Privacy policy

Policy on the Protection of Personal Information

At All Nippon Airways Trading Co., Ltd. (hereinafter referred to as the Company), we recognize the importance of our customers’ personal information received through their inquiries on our business or via our online shops or physical shops, as it is essential in order for us to provide fully satisfactory services to them. Thus, we consider it our social responsibility to protect such information.
The Company sets forth the policy on personal information protection as follows and will follow and maintain it.
Chapter 1 describes the handling of personal information as it applies to all customers. Chapter 2, Chapter 3, Chapter 4, and Chapter 5 provide region-specific information for customers who are located or reside in the European Economic Area/the United Kingdom, the People’s Republic of China, the state of California of the United States, and the Kingdom of Thailand, respectively.

Collection and Use of Personal Information

In collecting personal information, the Company clarifies the purpose and acquires such information to the extent of such purpose. In addition, the Company will use such personal information only for the intended purpose.

Management and Protection of Personal Information

The Company will manage personal information carefully and will not disclose or provide personal customer information to any third parties except for cases where consent is obtained from customers. In addition, the Company will take appropriate preventive and correction measures to prevent unauthorized access to or loss, destruction, alteration, or leakage of personal information.

Governing Laws and Others

The Company will comply with laws and other regulations applicable to personal information.

Continuous Improvement in the System and Functions for Management of the Protection of Personal Information

The Company will strive to continuously improve the system and functions for management concerning the protection of personal information.

Chapter 1. Handling of personal information of all customers

1. Introduction

The Privacy Policy explains the handling of customers’ personal information which the Company receives from customers. Carefully read through the Privacy Policy before providing personal information to the Company or using the Company’s services and products.
Chapter 1 of the Privacy Policy provides an overview of how the Company uses customers’ personal information. Chapters 2 through 4 provide regional information for customers who reside in the European Economic Area or the United Kingdom (Chapter 2), the People’s Republic of China (Chapter 3), and the State of California in the United States (Chapter 4).
If a product or service of the Company is covered by another policy, refer to the service’s terms for further information.

2. Scope of application

The Privacy Policy shall apply when a customer provides the Company with personal information or when the customer uses a service or product of the Company.

3. Purpose of using personal information

The Company utilizes personal information obtained from customers for the following purposes.However, even within the intended scope, the Company will not use customers’ personal information in a way that may encourage or induce illegal or improper conduct:

  1. Sales, reservations, shipment of products, settlement service and documents handled at the Company’s online shops
  2. Sales, reservations, shipment of products, settlement service and documents handled at the Company’s physical shops
  3. Provision of services through the ANA Mileage Club
  4. Guidance, provision, and management concerning other services and products handled by the Company
  5. Survey and analysis of the usage of other services and products handled by the Company
  6. Company operations incidental or related to the above (1) – (5)
  7. Implementation of questionnaires concerning services and products, etc., offered by the Company
  8. Development of the Company’s new products/services
  9. Guidance, operation, management, and notification relating to services, products, events, and campaigns of Group companies and partner companies
  10. Contact concerning provision of the Company’s services and products
  11. Guidance, operation and management relating to services, products, events, and campaigns of Group companies and partner companies that utilize analytical data on the usage of the Company’s services/products and browsing history on the Company’s online store, etc. so as to be in line with the customer’s interests and preferences, as well as provision of various pieces of information through methods including direct e-mail, e-mail newsletters, notices, and advertisements
  12. Recruitment activities on the recruitment page
  13. Response to inquiries or requests

*Otherwise, the personal information is used for purposes as provided in “8. Data-sharing concerning personal information.”

4. Acquisition of personal information

The Company will obtain customers’ personal information by fair and appropriate means.

  • Customer information, contact information, payment information, etc.
    The customer’s name, address, telephone number, fax number, email address, business contact information (company, department, section, position, address, telephone number, fax number), mailing address, passport information, payment information including credit/debit card or other details on means of payment, etc.
  • Information on ANA Mileage Club membership and information related to the usage of applicable services, etc.
    The customer’s ANA Mileage Club membership number, member card type, member service qualification, membership area, mileage status, credit card number, expiration date, credit card usage history and related information and need for wheelchair or other special arrangements, flight reservation and cancelation information, boarding status, etc.
  • Information on the content of inquiries and opinions provided to the Company and on communications with the customer, as well as the content of inquiries, requests, and opinions (including their cause and method of resolution), etc.*The Company monitors, records, and stores communications with customers, including telephone calls and emails, to confirm instructions from the customer, conduct training, prevent crime, and improve the quality of customer services.
  • Information such as that on how the customer uses the Company’s website and mobile app, including, for example, website activity logs and IT system data cookies.
    The Company shall never obtain or use information of a sensitive nature to the customer (hereinafter, “sensitive information”), such as information on race, creed, social status, history of illness, criminal record, or history of being a victim of crime, unless otherwise required by laws and regulations or by the consent of the customer.

5. Choice by the customer

As a rule, the Company obtains personal information with the consent of the customer. Customers may experience disadvantages if they refuse to provide their personal information, such as being unable to make use of the various services provided by Company, or being unable to receive campaign notices or other Company information because some Company system functions become inoperable and thereby unavailable. Please note that customers may change their contact information as well as email newsletter settings at any time they wish, in a manner designated separately by the Company.

