Privacy Policy: Identity theft prevention measures

Our aim is to establish a relationship with our customers firmly built on trust by providing high-quality service that meets a myriad of requests. By fully utilizing the ORIX Group's comprehensive power as a member, we deem our customers' privacy as a critically important information asset, and will accumulate it through fair and legal practices, ensuring that it is appropriately used, controlled and protected in accordance with the following policies. The purpose of this document is to publicize our uses and explain our handling measures, pursuant to the provisions of the Act on Identity theft prevention measures.

Purpose behind personal information use

We will only use customer personal information for the following purposes. We will not use any personal information of customers beyond the scope of necessity for achievement of the following purposes without consent of the customer:

  1. In order to respond in a suitable fashion to business discussions with customers, including inquiries from customers and proposals made by the company to customers, in regard to the work performed by the company and which includes real estate transactions (apartment and residential property sales, buying and selling (including buying and selling of real estate trust beneficiary rights), exchange, leasing, and acting as intermediary or agent for any of the above), investigations (preparations) into the implementation of real estate transactions, after service related to real estate transactions, consulting relating to real estate transactions, management and operation services for such facilities as hotels and training centers, real estate related services for health care businesses, and the retail of insurance and other financial products (for full details of the work that we do, please see "Introduction to Business and Services"(,Real Estate-Related Services).
  2. For the purposes of assessment in credit transactions or transactions in which customers have investments, i.e. (investment transactions,) and making appropriate decisions and responses in confirming customers' identity.
  3. For the purposes of appropriate administration and management of contracts with customers and being responsible for management required by law or in order to respond to inquiries after termination of said contracts;
  4. For the purposes of introducing company information, various products and services of our company and ORIX Group companies, and other companies through direct mailing, e-mail, over the phone, and so forth;
  5. For the purposes of utilization in marketing analysis in order to provide customers with better products, services and satisfaction;
  6. For the purposes of conducting various administrational and managerial tasks necessary for company management.
  7. For the purposes of sharing with ORIX Group companies.

If we intend to use any personal information for any purposes other than those listed above, we will specify the purpose of such usage and obtain prior consent from the relevant customer.

Sharing of Personal Data

The ORIX Group responds and meets the various needs of its customers by fully utilizing its comprehensive power under its consolidated management; therefore, we may share personal information of customers held by us with ORIX Group companies. Please refer to the following:

  1. Parties that share personal information
    Companies of the ORIX Group in Japan
    (ORIX Corporation and all companies that based in law have consolidated accounts with ORIX Corporation or are accounted for by the equity-method)
    Among these companies, there are some that have “ORIX” in their name and some that do not. For details on the latter kind, please check the "List of Co-Users".(
    * Companies that share and use personal information are subject to change.
  2. Purposes for sharing personal information
    Co-users use customers’ personal data for the following purposes.
    1. (1) In order for the company and the companies of the ORIX group to perform various management tasks as required as part of management, including understanding of the state of claims and assets and risks.
    2. (2)In order to perform marketing analysis and product & services development in order to provide our customers with better products and services, and greater satisfaction as a result.
    3. (3) In order to introduce and propose the products and services offered by the companies of the ORIX Group (for full details of the work that we do, please see "Introduction to Business and Services"(
  3. Shareable personal data items
    Items required within the scope of the above 2 “Purpose for sharing personal information”, including name, address, date of birth, telephone number, e-mail address, credit-related information (including the customer’s assets, liabilities and other accounts related information, details of collateral, details of payments made in the past, and other items which may be used to determine the customer’s ability to pay), and transaction details (including type of transaction, target property for the transaction, cost, remaining amount to pay and state of payment).
  4. Party responsible for controlling personal data
    ORIX Real Estate Corporation
    2-14-5 Shiba, Minato-ku, Tokyo 105-0014

Compliance with laws

We recognize that for the purposes of identity theft protection, it is necessary that all directors and employees adequately understand laws and regulations and other norms on the handling of personal information and comply with them, and will ensure that said understanding and compliance is thoroughly realized.

Continuous improvement of the compliance program

The company will create a compliance program that includes items on the handling of personal information; and periodically review, maintain and improve it.

