Personal Information Protection and Privacy
Governance
Implementation Framework for Personal Information Protection and Privacy
NEC has appointed a Chief Legal Officer (CLO) as the corporate officer in charge of personal information protection, and has established the position of Personal Information Protection Administrator as well as the Personal Information Protection Promotion Office to promote personal information protection at the corporate level.
The head of the department responsible for protecting personal information serves as the Personal Information Protection Administrator, and is the person in charge of implementing the personal information protection management system. This person is also responsible for protecting specific personal information related to the numbers to identify a specific individual in administrative procedures (Individual Number which is called My Number).
The Risk Management and Compliance Department plays a central role in promoting the protection of personal information within the NEC Group under the leadership of the Personal Information Protection Promotion Office Manager appointed by the Personal Information Protection Administrator.
In the Group Internal Audit Division, this is handled by the Chief Personal Information Protection Auditor, who conducts regular audits of privacy protection in conformance with Japanese Industrial Standard JIS Q 15001 (Personal information protection management systems—Requirements).
The general managers of each department are responsible for directing personal information protection in their respective departments. Each general manager appoints a Personal Information Protection Administrator, who is responsible for carrying out personal information protection management for the department, and a Personal Information Protection Professional, who possesses expert insight regarding personal information protection. The personal information protection management system operates based on each division’s inspection of the status of personal information handling to identify risks, including human rights and privacy issues, and improvement in handling rules based on the inspection results.
The person responsible for each project ensures that persons who handle personal information undertake thorough personal information protection measures.
Privacy Mark
In October 2005, NEC Corporation received Privacy Mark certification, recognizing it as a business operator with systems in place to ensure appropriate protection measures for personal information in conformance with JIS Q 15001.
Consolidated Subsidiary Management Framework
Our consolidated subsidiaries in Japan have built systems to comply with the Act on the Protection of Personal Information and the Act on the Use of Numbers to Identify a Specific Individual in Administrative Procedures (also known as the My Number Act). In addition, just as with NEC Corporation, they have built a personal information protection management system to conform with JIS Q 15001. As of the end of March 2024, 27 NEC Group companies (in Japan) have obtained Privacy Mark certification.
At our consolidated subsidiaries outside Japan, we have appointed a Personal Information Protection Administrator at each major subsidiary to promote the protection of personal information. In addition, we have established common personal information protection guidelines and introduced personal information protection rules that comply with the laws and regulations of each country and region applicable to each company, such as personal information protection laws.
Strategy
Policy on Personal Information Protection and Privacy
The NEC Group Code of Conduct stipulates respect for human rights and privacy and the management of personal information, and NEC has positioned “Provision and Utilization of AI with Respect for Human Rights as the Highest Priority (AI and Human Rights),” including personal information protection initiatives, as a priority management theme from an ESG perspective—materiality. From this perspective, we are tackling prevention of any privacy-related issues stemming from the handling of personal information, in addition to undertaking other personal information protection measures.
The NEC Privacy Policy stipulates that personal information must be handled in accordance with JIS Q 15001.
Consolidated subsidiaries in Japan set their personal information protection policies using NEC Corporation’s Privacy Policy as the standard.
Consolidated subsidiaries outside Japan set their policies to conform with the applicable local laws of their respective countries, and those policies are then checked by NEC Corporation.
Metrics and Targets
Medium- to Long-term Goals, Priority Activities and Progress, Achievements, and Issues
Medium- to Long-term Goals, and Priority Activities
(Scope: NEC Corporation unless otherwise specified) Period: April 2021 to March 2026
- Strengthen governance in the fields of data privacy and compliance at consolidated subsidiaries in and outside Japan
- Deepen risk management pertaining to the handling of personal information, based on the risk ownership of general managers
FY2025 Goals, Progress, Achievements and Issues, and FY2026 Goals
FY2025 Goals
- Strengthen governance in the fields of data privacy and compliance at consolidated subsidiaries in and outside Japan
  - Introduce the new personal information protection management ledger system at major consolidated subsidiaries outside Japan that have not yet implemented it
  - Enhance monitoring of personal information protection at consolidated subsidiaries outside Japan, and supplement rules
  - Continue to provide training for employees of consolidated subsidiaries outside Japan
  - Continue to establish management systems equivalent to those of NEC by appointing Personal Information Protection Administrators and Personal Information Protection Professionals at all consolidated subsidiaries in Japan, and enhance monitoring
- Deepen risk management pertaining to the handling of personal information, based on the risk ownership of general managers
  - Continue the training and education of Personal Information Protection Administrators and Personal Information Protection Professionals assigned to all departments
Progress, Achievement, and Issues
- Strengthen governance in the fields of data privacy and compliance at consolidated subsidiaries in and outside Japan
  - Completed introduction of the Personal Identifiable Information Control System at 45 major consolidated subsidiaries outside Japan
  - Implemented inspections of the status of implementation of laws and regulations of each country and data privacy and compliance systems of consolidated subsidiaries outside Japan, and provided guidance on improvements
