KDDI's Privacy Policy

1. Privacy Policy

KDDI CORPORATION (hereinafter referred to as "KDDI") may acquire and use your personal data to contribute to improving the value of our customers' experience and to the sustainable development of society through our business activities, which include the provision of various services and products. "Personal data" refers to personal information as defined in the Act on the Protection of Personal Information (hereinafter referred to as "Personal Information Protection Act"), as well as specified user information prescribed in Article 27-5 of the Telecommunications Business Act, and other data related to individual customers.
In recognition of the importance of personal data, KDDI has established the "Basic Policy for Data Utilization" as clear guiding principles for our course of action to ensure the protection of personal data. KDDI sets forth this privacy policy as our guidelines for handling personal data based on the "Basic Policy for Data Utilization."
KDDI's Privacy Portal is also available for your reference to help understand the specifics and details of how KDDI handles data.

2. Appropriate Handling

KDDI handles personal data appropriately based on this Privacy Policy, in compliance with all applicable international and domestic laws and regulations, the Guidelines Concerning Protection of Personal Information, and other relevant guidelines. KDDI also has established an internal management system and regulations for handling personal data.

3. Obtainment of Data

KDDI handles the following personal data obtained through lawful, fair means. The personal data handled by KDDI include personal data of users collected through the User Registration System of each telecommunications service in addition to that of subscribers, etc.
For major services, access https://www.kddi.com/corporate/kddi/public/conditions/ to read the terms and conditions of agreement. For specific examples of data used, read 5. Data Used below.

  • [1]

    Information collected from written sources such as application forms filled out by customers, or a company website, or verbally collected in order for KDDI to provide services

  • [2]

    Information collected by KDDI for customers' use of KDDI's services, etc.

  • [3]

    Information obtained from an external party

    • Information obtained through inquiries with public agencies (e.g. Certificate of Residence)
    • Information obtained from public information sources such as official government gazettes and telephone directories
    • Information obtained from credit bureaus, etc.
    • Information lawfully obtained from a partner company, etc.
    • Other information lawfully obtained from a third party

4. Purpose of Use

  • (1)

    KDDI uses collected personal data in the scope necessary to achieve the following purposes of use. For specific examples of purposes of use, see Appendix 1. The use of personal data by KDDI includes mutual use of such personal data between services in addition to using such personal data for services provided to customers in KDDI's business areas.

    • [1]

      To provide announcements and other information about services and products to customers

    • [2]

      To provide services and products

    • [3]

      To survey and analyze the usage of services and products

    • [4]

      To continue delivering services and products in a stable manner

    • [5]

      To respond to inquiries from customers

  • (2)

    KDDI may obtain agreement from customers in advance when using personal data, providing personal data to a third party, or handling personal data otherwise. Furthermore, KDDI may use personal data or provide personal data to a third party to the extent permitted by laws and regulations without prior consent from customers for a purpose other than those specified in (1) above. In such cases, KDDI uses due care in protecting the rights and interests of customers.

  • (3)

    When the purpose of use is changed, the updated purpose of use will be published on KDDI's website, etc. or communicated to the individual customers.

  • (4)

    KDDI may use personal information in the scope of the purpose of use specified in (1) above even after the termination or expiry of contract with a customer.

5. Data Used

KDDI uses personal data for the purpose of achieving the purpose of use as specified in 4. Purpose of Use above. As an example, personal data used by KDDI includes the following information. For more specific examples, see Appendix 2.

  • [1]

    Basic information

  • [2]

    Information on usage

  • [3]

    Location information

  • [4]

    Information obtained through business and agency

  • [5]

    Information obtained from an external party

  • [6]

    Terminal information

  • [7]

    Other information obtained based on customer's consent

For the use of location information, KDDI may obtain a separate consent from customers.

When KDDI collects information specified as "Special Care-required Personal Information" under the Personal Information Protection Act, KDDI will obtain a separate consent from the customer prior to collecting such information.

6. Collaboration with a Third Party

  • (1)

    KDDI may obtain consent from a customer in advance to provide personal data to a third party based on the particulars agreed upon.

  • (2)

    As described in Appendix 3, KDDI shares personal data.

