JAL Group's Basic Policies on Information Security and the Protection of Personal Information
In light of the importance of information security and the protection of personal information in an advanced information society, the JAL Group manages and protects information that the company possesses under the following Group policies.
1. Compliance with Regulations
JAL complies with laws, regulations and guidelines stipulated by administrative bodies.
2. Establishment of management system
JAL has established an internal management system and clearly specifies division of responsibilities.
3. Compliance with internal policies, regulations and guidelines
JAL has established and complies with internal policies, regulations and guidelines.
4. Implementation of safety measures
JAL carries out safety measures and takes steps to prevent inappropriate access to information or the loss, destruction, falsification and leak of information.
5. Implementation of education and awareness programs
JAL promotes education and awareness programs for employees and ensures that information is appropriately managed, while striving to improve knowledge and awareness of information management.
6. Affiliation with external vendors
When entrusting operations related to information management to other companies, JAL selects companies with strong experience and abilities. The contract mandates confidentiality and guarantees that the information will be properly managed.
7. Efforts to improve operations
JAL regularly checks to ensure that information is managed appropriately and works to improve operations on a continual basis.
8. Response in event of accident
In the unlikely event of an accident, JAL endeavors to minimize the damage, quickly releases necessary information and takes all necessary steps to prevent a reoccurrence.
9. Designation of contact
JAL will set up a contact point to which customers may direct their inquiries, complaints, and requests. JAL will respond quickly and with integrity.
JAL will disclose its policies on information security and the protection of personal information, including this policy, by posting them on its website.
Handling of Personal Information by JAL Group Airlines
Japan Airlines Co., Ltd., Japan Transocean Air Co., Ltd., J-Air Co., Ltd., Japan Air Commuter Co., Ltd., and Ryukyu Air Commuter Co., Ltd. (hereinafter "JAL Group Airlines") shall handle and protect the customers' personal information in accordance with the "Act on the Protection of Personal Information" of Japan and "JAL Group's Basic Policies on Information Security and the Protection of Personal Information."
1. Obtaining Personal Information and Purpose of Use
JAL Group Airlines shall acquire the customers' personal information through appropriate and fair means and use it for the purposes below.
- To provide air transportation services (reservations, sales, check-in, airport handling, cabin services, etc., including cases of interline transportation, joint operations, code-sharing, contract operations, etc. in addition to normal transportation services)
- To provide services relating to JAL Mileage Bank (hereinafter "JMB")
- To provide other products and services
- To provide information and communications; to conduct questionnaires relating to products, services, various events, campaigns, and such
- To conduct sales analysis, investigations and research; to develop new services and products
- To conduct operations relating to 1-5 above; to respond to inquiries, etc.
2. Management and Protection of Personal Information
JAL Group Airlines shall appropriately manage and protect the customers' personal information, in accordance with "JAL Group's Basic Policies on Information Security and the Protection of Personal Information."
- Safety Management Measures
- Organizational safety management measures
Japan Airlines has established the Risk Management and Information Security Committee, which decides policies and measures relating to information security and personal information protection of the JAL Group. We have also introduced a system that strictly separates the management of Personally Identifiable Information from Non Personally Identifiable Information in order to reduce risks and respond promptly to incidents.
- Human safety management measures
We conduct Information Security Training regularly for all JAL Group employees and obtain a Written Confirmation concerning the handling of personal data.
- Physical safety management measures
In areas where Personally Identifiable Information is handled, the entry and exit of employees is controlled to prevent unauthorized access to personal data. Measures are implemented to restrict internet access of devices over internal systems that handle Personally Identifiable Information.
- Technical safety management measures
Anti-virus measures and anti-leakage measures are implemented to protect systems that handle personal data from unauthorized external access and unauthorized software. We also conduct cyber threat monitoring 24 hours a day, 365 days a year to prevent unauthorized access and virus infection.
- Understanding of the external environment
When providing personal data to an overseas third party, we implement necessary safety management measures with an understanding of personal information protection laws of that country.
* Please refer to 6. (1) below for major personal information protection laws of other countries.
3. Provision of Personal Data to a Third Party
JAL Group Airlines shall not disclose or provide the customers' personal data to a third party, except in cases described below. The provision of personal information to service providers and the joint use of personal information shall be implemented in accordance with Articles 4. and 5. below.
- Cases in which the customer personally gives his/her consent
- Cases in which the provision of personal data is based on laws
- Cases in which the provision of personal data is necessary for the protection of the life, body, or property of an individual and in which it is difficult to obtain the consent of the person
- Cases in which the provision of personal data is specially necessary for improving public hygiene or promoting the sound growth of children and in which it is difficult to obtain the consent of the person
- Cases in which the provision of personal data is necessary for cooperating with a state institution, a local public body, or an individual or entity entrusted by one in executing the operations prescribed by laws and in which obtaining the consent of the person might impede the execution of the operations concerned
4. Provision of Personal Information to Service Providers and Relevant Management
JAL Group Airlines may entrust the handling of personal information, within the scope required to achieve the purpose of use, to a third party other than the company itself. In this case, the JAL Group Airlines shall conduct appropriate management and supervision in accordance with item 6 of "JAL Group's Basic Policies on Information Security and the Protection of Personal Information."
5. Joint Use of Personal Information
JAL Group Airlines shall jointly use the customers' personal information as follows.