  - Provided data privacy training for employees of consolidated subsidiaries outside Japan
  - Newly introduced management systems equivalent to those of NEC in consolidated subsidiaries in Japan (21 subsidiaries and 7 sub-subsidiaries)
  - Implemented inspections of data privacy and compliance systems of consolidated subsidiaries in Japan
- Deepen risk management pertaining to the handling of personal information, based on the risk ownership of general managers
  - Provided education for Personal Information Protection Administrators and Personal Information Protection Professionals
  - Issued a monthly e-mail newsletter introducing topics and practical tools related to the protection of personal information for Personal Information Protection Administrators and Personal Information Protection Professionals
FY2026 Goals
- Strengthen governance in the fields of data privacy and compliance
  - Continue to implement monitoring of personal information protection at consolidated subsidiaries in and outside Japan
  - Continue to provide training for all employees including those of consolidated subsidiaries in and outside Japan
  - Continue to establish management systems equivalent to those of NEC by appointing Personal Information Protection Administrators and Personal Information Protection Professionals at all consolidated subsidiaries in Japan
- Deepen risk management pertaining to the handling of personal information, based on the risk ownership of general managers
  - Continue the training and education of Personal Information Protection Administrators and Personal Information Protection Professionals assigned to all departments
  - Implement training for staff in charge of personal information protection at consolidated subsidiaries in and outside Japan
Main Initiatives
Personal Information Protection Initiatives
Personal Information Protection and Management Initiatives
Personal Information Protection Management System
We have documented standard procedures and operate a personal information protection management system at NEC Corporation and its consolidated subsidiaries in Japan. As necessary, operational rules are created at the individual company and department level and by type of personal information, and strict adherence is enforced.
In addition, the personal information management manual for our personal information protection management system stipulates the following:
- When obtaining personal information from sources including documents, email, and websites, the person to whom the information pertains must be notified in advance in writing and the person’s consent must be obtained in writing.
- When providing personal information, the consent of the person to whom the information pertains must be obtained, except in cases required by law.
- Security control measures of personal information must be taken.
- Secondary use of personal information without the prior consent of the person to whom the information pertains is prohibited.
- The rights of the person to whom the information pertains, including the rights to access, amend and delete their personal information, must be respected.
In addition, we also enter into agreements with third parties with whom we share or to whom we entrust the handling of data, stipulating that the above rules must be observed. We have established escalation rules and emergency response procedures in the event of a leak or inappropriate handling of personal information.
Management of Personal Information
- NEC Corporation runs the Personal Identifiable Information Control System, a ledger-based system to manage personal information and make its management more transparent.
We create personal information management ledgers at each consolidated subsidiary outside Japan to gain an understanding of the information being handled by each company and the risks involved. We also work to ensure that the procedures to manage these risks, as well as common security control measures that need to be observed, are thoroughly disseminated.
Initiatives to Address Cross-border Transfers of Personal Information
- We require consolidated subsidiaries outside Japan to obtain individual consent based on the laws and regulations in each country or region to facilitate any cross-border transfer of personal information for employees or otherwise and enter into any required data transfer contracts to enable cross-border transfer and processing of personal information between Group companies in and outside Japan.
Initiatives for Customers and Business Partners
- When outsourcing the handling of personal information, NEC Corporation and its consolidated subsidiaries in Japan establish security control measures for contractors according to the risk involved and stipulate in agreements with contractors with which data is shared that they must comply with these measures, requiring privacy management equivalent to that of the NEC Group.
- We request that contractors engaged in work for NEC Corporation or its consolidated subsidiaries in Japan submit a pledge on the Basic Rules for Customer-Related Work and trade secrets to help ensure rigorous management of personal information throughout the supply chain.
- We make sure to handle Numbers to identify a specific individual in administrative procedures (Individual Number which is called My Number) carefully and securely, as it is classed as Specific Personal Information in compliance with personal information protection laws in Japan. We deploy technical measures such as controlling access, blocking unauthorized external access, and preventing information leaks, while moving forward with initiatives to maintain sufficient privacy protection levels in each system.
Monitoring and Improvement
NEC Corporation appropriately manages personal information by executing plan–do–check–act (PDCA) cycles on an autonomous basis through various inspection activities.
Also, NEC Corporation and its consolidated subsidiaries in Japan conduct regular internal audits based on internal audit check items stipulated in JIS Q 15001.
Furthermore, for operations related to the handling of Numbers to identify a specific individual in administrative procedures (Individual Number which is called My Number), we use security control measure checklists prepared based on Japan’s guidelines for the My Number Act, as well as self-checklists during re-entrustment, in order to monitor the divisions and subcontractors that handle these numbers.
Verification of the Operation of Security Control Measures
- The implementation status of security control measures carried out by all employees is verified once a year. If there are cases of non-compliance, improvement plans are formulated and carried out at the organization level.
