Mizuho’s Basic Policy on Protection of Personal Data Consistent with GDPR and CCPA

Mizuho Corporation (hereinafter referred to as “Mizuho” or “we”/”our”/”us”) recognizes that protection of personal data of our customers (hereinafter referred to as “you”/”your”) is an important corporate responsibility of Mizuho. Protecting personal data is also a practice that wins the trust of the international community including Japan, which is essential when engaging in business on a global basis.
Mizuho has adopted a privacy policy based on GDPR and CCPA (hereinafter referred to as this “Privacy Policy”) on our collection and use (when used collectively, hereinafter referred to as “processing”) of your Personal Data (which means the “personal information” and “personal data” as defined in the Japanese Act on the Protection of Personal Information, “personal data” defined in the EU General Data Protection Regulation (“GDPR”), and California Consumer Privacy Act of 2018 (“CCPA”), collectively). We have also established a compliance framework, and will ensure that our officers and employees are fully aware of this Privacy Policy.

Collection of Personal Data

1. Collection of Personal Data

   In the course of providing goods or services to customers, Mizuho collects such Personal Data from you (including from your officers or employees) as your name, address, and contact information.  In the course of collecting Personal Data from you, we will clearly indicate the purpose of collection and the scope of usage of the Personal Data, and collect Personal Data only to the extent necessary.  Your submission of Personal Data to us is not a requirement of or condition to the execution of any contract between you and Mizuho, and you are under no obligation to provide Personal Data to us.  You will not be adversely affected if you fail to provide us with your Personal Data.

2. How we collect Personal Data

   In the course of transactions involving our products and services, Mizuho may collect Personal Data through the following means:

   1. Directly from you
      Verbally, in writing, over the telephone, from business cards, or through the Internet
   2. From a person duly authorized by you
      Such authorized persons may include those authorized to make an application of our goods or service on behalf of you or to introduce a customer, and medical institute persons
   3. From publicly available information
      Newspapers, medical journals, telephone directories, publications, and other various information media

3. Types of Personal Data Collected by Mizuho

   Mizuho may collect the following Personal Data.

   1. Basic information about you, such as:
      Name, home address, gender, date of birth, nationality, email address, telephone number, facsimile number, and credit card number
   2. Additional information about you, such as:
      Occupation, workplace information (company name, address, telephone number, department, title); information on family members (names, relationships, dates of birth); and marriage and other anniversary dates
   3. Details of communications with Mizuho, such as:
      Information contained in emails, fax transmissions, or letters; or provided to us using our website data entry form or as answers to surveys
   4. Information automatically obtained by websites of Mizuho
      Cookies, IP address, browser type, and date and time of access
   5. Information required by instructions or directives issued by the relevant authorities or by law, regulations, ordinances, etc.
   6. (If CCPA applies) Information that is linkable to your household

   If CCPA applies, Personal Data collected, disclosed or shared during the last 12-month period for business purposes are, from the categories set forth in Items (1) through (6) above as follows:
   With regard to the above categories of Personal Data, party from which Personal Data is collected, commercial purpose of collection, and scope within which Personal Data is provided or shared are as follows:

   Category of Personal Data	Collected from	Purpose of collection	Provided to
   Name	business partner	Sales promotion of products handled by Mizuho	Mizuho's affiliate
   email address	same as above	same as above	same as above
   telephone number	same as above	same as above	same as above

   If CCPA applies, and Personal Data classified under a category other than those enumerated in this Privacy Policy is to be used, or Personal Data classified under a category enumerated in this Privacy Policy is to be used for purposes other than those set forth herein, Mizuho will first take the steps, if any, required under this Privacy Policy, and use Personal Data after changing or updating this Privacy Policy to comply with such use.

Consent

The provisions of this Article 3 apply only to processing of Personal Data for those residing in the European Economic Area (EEA) member countries.

1. Consent

   As a general rule, the legal basis for the processing of Personal Data by Mizuho is your consent.
   The legal bases for the processing of Personal Data when you have not given us your consent are when processing is needed (i) for Mizuho to perform our contract with the customer; complete procedures at your request prior to execution of a contract; comply with our legal obligations; protect your interests and interests of other persons concerning their life and body; perform our duties for the public interest, and (ii) for the protection of legitimate interests of Mizuho or other third parties.  Legitimate interests of Mizuho or other third parties include improvements of our products and services, and improvements to the usability and security features of our website.