Protection and control of personal data

Based on established company rules etc., the personal data of customers is appropriately controlled under the custody of a compliance officer, who is appointed to each department, taking the utmost care to prevent such information from being leaked to the outside. Furthermore, we have taken security measures in an adequate and reasonable level against risks such as unauthorized access from outside, loss, destruction, and falsification.

Commission of handling of personal data

In order to provide better services for customers, we may commission outside persons to perform our business. In this case, we may also commission these persons to perform all or part of our handling of personal data. In selecting such persons to be commissioned, we carefully make evaluations based on our standards for appropriate handling, which have been established in terms of the control of personal data, confidentiality, and restriction on re-commission, prevention of identity theft, etc. Upon contracting these services, we supervise and control such commissioned persons.
Examples of commissioned persons:

  1. (1) In the business of sales for lots and development, construction companies, design firms, management companies, sales companies, interior work companies, companies commissioned to hold previews, moving companies and the like;
  2. (2) In the leasing business, real-estate leasing companies, management companies, and the like;
  3. (3) In real-estate transactions, judicial scriveners, land and house investigators, survey companies, and the like; and
  4. (4) Information processing companies, direct mail posting companies and other companies which are necessary for our business operation.

Provision of personal data to a third party

We will not disclose or provide any personal data of customers held by us to or for any third party without consent of the customer; except, however, in the following events:

  1. It is necessary based on any provision of laws or regulations;
  2. It is necessary for the protection of a person's life, physical safety or property (including a corporation's property) and it is difficult or impractical to obtain the consent of the customer;
  3. It is especially necessary for the improvement of public health or promotion of sound development of children and it is difficult or impractical to obtain the consent of the customer; or
  4. It is required in order to cooperate with a national or local authority or a person appointed by such an authority in its execution of affairs required by law or regulation, within which seeking the consent of the relevant customer may hinder the execution of said affairs.

Notification of purpose of use, disclosure, correction etc. and termination of use etc. of held personal data

  1. Notification of purpose of use of held personal data
    A customer may request that the company provide notification of the purpose of use of any personal data relating to them that is held by the company (hereafter “held personal data”). If a customer requests notification of the purpose of use of any held personal data relating to them then the company shall respond promptly and in accordance with all applicable laws.
  2. Disclosure of personal data held by us
    Any customer is entitled to request us to disclose his/her personal data (held by us) to him/her. If a customer requests us to disclose his/her personal data to him/her, we will appropriately respond without delay according to laws and regulations.
  3. Amendment, etc. of personal data held by us
    If as a result of the disclosure under the above article it is determined that there is an error in the held personal data in question, then the customer may request of the company that the held personal data in question may be corrected, added to or deleted (hereafter “correction etc.”). If a customer requests correction etc. of any held personal data relating to them then the company shall respond promptly and in accordance with all applicable laws.
  4. Suspension of use of personal data held by us
    If a customer requests that the company stop making use of or delete held personal data related to them for the reasons (1) or (2) below, or requests that provision to a third party be stopped for the reason (3) below (hereafter “termination of use etc.”), in the case that it is determined that the reasons behind the request are valid the company shall respond promptly and in accordance with all applicable laws.
    1. (1) If the company uses personal data on a customer for a purpose other than that stated.
    2. (2) If personal data on a customer is obtained in a manner that is not fair and appropriate.
    3. (3) If the personal data on a customer is presented in violation of the abovementioned “provision of personal data to a third party”

In the case that a customer requests notification of purpose of use, disclosure, correction etc. and termination of use etc. of held personal data, it will be necessary to perform identity verification procedures as stipulated by the company and then perform application procedures as stipulated by the company. Furthermore, a processing fee may also be charged. For details of the procedures and fees required, please contact the “Personal Information Inquiry Service” as shown below.

Personal Information Inquiry Service

Personal Information Inquiry Service
ORIX Real Estate Corporation
Service Hours: Monday to Friday, 9:00 am to 5:00 pm (except national holidays and year-end and new year holidays)
Risk Management Department

Phone: +81-80-8904-4241

Update of Privacy Policy

This privacy policy is subject to updates. Please check the date of latest update.
(Date of latest update: May 30, 2017)

Privacy Policy
(Applicable to Processing of Personal Data of Data Subjects in EEA)

This Privacy Policy applies to the processing of Personal Data concerning data subjects in the European Economic Area (“EEA”) by ORIX Real Estate Corporation in accordance with the General Data Protection Regulation (“GDPR”).

