud laws or compliance with a court order);
- ・
merchants: these are merchants where JCB cards are transacted.
- ・
public bodies: they refer to supervisory authorities, government agencies and public entities that deal with European Personal Data. We may provide your European Personal Data to public bodies to comply with our legal and regulatory duties;
- ・
service providers: we may engage service providers including financial institutions that issue cards, financial institutions that acquire merchants and process card transactions, subcontractors for card transactions and provision of services and service providers that facilitate card transactions and monitor unauthorized card access. These third parties may come to access or otherwise process your personal data in the course of providing these services and may not process your European Personal Data unless there are adequate legal reasons for them to do so. All third party service providers and subcontractors are required by contract to comply with all relevant data protection laws and security requirements in relation to your European Personal Data;
- ・
risk based authentication solution provider: we may engage specialist service providers that assist us in authenticating cardholders and transactions by analyzing transaction data and related information from a wide range of sources; and
- ・
third party issuers: these are companies who can independently issue by license JCB branded cards.
12. Contact Us
If you have any questions or opinions regarding this Privacy Notice, or if you have a request regarding information you provided us, you may either email us or send us a letter to the address below:
JCB Co., Ltd. | Aoyama Rise Square 5-1-22 Minami Aoyama, Minato-ku, Tokyo 107-8686, Japan | Information Governance Team, Compliance Administration Department jcb-eudataprotection@info.jcb.co.jp |
JCB International Co., Ltd. | Aoyama Rise Square 5-1-22 Minami Aoyama, Minato-ku, Tokyo 107-8686, Japan | Information Governance Team, Internal Control Department jcbinter-eudataprotection@info.jcb.co.jp |
JCB International (Europe) Ltd London Head Office | 30 Eastbourne Terrace, London W2 6LA , The United Kingdom | Information Governance Team, Corporate Department jcbeuro-eudataprotection@jcbeurope.eu |
JCB International (France) SAS | 10 Rue De La Paix, Paris 75002, France | Information Governance Team, Administration, Compliance and Internal Control Department jcbif-eudataprotection@jcbeurope.eu |
In addition, our European Data Protection Officer may be contacted at eu-dpo@info.jcb.co.jp.
Last updated: 1 July, 2022