2. Withdrawal of consent

   You may withdraw their consent on the processing of Personal Data at any time.  Your withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal.  You have the right to withdraw your consent by contacting Mizuho Personal Information Center.

Use of Personal Data

1. Purposes for which Personal Data is used

   Mizuho will use your Personal Data only within the scope and for the purposes set forth below in Paragraph 4-2, and for no other purposes.

2. Purposes of use of Personal Data collected by Mizuho

   Mizuho will use your Personal Data for the following purposes:

   1. For communications (including sending emails and direct marketing catalogs) regarding transactions of products and services provided by Mizuho and/or Mizuho Group companies; and for handling of shipment of products, and payments and other related matters.
   2. For the manufacture and sales promotion of products handled by Mizuho and/or Mizuho Group companies; and for development of services, and to engage in activities that contribute to the offering and promotion of these services.
   3. To engage in activities related to improving the quality of products and services provided by Mizuho and/or Mizuho Group companies; and for handling after-sale services provided.
   4. For dissemination of notices regarding seminars, lectures, etc. hosted, jointly hosted, or supported by Mizuho and/or Mizuho Group companies.
   5. To engage in work (including conducting questionnaires and monitoring surveys) related to research and development of medical devices, etc. of Mizuho and/or Mizuho Group companies.
   6. To respond to your inquiries and take steps to resolve any issues or complaints made by you.
   7. For hiring of employees, etc. and for management of human resources.
   8. For management of facilities and equipment.

   In addition to providing information directly to customers, Mizuho may also provide information in the form of direct mail and email marketing.
   If Personal Data is to be processed for any purpose other than those listed above, Mizuho will notify you clearly setting forth the purpose and scope of the processing, and obtain their consent before such data is collected or used.

3. Suspension of use of Personal Data

   You may decide that you do not wish to have all or part of their Personal Data collected and owned by Mizuho used for the purpose of direct mail and email marketing. In such case, please contact Mizuho Personal Information Center at the contact address set forth in Article 9 below.  We will do our best to meet your wishes.

Provision of and joint use of Personal Data with third parties

1. Restrictions on the provision of Personal Data to third parties

   If we are to provide third parties with data identical to all or part of your Personal Data that we are keeping, we will make the transfer only after obtaining your consent, unless the provision falls under any of the exemptions under GDPR, CCPA or the laws of Japan.  In such case, we will select third parties with care, and request that they take the same appropriate measures in the management of Personal Data in accordance with GDPR, etc., as taken by Mizuho.

2. Monitoring of service providers

   When using your Personal Data, Mizuho may entrust the handling, etc. of the Personal Data to third party service providers within the scope of the purposes of use. We will impose an obligation upon the service providers to strictly manage Personal Data at the same level as they are managed by Mizuho, and we will monitor the service providers in a suitable manner.  When entrusting handling, etc. of Personal Data of customers residing in EEA member countries to service providers, we will comply with the security management of Personal Data by executing a contract including standard contractual clauses prescribed by GDPR.

3. Service providers of Mizuho

   1. If all or part of the handling of personal information is to be entrusted, the persons to whom Personal Data is entrusted;
   2. Persons who are business partners for products and services provided by Mizuho and/or Mizuho Group companies, or are service providers regarding these products and services;
   3. Business operators and professionals who provide professional advice on business management/operation and other matters;
   4. Trade counterparties, business partners, and intermediaries of Mizuho Group companies;
   5. Each of Mizuho Group companies
   6. If provision of Personal Data is required by law, persons receiving the Personal Data;

4. Personal Data to be used jointly, and persons who jointly use the Personal Data

   Within the scope of the purpose of use set forth in Article 4-2, Mizuho may jointly use your Personal Data with Mizuho Group companies (Mizuho Medical Co., Ltd. http://www.mizuhomedical.co.jp/、Mizuho Urban Co., Ltd. ) and other business operators that we will clearly indicate.  Personal Data that will be jointly used is as follows.  The business operator that first collected such Personal Data is responsible for the management of such data.