To run our business, we process information about you (referred to as “Personal Data”), as prospective and current customers, representatives of our prospects, customers and suppliers, and visitors to our websites.

The protection of Personal Data is important to us. We therefore process any Personal Data entrusted to us, as data controller or data processor, in full compliance with applicable law, in particular, GDPR.

1.Types of Personal Data We May Process
In this Privacy Policy, “Personal Data” means any data relating to an identified or identifiable natural person. We may process Personal Data such as your name, gender, telephone number, email and/or postal address and fixed and/or mobile phone number, date of birth, passport information, information collected through the use of closed circuit television systems and other security systems, information necessary to fulfil special requests (e.g., health conditions that require specific accommodation or services) and any other Personal Data you choose to provide to us.

2.Collection, Use and Disclosure of Personal Data
(1) Purposes of use of Personal Data
We process your Personal Data to achieve the purposes set forth below.

A) Respond in a suitable fashion to customers’ reservations and inquiries and provide various services in our business, which includes accommodation, dining, weddings and product sales (for details, please refer to our website at ,Real Estate-Related Services).

B) Introduce company information, various products and services of our company and ORIX Group companies (ORIX Corporation and all companies that based in law have consolidated accounts with ORIX Corporation or are accounted for by the equity-method), and other companies through direct mailing, e-mail, by phone, and so forth.

C) Conduct marketing analysis to improve customer satisfaction by seeking to provide better products and services for customers.

D) Perform management activities necessary for our operation.

E) In order for us and other companies of the ORIX Group to perform various required management tasks, including understanding the state of claims and assets and risks.

F) Perform marketing analysis and product and services development in order to provide our customers with better products and services, and greater satisfaction as a result.

G) Introduce and propose the products and services offered by the companies of the ORIX Group (for full details of the work that we do, please see "Introduction to Business and Services" (

We may also obtain personal data from our third party service providers and from public sources and combine that with information we collect from you where we believe that it is necessary to help manage our relationship with you.

(2) Legal Grounds for Processing your Personal Data
We may process your Personal Data based on the following legal grounds:

  • To perform your instructions or fulfil the obligations under contracts with you;
  • Based upon your consent expressly given to us, to process the Personal Data in such manner. You may withdraw the consent to this processing at any time; however, this will not affect the lawfulness of any processing activity carried out by us before such withdrawal of your consent.
  • To comply with legal and regulatory obligations; and
  • To further our legitimate interests or those of any third-party recipients of the Personal Data, provided that such interests are not overridden by your interests or fundamental rights and freedoms.
    In relation to the processing of your Personal Data, our legitimate interests include:
  • To benefit from cost-effective services (e.g. using cloud platforms operated by third party suppliers);
  • To offer our products and services to our customers (e.g. by communicating through a newsletter or other marketing materials, in which case we will also comply with applicable rules governing direct marketing);
  • To prevent fraud or criminal activity, misuse of our products or services as well as the security of our IT systems, architecture and networks; and
  • To meet our corporate and social responsibility objectives.

(3) Additional Processing
In the case of processing your Personal Data for purposes other than the foregoing, we will notify you in advance of such purposes and other matters as required by applicable law.

(4) Necessity of providing Personal Data
The Personal Data that you are to provide is necessary for us to provide our services to you. Therefore, without the Personal Data, there may be cases where we will not be able to provide the services to you, in whole or in part.

(5) Retention Period
We will only retain your Personal Data for as long as such Data is necessary to fulfil the purpose for which it was collected to provide the services to you and for any period thereafter as legally required or permitted by applicable law. We will promptly delete your Personal Data when such Data is no longer needed.

(6) Transfer of Personal Data
A) Within ORIX Group
We may transfer your Personal Data to personnel within our Company and to other ORIX Group companies.. Such other ORIX Group companies will either act as another independent controller or will process your Personal Data on our behalf and upon our request (thereby acting as “data processor”). In all cases, the Personal Data will be processed only for the purposes set out above.
For clarity, such affiliate companies within the ORIX Group may or may not “ORIX” in their company name. For details regarding affiliate companies not including “ORIX” in their names, please refer to the "List of Co-Users". (
* Affiliate companies are subject to change.