  • (3)

    KDDI may outsource personal data handling operations in whole or in part. In such cases, KDDI will select service providers that are recognized for proper handling of such information, properly set forth conditions for security management measures, confidentiality, subcontracting, returning of personal data upon termination or expiry of service agreement, and other matters pertaining to the handling of personal data upon contracting, and supervise the service providers as necessary and appropriately.

  • (4)

    When providing personal data to a foreign third party, KDDI will take necessary measures, including acquisition of consent and information provision, in compliance with laws and regulations. In addition, when a business operator located outside Japan handles specified user information in accordance with the Telecommunications Business Act, KDDI will announce this circumstance in compliance with laws and regulations, as described in Appendix 7-2.

  • (5)

    KDDI uses personal data received from third parties to cross-check, link, or add to the personal data held by KDDI, in order to achieve the purposes described in 4. Purpose of Use above.
    The personal information provided by third parties includes various types of information related to customers that cannot identify individuals, such as cookies, advertising identifiers and other IDs, IP addresses, location information, browsing history of websites operated by KDDI and third parties, advertisement viewing history, information related to activity during other Internet usage, information related to activity when using applications and services provided by KDDI and third parties, information related to answers to questionnaires, interest and preference categories, and demographic information (including attributes such as gender, age, family composition, occupation, and area of residence).

  • (6)

    KDDI may provide personal data in the possession of KDDI to a third party as described in Appendix 4.

  • (7)

    In addition to the above, KDDI may provide personal data held by KDDI to a third party in a form where individuals cannot be identified (anonymous-masked information or statistical information).

7. Security Management Measures

KDDI takes measures to control access to personal data, restrict the means by which personal data can be carried out, and prevent unauthorized external access, and also takes necessary and appropriate measures for the security management of personal data (hereinafter referred to as "Security Management Measures"), including those to prevent leakage, loss, and destruction of personal data.
KDDI complies with the relevant laws and regulations and utilizes the guidelines and framework of the information security management system (ISMS) to properly implement security protections for the personal data in KDDI's possession as follows:

  • (1)

    Formulation of basic policy

    KDDI has formulated a basic policy to ensure proper handling of personal data throughout the organization (See 1. Privacy Policy).

  • (2)

    Development of discipline for the handling of personal data

    KDDI has established rules for handling personal data regarding the way it should be handled, managers and staff, and their duties.

  • (3)

    Technical and physical security management measures

    KDDI implements access control for personal data (including limitation of access right holders (including measures such as an immediate invalidation of former employee accounts), access monitoring (including long-term retention of access logs), periodic password changes, and room access management).
    KDDI restricts personal data from being carried out (including prohibition of unnecessary recording on external storage media and internal regulations on the monitoring of e-mails sent between internal and external sites).
    KDDI takes measures to prevent unauthorized access from external entities (including the installation of firewalls).

  • (4)

    Organizational security management measures

    KDDI assigns an Information Security Manager as the person responsible for personal data management, and clearly defines the responsibilities and authority of employees regarding the security management of personal data.
    In addition to supervising employees (including temporary staff), KDDI establishes a reporting and liaison system for informing the manager of any fact or signs of violation of law or handling regulations.
    Any violation of the handling regulations will be dealt with strictly, including disciplinary action, based on internal regulations.
    KDDI formulates internal regulations and manuals for security management and promotes the employees' compliance with them as well as conducts appropriate audits to check the state of compliance.

  • (5)

    Personal security management measures

    KDDI provides periodic educational training regarding the security management of personal data to its employees.

8. Inquiries About the Handling of Personal Data

If you have any inquiries regarding the handling of personal data by KDDI, refer to the following for procedures and other details.

  • (1)

    Suspension of direct mails and receipt of other forms of advertising

    When a customer does not wish to receive advertising material via direct mail (including information via e-mail and SMS), they may request us to stop delivery.
    However, delivery of information such as e-mail related to confirmation of an application or order concerning services, e-mail of important notification related to services used by the customer, and other e-mail provided by KDDI necessary for operation of services is excluded from this opt-out provision. To request suspension of direct mails, etc., contact us at the following locations:

    KDDI Customer Service Center

    • au mobile phone users
      From au phones: Free Call 157 with no prefix (toll-free)
      From general phones: Free Call 0077-7-111 (toll-free)
      Hours: 9:00 to 20:00 (including weekends and holidays)

    • Internet and telephone service users
      Free Call 0077-777 (toll-free)
      Hours: 9:00 to 18:00 (including weekends and holidays)

    • povo1.0 users
      povo1.0 Customer Support (chat window) (in Japanese only)

    • povo2.0 users
      povo Support (chat window) (in Japanese only)
      Hours: 9:00 to 21:00 (including weekends and holidays)

      • Changes can also be made from "Settings" in the "povo2.0 app".

