When the Company acquires personal information directly from customers, etc. in writing relating to the railway business, which mainly involves the operation of the Tokaido Shinkansen, and related businesses (such as real estate leasing and non-life insurance agency business) (hereinafter referred to as "Railway Business, etc."), the Company shall expressly indicate the purpose of use of the relevant personal information, in accordance with the Act, on each occasion. Personal information shall be handled within the scope of the following purpose of use when personal information is acquired directly or indirectly other than in written form:

1. For providing products and services related to the Railway Business, etc.;
2. For introducing products, services, various events, campaigns, etc., related to the Railway Business, etc., and providing various types of information;
3. For analyzing trends related to customers, etc., conducting research and analysis for product development, etc., and examining and developing software, systems, equipment, devices, etc. to ensure security, concerning the Railway Business, etc.;
4. For conducting questionnaires, sweepstakes, etc., and sending information or prizes, etc., to the winners;
5. For ensuring safety (such as ensuring the security of customers and employees, and managing the facilities and equipment) in the Railway Business, etc.;
6. For executing, maintaining, and managing contracts, and for giving notices and handling claims, etc. under contracts;
7. For confirming various terms and conditions for contracts (e.g., confirmation of whether a person is the principal, confirmation of qualifications for purchase, etc.);
8. For receiving and responding to opinions, requests, and inquiries, and visits from customers, etc.;
9. For sending various letters of information, seasonal greetings, etc., and for contacting customers, etc.;
10. For allowing the Company to contact customers, etc.;
11. For business analysis and other research and studies;
12. For social contribution activities;
13. For employment management, recruitment screening, and provision of Company information;
14. For medical practices; and
15. For performing acts based on the relationship between the Company and shareholders.

The purpose of use of Company’s retained personal data is as follows:

1. For providing products and services related to the Railway Business, etc.;
2. For introducing products, services, various events, campaigns, etc., related to the Railway Business, etc., and providing various types of information;
3. For analyzing trends related to customers, etc., conducting research and analysis for product development, etc., and examining and developing software, systems, equipment, devices, etc. to ensure security, concerning the Railway Business, etc.;
4. For conducting questionnaires, sweepstakes, etc., and sending information or prizes, etc. to the winners;
5. For ensuring safety (such as ensuring the security of customers and employees, and managing the facilities and equipment) in the Railway Business, etc.;
6. For executing, maintaining, and managing contracts, and for giving notices and handling claims, etc. under contracts;
7. For confirming various terms and conditions for contracts (e.g., confirmation of whether a person is the principal, confirmation of qualifications for purchase, etc.);
8. For receiving and responding to opinions, requests, and inquiries, and visits from customers, etc.;
9. For sending various letters of information, seasonal greetings, etc., and for contacting customers, etc.;
10. For allowing the Company to contact customers, etc.;
11. For business analysis and other research and studies;
12. For social contribution activities;
13. For employment management, recruitment screening, and provision of Company information;
14. For medical practices; and
15. For performing acts based on the relationship between the Company and shareholders.

• In situations where the Company indicates the purpose of use, etc. to the principal separately by notifying the principal or obtaining approval of the terms of use, etc., the details of such individually designated purpose of use, etc. shall take precedence over the descriptions in 1. and 2. above. We appreciate your understanding.

With respect to the request, etc. for disclosure, etc. concerning retained personal data of the Company, the Company shall respond to requests for disclosure, alteration, suspension of use, and similar requests to the extent required by applicable laws and regulations, after confirming that the relevant person is, or is acting on behalf of, the principal. Please submit your requests, etc. for disclosure, etc. to the following contact points, [1] through [9], depending on the purpose of the request:

1. Contact point concerning Express Reservation (Japanese only)
2. Contact point concerning smart EX (Japanese only)
3. Contact point concerning 50+ (Fifty Plus) (Japanese only)
4. Contact point concerning Zipangu Club (Japanese only)
   Name

   JR Central Zipangu Club Office

   Telephone

   052-581-0746

   Reception
   hours

   10:00–17:00 (excluding Saturdays, Sundays and holidays)
5. Contact point concerning recruitment (Japanese only)
6. Contact point concerning shareholders (Japanese only)
7. Contact concerning Nagoya Central Hospital (Japanese only)
8. Contact point concerning EXPRESS WORK (Japanese only)
9. Contact point concerning other matters (which do not fall within any of [1] through [8] above) (Japanese only)

• There may be a fee associated with some of the requests regarding disclosure, etc. In addition, the Company may not be able to provide requested services following a request for the suspension of use or deletion. We appreciate your understanding and cooperation.

The Company shall jointly use personal data, as an exception to provision of personal data to a third party, in the following cases:

1. Contact point concerning Express Reservation (Japanese only)
2. Contact point concerning smartEX (Japanese only)
3. Contact point concerning TOICA (Japanese only)
4. Contact point concerning 50+ (Fifty Plus) (Japanese only)
5. Contact point concerning EXPRESS WORK (Japanese only)

The measures that the Company takes to securely manage the retained personal data acquired from customers, etc. are as follows:

1. Formulation of a basic policy:
   Formulate a basic policy for compliance, etc. with the relevant laws and regulations, and guidelines to secure the proper handling of personal information;
2. Development of personal data handling rules:
   Formulate internal rules and manuals for the handling method, managers and responsible persons, and their duties, etc. for the respective stages of acquisition, use, storage, provision, deletion, destruction, etc.;
3. Organizational measures for secure management:
   • Appoint a chief privacy officer (CPO) as the manager responsible for the handling of personal data; clearly define the employees who handle personal data, and the scope of personal data handled by those employees; and develop a system to report to the CPO when any leakage, etc., or violation of internal rules occurs or is found to be likely to occur; and
   • Conduct internal audits to ensure that personal data are handled in compliance with the relevant laws and regulations, guidelines and internal rules;
4. Measures for secure management by human resources:
   Provide employees with regular training for consideration in handling personal data;
5. Physical measures for secure management:
   • Manage employees’ entries in and exits from the areas where personal data are handled, and restrict the devices, etc. used in those areas; and take measures to prevent unauthorized persons from accessing personal data; and
   • Take measures to prevent theft, loss, etc. of devices, electronic media, documents, etc., with, on or in which personal data are handled; and take measures to protect the confidentiality of personal data to ensure that they are not easily identified when carrying such devices, electronic media, etc., including moving within the Company premises; and
6. Technical measures for secure management:
   • Control access and restrict the scope of responsible persons, and the personal information databases, etc. handled by those persons; and
   • Implement a mechanism to protect the information systems used to handle personal data against unauthorized access by outsiders, or unauthorized software; and
7. Understanding the external environment:
   When handling personal data in a foreign country, implement measures for secure management by understanding the personal information protection system in the foreign country.