Preface
NICHIDENBO CORPORATION (hereinafter referred to as the “Company”) values the protection of personal data belonging to customers, employees, and all stakeholders. The Company establishes management mechanisms in accordance with the Personal Data Protection Act (“PDPA”) to ensure the confidentiality, integrity, and availability of personal data.
To implement personal data governance, strengthen internal controls, and protect the rights of data subjects, this Policy is enacted as the basis for the Company’s collection, processing, and use of personal data.
Article 1 Scope of Application
This Policy applies to the collection, processing, and use of personal data conducted by the Company, its subsidiaries, and its affiliates in the course of business operations. It covers customers, employees, job applicants, suppliers, shareholders, and other business contacts.
Employees who violate this Policy shall be handled in accordance with internal company regulations. This Policy may be amended from time to time depending on changes in laws, business needs, or operational requirements. Any amendments will be publicly announced on the Company website.
Article 2 Collection of Personal Data
The Company may collect or obtain personal data under the following circumstances:
- When personal data is voluntarily provided by the data subject, including resumes, orders, contracts, or contact information.
- When personal data is obtained based on contractual or business relationships.
- When personal data is lawfully obtained from publicly available information or third parties.
- When personal data is generated from the data subject’s use of the Company’s website, participation in activities, or use of services.
When collecting personal data, the Company will clearly inform the data subject of the purpose of collection, the categories of data, the period, area, recipients, and methods of use, the rights that may be exercised by the data subject and the means for exercising such rights, and any impact on the data subject’s rights if the data is not provided.
If the collected personal data is not supplied by the data subject, the Company will inform the data subject of the data source and other relevant matters before processing or using the data.
Article 3 Personal Data Established by the Company
The Company may establish records related to business interactions with the data subject, including transaction records, interaction records, customer service records, and contract performance documents, and may use such data within a reasonable scope in accordance with applicable laws and business needs.
The Company values the accuracy of personal data. If incorrect data is identified, the Company will proactively correct or supplement the data, or make corrections upon request by the data subject.
Article 4 Categories of Personal Data
The personal data the Company may collect includes: name, date of birth, national identification number, passport number, contact information, website usage data, and other information that may directly or indirectly identify an individual.
If sensitive or special categories of data are involved (e.g., health examination results, medical records, or criminal records), such data will only be collected or processed within the necessary scope after obtaining the explicit written consent of the data subject or when permitted by law. Enhanced security measures will be applied for such data.
Article 5 Processing of Special Categories of Personal Data
In principle, the Company does not proactively collect, process, or use special categories of personal data.
If such collection, processing, or use is required by law or consented to by the data subject, the Company will follow lawful procedures and adopt management measures to prevent unauthorized alteration, disclosure, or misuse of such data.
Article 6 Purposes and Principles of Use of Personal Data
The Company collects and uses personal data for the following purposes:
- Personnel administration.
- Business and technical information management.
- Planning, management, and performance evaluation.
- Statistical analysis and research
- Education and training.
- Other necessary purposes related to the Company’s business operations.
- When necessary to protect the Company’s legal rights or interests, investigate suspected violations of laws or Company policies, or respond to requests from administrative or judicial authorities.
The Company will use personal data only within the scope of the collection purpose. If the Company intends to use personal data for purposes other than those originally specified, prior consent from the data subject will be obtained, and the data subject will be provided with an option to refuse. Upon refusal, the Company will cease to use the personal data.
Article 7 Provision, Entrustment, and Cross-border Transfer of Personal Data
The Company may provide personal data to the following recipients within the scope of the purposes listed in this Policy:
- Administrative or judicial authorities that have the legal right to request such information.
- Third parties necessary for the performance of contracts.
- Business partners with the consent of the data subject.
If the Company entrusts a third party with the processing of personal data, the Company will ensure that the entrusted party complies with this Policy.
If personal data must be transmitted or stored abroad due to business needs, the Company will adopt appropriate protective measures.
Article 8 Personal Data Security
To ensure the security of personal data, the Company has established a dedicated information security unit, formulated information security policies, and implemented relevant management measures.
If personal data is stolen, leaked, tampered with, or otherwise compromised, the Company will investigate the incident, notify the affected data subjects in an appropriate manner, and promptly implement remedial and preventive measures.
Article 9 Exercising Rights of Data Subjects
The Company respects the rights of data subjects to control their personal data. Data subjects may request access, review, correction, deletion, or cessation of processing or use of their personal data in accordance with applicable procedures.
The Company will respond within the statutory period and may confirm the identity of the requester as necessary to ensure data security.
Article 10 Responsibility and Contact Information
The Legal Department is responsible for overall coordination of personal data protection and legal compliance matters, while the Information Security Department is responsible for information security.
For any questions regarding this Policy, please contact us at:
Legal Department Email: legal@ndb-group.com
Appendix – 2025 Disclosure of Personal Data Protection Implementation Status
Item
Measures and Outcomes
Employee Personal Data & Information Security Training
One personal data and information security training session was conducted in 2025.
Information Security Audit
One information security audit was completed in 2025.
Information Security Incidents
No major information security incidents involving customer information leakage or regulatory penalties occurred in 2025.
Personal Data Incident Management
No customer complaints or legal actions arising from violations of personal data protection occurred in 2025.
Item
Measures and Outcomes
Employee Personal Data & Information Security Training
One personal data and information security training session was conducted in 2025.
Information Security Audit
One information security audit was completed in 2025.
Information Security Incidents
No major information security incidents involving customer information leakage or regulatory penalties occurred in 2025.
Personal Data Incident Management
No customer complaints or legal actions arising from violations of personal data protection occurred in 2025.