6. Disclosure and provision of information to a third party

The Company shall not disclose or provide personal customer information to any third parties except under the following circumstances. Also, personal information of customers that includes sensitive information shall not be disclosed or provided to third parties under any circumstances, unless allowed by laws and regulations or with the consent of the customer. Note that provision of information to data-sharing partners and contractors is not deemed to constitute disclosure or provision to third parties.

  • Customer consent has been obtained in advance.
  • Disclosure or provision is required by laws or regulations.
  • Disclosure is required to protect human life, body, or property in cases where obtaining customer consent is difficult.
  • Disclosure is required to cooperate with the public affairs of national or local governments, and when obtaining customer consent is likely to hinder the administration of public affairs.
  • Statistical data (i.e. anonymized information on the customer) is disclosed or provided.
  • Information is provided in a business succession via a merger, company split, transfer of business, or other means.
  • Provision through procedures in accordance with laws and regulations, on the condition that the customer can easily confirm the following items on the Company’s website or elsewhere, and that the customer has not expressed intent to refuse provision:
    1. 1) purpose of use includes provision to third parties;

    2. 2) personal data provided to third parties;

    3. 3) means or method of provision to third parties;

    4. 4) suspension of provision to a third party upon the customer’s request; and

    5. 5) method for receiving customer requests.

7. Entrusted handling of personal information

In providing products and services to customers, the Company may entrust a part of its business operations, and may provide personal information to contractors within the extent required to achieve the purpose of use. In these cases, the Company shall implement all appropriate measures in managing and supervising such third parties to safeguard the handling of customers’ personal information, including establishing agreements with these third parties on the handling of such personal information.

8. Data-sharing concerning personal information

The Company share customer information as follows.

Scope of Data Sharing ANA Group Companies Open in a new window
Purpose of use by the user
  • For the provision of air transport services, travel services such as tours and hotels, and other goods and services handled by the Company or its affiliate companies
  • In order for the Company or its affiliate companies to send direct mail, provide information on products and services, and conduct surveys, etc.
  • In order for the Company or its affiliate companies to analyze sales, conduct other surveys and research, and develop new products and services, etc.
  • In order to inform and hand over to the company in charge of products and services provided by the Company or its affiliate companies in the event of an inquiry, application or other request from a customer
  • In order for the Company or its affiliate companies to properly and smoothly execute other transactions with customers
  • For ANA Group management and internal management
Personal information items to be shared The customer’s ANA Mileage Club membership number, name, address, telephone number, fax number, email address, business contact information (company, department, section, position, address, telephone number, fax number), mailing address, member card type, member service qualification, membership area, mileage status, credit card number, expiration date, credit card usage history and related information, need for a wheelchair or other special arrangements, flight reservation and cancellation information, and boarding status and service use; information in communications with customers; contents of inquiries, requests, and opinions; information on how the customer uses the Company’s website and mobile app, including cookies and website activity logs; etc.
Name, address, and representative of the party responsible for management of personal information ANA HOLDINGS INC.
Shiodome City Center, 1-5-2, Higashi-Shimbashi, Minato-ku, Tokyo, Japan 105-7140
Koji Shibata, President & Chief Executive Officer

9. Transfer to outside of Japan

If the Company provides customers’ personal information to third party business operators outside of Japan, including contractors and data-sharing partners, it will take necessary and appropriate measures in keeping with laws and regulations.

10. Management of personal information

In receiving customers’ personal information, the Company will manage such information according to the strictest standards and take necessary safety management measures to prevent leaks, loss, or alterations. The Company ensures that the board members and employees are properly trained regarding appropriate handling to safeguard the security of information identifying individual customers. An appropriate retention period for personal information will be established in accordance with the purpose for which such information is used. After the purpose of the information has been achieved, the Company will dispose of the information in question by appropriate methods. If you wish to know the details of the safety management measures, please make a request in accordance with “11. Requests concerning the handling of personal information”.

11. Requests concerning the handling of personal information

If the Company receives a request from a customer, submitted in the manner specified, for the disclosure, correction, deletion, addition, discontinuance of use, or erasure, or information provision concerning the personal information protection measures referred to in “9. Transfer to outside of Japan” and “10. Management of personal information” (“disclosure, etc.”) with regard to the customer’s personal information stored in a database held by the Company, the request shall be handled according to the laws and regulations as follows, within a reasonable timeframe and scope, after confirming that the request was personally submitted by the customer.

  • Request for disclosure
    The purpose of use, or personal information requested by the customer, or records on the provision of personal data to third parties, shall be disclosed.
  • Request for correction, deletion, or addition
    Personal information shall be corrected, deleted, or added in accordance with the customer’s request, wherever possible and appropriate, after a due review of the request.
  • Request for discontinuance or erasure
    Use of the personal information specified by the customer shall be discontinued in accordance with the customer’s request, and shall be erased if desired, wherever possible and appropriate. Please note that discontinuance and/or erasure may prevent the customer from receiving previously available services or may impede the provision of services the customer wishes to receive.
  • Request for information provision concerning personal information protection measures
    The following information will be provided in accordance with the customer’s request.
    1. 1) Details of the safety management measures taken by the Company in receiving customers’ personal information
    2. 2) Details of the measures taken by the Company when providing customers’ personal information to third parties outside of Japan (in the case of “9. Transfer to outside of Japan”)

The Company may not be able to fulfill the customers’ requests if compliance with such requests would seriously impact the Company’s business operations, or result in a violation of laws and regulations.

