[Global Privacy Policy]

In compliance with applicable data protection laws and regulations (including, without limitation, the General Data Protection Regulation (EU) 2016/679 (the “GDPR”) and the United Kingdom General Data Protection Regulation (the “UK-GDPR”)), NTT DOCOMO, INC., (the “Company” or “we”) hereby prescribes the following [Global Privacy Policy] (this “Policy”) to cover the processing of personal data of customers located outside of Japan in relation to the IG arena tickets (the “Service”).

1. Categories of Personal Data We Collect

The Company will collect and process the following personal data in relation to the Service:

<Basic Data>

Information about your identity, profile, and contact details, including, for example, name, address, country/region, date of birth, gender, phone number, email address, age, company name, department name, job title, company address, unique device identifier, d ACCOUNT Type, d ACCOUNT Number, d Point Card Number, and other customer IDs.

<Usage Data>

Information about the use of the Service, which includes, for example, IP address at the time of service use, behavioral information obtained through cookies, details of purchased tickets such as name, content, price, and order, ticket resale information, ticket status (whether issued or canceled), delivery details, billing information, coupon usage history, inquiry details, customer account information, transaction history, and other transaction-related interactions on the Service).

<Location Data>

Information about the location of mobile devices obtained within Japan (including, without limitation, location data measured via mobile phone base stations for customers using our mobile phone services, and location data measured via Wi-Fi or other short-range wireless communication technologies provided by Aichi International Arena Co., Ltd).

2. Purposes of Use of Personal Data and Lawful Basis for Processing

We have set out below, in a table format, the purposes of processing the personal data as well as the legal basis we rely on for the processing in connection with the Service. In cases where the basis of the use is for our legitimate interests, we will balance the impact on customers’ privacy against the relevant legitimate interests.

Please note that, with respect to EU and UK residents, we do not knowingly collect personal data relating to children under the age of 13 and only collect and process personal data relating to children under the age of 16 if and to the extent that consent is given or authorized by the person holding parental responsibility over the child.

In addition, we do not process any special categories of personal data about you as defined under section 9 of the GDPR, and we do not make decisions that may have legal or similar material effects on customers based solely on automated processing (including profiling) using customers’ personal data.

Purpose Type of Personal Data Lawful Basis
for Processing
For rendering the Services and for communications/notifications to customers that are necessary for the performance of contracts with customers.
  1. (i) Basic Data
  2. (ii) Usage Data
  • Performing contracts
  • Necessary in order to comply with legal obligations
    (To inform you of any changes to our terms and conditions etc.).

For promotions and offers of Services and for relevant communications/notifications.
  1. (i) Basic Data
  2. (ii) Usage Data
  • Legitimate interests:
    (To conduct marketing activities including various campaigns and promotions related to the Service, except for direct marketing activities that require explicit consent.)
For management of the Service and countermeasures against improper activities that are necessary for reliable and stable provision of the Service.
  1. (i) Basic Data
  2. (ii) Usage Data
  • Performing contracts
  • Necessary in order to comply with legal obligations
    (To implement security measures required under applicable laws)
  • Legitimate interests:
    (To keep records updated / To operate and manage the service)
For planning, developing and improving the Service, and performing various investigations and analyses relating thereto.
  1. (i) Basic Data
  2. (ii) Usage Data
  3. (iii) Location Data
  • Legitimate interests
    (To keep records updated / To analyze how customers use the Service / To improve the quality of the Service / To analyze how customers use the Service)

3. Disclosure of Personal Data

The Company may provide customers’ personal data to the following recipients:

  • The Company uses outsourcing companies such as payment processing companies, ticket system vendors, and app providers to provide the Service, and these contractors will access and process customers’ personal data to the extent necessary to provide the Service;
  • The Company discloses customers’ personal data to third parties, including our subsidiaries and business partners, with the customers’ consent and/or if otherwise permitted by applicable laws; and
  • The Company may disclose customers’ personal data to public authorities in order to comply with applicable laws and regulations (including ordinances, court rulings, and administrative orders and recommendations).

4. Sources of Personal Data

The Company primarily collects customers’ personal data directly from them, particularly during the registration and use of the Service. Additionally, the Company may obtain certain personal data from third parties, such as Aichi International Arena Co., Ltd., regarding customers' usage of its application.

5. Personal Data Required to Be Provided

The personal data that customers are required to provide in order to receive the provision of the Service is indicated in the form to be completed by the customers. Although customers are under no obligation to provide such personal data, the Company will not be able to offer the Service if such personal data is not provided.

6. International Transfers of Personal Data

The Company is established and headquartered in Tokyo, Japan, and may transfer customers’ personal data to countries outside the customers’ country of location (for customers located in the EEA, to outside of the EEA), including Japan (“International Transfer”), for the purposes described in Section “2. Purposes of Use of Personal Data and Lawful Basis for Data Processing”.

When the Company conducts an International Transfer of customers’ personal data, we will take necessary measures for the protection of such personal data, such as implementing an adequate level of protection and executing standard contractual clauses as set forth by the supervisory authority. If customers would like more information, such as obtaining a copy of the standard contractual clauses, etc., they are requested to contact us by mailing a letter or sending an e-mail to the relevant address listed in Section “13. Contact” below.