- Purpose of joint use
To provide air transportation services; to provide services closely related to air travel such as tours, hotels and baggage home delivery; to accumulate mileage and manage mileage awards; to provide information, e.g. sales promotion materials including those of partner companies, questionnaires, product development; and to conduct other operations relating to those
- Data to be used jointly
Membership number, customer's name, birthday, gender, address, TEL/FAX numbers, e-mail address, information on employment (company name, department, job title, address, TEL/FAX numbers), mailing address of items sent to customers, e.g. ticket, itinerary, type of member's card, member's service qualifications, membership region, accumulated mileage, reservations/boarding information, need for arrangement of wheelchair, health and medical information related to boarding, meal restrictions, passport information, service usage records, payment information such as credit card billing information, details on travel itineraries and arrangements such as flight information and destinations of JAL and other airlines, other transportation arrangements, information included in communications with customers, details of inquiries, requests and comments from customers, information on usage of JAL’s website and mobile app including cookies and activity logging, etc.
- Range of users
JAL Group Companies (*1) and Okura Nikko Hotel Management
*1 Click here for the list of JAL Group Companies
- Administrator of personal information
Japan Airlines Co., Ltd.
6. Transfer of personal data to an overseas third party
When providing personal data to overseas business operators such as contractors and partner airlines, JAL Group Airlines implement necessary and appropriate measures in accordance with applicable laws and regulations of said country.
When required under law, we may provide information about your reservations and itinerary including your passport, visa and API to the customs and immigration authorities of the countries of departure, arrival, transfer and/or transit.
1. Please refer to the following for major personal information protection laws of other countries
* External site and in Japanese only
Personal Information Protection Commission website:
2. Please refer to the following for our international destinations.
7. Request for Disclosure, etc. and Inquiries
(1) "Notification of purpose of use," "Disclosure," "Correction, etc." and "Stopping the use, etc." of retained personal data
We will respond to requests by a customer or his/her representative as follows in accordance with the "Act on the Protection of Personal Information" of Japan.
- Notification of purpose of use
We will notify the purpose of use of such retained personal data as may lead to the identification of the person concerned. However, in the following cases, we may reject a request, in whole or in part, and give the reason why.
- Cases in which notifying the person of the purpose of use or publicly announcing it might harm the life, body, property, or other rights or interests of the person or a third party
- Cases in which notifying the person of the purpose of use or publicly announcing it might harm the rights or legitimate interests of the JAL Group Airlines
- Cases in which it is necessary to cooperate with a state institution or a local public body in executing the operations prescribed by laws and in which notifying the person of the Purpose of Use or publicly announcing it might impede the execution of the operations concerned
- Disclosure
We will disclose such retained personal data as may lead to the identification of the person concerned. (When the retained personal data does not exist, we will respond accordingly.) However, in the following cases, we may reject a request, in whole or in part, and give the reason why.
- Cases in which disclosure might harm the life, body, property, or other rights or interests of the person or a third party
- Cases in which disclosure might seriously impede the proper execution of the business of the entity concerned handling personal information
- Cases in which disclosure violates other laws
- Correction, etc.
When requested by a person to correct, add, or delete such retained personal data as may lead to the identification of the person concerned on the ground that the retained personal data is contrary to the fact (hereinafter "Correction, etc."), we will, except in cases in which special procedures are prescribed by any other laws for such correction, addition, or deletion, make a necessary investigation. As a result, when we have corrected, added, or deleted all or part of the retained personal data as requested, we will notify the person to that effect without delay. When we have decided not to make such correction, addition, or deletion, we will notify the person and give the reason without delay.
- Stopping the use, etc.
When requested to stop using, erase or stop providing to a third party such retained personal data as may lead to the identification of the person concerned (hereinafter "Stopping the use, etc."), and where it is found that the request has a reason, we will stop using, erase or stop providing to a third party the retained personal data concerned without delay to the extent necessary for redressing the violation. However, if it costs a great deal or is otherwise difficult to stop using or to erase the retained personal data concerned, we may take necessary alternative measures to protect the rights and interests of the person.
When we have stopped using, erased or stopped providing to a third party all or part of the retained personal data as requested, we will notify the person without delay. When we have decided not to stop using, not to erase or not to stop providing to a third party the retained personal data, we will notify the person and give the reason without delay.
Procedures for Request
Please send the request form (*1), required documents (*2) and fee (*3) (when requesting "notification of purpose of use" and "disclosure") to the following address.
Personal Information Handling Desk
Japan Airlines Co., Ltd.
2-4-11 Higashishinagawa, Shinagawa-ku
Tokyo 140-8637, JAPAN
Please download and complete request forms from below.
- *2: Required Documents
Please attach the documents below to verify the identity of the individual. When a request is sent by a representative, please attach documents to verify the identity of the representative together with a power of attorney.
- Documents to identify the individual (In case the request is sent by a representative, please attach documents of the representative)
A copy of any one of the following: driver's license, passport, health insurance certificate, basic resident registration card with photo, pension book, disability book, foreign resident registration certificate, seal registration certificate (a certified copy of the seal registration issued by the municipality).
- Documents to confirm address
In case the address is not written by a public entity on the documents above, please attach a certified copy of the residence certificate or the original copy of the foreign resident registration (issued within 3 months prior to the request).
- Documents to confirm power of attorney
(In case of legal representative)
Documents to verify legal representative, e.g. family register, guardian registration certificate
In case a request is sent by a voluntary representative, we will check whether he/she has been commissioned by the individual, and we may disclose directly to the individual, or such.
- *3: Fee
In case of requesting "Notification of purpose of use" or "Disclosure," please enclose stamps worth 500 yen as a fee.
(2) Contact for Inquiries
If you have any inquiries regarding "Handling of Personal Information by JAL Group Airlines", please send your letter to the following address.
Personal Information Handling Desk
Japan Airlines Co., Ltd.
2-4-11 Higashishinagawa, Shinagawa-ku
Tokyo 140-8637, JAPAN