Verification of the Status of Personal Information Management
- Control forms registered in the Personal Identifiable Information Control System are reviewed at least once a year to confirm the status of personal information management.
- In addition, once a year the general managers of each division implement management reviews to confirm the status of personal information management, enabling corrective action to be taken as needed, and to maintain appropriate management conditions.
Verification of Operations During Emergencies
- In the event of an incident involving the loss, outflow or leak, etc., of personal information, operation of the above information security control measures is thoroughly reviewed as needed.
Details of Personal Information Protection-related Incidents, Accidents, or Complaints, and Measures Taken
In fiscal year 2025, there were no incidents involving the loss, outflow or leak, etc., of personal information at NEC, and no incidents involving secondary use of personal information without prior consent of the person to whom the information pertains.
There were no external complaints regarding personal information in fiscal year 2025.
We have not received any claims or complaints regarding invasion of the privacy of customers from any third-party organizations, including the Ministry of Economy, Trade and Industry, which is the competent government agency, and the Personal Information Protection Commission of Japan.
Response to Requests from National Governments for Personal Information Provision
If NEC Corporation’s departments are requested by a government or law enforcement agency of a country to provide personal information that the Company holds, the general manager of the department that receives the request reports to and consults with the Personal Information Protection Administrator as necessary. In such cases, the Personal Information Protection Administrator reports to and consults with the corporate officer in charge of personal information protection. Premised upon respect for the human rights of the person to whom the information pertains, the Company will then determine the necessity of providing such information and undertake the appropriate procedures and measures pursuant to the applicable laws. There were no requests from government or law enforcement agencies for personal information held by NEC in fiscal year 2025.
Privacy in Business Activities

Privacy protection laws and regulations such as the General Data Protection Regulation (GDPR), which came into effect in the European Economic Area in 2018, are being established in many countries and regions, and the roles and responsibilities required of companies to protect privacy are increasing as enforcement of these laws and regulations becomes more stringent.
NEC Corporation aims to maximize social value and minimize the adverse impact on society by developing and providing products and services with consideration for privacy issues, which may be perceived differently depending on the country, region or culture, and also with consideration for discrimination and other human rights issues that could be exacerbated by the use of AI. To clarify our stance, the NEC Group Code of Conduct and the NEC Group AI and Human Rights Principles (the Companywide principles) stipulate that business activities aimed at resolving social issues using ICT must not give rise to human rights issues, including invasion of privacy.
Furthermore, as stated in the description of management systems of consolidated subsidiaries, NEC Corporation and its 27 Group companies in Japan have acquired Privacy Mark certification. In principle, without the prior consent of the person to whom the information pertains, we forbid the acquisition of information that could have an economic impact such as bank account or credit card numbers, sensitive information such as one’s birthplace, or highly private information such as mobile telephone numbers.
Response in an Emergency Such as Leakage of Personal Information
NEC maintains systems for responding swiftly if an incident occurs involving the loss, outflow or leak, etc., of personal information. If an incident should occur, the response is coordinated quickly and systematically based on standardized procedures.
If an incident occurs related to personal information or an event takes place for which the occurrence of such an incident is a possibility, the discoverer or the employee involved in the incident contacts their manager and the NEC Group contact desk for information security incidents.
In coordination with the Personal Information Protection Promotion Office and relevant divisions, the person at the contact desk then takes necessary actions in accordance with applicable laws, ordinances, ministry guidelines, and other regulations, while considering the risk of infringing on the rights and interests of the people involved. These responses may include promptly notifying the people involved, making a public announcement, and taking corrective measures appropriate to the incident.
Personal Information Protection Training and Awareness-Raising
To raise awareness of personal information protection and information security in general among employees, the Basic Rules for Handling Customer-Related Work and Trade Secrets have been established, and NEC Corporation rigorously disseminates these rules.
Various training is also provided to all employees.
Training for All Officers and Employees Including Dispatched Workers (NEC Corporation)
The Company conducts web-based information security training once a year. The completion rate of companywide training was 94.3% in fiscal year 2025.
Education for Personal Information Protection Professionals (NEC Corporation, All Departments)
The following education is provided for Personal Information Protection Professionals.
- Textbooks have been prepared on risk management in the handling of personal information, in addition to education through 15 lectures
- Courses aimed at acquiring personal information protection qualifications
- Held a practical training course for business lines (3 times)
- Conducted training (2 times) to improve practical skills for collective response based on actual cases
Training for Graduates and Mid-career Hires (NEC Corporation and Its Consolidated Subsidiaries in Japan)
- In fiscal year 2025, we created a textbook on personal information protection as introductory training material, and conducted training.
- When a request is received from a department, or when it is otherwise deemed necessary by the Personal Information Protection Promotion Office, awareness training is conducted at individual departments or consolidated subsidiaries in Japan.