EU Data Privacy Notice
(“European Privacy Notice”)
Last Updated: January 1, 2025
This EU Privacy Notice is incorporated into and supplements the information contained in our US Privacy Policy and applies to the processing of personal data collected from the European Economic Area (“EEA”) or the UK (collectively, “European Personal Data”) or otherwise within the scope of the General Data Protection Regulation (“GDPR”) or the UK version of the GDPR (“UK GDPR”). It does not apply to personal data collected in other territories.
You can refer to Section 10 (Glossary) for a description of the terms used in this European Privacy Notice.
If you have obtained your JCB card from a third party issuer, then you should also consult their website for their privacy notice which will apply to their processing of your personal data.
JCB International Credit Card Co., Ltd. (“JCB USA”) acknowledges that the protection of personal data is one of our most significant legal obligations.
As described below, this European Privacy Notice applies to the activities of JCB USA in relation to European Personal Data.
This European Privacy Notice sets out what European Personal Data we collect, how we collect it, how we use it, and your rights in connection with how we process your European Personal Data. We and our group companies that process European Personal Data are committed to protecting your European Personal Data as data controllers in accordance with our duties under the GDPR and/or the UK GDPR. This European Privacy Notice applies to all of us and for your convenience you may exercise any of your rights against any of us, and we will ensure it is routed to the correct department.
1. Collection, Use and Legal Basis of European Personal Data
We have set out below, in a table format, a description of the types of European Personal Data we collect, the sources we collect it from, how we plan to use your European Personal Data, which are the legal basis we rely on to do so.
| Categories of European Personal Data | Source of European Personal Data | Use | Legal Basis |
| Payment transaction data relating to card payment by cardholders including card data (card number, expiry date and security information), transaction information (time, date, currency and amount), and merchant data (name and location). | Use of a JCB proprietary card, franchised issuer card and third party issuer card.
Merchants and acquirers. |
Authorize, settle and process transactions for JCB proprietary cards and franchised issuer cards. | Contract for JCB proprietary card and franchised issuer card.
Legitimate interests for third party issuer card. |
| Support the operations of affinity partners of JCB proprietary cards and franchised issuer cards. | |||
| Process data related to managing merchants, acquirers, franchised issuers, third party issuers and deal with queries. | |||
| Support the acquirer’soperations. | |||
| Develop new products and services for our business. | |||
| Data on dispute resolution including card number, cardholder data (name, email address, phone number, etc.), transactional data (time, date, and amount), merchant-related data (name and location), and sales slips. | Cardholder.
Use of a JCB proprietary card, franchised issuer card and third party issuer card. Franchised issuers, third party issuers, acquirers and merchants. |
Mediate or arbitrate disputes among JCB cardholders, issuers, acquirers or merchants for resolution. | Contract for disputes with JCB proprietary card and franchised issuer cardholder.
Legitimate interests for disputes with third party issuer cardholder. |
| Monitoring and/or protecting against fraudulent transactions. | Use of a JCB proprietary card, franchised issuer card and third party issuer card.
Franchised issuers, third party issuers, acquirers, risk based authentication solution providers and merchants. |
Monitor and/or protect fraudulent transactions. | Legitimate interest of complying with laws and regulations that apply to us or other legal obligations. |
| Authentication of transaction data relating to identifying cardholders through J/Secure authentication service including purchase information (card number, date, time, currency, amount, cardholder’ billing address, shipping address, cardholder’s name, cardholder’s email address and cardholder’s phone number), merchant data (name and location) and cardholder’s internet-connected device information (IP address, location data, OS type, OS language, device ID, SIM information, and hardware serial number) (collectively, ‘Attribute Information’)
Location data and IP address relating to providing merchants and ATMs locator services.*1 |
Use of a JCB proprietary card, franchised issuer card and third party issuer card.
Merchants. Cardholder’s internet-connected devices. Use of JCB websites and mobile applications. |
Provide acquirers with J/Secure authentication service | For JCB proprietary cards and franchised issuer cards: contract and legitimate interests of complying with laws and regulations that apply to us, though for example: Detection, investigation, assessment, monitoring and prevention of fraud and other crime; mitigation of financial and business risk; and/or compliance with anti-money laundering (AML), counter-terrorism financing (CTF), anti-bribery and corruption (ABC) and similar laws.
For JCB proprietary cards and franchised issuer cards: contract. For the risk based authentication solution provider’s use please see their data privacy notice. |
*1 Where noted the processing of certain categories of European Personal Data may not be subject to GDPR or UK GDPR when the cardholder’s internet-connected device is physically used in territories other than the EEA or UK.Other European data protection laws such as the e-Privacy Directive (2002/58/EC) may apply when the cardholder’sinternet-connected device, the merchant and JCB are all within the EEA or UK.