7. Personal Data Security Management

We have put in place appropriate and robust security measures to prevent personal data from being accidentally lost, used or accessed in an unauthorized way, damaged, destroyed, altered or disclosed. We have adopted these measures to ensure the ongoing confidentiality, integrity, availability and resilience of the systems and services which process personal data and to ensure that we can restore availability and access to personal data in a timely manner in the event of a physical or technical incident. These measures are regularly tested, assessed and, where appropriate, updated to ensure they remain effective, and they will typically include:

  • Technical security measures:
    • multiple location, physically secure data centers designed to prevent single points of failure;
    • secure system firewalls and authentication controls;
    • back-ups and data recovery systems;
    • secure encryption technologies; and
    • state-of-the-art antivirus and intrusion protection.
  • Organizational security measures:
    • data system access controls, password controls and privilege management;
    • data center physical access controls;
    • security and compliance training for employees:
    • strict data security breach reporting procedures;
    • disaster recovery and business continuity (DRBC) procedures;
    • contractual confidentiality obligations for employees; and
    • background checks for employees where appropriate and permitted or required by law.

We have put reporting procedures in place to deal with any suspected data breaches and will notify you and any applicable supervisory authority of any breach when we are legally required to do so.
Whenever we engage third-party service providers to store and process personal data, we always ensure that these providers also implement appropriate technical and organizational security measures to keep personal data safe and require those providers to adhere to strict contractual requirements for this purpose, as required by the GDPR and the UK-GDPR.

8. Personal Data Retention Period

We will only retain personal data for as long as is necessary for the specific purposes it was collected for or, where relevant, for related compatible purposes such as complying with applicable legal, accounting, or record-keeping requirements. For example, we are often required to retain basic information about our customers for a mandatory period of time after they cease being customers in order to comply with our tax law obligations.

Where there is no specific legal period for retaining the personal data, we will determine the appropriate retention period by considering the amount, nature, and sensitivity of the personal data, the potential risk of harm from its unauthorized use or disclosure, the purposes for which we process the personal data and whether we can achieve those purposes through other means, and applicable legal requirements.

9. Rights to Disclosure, Correction, Addition, Deletion, etc., of Personal Data

Customers have certain rights regarding their personal data in accordance with applicable laws and regulations, some of which only apply in certain circumstances. These rights are:

  • the right to seek access to their personal data (including copies thereof);
  • the right to request correction of their personal data;
  • the right to seek removal of their personal data (the right to be forgotten);
  • the right to restrict (cease) the processing of their personal data; and
  • the right to receive their personal data in a structured, machine-readable form (the right to data portability).

These rights may be limited, on an exceptional basis, if complying with a customer’s request would infringe upon the rights of the Company or a third party, or if we are requested to delete information that we are required to retain in accordance with the laws and regulations. The exceptions to these rights are set out in the applicable laws and regulations.

If customers wish to exercise these rights, they are requested to contact us by mailing a letter or sending an e-mail to the relevant address listed in Section “13. Contact” below.

10. Right to Object to the Processing of Personal Data

Customers may have the right at any time to object to the processing of their personal data that is being processed on the basis of legitimate interests under applicable laws and regulations.

If customers wish to exercise this right, they are requested to contact us by mailing a letter or sending an e-mail to the relevant address listed in Section “13. Contact” below.

11. Right to Withdraw Consent

Customers have the right to withdraw their consent whenever the Company handles their personal data based on their consent under applicable laws and regulations. Even if a customer withdraws their consent, the legality of any treatment on the basis of the customer’s consent before the withdrawal of such consent will not be affected.

If customers wish to exercise this right, they are requested to contact us by mailing a letter or sending an e-mail to the relevant address listed in Section “13. Contact” below.

12. Right to File a Complaint with a Supervisory Authority

Customers may have the right to file a complaint with a supervisory authority under applicable laws and regulations. The supervisory authorities to which complaints can be filed may include the supervisory authorities where the customer locates.

13. Contact

We are the controller and is responsible for the processing of your personal data.

We have appointed a data protection representative in the EU and the UK to respond to inquiries regarding data protection and privacy.

If you have any questions about this Policy, or if you wish to exercise your legal rights as described in Sections 9, 10 and 11 above, please contact us or our EU or UK Data Protection Representative using the following details:

Our contact details are as follows:
Company Name: NTT DOCOMO, INC.
Address: Sanno Park Tower, 2-11-1 Nagatacho, Chiyoda-ku, Tokyo 100-6150, Japan
Phone Number: +81 3 5156 1111
E-mail: data-protection-ml@nttdocomo.com

The contact details of our EU Data Protection Representative are as follows:
Name: PLANIT//LEGAL Rechtsanwaltsgesellschaft mbH
Email address: docomo-gdpr-planit@planit.legal
Postal address: Jungfernstieg 1, 20095 Hamburg, Germany

The contact details of our UK Data Protection Representative are as follows:
Name: TMI Associates London LLP
Email address: docomo-ukgdpr-tmi@tmi.gr.jp
Postal address: CityPoint, One Ropemaker Street, London EC2Y 9SS, United Kingdom