JALUX Group: Processing of Personal Data in GDPR

JALUX Inc. and its affiliated companies (hereinafter referred to as "JALUX Group") process and protect customers' personal data as follows, pursuant to the General Data Protection Regulation (hereinafter referred to as "GDPR") and the JALUX Group's Policies for Protection of Privacy. Refer to the following website for a list of JALUX Group companies. (However, the list may be changed from time to time.)

1. Protection and Management of Personal Data

JALUX Group properly manages and protects customers' personal data pursuant to the JALUX Group's Policies for Protection of Privacy.

2. Personal Data Controller and Data Protection Officer

1. Personal Data Controller

JALUX Inc.
Address: Shinagawa Season Terrace 1-2-70 Konan, Minato-ku, Tokyo, 108-8209

2. Data Protection Officer

Address: Shinagawa Season Terrace 1-2-70 Konan, Minato-ku, Tokyo, 108-8209
E-mail: dpo@jalux.com

3. Purpose and Legal Basis for Processing Personal Data

JALUX Group properly processes customers' personal data within the scope of the following purposes:

No. | Purpose of Processing | Legal Basis
1 | To provide JALUX's products and services | Contract performance
2 | To provide services relating to JAL Mileage Bank (hereinafter referred to as "JMB") services | Contract performance
3 | To provide information and communications regarding products, services, various events and campaigns, to conduct questionnaires, and to send prizes | Legitimate interests
4 | To process registrations for events and seminars held or sponsored by JALUX Group | Legitimate interests
5 | To conduct sales analysis, investigations and research; to develop new services and products | Legitimate interests
6 | To perform JALUX Group's contracted services | Contract performance
7 | To conduct operations relating to 1 - 6 above; to respond to inquiries, etc. | Contract performance; Legal Obligations; Legitimate interests

4. Personal Data Categories

JALUX Group processes customers' personal data necessary for the purposes stated in "3. Purpose and Legal Basis for Processing Personal Data". Such personal data includes:

  • Basic Data
    Name, address, contact details (TEL/FAX numbers, e-mail address), gender, date of birth, country/region of residence, passport number, credit card number, information on employment (company name, department, job title, address, TEL/FAX numbers), donation information, etc.
  • JMB Membership Data
    Membership number, member's service qualifications, membership region, accumulated mileage, data-related mileage awards, etc.
  • Communications Data
    Records of communications with JALUX Group (recordings of phone calls to the call center, records of responses to questions submitted via e-mail or web inquiry forms, etc. Where necessary, records of questions or complaints, etc. received at airport counters or shops may be kept)
  • Data Collected from Websites and Apps, etc.
    Website access logs (IP address, Cookies, etc.) and data collected by apps, etc.

Collection and Use of Sensitive Personal Data
JALUX Group may collect and use sensitive personal data on customers when providing services. The collection and use of such sensitive personal data is limited to cases in which customers request insurance and other financial related services, and such data is not used for any other purpose.

Example of Processing Sensitive Personal Data
When buying insurance policies via JAL Insurance Navi

Customers have the right to withdraw consent for the processing of sensitive personal data. Customers wishing to withdraw consent should contact the location where they applied for the service. It may not be possible to provide all or some services if consent is withdrawn.

5. Refusal to Provide Personal Data

The provision of personal data on customers is necessary for customers to be provided with services by JALUX Group. JALUX Group may not be able to provide a service in whole or in part if personal data is not provided.

6. Legitimate Interests of JALUX Group

JALUX Group has a legitimate business interest in the use of personal data it collects to provide effective services.