Please note that depending on the purpose for which we use your European Personal Data, we may rely on more than one legal basis for processing. When we rely on legitimate interest, we do so because we have determined that this processing is required to be performed by us or a third party controller to ensure the safe and effective working of your JCB card and the settlement of transactions or it is in our legitimate business interest. In making this determination we have considered your rights under European data protection law and balanced them against our legitimate interests. If you have any queries, you can contact us at the email address listed in Section 11 (Contact Us) of this European Privacy Notice.
Generally we don’t rely on your consent as a legal basis for processing other than in relation to sending direct marketing communications to you or collecting your location data through interaction with JCB websites and mobile applications. You have the right to withdraw your consent at any time (for more information on this see Section 6(4) (Right to stop your European Personal Data being used for direct marketing purposes below)).
We may use your European Personal Data for purposes other than the ones listed above. Should this be the case, we will inform you of the purpose in accordance with applicable laws and regulations.
2. Recipients
In order to achieve our purposes set out in the table above, we may share your European Personal Data with the following categories of recipients:
(1) franchised issuers;
(2) third party issuers;
(3) affinity partners;
(4) merchants;
(5) acquirers;
(6) service providers;
(7) risk based authentication solution providers; and
(8) public bodies.
We require all third parties who process European Personal Data on our behalf to respect the security of your European Personal Data and to treat it in accordance with their contractual or legal obligations.
We may need to share your European Personal Data with more recipients than the ones listed above. Should this be the case, we will inform you of the change in accordance with applicable laws and regulations.
3. Automated decision making
Automated decision making takes place when our electronic systems process European Personal Data to make a decision about you or your business without human intervention. We are allowed to use automated decision making in the following circumstances:
(1) authorizing transactions; *4;
(2) authenticating transactions; *4;
(3) detecting suspicious transactions *5; and
(4) preventing and monitoring fraudulent transactions. *5.
*4 For the JCB proprietary cards and franchised issuer cards only.
*5 For the JCB proprietary cards, franchised issuer cards and third party issuer cards.
You will not be subject to decisions that will have a legal or significant impact on you based solely on automated processing, unless we have a lawful basis for doing so and we have notified you. For more information on your rights in connection with automated decision making, please see Section 6(8) (Right not to be subject to decisions based solely on automated processing below).
4. If you fail to provide European Personal Data
Where we need to collect European Personal Data by law, or under the terms of a contract we have with you, and you fail to provide the data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with card services). If that is the case, we may have to cancel a product or service you have with us.
5. International Transfer of European Personal Data
JCB USA is a USA company, and in order to provide you with our services we will process data in the USA and Japan. Transferring European Personal Data to the USA and Japan is necessary for the purposes of use set out in Sections 1 and 2 above. You should be aware that data protection law in the USA or Japan may differ from the data protection law applicable to you in the EEA or UK. However, we have adequate safeguards in place based on valid legal grounds, such as standard data protection provisions approved by the European Commission and the European Commission adequacy decision adopted between the EEA and Japan on 23 January 2019, for transferring European Personal Data to Japan.
If your JCB Card has been issued by a third party issuer, and you use your JCB card at merchants in the EEA or UK, it is necessary for JCB USA to transfer your European Personal Data to the relevant third party issuer in order to authenticate, authorize or settle your card transaction. Such third party issuer may be located in a country with different data protection standards. Please note that you can object to this transfer, at any time, by contacting us at the contact details set out at Section 11(Contact Us) below but this will limit your further use of the JCB Card in certain circumstances but not affect your obligations to us and the third party issuer.
6. Your rights in relation to European Personal Data
You have the following rights regarding your European Personal Data that we hold:
(1) Right of access
You can request details of your European Personal Data that we hold. We will confirm whether we are processing your European Personal Data and we will disclose supplementary information including the categories of data, the sources from which it originated, the purpose and legal basis for the processing, the expected retention period, and the safeguards regarding data transfers to non-EEA countries, subject to the limitations set out in applicable laws and regulations. We will provide you free of charge with a copy of your European Personal Data, but we may charge you a fee to cover our administrative costs if you request further copies of the same information.
(2) Right of correction
We will comply with your request to correct incomplete or inaccurate parts of your European Personal Data, although we may need to verify the accuracy of the new information you provide us.
(3) Right to be forgotten
At your request, we will delete your European Personal Data promptly if:
・ it is no longer necessary to retain your European Personal Data;
・ you withdraw the consent which formed the basis of your European Personal Data processing;
・ you object to the processing of your European Personal Data and there are no overriding legitimate grounds for such processing;
・ the European Personal Data was processed illegally; or
・ the European Personal Data must be deleted for us to comply with our legal obligations.
We will decline your request for deletion if processing of your European Personal Data is necessary:
・ to comply with our legal obligations;
・ in pursuit of a legal action;
・ to detect, predict and monitor fraud; or
・ for the performance of a task in the public interest
(4) Right to stop your European Personal Data being used for direct marketing purposes.
