Handling of Personal Information

Personal Information Protection Policy

SUGI Holdings Co., Ltd. and all other SUGI Pharmacy Group companies (hereinafter collectively referred to as the “Company”) strongly recognize the importance of protection of personal information. When the Company is provided with personal information, the Company’s social responsibility is to carefully handle and properly manage it. In order not to undermine your confidence in us as a community-oriented family pharmacy, the Company protects personal information received from you by complying with laws, regulations, and other norms concerning the protection of personal information and establishing voluntary rules and systems, in accordance with the policy stipulated below.

  1. Acquisition, Use, and Provision of Personal Information
    The Company will properly acquire and use personal information and will not use personal information in a manner that goes beyond the extent necessary to achieve the purpose of use unless it obtains the consent of its owner. The Company will not provide personal information to a third party (including a third party residing in a foreign state) unless it obtains the consent of the owner or the provision is legitimate under applicable laws, regulations, etc.

  2. Compliance with Laws, Regulations, and Norms Concerning the Handling of Personal Information
    The Company complies with laws, regulations, and guidelines stipulated by the national government as well as other norms concerning the handling of personal information.

  3. Preventing and Remediating Leakage of, Destruction of, or Damage to Personal Information
    In order to prevent leakage of, destruction of, or damage to personal information, the Company will develop necessary systems and implement appropriate information security measures, such as measures against unauthorized access and computer viruses.

  4. Handling of Complaints and Concerns
    Subject to the confirmation of rights to demand disclosure, correction, deletion, suspension of use, etc., of personal information, the Company will promptly take an appropriate action based on its internal procedures.

  5. Continual Improvement of Personal Information Protection Management System
    The Company will continually review and improve its personal information protection management system in order to maintain it in the best condition.

Established: October 9, 2018

SUGI Holdings Co., Ltd.
Katsunori Sugiura, Representative Director & President

Handling of Personal Information

In order not to undermine your confidence in us, SUGI Holdings Co., Ltd. and all other SUGI Pharmacy Group companies (hereinafter collectively referred to as the “Company”) thoroughly protect personal information received from you by complying with laws, regulations, and other norms concerning the protection of personal information and establishing voluntary rules and systems, in accordance with the Personal Information Protection Policy.
The Company handles any personal information held by the Company in the manner stipulated below. If there are any SUGI Pharmacy Group companies not subject to this Handling of Personal Information, they are disclosed here. In this case, the handling of personal information by such a company is governed by privacy policies established by the company.
The addresses and the representatives of SUGI Pharmacy Group companies are listed here.
The Company will continually revise and improve the Personal Information Protection Policy, the Handling of Personal Information, and other voluntary rules and systems. Revisions to these policies and rules will be announced on the website of the Company.

  1. Obtaining Personal Information
    In principle, the Company publishes the purpose of use of personal information on its website and obtains personal information from its owner only after obtaining the owner’s consent.

  2. Purpose of Use of Personal Information
    The Company uses personal information held by the Company of its customers, business partners, job applicants, employees and their families, and other related persons, such as ex-employees, for the purposes listed below.

    1. Customer information (excluding personal information obtained in the course of pharmacy services unless noted otherwise)