   1. Basic information about you, such as:
      Name, home address, gender, date of birth, nationality, email address, telephone number, facsimile number, and credit card number
   2. Additional information about you, such as:
      Occupation, workplace information (company name, address, telephone number, department, title); information on family members (names, relationships, dates of birth); and marriage and other anniversary dates
   3. Details of communications with Mizuho, such as:
      Information contained in emails, fax transmissions, or letters; or provided to us using our website data entry form or as answers to surveys
   4. Information automatically obtained by websites of Mizuho
      Cookies, IP address, browser type, and date and time of access
   5. Information required by instructions or directives issued by the relevant authorities or by law, regulations, ordinances, etc.(If CCPA applies) Information that is linkable to your household

5. Status of Personal Data Sales (if CCPA applies)

   1. Mizuho has not provided or sold Personal Data to a third party for business or commercial purpose during the past 12 months.
   2. Mizuho will not sell Personal Data of a minor who is less than 16 years of age to a third party for business or commercial purpose.

Handling of Personal Data Retained by Mizuho

1. Retention of accurate Personal Data

   Mizuho will take appropriate measures to ensure that your Personal Data is kept accurate and up-to-date.

2. Retention period of Personal Data

   Mizuho will retain Personal Data for as long as it is necessary to fulfill the purposes of their use.  Upon expiry of this retention period, we will erase, pseudonymize or anonymize the Personal Data in a manner ensuring their safety within a reasonable period.  In the retention, erasure, pseudonymization, or anonymization of Personal Date, we will comply with laws, regulations, and other requirements of the territories in which Mizuho operates.

3. Automated means

   Mizuho will not make decisions based solely on automated processing, including profiling of Personal Data.

4. Your rights with respect to Personal Data

   You have the following rights under GDPR, etc. (excluding CCPA; the same applies hereafter in this Article 6).  You are able to exercise these rights by contacting (either by email or telephone) Mizuho Personal Information Center.  When you notify us that you wish to exercise your rights, and after we verify your identification, we will, as a general rule, contact you within one (1) month from the date of receipt of your notice, unless the matter falls under any of the exceptions provided in GDPR, etc.

   1. Your right of access to Personal Data
      You have the right to check whether your Personal Data is being processed and, if Personal Data has been collected and/or is being used, you have the right to access such Personal Data and other supplementary information.
   2. Your right to rectification of Personal Data
      You have the right to have inaccurate Personal Data rectified.
   3. Your right to erasure of Personal Data
      In certain circumstances, you have the right to have your Personal Data erased.
   4. Your right to restrict processing of Personal Data
      In certain circumstances, you have the right to restrict the use of your Personal Data.
   5. Your right to object to the processing of Personal Data
      You have the right to object to the processing of your Personal Data if the processing is based on legitimate interests of Mizuho or a third party.
   6. Your right to data portability
      You have the right to receive Personal Data you provided to Mizuho in a structured, commonly used and machine readable format.  You also have the right to request that we transmit this data directly to another controller without our hindrance.

5. Rights of “consumers” to Personal Data (if CCPA applies)

   If CCPA applies, individuals (including any of your employees to whom CCPA applies; the same applies hereinafter) who are “consumers” under CCPA have the following rights.  “Consumers” are able to exercise these rights by contacting (either by email or telephone) Mizuho Personal Information Center set forth in 9. below.

   1. Your right to access to Personal Data
      You have the right to access to your Personal Data up to twice in a 12-month period.  Mizuho will provide you with the information, free of charge, in a readily useable and portable format (e.g., through your account if you have an account with us, or by mail, email or other means if you do not maintain an account with us) within 45 days of receiving your request.
   2. Your right of deletion of Personal Data
      Unless any of the exceptions permitted under CCPA applies, if you are a “consumer” under CCPA, you have the right to request deletion of your Personal Data that was collected from you.  In such case, if Mizuho provided such Personal Data to a service provider, we will instruct that service provider to make such deletion.
   3. Your right not to be discriminated
      You have the right not to be discriminated against because you exercised any of your rights under CCPA, such as being charged prices or rates different from those charged to other individuals who are “consumers,” or being provided different services from them, or being denied goods or services.
   4. Right to opt-out of the sale of Personal Data
      This is a right to direct Mizuho to stop selling Personal Data, or not to sell Personal Data in the future.  Mizuho has not sold, and will not sell, Personal Data of a “consumer” to a third party.

   If a “consumer” under CCPA requests disclosure of his/her Personal Data pursuant to (1) or (2) above, Mizuho will respond to such request within the period required under CCPA after verification that the request is being made by the customer himself/herself in a manner set forth below. In any of the following cases, Mizuho may request submission of information that is only possessed by the “consumer” himself/herself.

