JAL Group's Basic Policies on Information Security and the Protection of Personal Information

In light of the importance of information security and the protection of personal information in an advanced information society, the JAL Group manages and protects information that the company possesses under the following Group policies.

1. Compliance with Regulations

JAL complies with laws, regulations and guidelines stipulated by administrative bodies.

2. Establishment of management system

JAL has established an internal management system and clearly specifies division of responsibilities.

3. Compliance with internal policies, regulations and guidelines

JAL has established and complies with internal policies, regulations and guidelines.

4. Implementation of safety measures

JAL carries out safety measures and takes steps to prevent inappropriate access to information or the loss, destruction, falsification and leak of information.

5. Implementation of education and awareness programs

JAL promotes education and awareness programs for employees and ensures that information is appropriately managed, while striving to improve knowledge and awareness of information management.

6. Affiliation with external vendors

When entrusting operations related to information management to other companies, JAL selects companies with strong experience and abilities. The contract mandates confidentiality and guarantees that the information will be properly managed.

7. Efforts to improve operations

JAL regularly checks to ensure that information is managed appropriately and works to improve operations on a continual basis.

8. Response in event of accident

In the unlikely event of an accident, JAL endeavors to minimize the damage, quickly releases necessary information and takes all necessary steps to prevent a reoccurrence.

9. Designation of contact

JAL will set up a contact point to which customers may direct their inquiries, complaints, and requests. JAL will respond quickly and with integrity.

10. Release of policies

JAL will disclose its policies on information security and the protection of personal information, including this policy, by posting them on its website.

Handling of Personal Information

ZIPAIR Tokyo, Inc. (Hereinafter referred to as "ZIPAIR") shall handle and protect the customers' personal information in accordance with the "Act on the Protection of Personal Information" of Japan and "JAL Group's Basic Policies on Information Security and the Protection of Personal Information."

1. Obtaining Personal Information and Purpose of Use

ZIPAIR shall acquire the customers' personal information through appropriate and fair means and use it for the purposes below.

  1. To provide air transportation services (reservations, sales, check-in, airport handling, cabin services, etc. Including cases of interline transportations, joint operations, code-sharing, contract operations, etc. in addition to normal transportation services)
  2. To provide services relating to point program
  3. To provide other products and services
  4. To provide information and communications; to conduct questionnaires relating to products, services, various events, campaigns, and such
  5. To conduct sales analysis, investigations and research; to develop new services and products
  6. To conduct operations relating to 1-5 above; to respond to inquiries, etc.
  7. Provision of General Insurance and services handled by our company are incidental and related to the below :

*The purpose of outsourcing insurance operations provided by insurance companies is stated on the insurance company's homepage below. Insurance companies will use the information that was provided during the booking to guide customers on insurance products that are suitable for them.

■Chubb General Insurance Co., Ltd.

https://www.chubb.com/jp-jp/footer/privacy-policy.html

2. Management and Protection of Personal Information

ZIPAIR shall appropriately manage and protect the customers' personal information, in accordance with "JAL Group's Basic Policies on Information Security and the Protection of Personal Information."

3. Provision of Personal Data to a Third Party

ZIPAIR shall not disclose or provide the customers' personal data to a third party, except in cases described below. The provision of personal information to service providers and the joint use of personal information shall be implemented in accordance with Articles 4 and 5 below.

  1. Cases in which the customer personally gives his/her consent
  2. Cases in which the provision of personal data is based on laws
  3. Cases in which the provision of personal data is necessary for the protection of the life, body, or property of an individual and in which it is difficult to obtain the consent of the person
  4. Cases in which the provision of personal data is specially necessary for improving public hygiene or promoting the sound growth of children and in which it is difficult to obtain the consent of the person
  5. Cases in which the provision of personal data is necessary for cooperating with a state institution, a local public body, or an individual or entity entrusted by one in executing the operations prescribed by laws and in which obtaining the consent of the person might impede the execution of the operations concerned

4. Provision of Personal Information to Service Providers and Relevant Management

ZIPAIR may entrust the handling of personal information, within the scope required to achieve the purpose of use, to a third party other than the company itself. In this case, the ZIPAIR shall conduct appropriate management and supervision in accordance with item 6 of "JAL Group's Basic Policies on Information Security and the Protection of Personal Information."

5. Joint Use of Personal Information

ZIPAIR shall jointly use the customers' personal information as follows.

Purpose of joint use

To provide air transportation services; to provide services closely related to air travel such as tours, hotels and baggage home delivery; to accumulate and manage points; to provide information, e.g. sales promotion materials including those of partner companies, questionnaires, product development, ; and to conduct other operations relating to those

Data to be used jointly

Membership number, customer's name, birthday, gender, address, TEL/FAX numbers, e-mail address, information on employment (company name, department, job title, address, TEL/FAX numbers), mailing address of items sent to customers, e.g. ticket, itinerary, type of member's card, membership region, accumulated points, reservations/boarding information, need for arrangement of wheelchair, etc.

Range of users

JAL Group Airlines (*1) , JALCard, Jalpak, JAL Hotels, JAL ABC, and JAL Sales companies

*1 JAL Group Airlines are Japan Airlines Co., Ltd. , Japan Transocean Air Co., Ltd., J-AIR Co., Ltd., Japan Air Commuter Co., Ltd., Ryukyu Air Commuter Co., Ltd., and Hokkaido Air System Co., Ltd.

privacy-policy.company_policy.section_5.users_range.company_list

Administrator of personal information

ZIPAIR Tokyo, Inc.