      • To sell and deliver products and provide after-sale services, such as repair
      • To offer information on products and services
      • To answer inquiries
      • For customer identification when a customer exchanges points, returns a product sold by the Company, uses an application, etc.
      • To send shareholder benefits, promotional gifts, items exchanged for points, etc.
      • To offer information on products and services by sending direct mails or emails or via SNS, applications, or the Internet, and to grant benefits such as points and deliver coupons in accordance with usage
      • To confirm and manage event invitations and applications
      • To request cooperation with questionnaire surveys and report results
      • To enable registration with services for members, such as point services, and to provide such services
      • To improve convenience of services for members and offer information to members
      • To provide payment services, such as credit card payment
      • For credit card issuers to conduct detection and prevention of unauthorized use
      • To conduct research and development and sales promotion for new products and services
      • To conduct research and development and sales promotion for products and services, such as efficiency improvement of in-store planogram, to examine measures to increase operating efficiency of the Company and its business partners and measures to stimulate markets, and to conduct marketing research and analysis, based on study and analysis of customers’ purchase history information, coupon use history information, footage of surveillance cameras installed in stores, etc.
      • To provide services (including the grant of benefits, such as coupons, and the provision of information on stores, products, and services that are suited to each customer’s location information) using location information obtained through the use of terminal devices by customers or from third parties (e.g., GPS information), to improve products and services based on study and analysis of location information and service usage, and to conduct research and development and other marketing research and analysis.
      • To provide information about clinical trials, public lectures, and promotional campaigns, distribute advertisements on products and services of the Company and third parties, and provide other various kinds of information (This includes provision of information mentioned above, advertisement distribution, and provision of other various kinds of information about pharmaceuticals that are tailored to each customer’s interests, concerns, hobbies, preferences, tendencies, etc., based on the analysis of each customer’s browsing history, purchase history, behavior history, history of consultation concerning cosmetics and health consultation, use of services, questionnaire responses, etc., obtained (hereinafter referred to as “Browsing History, etc.”), and prescription dispensing history and other information on customers who have used pharmacy services listed in (2) below. Advertisement distribution and provision of other various kinds of information about pharmaceuticals that are tailored to each customer’s interests, concerns, hobbies, preferences, tendencies, etc., based on such analysis are subject to the consent of each customer as prescribed in the following paragraph. Information about clinical trials is provided only when pharmacy services are used. However, when browsing history and other customer information obtained is compared to prescription dispensing history and other information on customers who have used pharmacy services listed in (2) below for analysis purposes, the Company obtains the consent of each customer separately in advance.)
      • To distribute advertisements and provide various kinds of information about pharmaceuticals (However, when the Company distributes advertisements or provides other various kinds of information mentioned above tailored to each customer’s interests, concerns, hobbies, preferences, tendencies, etc., based on the analysis of Browsing History, etc. of customers obtained and prescription dispensing history and other information on customers who have used pharmacy services listed in (2) below, the Company obtains the consent of each customer separately in advance. In addition, when browsing history and other customer information obtained is compared to prescription dispensing history and other information on customers who have used pharmacy services listed in (2) below for analysis purposes, the Company obtains the consent of each customer separately in advance.)
      • To provide personal information to third parties, such as advertisement distributors, data analysis service providers, and business alliance partners
      • To use information related to personal information of customers obtained from third parties, such as advertisement distributors, marketing companies, and DMP business operators, in combination with personal information of customers that is already held by the Company, for the purposes listed in this item
        Information related to personal information that is to be obtained by the Company may include the following items:
        • Cookie data and information collected using a technology similar to cookies
        • Advertising IDs
        • Identifiers on the Internet
        • URLs of subject websites browsed by customers and time of day of such browsing
        • Information about the terminal device and the browser used by customers to browse subject websites (including IP address, OS, and browser type)
        • Referrer information (URLs of external websites browsed by customers immediately before customers browse subject websites)
        • Browsing history, search history, purchase history, etc., and other information on attributes, taste, etc., available on websites and mobile applications that are linked to various identifiers, such as cookie IDs and advertising IDs
      • To conduct case studies on pharmaceuticals
      • To enable visits and deliveries for home-visit product sales (including home-visit prescription dispensing)
      • To conduct and manage health consultation and conduct health checkups, and to provide health guidance and conduct research and development and sales promotion for products and services based on their results
      • To conduct beauty counseling services and to provide beauty advice and conduct research and development and sales promotion for products and services based on their results
      • To conduct physical measurements and manage their results, prepare risk reports, conduct academic research, and provide health guidance
      • For consultation with insurance companies and claim procedures with them concerning various liability insurance policies
      • For communication and interaction with customers that are necessary for business purposes
    2. Information on customers (patients) who have used pharmacy services

      • To provide prescription dispensing services
      • To sell pharmaceuticals, medical equipment, etc.
      • To monitor matters necessary to ensure safe use of pharmaceuticals (such as history of adverse reactions, medical history, allergy, constitution, concomitant medications, and contact information for neighbors and in case of emergency)
      • To provide family members with explanation about drugs
      • To provide answers to inquiries from hospitals, clinics, etc.
      • To coordinate with other medical institutions and seek opinions and advice from doctors and other professionals
      • To carry out medical insurance administration work (submission of prescription dispensing fee statements to examination and payment agencies, making inquiries to examination and payment agencies and payers, providing answers to inquiries from examination and payment agencies and payers, etc.)
      • To consult with or notify insurance companies about accidents or other matters
      • To prepare basic materials for the maintenance and improvement of prescription dispensing services and pharmacy services (including those based on camera footage obtained from security cameras installed inside pharmacies)
      • To conduct case studies
      • To provide information about clinical trials, public lectures, and promotional campaigns, distribute advertisements on products and services of the Company and third parties, and provide other various kinds of information (This includes provision of information mentioned above, advertisement distribution, and provision of other various kinds of information about pharmaceuticals that are tailored to each customer’s interests, concerns, hobbies, preferences, tendencies, etc., based on the analysis of prescription dispensing history and other customer information and each customer’s Browsing History, etc. listed in (1) above. Advertisement distribution and provision of other various kinds of information about pharmaceuticals that are tailored to each customer’s interests, concerns, hobbies, preferences, tendencies, etc., based on such analysis are subject to the consent of each customer as prescribed in the following paragraph. However, when prescription dispensing history and other customer information is compared to each customer’s Browsing History, etc. listed in (1) above for analysis purposes, the Company obtains the consent of each customer separately in advance.)
      • To distribute advertisements and provide various kinds of information about pharmaceuticals (However, when the Company distributes advertisements or provides other various kinds of information mentioned above tailored to each customer’s interests, concerns, hobbies, preferences, tendencies, etc., based on the analysis of prescription dispensing history and other customer information and each customer’s Browsing History, etc. listed in (1) above, the Company obtains the consent of each customer separately in advance. In addition, when prescription dispensing history and other customer information is compared to each customer’s Browsing History, etc. listed in (1) above for analysis purposes, the Company obtains the consent of each customer separately in advance.)
      • To conduct practical training for pharmacy students on pharmacy operation
      • To prepare and analyze statistical materials obtained from prescription dispensing history and other information
      • To provide information to government agencies and external audit agencies
    3. Information on Business Partners

