2.2 | Compliance and Risk Management

2.2.9 Privacy Protection

1. Basic policy

In the Fujifilm Group Code of Conduct, which sets out how employees in Japan and other countries should conduct themselves, we recognize the protection of personal data as an important human rights issue. We require each of our Group companies to establish personal data protection policies and privacy policies that include provisions shared by the entire Group. The entire Group maintains a personal data protection policy based on OECD Privacy Principles. These policies are also being implemented at suppliers and contractors of the Fujifilm Group and cover the entire supply chain.

2. Promotion structure

Based on the Privacy Policy, the Fujifilm Group established the Global Personal Information Protection Regulations and the Personal Information Management Regulations to specify the methods of handling personal data. The General Manager of the ESG Division is appointed as the officer responsible for building and maintaining the personal data protection structure.

The policies and targets related to the group-wide personal data protection are determined by the ESG Committee, chaired by the president of FUJIFILM Holdings, and its report is submitted to the Board of Directors regularly. The Board of Directors is responsible for monitoring group-wide compliance and risk management, including protection of personal data, as one of the priority issues. In this way, we ensure the effectiveness of the process.

After the ESG Committee has determined policies concerning personal data protection, the ESG Division of FUJIFILM Holdings takes responsibility for overall management of such policy implementation and other privacy protection.
The ESG Division’s tasks include dissemination of the policies and targets, implementation of such policies, inspecting the implementation and management status, promoting details of the Personal Information Management Regulations among employees, and providing instructions and advice to managers of organizations that handle personal data.

Among the risks identified each year, protecting personal information is recognized as a priority risk for the entire Group, with action required by law, including development and implementation of a management system. In addition, the officers responsible for personal information management at each organization in our Group companies and organizations are continually instigating measures to protect personal information. The companies with ISMS certification or the Privacy Mark certification are implementing improvement activities using regular audits by external audit firms and the audit results.

3. Employee training

Please refer to 2.2.8-2 (4) Employee training.

4. Appropriate handling of personal data

The Fujifilm Group has established the Policy on Personal Information Protection, Privacy Policy and internal regulations on the handling of personal data (such as the Global Personal Information Protection Regulations and the Personal Information Management Regulations and various guidelines) to implement appropriate safety management measures and protect personal data held by the Group. Updates on its Personal Information Protection Policy and Privacy Policy are disclosed on the Fujifilm website, and the appropriate consent of the person in question is acquired where required by law. Also, secondary use of customer data is prohibited by our internal regulations.

Once a year, each business division conducts an inventory of the personal data held by the division, to confirm and correct safety control measures and to perform other procedures, such as the deletion of personal data that is no longer necessary.
The inventory status for each organization is audited by the ESG Division of FUJIFILM Holdings.

In the work regulations, punitive action is imposed on any employee who takes company information outside of the company without authorization. At the same time, near-miss cases, including those that have occurred in other companies, are shared as a caution and to raise awareness. We take various measures to prevent information from being taken out of the company, to assure protection of personal data.

When a government organization requests disclosure in compliance with the law, we confirm the details of the request and the applicable law in deciding the most appropriate way to protect personal data.

44 FUJIFILM Holdings Corporation Sustainability Report 2023