6. Provision of Personal Data to Foreign Business Operators

When providing customers' personal data to foreign business operators such as service providers and partner airlines, ZIPAIR will take necessary and appropriate measures in accordance with the provisions of the law. In addition, when legally required, we may submit information about your reservations and itinerary (including passport, visa information and API) to customs authorities and immigration bureaus in your country of departure, arrival, transit or stopover.

7. Request for Disclosure, etc. and Inquiries

(1) "Notification of purpose of use," "Disclosure," "Correction, etc." "Stopping the use, etc." of retained personal data

We will respond to requests by a customer or his/her representative as follows in accordance with the "Act on the Protection of Personal Information" of Japan.

Notification of purpose of use

We will notify the purpose of use of such retained personal data as may lead to the identification of the person concerned. However, in the following cases, we may reject a request, in whole or in part, and give the reason why.

  • [1] Cases in which notifying the person of the purpose of use or publicly announcing it might harm the life, body, property, or other rights or interests of the person or a third party
  • [2] Cases in which notifying the person of the purpose of use or publicly announcing it might harm the rights or legitimate interests of the ZIPAIR
  • [3] Cases in which it is necessary to cooperate with a state institution or a local public body in executing the operations prescribed by laws and in which notifying the person of the Purpose of Use or publicly announcing it might impede the execution of the operations concerned
Disclosure

We will disclose such retained personal data as may lead to the identification of the person concerned. (When the retained personal data does not exist, we will respond accordingly.) However, in the following cases, we may reject a request, in whole or in part, and give the reason why.

  • [1] Cases in which disclosure might harm the life, body, property, or other rights or interests of the person or a third party
  • [2] Cases in which disclosure might seriously impede the proper execution of the business of the entity concerned handling personal information
  • [3] Cases in which disclosure violates other laws
Correction, etc.

When requested by a person to correct, add, or delete such retained personal data as may lead to the identification of the person concerned on the ground that the retained personal data is contrary to the fact (hereinafter "Correction, etc."), we will, except in cases in which special procedures are prescribed by any other laws for such correction, addition, or deletion, make a necessary investigation. As a result, when we have corrected, added, or deleted all or part of the retained personal data as requested, we will notify the effect without delay. When we have decided not to make such correction, addition, or deletion, we will notify and give the reason without delay.

Stopping the use, etc.

When requested to stop using, erase or stop providing to a third party such retained personal data as may lead to the identification of the person concerned (hereinafter "Stopping the use, etc."), and where it is found that the request has a reason, we will stop using, erase or stop providing to a third party the retained personal data concerned without delay to the extent necessary for redressing the violation. However, if it costs a great deal or otherwise difficult to stop using or to erase the retained personal data concerned, we may take necessary alternative measures to protect the rights and interests of the person. When we have stopped using, erased or stopped providing to a third party all or part of the retained personal data as requested, we will notify without delay. When we have decided not to stop using, not to erase or not to stop providing a third party the retained personal data, we will notify and give the reason without delay.

(Procedures for Request)

Please send the request form (*1) , required documents (*2) and fee (*3) (when requesting "notification of purpose of use" and "disclosure") to the following address.

ZIPAIR Tokyo, Inc.
Narita International Airport, Terminal 1, North Wing, 4F NA407,
1-1 sanrizuka aza goryobokujyo, Narita-city, Chiba, 282-0011

*1:Request Forms

Please download and complete request forms from below.

*2:Required Documents

Please attach the documents below to verify the identity of the individual. When a request is sent by a representative, please attach documents to verify the identity of the representative together with a power of attorney.

<Documents to identify the individual> (In case the request is sent by a representative, please attach documents of the representative)

A copy of either one of the following; driver's license, passport, health insurance certificate, basic resident registration card with photo, pension book, disability book, foreign resident registration certificate, seal registration certificate (A certified copy of the seal registration issued by the municipality.)

<Documents to confirm address>

In case the address is not written by a public entity on the documents above, please attach a certified copy of the residence certificate or the original copy of the foreign resident registration (issued within 3 months prior to the request).

<Documents to confirm power of attorney>

(In case of legal representative)

Documents to verify legal representative, e.g. family register, guardian registration certificate

(In case of voluntary representative)

Power of attorney (with the registered seal of the individual and the seal registration certificate attached)

In case a request is sent by a voluntary representative, we will check whether he/she has been commissioned by the individual, we may disclose directly to the individual, or such.

*3:Fee

In case of requesting "Notification of purpose of use" or "Disclosure," please enclose stamps worth 500 yen as a fee.

Notes

・If the disclosure request cannot be confirmed (e.g., due to data retention period expiration), disclosure may not be possible.

・Boarding confirmation and issuance of boarding certificates are handled by our Contact Center.

(However, please note that we may refuse if we cannot confirm your identity.)

(2) Contact for Inquiries

If you have any inquiries regarding "Handling of Personal Information", please send your letter to the following address.

ZIPAIR Tokyo, Inc.
Narita International Airport, Terminal 1, North Wing, 4F NA407, 1-1 sanrizuka aza goryobokujyo, Narita-city, Chiba, 282-0011

Handling of personal information of EEA residents