      • To execute and perform contracts with business partners
      • To answer inquiries
      • To inform of products and services, request cooperation with questionnaire surveys, and report their results
      • To register and manage information on other parties in real estate lease agreements
      • To request lecturers at seminars
      • For other communication and interaction with business partners that are necessary for business purposes
    4. Information on Job Applicants

      • To inform and manage recruitment activities (events, such as information sessions, seminars, internship programs, and job interviews)
      • To notify applicants of selection results (pass/fail)
      • To execute and manage employment contracts with the Company
      • To contact applicants for the provision of relevant information in paid employment placement services and worker dispatching services
      • To inform of products and services, request cooperation with questionnaire surveys, and report their results
      • To prepare various statistical materials concerning recruitment
      • To receive and answer inquiries
      • To perform services incidental to the purposes listed above
    5. Information on Employees, Their Families, and Other Related Persons, Such as Ex-employees

      • For personnel management and labor management of employees
      • Information on families, etc. is used for various procedures required by laws and regulations, as well as for the provision of various allowances, emergency communication, and the processing of fidelity guarantee contracts under internal regulations
      • To prepare an internal contact network
      • To request cooperation with questionnaire surveys and report results
      • To conduct training and prepare a roster of training participants
      • To manage entrance/exit records for offices and stores
      • To send information on and conduct specific health guidance
      • To manage the qualifications of qualified persons, such as pharmacists and registered dietitians
      • To confirm eligibility for employee discount programs
      • To submit applications to administrative agencies
      • To contact to offer various kinds of information (including requests for cooperation with questionnaire surveys) after retirement
      • To perform services incidental to the purposes listed above
      • For other communication and interaction that are necessary for business purposes
  3. Cookie and Similar Technologies
    The website of the Company uses cookies and other similar technologies (hereinafter collectively referred to as “Cookies”) in order to identify customers and other users of the website of the Company. This is useful for the Company to offer information that meets the needs of customers as they search on and browse the website of the Company. In addition, the Company uses Cookies to improve its website and deliver content and advertisements that meet the needs of customers.
    Customers who wish to reject or delete Cookies are advised to refer to help information and other support information on Internet browsers. Customers who have deleted or disabled Cookies may not be able to use some or all of the functions of the website of the Company.
    The Company uses Google Analytics and Firebase provided by Google. The Company may, based on Cookies set by Google or the Company, collect the browsing history of customers, receive analysis results, and use them to monitor use by customers or in the Company’s services. For the mechanism of information collection and processing in the services of Google and its privacy policy, please visit the following URLs:
    Use of collected information by Google: https://policies.google.com/technologies/partner-sites?hl=en
    Google’s privacy policy: https://policies.google.com/privacy?hl=en

  4. External transmission regulations
    In providing its own services, the Company uses services provided by the service providers listed in Appendix (hereinafter referred to as “External Services”). As the Company uses these services, customer information necessary for the use of External Services is transmitted externally to the service providers of these External Services (i.e., transmitting user information from a customer's device to a server of a person other than the customer using cookie or similar technologies). The Company discloses in Appendix certain matters concerning External Services that it is using for external transmission purposes pursuant to the external transmission regulations under the Telecommunications Business Act. For the purpose of use of transmitted customer information by recipients, please refer to the information available for your inspection from the links provided in Appendix.