    UQ mobile Customer Service Center

    • UQ mobile telecommunications service users
      Free Call 0120-929-818 (toll-free)
      Hours: 10:00 to 19:00 (including weekends and holidays)

  • (2)

    Requests for the disclosure of personal data, etc.

    KDDI will respond to requests from a customer or their agent for disclosure of their personal data or records on third-party provisions, based on laws and regulations, except in the following cases. Please note that "customers" includes all users registered with the User Registration System for au Telecommunications Services, in addition to subscribers.

    • [1]

      The disclosure has a risk of harm to the customer's or a third party's life, physical well-being, property, or other rights or benefits

    • [2]

      The disclosure has a risk of causing significant problems to the proper implementation of KDDI's business operations

    • [3]

      The disclosure constitutes a violation of a law or regulation

    Please direct any inquiries regarding requests for disclosure of personal data, etc. to the following:
    [KDDI Corporation Personal Data Disclosure Consultation Office]
    Postal code: 163-8509
    KDDI Bldg. 2-3-2 Nishi-shinjuku, Shinjuku-ku, Tokyo
    03-6670-6684 (9:00 to 17:00 excluding weekends, national holidays, and Year End/New Year holidays)

    For information on the procedure for making a request for disclosure of personal data, etc., see Appendix 6.

  • (3)

    Response to other matters concerning personal data

    • [1]

      Revision of personal data (correction of, addition to, or deletion of personal data; suspension of use of personal data; erasure of personal data; discontinuation of providing personal data to a third party)
      In response to any request for a revision of personal data from a customer or their agent, KDDI will conduct an investigation based on laws and regulations. After confirming due reason for the request in light of the provisions of the Personal Information Protection Act, KDDI makes the revision in accordance with the provisions of the Act. To make a request for revision of personal information, contact the KDDI Corporation Personal Data Disclosure Consultation Office above (2). For other changes or revisions to customer subscription information, contact the KDDI Customer Service Center or the UQ mobile Customer Service Center, according to the telecommunications service you are using.

    • [2]

      Notification of the purpose of use

      KDDI will respond to requests from a customer or their agent for notification of the purpose of use, based on laws and regulations, except in the following cases:

      • The purpose of use of the personal information is clearly such that can identify the individual
      • The notification has a risk of harm to the individual's or a third party's life, physical well-being, property, or other rights or benefits
      • The notification has a risk of harming KDDI's rights and rightful benefits
      • When there is a need to cooperate with a national or local governmental agency performing a statutory operation, whereas the notification of the purpose of use has the risk of causing a problem for the performance of the operation

      To make a request for the notification of the purpose of use, contact the KDDI Corporation Personal Data Disclosure Consultation Office above (2).

  • (4)

    Opinions and requests regarding the handling of personal data and specified user information

    Please direct any opinions or requests regarding KDDI's use, provision, or other handling of personal data and specified user information to the KDDI Corporation Personal Data Disclosure Consultation Office above (2).
    Please note that we do not respond to requests in person at our office.

  • (5)

    Accredited Personal Information Protection Organization and other organizations that accept complaints

    The Accredited Personal Information Protection Organization and other organizations that accept complaints to which KDDI belongs are as follows:

9. Other Announcements

  • (1)

    Name and address of the business operator handling personal information and name of its representative

    KDDI Corporation
    Garden Air Tower, 3-10-10, Iidabashi, Chiyoda-ku, Tokyo 102-8460, Japan
    Makoto Takahashi
    President, Representative Director

Also, KDDI will announce any information regarding the handling of anonymous-masked information, processing of personal data, and other matters that need to be announced, in the Other Announcement section of Appendix 7 as it arises.