7. Disclosure and Provision of Personal Data to other Companies

  • 1. JALUX Group discloses and provides customers' personal data to Japan Airlines Co., Ltd. and JALUX Group companies to achieve the purposes stated in "3. Purpose and Legal Basis for Processing Personal Data".
  • 2. JALUX Group may conduct surveys relating to our services, etc. using an external web service. When a customer participates in a survey, some personal data on customers will be disclosed or provided to the operator that provides the web service. When requesting to participate in a survey, JALUX Group will indicate the name of the operator and matters concerning the processing of personal data by the operator.
  • 3. JALUX Group uses Google Analytics, a web analytics service provided by Google, Inc. (hereinafter referred to as "Google"), on its websites to understand how the sites are accessed. Cookies, web beacons, and other similar technology may be used to provide services. Cookies and web beacons, etc. are used to statistically analyze anonymous information and, as part of membership services, etc., may also be used to associate information that identifies customers so as to provide more customized services. JALUX Group may use user attribute and interest category reporting functions that respond to Google's advertising functions. Customers can opt out of these (suspend functions) at their discretion. Visit the following sites for an explanation of how to opt out:
  • 4. Where JMB member customers request exchange of awards, etc., customer data necessary to provide awards (address, etc.) is disclosed and provided to related corporations (award providers, delivery companies, etc.).
  • 5. Customers' personal data may be disclosed or provided to authorities or recipients specified in laws and regulations where necessary to comply with EU law or the laws and regulations of members of the EU/EEA.

8. Transfer of Personal Data to Non-EU Third Countries

JALUX Group may transfer customers' personal data from within the EU/EEA to non-EU/EEA countries and regions where there are JALUX Group establishments or airports serviced by JALUX Group in order to achieve the purposes stated in "3. Purpose and Legal Basis for Processing Personal Data".
In such case, except when the European Commission determines that the country or region has secured data protection at an adequate level, in principle, customers' personal data is transferred after executing standard data protection clauses as an appropriate protection measure in accordance with the provisions of the GDPR and the laws and regulations of EU/EEA member states.
Contact the inquiries section stated in "12. Inquiries" with questions, etc. regarding the above stated protection measures.

9. Management of Personal Data

JALUX Group retains customers' personal data for the period necessary to achieve the purposes stated in "3. Purpose and Legal Basis for Processing Personal Data". Records concerning boarding by customers, such as reservations records and ticket information, are normally retained after boarding for a maximum of three years.
For a JMB member, data is retained as membership data for a maximum 10 years after withdrawing membership, in addition to the period as a member. Furthermore, records concerning contracts and invoices are retained for the period necessary to meet legal obligations. If it is necessary for the establishment, exercise or defense of legal claims, we may keep personal data for a longer period.
Data collected during communication with customers (customer service records, records of e-mails received, etc.) is retained for the period necessary to provide even better services to customers.
Access logs, etc. recorded when the JALUX Group website is accessed are retained for the period necessary for analysis by JALUX Group.

10. How to Request Disclosure, etc. and Make Inquiries

When a data subject or his or her representative makes a request concerning personal data retained by JALUX Group, the company shall respond as follows in accordance with GDPR:

  • Disclosure
    The company discloses retained personal data that identifies the data subject. (The company will inform the data subject to such effect if there is no retained personal data that identifies the data subject.) However, where corresponding to any of the following, the company may notify the data subject of the reason and refuse to disclose data in whole or in part.
    • 1. Where the data subject's or a third party's life, health, property, or other rights or interests are likely to be harmed
    • 2. Where the proper implementation of JALUX's operations is likely to be hindered
    • 3. Where disclosure will violate laws and regulations
  • Rectification
    Where requested to rectify or make additions (hereinafter referred to as "Rectification, etc.") to retained personal data due to the retained personal data that identifies the data subject being incorrect, unless special procedures are specified in the provisions of laws and regulations regarding the Rectification, etc. of such details, the company shall conduct necessary investigations without delay within the scope necessary to achieve the purpose of processing. The company shall give notice of details without delay when all or a part of the retained personal data is Rectified, etc. as a result. The data subject shall be notified to such effect, outlining the grounds, if a decision is made not to carry out Rectification, etc.
  • Erasure
    Where requested to erase retained personal data that identifies the data subject, the company shall conduct necessary checks without delay such as where personal data is necessary in light of the purpose of processing. The company shall notify of details without delay when all or a part of the retained personal data is erased as a result. The data subject shall be notified of such effect, outlining the grounds, if a decision is made not to carry out erasure.
  • Suspension of Use, etc.
    Where requested to suspend use, erase, or suspend provision to a third party (hereinafter referred to as "Suspension of Use, etc.") of retained personal data, and when there is discovered to be grounds for such a request, the company shall Suspend Use, etc. of such retained personal data without delay, to the extent necessary; provided, however, that where Suspension of Use, etc. of such retained personal data requires a considerable expense, or where Suspension of Use, etc. is otherwise difficult, the company may substitute Suspension of Use, etc. with alternative measures necessary to protect the rights and interest of the data subject. The company shall notify the data subject of such effect without delay when it has Suspended Use, etc. of all or a part of the retained personal data. The data subject shall be notified to such effect, outlining the grounds, if a decision is made not to carry out Suspension of Use, etc.
  • Data Portability
    Where legal requirements are fulfilled, the company shall provide personal data provided by data subjects in a structured, commonly used, and machine-readable format. Furthermore, where technically possible, personal data provided by data subjects shall be transmitted to other data controllers. The data subject shall be notified to such effect, outlining the grounds, if a decision is made not to provide or transmit personal data.

Procedure for Making Requests

Send the applicable request form (*1) and the necessary documentation (*2) (when requesting “disclosure” or “data portability”) to the following address:
Personal Information Handling Desk
JALUX Inc.
Shinagawa Season Terrace 1-2-70 Konan, Minato-ku, Tokyo, 108-8209

*1 Download an application form from one of the following links:

*2 Necessary documentation

Attach the following documents to confirm the identity of the data subject. Where requests are made by a representative, attach documents to confirm the identity of the representative together with documents to confirm the right to represent.

[Data Subject Identity Confirmation Documents]
(Where requests are made by a representative, attach documents concerning the representative)
A copy of a driver's license, passport, health insurance card, or any other document issued by a public agency that can be used to confirm the identity of the customer

[Address Confirmation Documents]
Where the above document (from a government or public office) does not include an address, in order to confirm the addressee, attach a document issued by a public agency that indicates a current address (issued within three months of making the request).

[Right of Representation Confirmation Documents]
Parental Authority:
Document that confirms the representative has parental authority

Guardian of Adult:
Document that confirms the representative is a guardian of an adult

Statutory Agent:
Document that proves the representative is a statutory agent

Voluntary Representative:
Letter of proxy (signed by data subject)
In the case of requests from voluntary representatives, the company may confirm delegation with the data subject or directly disclose, etc. personal data to the data subject.

In order to view PDF documents, you will need to install Adobe Reader on your computer.

11. Complaints Concerning Personal Data

  • 1. Customers have the right to lodge an objection to the processing of their personal data retained by JALUX Group if legal requirements are fulfilled concerning a particular situation. Where an objection is lodged and such objection fulfills legal requirements, JALUX Group shall delete or suspend use of retained personal data in whole or in part, and notify the data subject to such effect without delay.
    Where objections are lodged regarding direct marketing, JALUX Group shall promptly suspend such direct marketing and notify the data subject to such effect without delay.
    The data subject shall be notified to such effect, outlining the grounds, if a decision is made not to carry out Suspension of Use, etc. due to the lodging of an objection.
  • 2. Customers have the right to make complaints concerning the processing of their personal data, against the EU/EEA member country in which the customer lives or works, or EU/EEA member countries' supervisory authorities that have engaged in illegal conduct. Contact each supervisory authority concerning specific complaint procedures, etc.

12. Inquiries

If you have any inquiries regarding "JALUX Group: Processing of Personal Data in GDPR", please send your inquiry to the following address:

Personal Information Handling Desk
JALUX Inc.
Address: Shinagawa Season Terrace 1-2-70 Konan, Minato-ku, Tokyo, 108-8209