  5. Security Control Measures for Personal Data
    The Company has implemented technically and systematically strict security measures in order to prevent the leakage of, destruction of, damage to, and unauthorized access to the personal data held by the Company.
    Security control measures for personal data are specifically stipulated by internal regulations, and their main features are described below.

    1. Establishment of a Basic Policy
      In order to ensure that personal data are handled properly, the Company has established the “Personal Information Protection Policy” and the “Handling of Personal Information” to prescribe compliance with applicable laws, regulations, guidelines, etc., and the contact for accepting inquiries and handling complaints, among other things.

    2. Establishment of Regulations Concerning the Handling of Personal Information
      The Company has stipulated handling methods for each stage of processing of personal information, such as acquisition, use, storage, provision, disclosure, suspension of use, and disposal, and has established personal information protection regulations that provide for the assignment and duties of responsible persons, managers, and persons in charge.

    3. Systematic security control measures
      The Company has appointed a person responsible for the handling of personal information and clarified the employees who handle personal information and the scope of personal data handled by them. The Company has also established a reporting system to ensure that any violation of laws and regulations or personal information handling regulations or indication of such violation that is detected will be reported to the responsible person and regularly conducts self-checks on the status of handling of personal data.

    4. Human security control measures
      The Company regularly provides education to employees on points to be considered in handling personal data. The Company has also prescribed, in its Employment Rules, matters concerning the confidentiality of personal data.

    5. Physical security control measures
      The Company has imposed restrictions on equipment to be taken into the areas where personal information is handled and has implemented measures to prevent unauthorized persons from browsing personal data held by the Company.

    6. Technical security control measures
      The Company has implemented access control to limit those employees who handle personal information databases, etc. and the scope of personal information handled by them. The Company has introduced a mechanism to protect information systems that handle personal data from unauthorized access or unauthorized software from outside.

    7. Monitoring of the external environment
      When handling personal data in a foreign country, the Company takes necessary and appropriate measures to ensure the same management of personal data after understanding, among other things, local requirements of that country concerning the protection of personal information.

  6. Provision of Personal Information to Third Parties

    1. The Company will not provide any personal data of customers without obtaining their consent except as part of shared use and outsourcing unless the provision of personal data falls under any of the cases listed in 6.(2) above or any of the cases listed below:

      • A. Where the provision of personal data is required or permitted by laws and regulations.
      • B. Where such provision is necessary for the protection of the life, body, or property of a person, and it is difficult to obtain the consent of the owner of the personal data.
      • C. Where such provision is particularly necessary for the improvement of public hygiene or the promotion of the sound growth of children, and it is difficult to obtain the consent of the owner of the personal data.
      • D. Where there is a need to cooperate with a national government organization, a local government, or a person entrusted by them in performing affairs prescribed by laws and regulations, and there is a possibility that obtaining the consent of the owner of the personal data will interfere with the performance of such affairs.
      • E. Where personal data are provided to a third party that is an academic research institute or a similar organization that needs to handle such personal data for the purpose of academic research (including cases where one of the purposes of handling such personal data is academic research, but excluding cases where the provision of such personal data may wrongfully infringe the rights and interests of an individual).
    2. The Company may provide personal data to other SUGI Pharmacy Group companies, advertisement distributors, or data analysis service providers. The Company may also provide the following personal data on customers that have been provided to the Company and statistical information that is not linked to specific individuals to a third party that is its business alliance partner, subject to the customer’s consent to the “Handling of Personal Information.” However, information on customers who have used pharmacy services is not provided as the following personal data, except in the form of statistical information that is not linked to specific individuals, and may be provided to third parties only to the extent necessary for the achievement of the purpose of use listed in “2. Purpose of Use of Personal Information” “2. Information on customers who have used pharmacy services” above.

      • A. The items of personal data provided to third parties are limited to the following items (hereinafter referred to as “Provided Data”):

        • Member code (including member code at business alliance partners)
        • Name
        • Year and month of birth
        • Sex
        • Email address
        • Telephone number
        • Zip code and area of residence (prefecture and municipality)
        • Purchase history (including purchase date and time, store of purchase, purchased product (JAN code), purchase quantity, purchase amount, and payment method)
        • Terminal identifier
        • Advertising IDs
        • Answers to various questionnaire surveys
      • B. The purposes of use by the third-party recipients are as follows:

        • To analyze Provided Data and prepare statistical information on Provided Data
        • To place ads, deliver coupons, and evaluate the effectiveness of sales promotion measures
        • To plan and implement marketing measures
        • To provide data to external companies, such as manufacturing companies, other advertisement distributors, and data analysis service providers
        • To enable the third-party recipient to develop and provide various products and services
        • To offer information on products and services by sending direct mails or emails or via SNS, applications, or the Internet
        • To improve the convenience of the services of the Company and to perform them smoothly
      • C. The methods of provision of personal data listed above to third-party recipients are as follows:

        • Transmission by email
        • Sending of external storage media, such as CD-ROM
        • Upload to a server
      • D. The Company will implement security control measures, such as the encryption of the method of provision and data access restrictions, for the personal data listed above.