B) Outside ORIX Group
We may also transfer Personal Data to third parties outside our Company and the ORIX Group, including our (IT) systems, cloud service and database providers, hotel management companies, outside contractors and professionals (including accounting firms, tax firms and law firms), to achieve the purposes set out above, to the extent they need it to carry out the instructions we have given to them or the agreements we have entered into with them.
As data processors or joint controllers, the above third parties enter into an agreement with us to process the Personal Data in compliance with applicable law (including GDPR).

Where required, we may also transfer your personal data to:

  • Any third party to whom we assign or novate any of our rights or obligations under a relevant agreement; and
  • Any national or international governmental or judicial authority, where we are required to do so by applicable law or regulation or at their request, in compliance with applicable law.

C) Outside the EEA
The Personal Data may be transferred to entities in countries or jurisdictions outside the EEA, such as Japan, if required for the purposes described above. Please note that such countries or jurisdictions may not have the same data protection laws as the EEA and that they may not afford many of the rights conferred upon you in the EEA. We will ensure that any such international transfers are made subject to appropriate and suitable safeguards as required by GDPR or other relevant laws. When doing so, we will comply with applicable data protection requirements and take appropriate safeguards to ensure the security and integrity of the Personal Data. This may include entry into the relevant EU standard contractual clauses as approved by the EU Commission prior to such transfer to ensure the required level of protection for the transferred Personal Data. You may request additional information in this respect.

3. Your Rights as a Data Subject

Within the limits and under the conditions set forth in the law (including GDPR), you have the following rights:

  • To access your Personal Data as processed by us and obtain a copy thereof;
  • To request any correction or update thereof;
  • To request the erasure of your Personal Data;
  • To request the restriction of the processing of your Personal Data;
  • To withdraw your consent where we based our processing of your Personal Data on your consent (without such withdrawal affecting the lawfulness of processing prior thereto);
  • To object to the processing of your Personal Data;
  • To request the portability of your Personal Data (i.e. to obtain the Personal Data you have provided to us in a structured, commonly used and machine-readable format and/or to request the transmission of such Personal Data to a third party, without hindrance from us and subject to your own confidentiality obligations).
When we receive a request based on the rights specified above, we will conduct any necessary investigation without undue delay and provide you or a nominated third party with the Personal Data or respond to such rights without undue delay.
Please note that you may raise an objection to the competent data protection authorities having jurisdiction over us or in the location of your usual residence or place of work with regard to the processing of your Personal Data or of an alleged infringement of GDPR.

4. A minor’s consent
Your guardian’s consent or permission must be obtained in the event that you are under the age of 16 and use our service and consent to this Privacy Policy.

5. Inquiries
If you have any questions or concerns regarding this Privacy Policy or our processing of Personal Data, or any requests concerning the exercise of your rights as a Data Subject described in Section 3 above, please contact us at the following:
ORIX Real Estate Corporation
 Risk Management Department
 Orix Shiba 2-chome Building
 2-14-5, Minatoku, Tokyo,
 105-0014, Japan
 [Email address]
 [Phone number]
 Service Hours: Monday to Friday, 9:00 am to 5:00 pm (except national holidays and year-end and new year holidays)

 The contact information for our representative is as follows:
 [Representative’s Name] ORIX Corporation Europe N.V.
 Attn. Secretariat/Privacy matters
 [Address] Weena 850, 3014 DA Rotterdam, The Netherlands
 [Email Address] privacy

6. Revision of this Privacy Policy
We may modify this Privacy Policy when necessary. We will announce the revised Privacy Policy on our website when a revision is made. Please make sure to regularly check the contents of this Privacy Policy. After the Policy is revised, you shall be deemed to have agreed to the revised Policy when you use our services or view this Privacy Policy.

This Privacy Policy is written in the English language and may be translated into other languages. In the event of any inconsistency between the English version and the translated version of this Privacy Policy, the English version shall prevail.

Effective date: 2019.1.1
 ORIX Real Estate Corporation /CEO:Toyonori Takahashi