12. How and where to submit a request for disclosure, etc.

The following provides information on how to request disclosure concerning personal information received by the Company from the customer, how to request notification on the purpose of use, as well as where to submit inquiries.

Requests for disclosure, etc.

  • Contact information
    The customer may inquire about your personal information in the following ways I or II.

    1. I.Use the contact information below concerning the personal information of a customer stored in a database held by ANA Shopping A-style.

      A-style Customer Support Desk Toll-free: 0120-283-250

      From an IP phone 03-6253-7280 (charge)
      Reception hours: Monday – Friday 9: 00 – 18: 00 Sat/Sun/Holiday 9:00 – 17:00
      (Closed: January 1 to January 3)

    2. II.Check “(2) Submitting a request” below with regard to personal information of a customer stored in a database held by the Company but not by ANA Shopping A-style.

  • Submitting a request
    Fill out an inquiry form at the Company’s website (https://www7.webcas.net/form/pub/anatchp/form Opens in a new window. ) to contact the controller of the personal data.

    Controller of personal data: ALL NIPPON AIRWAYS TRADING CO., LTD.
    Shiodome City Center, 1-5-2 Higashi-Shimbashi, Minato-ku, Tokyo, Japan
    The Company’s data protection officer: ml_notice_privacy @ anatc.com (Please delete the spaces before and after the @ symbol.)

13. Modification of the Privacy Policy

The Company may make modifications to this Privacy Policy at any time. If modifications are made, details will be posted on the Company’s website, so please be sure to read carefully the contents of any changes that have been made.

Chapter 2. Handling of personal information of EEA and U.K. residents

1. Introduction

Chapter 2 explains the handling of personal information belonging to customers who reside in the European Economic Area (EEA) and United Kingdom in accordance with the following data protection laws (hereinafter “data protection laws”): the General Data Protection Regulation 2016/679 (GDPR), the Data Protection Act 2018 (DPA 2018) in the U.K., and U.K. laws and regulations concerning domestic and international data protection and privacy.
Note that the U.K. act is similar to the EEA regulation and that the customer retains very similar rights in both places. Accordingly, the reader should consider the parts of this chapter that mention the GDPR as applying likewise to the U.K.
A guardian’s consent or permission must be obtained in the event that a customer under the age of 16 uses the Company’s service and others and consents to this Privacy Policy. The data subject’s consent to this Privacy Policy must be obtained in the event that a person such as family member applies for the Company’s service on behalf of the data subject.
In the event that any provisions of this chapter contradict those of Chapter 1, the provisions of Chapter 2 shall prevail.

2. Controller of personal information

The Company is the controller of the customer’s personal information.
In accordance with data protection laws, the Company safeguards the personal information that is collected and used via controllers (i.e. those who decide the method and purpose for handling the customer’s personal information) and handlers (those who act according to the written directions of controllers).

3. Legal basis for handling personal information

In accordance with data protection laws, the Company safeguards the customer’s personal information by handling it only within the scope required for a specific purpose of use (as provided in Chapter 1, “3. Purpose of using personal information”).
The Company handles the customer’s personal information according to the following legal bases.

  • If the customer consents to the handling (GDPR, Article 6 (1) (a))
    Consent normally only applies to handling related to promotions and marketing, as well as, depending on the situation, handling related to sensitive information.
  • When necessary to take measures for the purpose of performing or concluding a contract (GDPR, Article 6 (1) (b))
    This normally serves as a basis for handling customer information (such as the customer’s identity, contact information, payment information, or itinerary) that is absolutely essential for the Company to provide a service.
  • If the Company must handle the information to comply with a legal obligation (GDRP, Article 6 (1) (c))
    This includes the sharing of personal information with bodies such as customs authorities, immigration agencies, and law enforcement agencies, legal obligations to customers or employees of the Company, etc.
  • If there is a medical emergency or other need to safeguard the life of the customer or a third party (GDPR, Article 6 (1) (d)).
  • If the Company or a third party must handle personal data for the purpose of legitimate interests, and the rights of the customer under data protection laws do not supersede these interests.
    (GDPR, Article 6 (1) (f))
    This includes the use of personal information necessary for operating the Company’s business, as well as the use of personal information necessary to maintain, develop, and improve the Company’s products and services and to provide the customer with the best experience.

4. Requests concerning the handling of personal information

Data protection laws recognize the following legal rights for the customer.

  1. 1) Requests for disclosure
    The customer may request a copy of the customer’s personal information in the possession of the Company and details on its handling.

  2. 2) Requests for corrections and updates
    After reviewing the request, corrections and updates shall be performed, if possible.

  3. 3) Requests for deletion
    The customer may request the full or partial deletion of the customer’s personal information in the possession of the Company. Upon reviewing the request, the Company shall delete the information if the information is unnecessary or the law precludes the continued storage of the information.

  4. 4) Forwarding personal information
    The customer may request a copy of personal information that is structured and in a generally machine-readable format. The forwarding of personal information may be performed with personal information obtained from the customer by the Company and with the customer’s consent, and only with regard to individuals who are handled by automated means for the purpose of performing a contract.