    3. When a customer makes a credit card payment on the Company's website or application, the Company provides the customer's personal information (name, telephone number, email address, IP address of the terminal device used, information on the Internet usage environment, etc.) to the credit card issuer used by the customer for the credit card issuer to conduct detection and prevention of unauthorized use. If the credit card issuer used by the customer is located in a foreign country, the information may be transferred to the country where the issuer is located. As the Company can neither identify the card issuer nor the country in which it is located based on the information the Company obtains from a customer, the Company is unable to provide the name of the country in which the card issuer is located, information on the personal information protection system in that country, or information on the measures the card issuer takes to protect personal information. The website of the Personal Information Protection Commission (https://www.ppc.go.jp/) provides information on personal information protection systems in various countries.

  7. Shared Use of Personal Data
    The Company may share use of personal data with the shared users listed below.

    1. Items of Personal Data Subject to Shared Use

      • Name, address, telephone number, date of birth, sex, email address, purchase history, and other information registered with the Company through a questionnaire or by other means.
    2. Scope of Shared Users

      • SUGI Holdings Co., Ltd. and SUGI Pharmacy Group companies. If there are any SUGI Pharmacy Group companies not included in the scope of shared users, they are disclosed here.
    3. Purpose of Use of Shared Users

      • To the extent necessary for the achievement of the purposes of use listed in 2 above.
    4. Persons Responsible for Managing the Shared Use of Personal Data

      • SUGI Holdings Co., Ltd.
        The address and the representative of SUGI Holdings Co., Ltd. are available here for your inspection.
  8. Outsourcing of the Handling of Personal Information
    The Company may outsource the handling of personal information to a party that has implemented sufficient measures to protect personal information. The Company will execute an agreement on the protection of personal information with such outsourcee and provide necessary and appropriate supervision of it.

  9. Handling of Anonymized Personal Information
    For the handling of anonymized personal information, please visit here.

  10. Procedure for Disclosure of Personal Data
    When the Company receives a request at the contact indicated below for the disclosure, correction, addition, deletion, suspension of use, or suspension of provision to third parties of personal data held by the Company or for the disclosure of record of provision of such data to third parties, the Company will respond appropriately based on its internal procedures after confirming that the person who requested such an action is the rightful owner of the personal data.

  11. Inquiries about the Handling of Personal Information
    Any inquiries about the handling of personal information by the Company are accepted at the contact indicated below.
    Inquiries about personal information are accepted at the following:
    Customer Support Office, Sugi Pharmacy Co., Ltd.
    Telephone: 81-120-921-771
    Business hours: 10:00 a.m. to 7:00 p.m.
    Such inquiries are recorded and used by the Company to improve its customer services and customer satisfaction. It should be noted that you may be directly contacted by and receive an answer to your inquiry from an external party as requested by the Company depending on the nature of your inquiry if the Company determines that it is appropriate for the inquiry to be answered by such an external party.

Revised: June 1, 2024
Revised: March 1, 2025

SUGI Holdings Co., Ltd.
Katsunori Sugiura, Representative Director & President
Company information is available here.

[Appendix]

Service provider/service name | Transmitted customer information | Purpose of use by the Company | Privacy policies of the recipient | SUGIsapo Walk | SUGI Pharmacy app

Google LLC/Google Analytics
  Transmitted customer information:
  • Information that identifies the person who browsed or the device used for browsing (such as cookie identifiers, device identifiers (e.g., AAID, IDFA), and client identifiers)
  • Location information of devices used for browsing (IP address, etc.)
  Purpose of use by the Company:
  • To analyze browsing trends and history
  Privacy policies of the recipient: See here for details.

Google LLC/Google Tag Manager
  Transmitted customer information:
  • Device information (device ID, device model, OS, and IP address)
  • Location information
  • Browser information (user agent, HTTP method, HTTP request header, cookie IDs, etc.)
  • Operation information (app information, access URL, referrer, date and time, session information, etc.)
  • History information (including history specific to an app)
  Purpose of use by the Company:
  • To distribute and optimize advertisement
  • To measure advertising effectiveness and improve products
  • To investigate and analyze the use of services
  • To improve services and consider new services
  • To provide services suited to customers
  Privacy policies of the recipient: See here for details.

