The Shiseido Group (hereafter “Group”) is fully aware of the importance of personal information obtained through business activities, considers ensuring the safety of such information to be its social responsibility, and makes sure to implement privacy protection on a Group-wide basis under the “Shiseido Group Privacy Rules,” which must be followed by all people working for the Group.
Also, the “Shiseido Global Privacy Principles,” which were established as the Group’s common privacy principles, as well as each Group company’s privacy policies are publicly disclosed.
The Shiseido Group has privacy protection systems in place under the leadership of the Chief Legal Officer (CLO) and the Legal Department. The CLO has ultimate responsibility for privacy protection and engages in the planning and implementation of related strategies and initiatives while communicating with the management team.
The Chief Information Technology Officer (CITO) is responsible for the implementation and oversight of security measures to protect personal information. In addition, the Vice President of the Information Security Department is responsible for promoting and executing these measures. Representatives of the overseas regional headquarters are responsible for managing the handling of personal information within their jurisdictions. The heads of departments of each Group company confirm the protection and management of personal information handled in their departments on a regular basis, provide education and training to employees, and respond to security incidents.
To promote information security management systems, we refer to several major related guidelines and best practices, such as the ISO 31000 international standard for risk management, the ISO 27001 international standard for information security management systems, the NIST Cybersecurity Framework of the National Institute of Standards and Technology, the CIS Controls of the Center for Internet Security, and the Cybersecurity Management Guidelines of the Ministry of Economy, Trade and Industry.
Furthermore, specific guidelines and rules have been formulated. These include the above-mentioned “Shiseido Group Information Security Policy,” in addition to rules and regulations regarding confidential information management, data protection, and security measures on information systems. We are working to promote compliance with these guidelines and rules on a global scale by encouraging the engagement of overseas offices.
To ensure information security in activities involving external business partners, we ask them to observe the “Shiseido Group Supplier Code of Conduct,” which includes requirements for proper handling of confidential information and personal information. When outsourcing important operations, we check the information security management systems of the business partners before we execute a service agreement requesting them to take appropriate safety management measures.
The Shiseido Group conducts e-learning programs and holds group sessions on a regular basis to help employees increase their awareness and knowledge of privacy protection. We provide guidance to new graduate and mid-career hires during orientation sessions to instill the importance of privacy protection in our personnel from the time they start with the Group.
To keep employees updated on privacy protection issues, the latest information is posted on our internal portal.
The Shiseido Group has developed internal systems and processes that enable the Legal and Information Security departments to be involved in the development of new business or services from the beginning so that necessary privacy protection measures can be taken at the planning/designing stage.
At the Shiseido Group, when entrusting all or part of the handling of Personal Information to a third party, we appropriately manage and supervise the entrusted third party to ensure the security management of the Personal Information.
The Shiseido Group periodically checks and assesses its information assets including personal information. Also, to check if privacy protection measures have been implemented appropriately in all offices, departments, and affiliates, we conduct a risk-based assessment of their information systems and issue an order for improvement if a problem is detected. As for our business partners to whom we outsource the handling of personal information, we check their information security management systems and operational status thereof on a regular basis even after executing service agreements with them.
The Shiseido Group has established a system to respond to incidents related to personal information. In the event of a possible data breach or violation of laws and regulations, the Legal, Risk Management, Information Security, Information Systems, and other departments work together to respond to the incident.
If a privacy incident such as a personal information breach occurs, the Group will report to the authorities concerned and to the data subjects, following the laws and regulations of each country/region.
To verify that the Shiseido Group’s implementation of its privacy protection initiatives and management systems is appropriate, we enlist external experts to conduct an assessment when necessary. Issues and challenges identified through these assessments are then taken into account in developing privacy protection strategies and initiatives.
Violations of the Shiseido Group’s privacy principles, policies, and practices may be subject to disciplinary action, including potential termination, in accordance with applicable laws.