  5. 5) Formal objections to handling
    The customer may voice an objection to handling that is for the legitimate interests of the Company or a third party, or handling that is for the purpose of direct marketing. The Company shall discontinue the handling of the customer’s information, provided that the handling for the legitimate interests of the Company or a third party does not have a provable legitimate basis that prioritizes the interests of the customer. If the customer’s objection is against direct marketing, the Company shall discontinue handling.

  6. 6) Limitations on methods of using personal information
    The customer may limit the use of the customer’s personal information by the Company under specific circumstances. If a limitation is applied, the handling of the customer’s personal information (excluding storage) shall be performed legitimately, provided that the customer’s consent is obtained or that doing so is necessary for a legal claim, protecting specified rights, or for the sake of an important public good.

  7. 7) Right to withdraw consent
    If the customer’s personal information is handled with consent, the customer possesses the right to withdraw consent at any time.
    Note that the aforementioned right is not absolute and that it does not necessarily apply to all situations. In addition, depending on the circumstances, if a legal exception applies, then a request may be refused. If a request is refused, the reason therefore shall be provided with the response.
    Records of requests to the Company shall be kept so as to enable confirmation of the Company’s compliance with legal obligations.

  • Submitting a request
    The customer may exercise rights at no cost (unless a fee is charged or a request is refused in the event of an unreasonable, excessive, or repeated request). Below is the method for submitting a request.
    (Online)
    Fill out an inquiry form at the Company’s website (https://www7.webcas.net/form/pub/anatchp/form Opens in a new window. ) to contact the controller of the personal data (see Chapter 1, “12. How and where to submit a request for disclosure, etc.,” “(2) Submitting a request”).
  • Responses to a request
    After receiving a request from the customer, the Company shall normally respond within one month. In addition, the Company may, as necessary, request identity verification or proof of authority to submit a request as a representative (in the event that the customer makes the request through a third-party representative). If the request is especially complex or there are multiple requests, a detailed response may take time. In addition, please note that there are exceptions to the aforementioned rights and there may be cases in which rights cannot be exercised.
    If the customer is not satisfied with the Company’s response to a request, or if it is believed that personal information has been handled inappropriately, the customer possesses the right to file a complaint with the competent authorities. For further details, see Chapter 2, “9. Lodging a complaint with an authority.”

5. Data sharing necessary to provide products and services

The Company’s products and services may be provided with the cooperation of other companies or organizations, and may involve the sharing of personal information with third parties in order to carry out operations. These third parties include the following:

  • ANA Group companies
  • Bodies with which the sharing of personal information is obligatory under laws and regulations
    Governmental organizations, law enforcement agencies, courts, customs authorities, immigration agencies, third-party bodies, etc.
  • Service providers
    Companies contracted for handling for ANA flights, partner airports and airlines, service providers, marketing partner companies, etc.
    If the Company entrusts a service provider with handling data, personal information shall be handled in accordance with an agreement that fulfills the requirements of applicable data protection laws.

6. Marketing communication

The Company sends marketing information as needed in order to inform customers who wish to receive news and details about products and services. Information is only sent to customers who consent to receiving marketing information, as well as customers who have purchased a product or service of the Company and have not selected to opt out of marketing despite having the opportunity to do so.

7. Retention and transfer of personal information

The Company is located in Japan. Many of the service providers and other organizations with whom the personal information of customers is shared are located within jurisdictions outside of the EEA and U.K. The European Commission has recognized that Japan has an adequate level of protection for personal information.
When the Company provides personal information to a third party, it occurs in compliance with the requirements of data protection laws, including the EU-Japan adequacy decision and the laws and regulations of Japan. However, note that in countries outside the EEA and U.K., the personal information of customers may not be protected under domestic law. If a customer wants further information on where their personal information is retained or to whom it is transferred, the customer should use the contact information provided in Chapter 1, “12. How and where to submit a request for disclosure, etc.”

8. Retention of personal information

The Company retains customer’s personal information until the Company achieves the purpose for which it is used, and has established the following retention periods for personal information. With regard to other personal information, the retention period is determined according to the information’s properties and the purpose of retention, with consideration given to such matters as legal and accounting requirements and the operational needs of the Company.

  • Personal information on ANA Mileage Club members
    Until the member leaves the ANA Mileage Club
  • Other personal information
    The period necessary for the agreed purpose of use

9. Lodging a complaint with an authority

Customers have the right to lodge a complaint on the processing of their personal data with the data protection authority having jurisdiction over their residence.
EEA residents: Contact the supervisory authority in your country of residence.
Details are on the European Data Protection Board’s website (https://edpb.europa.eu/about-edpb/board/members_en Opens in a new window. ).
U.K. residents should contact the Information Commissioner (www.ico.org.uk Opens in a new window. ).

10. The contact information of Controller of personal data and data protection officer

Controller of personal data: ALL NIPPON AIRWAYS TRADIG CO., LTD.
Address: Shiodome City Center, 1-5-2 Higashi-Shimbashi, Minato-ku, Tokyo, Japan
The Company’s data protection officer: ml_notice_privacy @ anatc.com (Please delete the spaces before and after the @ symbol.)