Google LLC/Firebase
  Transmitted customer information:
  • Device information (device ID, device model, OS, country/region information, locale (language), IP address, communication environment, etc.)
  Purpose of use by the Company:
  • To distribute and optimize advertisement
  • To measure advertising effectiveness and improve products
  Privacy policies of the recipient: See here for details.

AppsFlyer Ltd./AppsFlyer
  Transmitted customer information:
  • Device information (advertising identifiers, OS, IP address, etc.)
  • Browser information (such as user agent)
  • Operation information (such as app information)
  Purpose of use by the Company:
  • To distribute and optimize advertisement
  • To measure advertising effectiveness and improve products
  Privacy policies of the recipient: See here for details.

Google LLC/Firebase Crashlytics
  Transmitted customer information:
  • Device information (device ID, device model, OS, country/region information, locale (language), IP address, communication environment, etc.)
  Purpose of use by the Company:
  • To analyze browsing trends and history
  Privacy policies of the recipient: See here for details.

Google LLC/Google Advertising
  Transmitted customer information:
  • Device information (device model, OS, etc.)
  • Browser information (cookie IDs, user agent, etc.)
  • Operation information (access URL, referrer, date and time, etc.)
  • Operation information on advertisement
  Purpose of use by the Company:
  • To distribute and optimize advertisement
  • To measure advertising effectiveness and improve products
  • To investigate and analyze the use of services
  Privacy policies of the recipient: See here for details.

Unerry Inc./Beacon Bank
  Transmitted customer information:
  • Information on terminal devices, such as smartphones (model and manufacturer of the terminal device, the version of the OS on the terminal device)
  • Advertising IDs (IDFA, Google Advertising ID, etc.)
  • Location information on smartphones, etc.
  • Information on beacons in the neighborhood
  • IP address
  • Information on the use of this application (including whether the use of location information is permitted, on/off of Bluetooth, date and time of browsing and opening of push-time contents, and information on beacons that have responded)
  • Segment information on application users that are determined to be necessary by the operator (such as age group, sex, and profession, but excluding personal information)
  Purpose of use by the Company:
  • As marketing information for improvements
  • To identify customers in providing services
  • To obtain information on beacons in the neighborhood and to provide information on the neighborhood
  • To provide information on the neighborhood based on the location information of customers (which does not identify individuals) and to register beacon information
  • To improve the accuracy of customer identification during the provision of a service
  • To monitor usage
  • To provide marketing information
  Privacy policies of the recipient: See here for details.

Information Security Basic Policy

The SUGI Pharmacy Group (an enterprise group led by SUGI Holdings Co., Ltd.) has been engaging in management to contribute to society by effectively utilizing assets and resources borrowed from society (people, things, money, information, etc.) and continuing to provide profits to society. To realize this, the SUGI Pharmacy Group understands that it is its top priority management issue to strengthen the information security of the entire Group by protecting its customers’ personal information and other information assets owned by us from various threats, including unauthorized access and cyberattacks.

Based on this concept, the Group established the following “Information Security Basic Policy.” Going forward, we will endeavor to maintain and improve information security through compliance with and proper handling of this Policy, the separately documented “Handling of Personal Information (Privacy Policy),” and other internal rules by our officers and employees.

  1. 1 Purpose
    The purpose of this Policy is to protect the information assets of the SUGI Pharmacy Group and its customers from any and all internal and external threats that arise intentionally or accidentally for stable continuation of business activities by prescribing the structure of and measures to develop and operate an information security management system.

  2. 2 Basic Principles

    1. 1 The SUGI Pharmacy Group shall properly handle any information received from individuals and organizations in the course of its business to protect their rights and interests.

    2. 2 The SUGI Pharmacy Group shall properly handle any trade secrets, technical information, and other valuable information in the course of its business to protect its rights and interests.

    3. 3 The SUGI Pharmacy Group shall strive to ensure and improve information security of customers and ultimately to answer the trust of customers and the whole society by conducting studies and human resource development on information security measures.

  3. 3 Scope of Application
    This Policy applies to all officers and employees of the SUGI Pharmacy Group.

  4. 4 Information Security Structure
    The SUGI Pharmacy Group shall develop and implement the following information security structure by recognizing various threats to information security as risks in business execution:

    1. 1 The SUGI Pharmacy Group shall establish an Information Security Committee to accurately monitor the status of information security and discuss information security measures. The Information Security Committee shall develop the capability to promptly implement group-wide information security measures and report their activities to the Sustainability Committee.