   • If a “consumer” is requesting disclosure of the categories of Personal Data that Mizuho has collected, verification will take the form of Mizuho asking two or more questions on Personal Data of the “consumer” that Mizuho considers appropriate for verification purpose, and receiving correct answers to these questions.
   • If a “consumer” is requesting disclosure of a specific Personal Data, verification will take the form of Mizuho asking three or more questions on Personal Data of the “consumer” that Mizuho considers appropriate for verification purpose, and receiving correct answers to these questions, and having the requestor sign and submit a signed declaration under penalty of perjury that the requestor is the “consumer” whose Personal Data is the subject to the disclosure request.

   If, on the other hand, a “consumer” under CCPA requests deletion of his/her Personal Data pursuant to the above, Mizuho respond to the request within the period required by CCPA upon verifying the request by a method that Mizuho considers appropriate according to the category of Personal Data being deleted.  In such case, Mizuho may request the “consumer” to provide information that only the “consumer” possesses.

6. Your right to lodge a complaint with a supervisory authority

   You have the right to lodge a complaint with a supervisory authority of a country, territory, international organization, etc. in accordance with GDPR, etc. regarding Mizuho's handling of their Personal Data.

7. Request by agent

   A consumer under CCPA may exercise the right set forth in 6-5 through an authorized agent.  In such case, such consumer shall submit to Mizuho a power of attorney signed by itself. In addition, Mizuho will ask the authorized agent for identification verification in the same manner as set forth in 6-5.

Transfers of Personal Data to third countries, etc.

Mizuho expects to transfer Personal Data collected from EEA member countries to Japan or other countries, territories or international organizations, etc. within/outside EEA.  Countries to which we intend to transfer Personal Data include countries recognized in GDPR as providing adequate level of data protection (which includes Japan as well as Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, and Uruguay) but also countries for which an adequacy decision has not been adopted.  Mizuho will not transfer your Personal Data to a country without an adequacy decision unless we receive your explicit consent to the transfer, or the receiver has either signed a contract to comply with binding corporate rules (“BCR”) based on GDPR, or we have entered into contract with the receiver containing standard contractual clauses (“SCC”) which are found to offer adequate protection under GDPR.  If you submitted the relevant Personal Data, we will disclose a copy of these contracts if any has been executed, after masking any confidential information, if you request for such disclosure.

Security Management of Personal Data

1. Compliance with relevant laws, regulations, and guidelines

   Mizuho complies with the GDPR, CCPA as well as other relevant laws, regulations, and industry guidelines.

2. Security management measures

   Mizuho makes every effort to protect customers' Personal Data, including taking with preventive and security measures to protect against unauthorized access, destruction, tampering, or divulgence.

3. Compliance system within Mizuho

   Mizuho has an organizational system in place for the protection of Personal Information, including a Data Protection Officer (“DPO”) to oversee compliance, and personal information management officers in each department.

4. In-house rules for the handling and management of Personal Data

   Mizuho has established rules on the handling of Personal Data setting standards on appropriate acquisition, maintenance, use, and disposal of Personal Data, and ensuring that these standards are strictly complied.  We also adopted a code of conduct and concrete rules for the prevention of unauthorized access, destruction, tampering and divulgence of Personal Data.

5. In-house training

   Mizuho has in-house training programs on protection of Personal Data.  We are committed to protecting Personal Data by ensuring that our employees are made fully aware of the details of personal data protection.

6. Review of in-house rules on the handling and management of Personal Data on an on-going basis

   Mizuho reviews and improves the rules on the handling of Personal Data and the organizational system for implementing those rules on an on-going basis, to ensure that their implementation continues to be effective and appropriate.

Contact for Inquiries and Complaints

Mizuho has established a customer service desk to respond to your inquiries, comments, and complaints regarding your Personal Data collected and kept by Mizuho.  After conducting the required verification of your identification or the identification of your agent, we will provide a response that we determine in good faith to be reasonably necessary. Please note that depending on the inquiry, comment, or complaint, it may take some time for us to provide a response.

Update of this Privacy Policy

Mizuho will update this Privacy Policy as it deems necessary. If CCPA applies, this Privacy Policy will be updated at least once every 12 months.