Chapter 3. Handling of personal information of residents of China at ANA

Besides Chapter 1, Chapter 3 also shall be applied to the handling of personal information of persons residing in People’s Republic of China (hereinafter, “China”) based on the Personal Information Protection Law of the People’s Republic of China (中华人民共和国个人信息保护法) and related regulations (hereinafter, “PIPL, etc.”) In the event that any provisions of this chapter contradict those of chapter 1, the provisions of this chapter shall prevail.

1. Introduction

A guardian’s consent or permission must be obtained in the event that a customer under the age of 18 uses the Company’s service and consents to this Privacy Policy. The data subject’s consent (or the consent of their guardian, in the case the data subject is a minor under the age of 14) to this Privacy Policy must be obtained in the event that a person such as family member apply for the Company’s service on behalf of the data subject.

2. Acquisition of sensitive personal information

The Company may handle personal information that could be classified as sensitive personal information in PIPL, etc., such as passport information, health information, payment information, accommodation information, etc. for the purpose of use. The Company recognizes that the leakage or illegal use of customers’ sensitive personal information may adversely affect their interests (e.g., It could easily bring about damage to personal dignity, or harm the safety of body or property), and will therefore strictly manage and legally handle such information in order to prevent its leakage or illegal use.

3. Retention period for personal information

The Company retains customer’s personal information until the Company achieve the purpose for which it is used, and has established the following retention periods for personal information.

  • ANA Shopping A-style member information
    Until the information provided when using ANA Shopping A-style is stopped or deleted by the following method (4) and the procedure is completed.
  • Other personal information
    The minimum period necessary for the agreed purpose of use
  • Personal information on ANA Mileage Club members
    Until the member leaves the ANA Mileage Club

4. Technology and measure to protect customers’ personal information

  • The Company takes security measures to protect customers’ personal information from leakage, loss or damage.Specifically, the Company takes the following measures to protect customers’ personal information.

    • The Company has established and is implementing an internal control system and operation rules regarding the protection of personal information.
    • The Company manages the classification of personal information.
    • The Company develops website with https and sets SSL encryption to secure important customers’ data (credit card information, etc.) communication between the customers’ web browser and the server.
    • The Company uses encryption technology for protecting personal information.
    • The Company sets reasonable access rights and controls access so that unauthorized persons cannot access personal information.
    • In order to raise employee awareness of the importance of protecting personal information, the Company provides education and training on security and privacy protection.
    • The Company has established and is making arrangements for the operation of an emergency response plan to respond to incidents involving personal information.
  • The Company will take all reasonable and practicable steps to ensure that no irrelevant personal information is collected. The Company will only retain customers’ personal information for the minimum period of time required to achieve the purposes stated in this Privacy Policy, unless an extension of the retention period is required or permitted by law.
  • In the event of personal information being at risk, the Company will promptly inform customers of the relevant circumstances of the incident in accordance with the requirements of the PIPL, etc. and report to the regulatory authorities.

5. Requests concerning the handling of personal information

In the event that the Company receives a request for personal information held by the Company on a customer who is a resident of China, the request shall be handled as follows according to the PIPL, etc. within a reasonable timeframe and manners, in addition to the provisions of Chapter 1, “11. Requests concerning the handling of personal information”. And when handling such a request, the Company may first confirm that the request was personally submitted by the customer.

  • Request for withdrawal
    If the Company is relying on consent to process your personal information, you have the right to withdraw that consent.
    The Company will erase the items of personal information specified by the customer in accordance with the customer’s request, wherever possible and appropriate.
    However, please note that such erasure may prevent customers from being provided with services that they had utilized, or may impede the provision of services in accordance with their wishes.
  • Request for interpretation and explanation of our Privacy Policy
    You have the right to request interpretation and explanation of this Privacy Policy.
  • Methods for submission of requests
    Customers may submit requests with the following method and contact information.
    • 1) Submission of requests
      (Online)
      Fill out an inquiry form at the Company’s website (https://www7.webcas.net/form/pub/anatchp/form Opens in a new window. ) to contact the controller of the personal data (see Chapter 1, “12. How and where to submit a request for disclosure, etc.,” “(2) Submitting a request”).

    • 2) Contact Us
      Email: ml_notice_privacy @ anatc.com (Please delete the spaces before and after the @ symbol.)
      Tel: Japan +81-3-6735-5011(charge)

6. Provision to third parties and transfer to outside of China

The Company will provide customers’ personal information to third parties (including provision to data sharing partners and to entrusted companies involving transfer outside of China) in accordance with the PIPL, etc.

7. Change of purposes of use of personal data

In the case of a change to the purposes of use of personal information, the Company will announce the revised Privacy Policy in advance on the Company website (https://www.anatc.com/privacy_policy/) and the Company will use personal information in accordance with the new purposes of personal information after obtaining consent from customers.