    2. 2 Information security risk management of the whole SUGI Pharmacy Group shall be overseen by the Risk Committee, which is established within the Sustainability Committee.

    3. 3 The SUGI Pharmacy Group shall appoint an Information Security Officer who is responsible for protecting and properly managing the information assets of the whole Group. The Information Security Officer shall chair the Information Security Committee. The Information Security Officer shall have the responsibility and authority over the execution of information security measures in the SUGI Pharmacy Group.

    4. 4 For the purpose of preventing and correcting systematic or individual violation of laws and regulations or misconduct, the SUGI Pharmacy Group has established an internal reporting system. This system is operated based on internal regulations. Reporting contacts are established at the Legal Affairs Office of SUGI Holdings Co., Ltd. and at an external law firm. It is also provided for by internal regulations that reporters shall not be treated in a disadvantageous manner.

  5. 5 Information Security Measures

    1. 1 Continual Improvement of Information Security Measures
      The SUGI Pharmacy Group shall formulate an implementation plan for information security measures by taking account of information security risks and shall evaluate whether the plan has been implemented steadily. The Group shall also develop a process for continual improvement (PDCA).

    2. 2 Establishment of Regulations and Legal Compliance
      The SUGI Pharmacy Group shall establish internal regulations for proper implementation of information security measures and make sure that its officers and employees fully understand them. The SUGI Pharmacy Group shall severely deal with any violation of laws and regulations or internal regulations concerning information security.

    3. 3 Securing Resources

      1. 1 The SUGI Pharmacy Group shall secure and deploy management resources necessary for the proper implementation of information security measures.

      2. 2 The SUGI Pharmacy Group shall systematically and continually develop and secure human resources necessary for the implementation of information security measures.

      3. 3 The SUGI Pharmacy Group shall enlighten and educate its officers and employees on information security to make them realize its importance and act accordingly.

      4. 4 The SUGI Pharmacy Group shall actively participate in information sharing activities outside the Group and reflect the results of such activities in its information security measures.

    4. 4 Sharing of Information Security with Business Partners
      The SUGI Pharmacy Group shall inform its business partners, such as customers and suppliers, affiliated companies, and external contractors, of the SUGI Pharmacy Group’s policies and regulations concerning information security and request that they ensure proper information security.

    5. 5 Information Disclosure
      The SUGI Pharmacy Group shall properly disclose information about its information security initiatives in order to increase the confidence of its stakeholders.

    6. 6 External Audits
      In order to ascertain that the SUGI Pharmacy Group complies with laws and regulations, norms established by administrative agencies and industrial associations, and internal regulations and rules, etc. concerning information security in the course of its business execution and ascertain that they function effectively, the SUGI Pharmacy Group shall conduct external audits of information security regularly and as necessary. The SUGI Pharmacy Group shall severely deal with any violation in order to manage information properly.

    7. 7 Realization of a System that Reflects Information Security Measures
      The SUGI Pharmacy Group shall realize a system that reflects information security measures in order to prevent accidents, such as unauthorized access, destruction, leakage, falsification, etc., of information assets.

    8. 8 Reinforcement of Cybersecurity Measures
      The SUGI Pharmacy Group recognizes the reinforcement of cybersecurity measures as one of its key measures and takes protection measures against the threats to such technologies. The SUGI Pharmacy Group shall, by using the latest digital and information technologies, work to improve cybersecurity measures, such as security review on application systems, security review during design and development processes, vulnerability diagnosis by a third-party organization, monitoring of unauthorized access after the start of operation, and responses to vulnerability.

    9. 9 Improving Information Security Literacy
      The SUGI Pharmacy Group shall work to improve the information security literacy of its officers and employees by continually conducting education and training for them to properly manage the information assets of the whole Group.

  6. 6 Protection of Personal Information of Customers
    The SUGI Pharmacy Group shall conduct personal information protection activities for any personal information that it handles in the course of all its business activities based on the “Handling of Personal Information (Privacy Policy)” and implement necessary protection and appropriate security measures.

  7. 7 Handling of Information Security Incidents
    The SUGI Pharmacy Group shall develop and implement the following structure and response plans in order to be prepared for the materialization of information security risk (hereinafter referred to as “Information Security Incidents”):

    1. 1 The SUGI Pharmacy Group shall develop a reporting system and an initial response manual for Information Security Incidents, make persons concerned fully aware of them, and regularly conduct practical training.

    2. 2 When a serious Information Security Incident occurs at the SUGI Pharmacy Group, the head of the department that has detected the incident shall promptly report it to the Information Security Officer. The Information Security Officer shall report the Information Security Incident to the Representative Director & President of SUGI Holdings Co., Ltd. as appropriate.

