Data Privacy
Protect Data Privacy
Basic Policy
NTT DATA addresses data privacy protection in accordance with the NTT DATA Group Data Protection Policy (DP Policy) while ensuring compliance with various international and national personal data protection regulations, such as the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), the Personal Information Protection Law (PIPL) in China, and the Act on the Protection of Personal Information (APPI) in Japan.
Specifically, we establish guidelines such as a privacy policy, which requires the proper handling of personal information in accordance with these rules, ensuring that personal data is appropriately protected across the entire Group. These standards of conduct also apply to partner companies that we outsource operations to, enabling the proper management of information assets.
NTT DATA recognizes the importance of protecting personal information and ensures the protection and safeguarding of its customers' personal information as a fundamental principle of its business and its responsibility to society. Accordingly, we have established the Personal Information Protection Policy described below and ensure that all our officers, employees, and business partners thoroughly understand and fully comply with the Policy.
- Privacy Statement (Personal Information Protection Policy): Privacy Statement | NTT DATA Group
The NTT DATA Group Corporation's Personal Information Protection Policy states that we will clarify the purpose of use of personal information to the individual and obtain consent, except in cases where there is a risk of harming the rights and interests of the individual or a third party. The personal information obtained will not be used for any purpose other than the one for which consent was given. Furthermore, unless mandated by laws or regulations, we will not provide the obtained personal information to third parties without obtaining prior consent from the individual.
We collect personal information only to the extent necessary to achieve the purpose of use, and after the designated retention period for its use or storage has elapsed, we will promptly dispose of, or return, it.
We implement appropriate safety management measures to protect the personal information obtained from our customers. These measures include organizational measures, technical measures (such as encryption, pseudonymization, de-identification, anonymization, and access control), and physical measures.
In the event that a request is made by an individual regarding their personal data held by us (such as a request for disclosure, correction, addition or removal, suspension of use, or deletion), we will respond in accordance with the prescribed procedures.
- * The content of "Protect Data Privacy" was last updated on Apr 25, 2025.
Information security and data protection compliance programs towards suppliers
We revised the Supplier Code of Conduct in October 2022 to clarify the matters that our suppliers are expected to comply with, in order to promote sustainability and ESG-related initiatives throughout our entire supply chain, and established the NTT DATA Group Supply Chain Sustainability Guidelines. These guidelines have been deployed to all companies, including overseas Group companies. Based on these guidelines, we will continue to inform our suppliers about the items they should comply with in seven sustainability areas: human rights and labor, occupational health and safety, environment, fair business and ethics, quality and safety, information security, and business continuity planning. We will also continue our efforts to enhance suppliers' understanding of NTT DATA's initiatives in these areas.
The guidelines include five items related to information security, which suppliers are required to comply with:
- Provision of products or services that consider information security and data privacy
- Prevention of leakage of confidential information
- Protection of personal information
- Measures against cyber attacks within their own company
- Response to security incidents
We use our own Self-Assessment Questionnaire (SAQ) to check the compliance status of major suppliers with the guideline items, including information security. If a supplier's efforts are judged to be insufficient based on the SAQ results, we conduct on-site inspections through direct dialogue, such as company visits. The target suppliers and items to be checked are reviewed annually.
During these inspections, our aim is to engage in dialogue with suppliers to request the establishment of sustainability management systems and to confirm the identified risk items through the SAQ. In addition, during on-site inspections, we confirm each supplier's initiatives, including information and data security, identify areas of concern, and promote the understanding and adoption of our guidelines.