8. Basic information on the controller of personal information

ALL NIPPON AIRWAYS TRADING CO., LTD.
Address: Shiodome City Center, 1-5-2 Higashi-Shimbashi, Minato-ku, Tokyo, Japan

Chapter 4. Handling of personal information of California residents at the Company

In addition to the provisions of Chapter 1, those of Chapter 4 also apply to the handling of personal information of persons residing in the U.S. State of California, based on the California Consumer Privacy Act of 2018 (CCPA). In the event that any provisions of this chapter contradict those of Chapter 1, the provisions of Chapter 4 shall prevail.
Chapter 4 uses the terminology defined by the CCPA. In particular, “sale” refers to when the Company sells, lends, publicizes, discloses, disseminates, provides access to, transfers, or otherwise communicates by spoken, written, or digital means, the personal information of a customer to another enterprise or third party, in exchange for money or other item(s) of value. Note that under the CCPA, these acts do not qualify as a “sale” if the Company has concluded a proper agreement on the handling of personal information with an enterprise or third party.

1. Acquisition and use of personal information

The table below provides the established types of customers’ personal information that could be collected by the Company in the future or that has been so collected in the preceding 12 months. For the purpose established in Chapter 1, “3. Purpose of using personal information,” the Company shall acquire any type of personal information directly from customers.

Types of personal information acquired Examples of personal information
Identifiers (names, codes, etc. used to uniquely differentiate between specified persons) The customer’s name, address, telephone number, fax number, mailing address, email address, passport information, ANA Mileage Club membership number, etc.
Information on the customer’s body or illnesses in relation to boarding, credit card number, payment information including credit/debit card or other details on means of payment, etc.
Characteristics of classification under California state law and federal law Dietary restrictions, etc.
Commercial information ANA Mileage Club card type; member service qualification; membership area; mileage status; credit card expiration date; credit card usage history and related information; need for a wheelchair or other special arrangements; flight reservation and cancellation information; boarding status and service use; boarding information and destination from ANA and other airlines; itineraries and other arrangements and details on status of arrangements from other transportation systems; information in communications with customers; contents of inquiries, requests, and opinions; etc.
Information on activity on the internet and other digital networks Information such as that on how the customer uses the Company’s website and mobile app, including, for example, cookies and website activity logs
Information on occupation or employment The customer’s business contact information (company, department, section, position, address, telephone number, fax number), etc.

2. Sharing personal information

  • Sale of personal information
    The Company does not sell customers’ personal information (including the personal information of minors) to third parties and has not sold personal information in the past 12 months.
  • Disclosure of personal information for business purposes
    The table below provides the types of customers’ personal information disclosed for business purposes in the past 12 months and the third parties to whom it is disclosed.
Types of personal information acquired Examples of personal information Disclosures of personal information to third parties in the past 12 months
Identifiers (names, codes, etc. used to uniquely differentiate between specified persons) The customer’s name, address, telephone number, fax number, mailing address, email address, passport information, ANA Mileage Club membership number, etc. ANA Group companies, companies contracted for handling for ANA flights, partner airports and airlines, service providers, marketing partner companies, governmental organizations, law enforcement agencies, courts, customs authorities, immigration agencies, third-party bodies, etc.
All types of personal data subject to California Customer Records Act (Cal. Civ. Code Sec. 1798.80 (e)) Information on the customer’s body or illnesses in relation to boarding, credit card number, payment information including credit/debit card or other details on means of payment, etc. ANA Group companies, companies contracted for handling for ANA flights, partner airports and airlines, service providers, marketing partner companies, governmental organizations, law enforcement agencies, courts, customs authorities, immigration agencies, third-party bodies, etc.
Characteristics of classification under California state law and federal law Dietary restrictions, etc. ANA Group companies, companies contracted for handling for ANA flights
Commercial information ANA Mileage Club card type; member service qualification; membership area; mileage status; credit card expiration date; credit card usage history and related information; need for a wheelchair or other special arrangements; flight reservation and cancellation information; boarding status and service use; boarding information and destination from ANA and other airlines; itineraries and other arrangements and details on status of arrangements from other transportation systems; information in communications with customers; contents of inquiries, requests, and opinions; etc. ANA Group companies, companies contracted for handling for ANA flights, partner airports and airlines, service providers, marketing partner companies, governmental organizations, law enforcement agencies, courts, customs authorities, immigration agencies, third-party bodies, etc.
Information on activity on the internet and other digital networks Information such as that on how the customer uses the Company’s website and mobile app, including, for example, cookies and website activity logs ANA Group companies, service providers, marketing partner companies, governmental organizations, law enforcement agencies, courts, customs authorities, immigration agencies, third-party bodies, etc.
Information on occupation or employment The customer’s business contact information (company, department, section, position, address, telephone number, fax number), etc. ANA Group companies, service providers, marketing partner companies, governmental organizations, law enforcement agencies, courts, customs authorities, immigration agencies, third-party bodies, etc.

3. Requests concerning the handling of personal information

Residents of California possess the following rights concerning their personal information.

  • Right to access
    The customer possesses the right to request from the Company the disclosure of the following information in relation to the Company’s acquisition, use, and disclosure of the customer’s personal information a maximum of two times within the 12 months preceding the request (hereinafter “right to access”).
    • The types of personal information on the customer which the Company obtained
    • Sources by which said personal information was obtained
    • The business or commercial purpose of acquiring said personal information
    • The types of third parties with whom said personal information was shared
    • The specific personal information on the customer obtained by the Company
    • The types of personal information on the customer which the Company has disclosed for business purposes
    • The types of third parties to whom each type of said personal information has been disclosed
  • Right to deletion
    The customer possesses the right to request the deletion of certain personal information obtained from the customer by the Company (hereinafter “right to deletion”).