    3. 3 When the Representative Director & President of SUGI Holdings Co., Ltd. has received a report of an emergency situation, the Representative Director & President shall promptly establish emergency headquarters as necessary. The emergency headquarters shall strive to resolve the issue as soon as possible through appropriate responses while striving to identify the cause and developing and implementing measures to prevent recurrence.

    4. 4 When an Information Security Incident occurs, it shall be reported to competent public authorities and notified to persons concerned appropriately depending on the situation.

  8. 8 Amendment/Abolition
    The amendment/abolition of this Policy is subject to a resolution of the Board of Directors of SUGI Holdings Co., Ltd.
    However, minor amendments, such as a change in the name of an organization, may be implemented at the discretion of the Information Security Officer.

  9. 9 Continual Improvement
    The SUGI Pharmacy Group regularly evaluates and reviews the initiatives mentioned above in order to continually improve information security management in response to the latest developments in information security inside and outside the Company and changes in information technologies.

Revised: June 1, 2021
SUGI Holdings Co., Ltd.
Information Security Committee
Kazuya Morinaga, Chairperson

Handling of My Number

Basic Policy on the Proper Handling of Specific Personal Information, etc.

  1. 1 Compliance with Applicable Laws, Regulations, Guidelines, etc.
    In handling Individual Numbers and Specific Personal Information (hereinafter referred to as “Specific Personal Information, etc.”), SUGI Pharmacy Group companies will comply with the Act on the Use of Numbers to Identify a Specific Individual in Administrative Procedures, the Act on the Protection of Personal Information, and other norms, including guidelines established by the Specific Personal Information Protection Commission or other competent bodies.

  2. 2 Purpose of Use
    SUGI Pharmacy Group companies use the obtained Specific Personal Information, etc. for the following purposes:

    1. 1 Specific Personal Information, etc. on business partners

      • For the preparation of payment records on real estate transactions
      • For the preparation of payment records on remuneration, fees, etc.
    2. 2 Specific Personal Information, etc. on shareholders

      • For the preparation of payment records on dividend and distribution of surplus
    3. 3 Specific Personal Information, etc. on employees and their family dependents

      • For the preparation of withholding receipts
      • For the preparation of return for (changes in) deduction for dependents, etc., and return for insurance premium deduction and special spousal deduction for salary income earners
      • For the preparation of return on retirement income
      • For the submission of returns, notices, and applications concerning asset-building housing savings and asset-building pension savings
      • For the provision to the Employees’ Shareholding Association for it to prepare payment records for those who are its members
      • For the submission of notices and applications and billing concerning health insurance and employees’ pension insurance
      • For the submission of notices and applications and billing concerning unemployment insurance and worker’s accident insurance
  3. 3 Matters Concerning Security Control Measures
    SUGI Pharmacy Group companies shall build systems that are necessary to realize proper management of Specific Personal Information, etc. and establish and comply with handling regulations on them.

  4. 4 Continual Improvement
    SUGI Pharmacy Group companies shall continually improve this Basic Policy and other internal regulations in order to ensure that Specific Personal Information, etc. is properly protected.

Preparation and Provision to Third Parties of Anonymized Personal Information

SUGI Holdings Co., Ltd. and all other SUGI Pharmacy Group companies (hereinafter collectively referred to as the “Company”) prepare as anonymized personal information the information items of customers listed below that are held by the Company and provide the anonymized personal information to third parties for the purpose of study and analysis for management improvement after implementing appropriate safeguards to prevent the anonymized personal information from being used to identify specific individuals and the personal information used to prepare the anonymized personal information from being restored. The Company also plans to prepare similar anonymized personal information repeatedly on an ongoing basis.

Personal Information Items

  • Year of birth (fixed at 1932 for those who are 90 years or older)
  • Sex
  • Prescription medical institution code (only for medical institutions with 100 beds or more and more than one doctor)
  • Pharmacy information (medical institution code, location, and name)
  • Special notes (applicable only in the cases falling under the codes of 07 “老併”, 08 “老健”, or 09 “施”)
  • Name of prescription drug
  • Usage and dosage
  • Claim points
  • Amount of co-payment

Method of Provision

Download by recipients from a secure server of the Company

Inquiries about Anonymized Personal Information

Any inquiries about the handling of anonymized personal information by the Company are accepted at the contact indicated below.

Inquiries about personal information are accepted at:
Customer Support Office, Sugi Pharmacy Co., Ltd.
Telephone: 81-120-921-771
Business hours: 10:00 a.m. to 7:00 p.m.