Personal Information Protection

The JAL Group provides various services, including air transportation, to our customers and handles a large amount of Personal Information daily. Therefore, we regard the protection of Personal Information and Privacy as our top priority. We regularly conduct training on Personal Information and Information Security for all group employees to raise awareness. Additionally, we have established a robust detection and monitoring system to counter increasingly sophisticated and complex external attacks, ensuring comprehensive measures for system defense.

To ensure that our customers can continue to use the JAL Group services with peace of mind, we will continuously evolve our preventive measures from both software and hardware perspectives. All employees will always maintain the awareness that they are entrusted with our valued customers' information and will remain committed to protecting Personal Information and Privacy.

In order to ensure the provision of air transportation services for passengers and cargo, to name a few, the JAL Group considers the importance of information security and the protection of personal information in an advanced information and telecommunications society, as well as the increasing risk of information security affecting flight safety. The JAL Group manages and protects information that the company possesses under the following Group policies.

Information held by the JAL Group refers to all information, including financial , sales , personal, and technical know-how, regardless of the storage medium, such as electronic or paper.

• JAL complies with laws, regulations and guidelines stipulated by administrative bodies.

• JAL will appoint an administrator responsible for information security and personal information protection within the Group, establish a management system, and clarify the division of responsibilities.

• JAL has established and complies with internal policies, regulations and guidelines.

• JAL has implemented information security measures (protection of information assets).
• JAL carries out safety measures and takes steps to prevent inappropriate access to information or the loss, destruction, falsification and leak of information.
• The confidentiality, integrity, and availability of information will be protected within JAL.

• JAL clarifies the roles and responsibilities of employees to ensure information security and personal information protection.
• JAL promotes education and awareness programs for employees and ensures that information is appropriately managed, while striving to improve knowledge and awareness of information management.
• JAL fosters a culture of fair information security and ensure that information is properly managed.

• JAL has selected parties with sufficient experience and competency will be selected when outsourcing information management services to other companies or dealing with suppliers who handle information.
• The contract will stipulate confidentiality obligations and other matters necessary to maintain the JAL Group's information security and personal information protection standards and will require compliance with this policy to ensure that information is properly managed.

• JAL regularly checks to ensure that information is managed appropriately and works to improve operations on a continual basis.
• JAL has implemented initiatives to improve our operations, including continuous investment in information security systems.

• JAL monitors information security threats. In the unlikely event of an accident, JAL endeavors to minimize the damage, quickly releases necessary information and takes all necessary steps to prevent a reoccurrence.

• JAL will set up a contact point to which customers may direct their inquiries, complaints, and requests. JAL will respond quickly and with integrity.

• JAL will be reviewed at regular intervals and disclose its policies on information security and the protection of personal information, including this policy, by posting them on its website.

The management system for Personal Information Protection across the entire JAL Group is overseen by the Group Risk Management Council, chaired by President and CEO Mitsuko Tottori, and its subordinate organization, the Information Security and Personal Information Protection Committee. These bodies manage and promote the risks associated with Personal Information throughout the JAL Group.

Additionally, the Chief Officer responsible for overseeing Personal Information Protection of the JAL Group is the Managing Executive Officer and Senior Vice President - General Affairs. The Risk Management Department serves as the central operational unit for Ppersonal Information Protection, overseeing the entire group. Each department that handles Personal Information appoints a Personal Information Manager to clearly define the responsibility for Personal Information and promote necessary measures to strengthen Personal Information Protection.

To ensure the safety of the valuable Personal Information entrusted to us by our customers, the JAL Group implements various safety management measures, including Organizational safety management measures, Human safety management measures, Physical safety management measures and Technical safety management measures.
In particular, to prepare for cyber attacks from external sources, we collaborate with multiple external specialized agencies to monitor threats such as unauthorized access and virus infections 24 hours a day, 365 days a year. Additionally, we take measures such as restricting internet access for terminals that can access systems handling Personal Information.
Furthermore, since much of the Personal Information is handled by systems, the departments responsible for the JAL Group's overall system infrastructure and business systems have obtained ISO 27001 certification to ensure the safety of Personal Information.

* Any unauthorized use or reproduction of this certificate is strictly prohibited.

In the event of incidents such as Personal Information leaks, we have established a system to promptly set up a response headquarters according to the level of the incident, in accordance with the Risk Management Manual. Additionally, to prepare for cyber incidents, including cyber attacks, we have established the JAL Group CSIRT (Cyber Security Incident Response Team) system, with the Information Security Department's specialized organization serving as the secretariat. This system ensures swift responses and prevents recurrence. Furthermore, to prepare for cyber incidents, we plan and conduct JAL Group CSIRT training sessions at least twice a year.

To enhance employees' awareness of Personal Information Protection and prevent incidents such as Personal Information leaks, we conduct compliance training and information security training for all executives and employees at least twice a year. (These training sessions include content related to Personal Information Protection.) We aiso conduct targeted email training multiple times each year to prevent damage from virus e-mails and business e-mail compromise(BEC).

Personal Information Protection is part of the employee performance evaluation as disciplinary actions will be taken against any violation of Personal Information Protection Regulation which all the employees must comply with.

Face-to-face inspections are conducted for JAL Group companies by the organization responsible for Personal Iinformation to check the status of Personal Iinformation asset management and compliance with Personal Information Protection Regulations. In addition, Internal audits are conducted by the Audit Department from a fair and objective standpoint.