When exercising the aforementioned right to access or right to deletion, submit your request or make contact as provided below. The Company shall respond to a customer request within a timeframe and manner in accordance with relevant laws and regulations. Requests shall be answered after verifying identity.

  1. 1) Submission of requests
    (Online)
    Fill out an inquiry form at the Company’s website (https://www7.webcas.net/form/pub/anatchp/form Opens in a new window. ) to contact the controller of the personal data (see Chapter 1, “12. How and where to submit a request for disclosure, etc.,” “(2) Submitting a Request”).

    (Tel)
    Japan +81-3-6735-5011
    (Please make a collect call)

  2. 2) Means of verifying identity

    <For the individual>
    If the customer exercises the right to access or right to deletion, the Company shall first request that sufficient information be provided to verify the customer’s identity (e.g. the customer’s name and email address), then compare the information provided by the customer with the information which the Company already possesses to verify the customer’s identity.

    <For a representative>
    In addition to the identity verification of the individual described under “<For the individual>,” power of attorney must be submitted. In addition, the Company may directly contact the customer for confirmation that the customer has granted the representative the authority to exercise the right to access or right to deletion.

As a rule, the Company does not discriminate in its handling of customers who make requests, such as by altering the provision of service. However, please note that the deletion of personal information may prevent customers from receiving services which customers have been provided with, or may impede the provision of services in accordance with such requests.

Chapter 5. Handling of personal information of Thai residents

1. Introduction

Chapter 5 explains the collection, use, or disclosure (hereinafter, collectively referred to as “handling” in this Chapter) of personal information belonging to customers who reside in the Kingdom of Thailand (“Thailand”) in accordance with the Personal Data Protection Act of Thailand B.E. 2562 (A.D. 2019) (“PDPA”).
If consent is required for handling of personal information relevant to the use of the Company’s services, etc. of a customer who is a minor, person with limited (qualified) legal capacity or legally incapacitated person under the law of Thailand and cannot lawfully give consent by themselves, consent or permission of the person exercising parental power, or the customer’s guardian or custodian (as the case may be), must also be obtained in addition to the consent of the customer. If the customer is under the age of 10, only the consent or permission of the person exercising parental power must be obtained.
If the Company is not aware that the customer is a minor, person with limited (qualified) legal capacity or legally incapacitated person prior to the collection of their personal information, upon learning that we have collected personal information of a minor without the consent of the person exercising parental power (when it is required and the minor cannot lawfully give consent by themselves), or from a person with limited (qualified) legal capacity or legally incapacitated person without the consent of their guardian and custodian, we will delete the personal information at the earliest convenience unless we can rely on other legal grounds apart from consent for such handling.
The customer’s consent to this Privacy Policy must be obtained even in the event that a family member of the customer, or an agent authorized to act on the customer’s behalf, applies for the Company’s service, etc. on behalf of the customer.
In the event that any provisions of this Chapter 5 contradict those of Chapter 1, the provisions of Chapter 5 shall prevail.

2. Controller of personal information

The Company is the controller of the customer’s personal information.
In accordance with the PDPA, the Company safeguards the personal information that is collected and used via controllers (i.e. those who decide the method and purpose for handling the customer’s personal information) and handlers (those who act according to the written directions of controllers).

3. Legal basis for handling personal information

In accordance with the PDPA, the Company safeguards the customer’s personal information by handling it only within the scope required for a specific purpose of use (as provided in Chapter 1, “3. Purpose of using personal information”).
The Company handles the customer’s personal information according to the following legal bases.

  • If the customer consents to the handling (PDPA, Article 19): Consent normally only applies to handling related to promotions and marketing, as well as, depending on the situation, handling related to sensitive information.
  • When necessary to take measures for the purpose of performing or concluding a contract (PDPA, Article 24 (3)): This normally serves as a basis for handling customer information (such as the customer’s identity, contact information, payment information, or itinerary) that is absolutely essential for the Company to provide a service, etc.
  • If the Company must handle the information to comply with a legal obligation (PDPA, Article 24 (6)): This includes the sharing of personal information with bodies such as customs authorities, immigration agencies, and law enforcement agencies, legal obligations to customers or employees of the Company, etc.
  • If there is a medical emergency or other need to safeguard the life of the customer or a third party (PDPA, Article 24 (2)).
  • If the Company or a third party must handle personal information for the purpose of legitimate interests, and the basic rights relating to the customer’s personal information under laws and regulations do not supersede these interests. (PDPA, Article 24 (5))

This includes the use of personal information necessary for operating the Company’s business, as well as the use of personal information necessary to maintain, develop, and improve the Company’s products and services and to provide the customer with the best experience, within the scope permitted by the PDPA.

4. Requests concerning the handling of personal information

  • The PDPA recognizes the following legal rights for the customer.
    • A) Requests for disclosure
      The customer may request a copy of the customer’s personal information in the possession of the Company and details on its handling.
    • B) Requests for corrections and updates
      After reviewing the request, corrections and updates shall be performed, if possible.
    • C) Requests for deletion
      The customer may request the full or partial deletion, destruction or anonymization of the customer’s personal information in the possession of the Company. Upon reviewing the request, the Company shall delete the information if the information is unnecessary or the law precludes the continued storage of the information.
    • D) Forwarding personal information
      The customer may request a copy of personal information that is structured and in a generally machine-readable format. The request to forward personal information may be made only with respect to personal information obtained from the customer by the Company that is handled by automated means based on the consent of the customer or for the purpose of performing a contract.
    • E) Formal objections to handling
      The customer may voice an objection to handling that is for the legitimate interests of the Company or a third party, or handling that is for the purpose of direct marketing. The Company shall discontinue the handling of the customer’s information, provided that the handling for the legitimate interests of the Company or a third party does not have a provable legitimate basis that prioritizes the interests of the customer. If the customer’s objection is against direct marketing, the Company shall discontinue handling.
    • F) Limitations on methods of using personal information
      The customer may limit the use of the customer’s personal information by the Company under specific circumstances. If a limitation is applied, the handling of the customer’s personal information (excluding storage) shall be performed legitimately, provided that the customer’s consent is obtained or that doing so is necessary for a legal claim, protecting specified rights, or for the sake of an important public good.
    • G) Right to withdraw consent
      If the customer’s personal information is handled with consent, the customer possesses the right to withdraw consent at any time. However, the withdrawal of consent shall not retroactively affect the handling of the customer’s personal information for which they had already legally consented prior to the withdrawal of such consent.
    • Note that the aforementioned right is not absolute and that it does not necessarily apply to all situations. In addition, depending on the circumstances, if a legal exception applies, then a request may be refused. If a request is refused, the reason therefore shall be provided with the response.
      Records of requests to the Company shall be kept so as to enable confirmation of the Company’s compliance with legal obligations.

  • Submitting a request

    The customer may exercise rights at no cost (unless the Company is permitted under the PDPA to charge the customer a fee). Below are the method for submitting a request and contact information.
    (Web)
    Fill out an inquiry form at the Company’s website (https://www7.webcas.net/form/pub/anatchp/form Open in a new window ) to contact the controller of the personal data (see Chapter 1, “12. How and where to submit a request for disclosure, etc.,” “(2) Submitting a request”).

  • Responses to a request

    After receiving a request from the customer, the Company shall normally respond within one month. In addition, the Company may, as necessary, request identity verification or proof of authority to submit a request as a representative (in the event that the customer makes the request through a third-party representative). If the request is especially complex or there are multiple requests, a detailed response may take time. In addition, please note that there are exceptions to the aforementioned rights and there may be cases in which rights cannot be exercised.
    If the customer is not satisfied with the Company’s response to a request, or if it is believed that personal information has been handled inappropriately, the customer possesses the right to file a complaint with the Personal Data Protection Committee of Thailand. For further details, see Chapter 5, “9. Lodging a complaint with an authority.”

5. Data sharing necessary to provide products and services

The Company’s products and services may be provided with the cooperation of other companies or organizations, and may involve the sharing of personal information with third parties in order to carry out operations. These third parties include the following:

  • ANA Group companies
  • Bodies with which the sharing of personal information is obligatory under laws and regulations: Governmental organizations, law enforcement agencies, courts, customs authorities, immigration agencies, third-party bodies, etc.
  • Service providers: Companies contracted for handling for ANA flights, partner airports and airlines, service providers, marketing partner companies, etc.

If the Company entrusts a service provider with handling data, personal information shall be handled in accordance with an agreement that fulfills the requirements of the PDPA.

6. Marketing communication

The Company sends marketing information as needed in order to inform customers who wish to receive news and details about products and services. Information is only sent to customers who consent to receiving marketing information.

7. Retention and transfer of personal information

The Company is located in Japan. Many of the service providers and other organizations with whom the personal information of customers is shared are located within jurisdictions outside of Thailand.
When the Company provides personal information to a third party, it occurs in compliance with the requirements of the relevant laws and regulations of Japan and the PDPA. However, note that in countries outside Thailand, the personal information of customers may not be equally protected under domestic law. If a customer wants further information on where their personal information is retained or to whom it is transferred, the customer should use the contact information provided in Chapter 1, “12. How and where to submit a request for disclosure, etc.”

8. Retention of personal information

The Company retains customer’s personal information until the Company achieves the purpose for which it is used, and has established the following retention periods for personal information. With regard to other personal information, the retention period is determined according to the information’s properties and the purpose of retention, with consideration given to such matters as legal and accounting requirements and the operational needs of the Company.

  • Personal information on ANA Mileage Club members
    Until the member leaves the ANA Mileage Club
  • Other personal information
    The period necessary for the agreed purpose of use

Please note that the Company may retain the customer’s personal information for a longer period than mentioned above if it is for the purpose of filing legal claims or raising the defense of legal claims, or the purpose for compliance with laws and regulations.

9. Lodging a complaint with an authority

Customers have the right to lodge a complaint on the processing of their personal data with the Personal Data Protection Committee of Thailand.

10. The contact information of Controller of personal data and data protection officer

Controller of personal data: ALL NIPPON AIRWAYS TRADING CO., LTD.
Address: Shiodome City Center, 1-5-2 Higashi-Shimbashi, Minato-ku, Tokyo, Japan
The Company’s data protection officer: ml_notice_privacy @ anatc.com (Please delete the spaces before and after the @ symbol.)

(Current as of August 2022)