At your request, we will stop using your European Personal Data for the purpose of direct marketing. If you want to stop us from calling, emailing you in connection with marketing communications, please email us at the email address listed in Section 11 (Contact Us) of this European Privacy Notice.
Please note that even if we stop all marketing communications, you may still receive administrative communications from us.
(5) Right to restrict processing of your European Personal Data
At your request, we will limit the processing of your European Personal Data if:
・ you dispute the accuracy of your European Personal Data;
・ your European Personal Data was processed unlawfully and you request a limitation on processing, rather than the deletion of your European Personal Data;
・ we no longer need to process your European Personal Data, but you require your European Personal Data in connection with a legal claim; or
・ you object to the processing pending verification as to whether an overriding legitimate ground for such processing exists.
We may continue to store your European Personal Data to the extent required to ensure that your request to limit the processing is respected in the future.
(6) Right to data portability
At your request, we will provide you free of charge with your European Personal Data in a structured, commonly used and machine readable format, if:
・ you provided us with European Personal Data;
・ the processing of your European Personal Data is based on your consent or required for the performance of a contract; or
・ the processing is carried out by automated means.
(7) Right to object
Where we process your European Personal Data based upon our legitimate interest (or that of a third party), you have the right to object to this processing on grounds relating to your particular situation if you feel it impacts on your fundamental rights and freedoms. We will comply with your request unless we have compelling legitimate grounds for the processing which override your rights and freedoms, or where the processing is in connection with the establishment, exercise or defense of legal claims.
(8) Right not to be subject to decisions based solely on automated processing
You will not be subject to decisions with a legal or similarly significant effect (including profiling) that are based solely on the automated processing of your European Personal Data, unless you have given us your explicit consent or where they are necessary for a contract with us.
(9) Right to withdraw consent
You have the right to withdraw any consent you may have previously given us at any time.
(10) Right to complain to a supervisory authority
If you are not satisfied with our response, you have the right to complain to or seek advice from a supervisory authority and/or bring a claim against us in any court of competent jurisdiction.
If you wish to contact us in connection with the exercise of your rights listed above, please email us at the email address listed in Section 11 (Contact Us) of this European Privacy Notice. We will respond to your written request as soon as possible from receiving it.
Unless stated otherwise, we will not charge you any fee in connection with the exercise of your rights. In so far as it is practicable, we will notify the recipients of your European Personal Data of any correction, deletion, and/or limitation on processing of your European Personal Data.
Please note that if you decide to exercise your rights under Section 6 (Your rights in relation to European Personal Data), sub-sections (3), (4), (5), (7), (8) and (9) above, depending on our response, you may not be able to take full advantage of all of our benefits and services from that point on.
7. Retention Period
We will keep your European Personal Data on file for as long as is necessary to achieve our purposes listed in the table in Section 1 (Collection, Use and Legal Basis of European Personal Data) above.
We only keep European Personal Data as permitted by law applicable to us, which is typically for a period of 7 years but may be up to 10 years.
Please note, JCB is subject to a number of applicable laws and regulations globally which may require European Personal Data to be kept for longer periods such as in relation to tax filings, government investigations, the investigation of fraud and transaction monitoring and litigation and dispute resolution in accordance with our data retention policy. Your data will be kept securely. If you have any queries about how and for how long your European Personal Data is kept, you may contact us at the email address listed in Section 11 (Contact Us) of this European Privacy Notice.
8. Security
We have a management system to correct and prevent unauthorized access, loss, destruction, falsification, and leakage of European Personal Data, as well as the appropriate technical and organizational measures to address such risks, as further detailed below. The goal of these measures is to maintain our data protection standards and to ensure we have the necessary safeguards for the processing of European Personal Data.
(1) We limit access to European Personal Data to authorized executives and employees only.
(2) We limit our collection and use of European Personal Data to the extent necessary for providing our services and managing operations.
(3) If we outsource the processing of European Personal Data to third parties, we base our selection on said third parties having adequate safeguards in place that meet our European Personal Data protection standards, and we regularly audit their compliance with applicable data protection policies, laws and regulations.
(4) We strive to manage European Personal Data accurately and efficiently.
(5) We pseudonymize and encrypt European Personal Data where necessary.
(6) We strive to ensure our system and service’s confidentiality, integrity, availability, and recoverability.
(7) We have systems in place to ensure we can restore the availability and access to European Personal Data in a timely manner in the event of a physical or technical incident.
(8) We periodically inspect, assess, and evaluate the effectiveness of our technical and organizational measures to ensure the security of our processing.
9. Updates
This European Privacy Notice was published on the date “Last Updated” above. This European Privacy Notice may be updated to reflect changes to our European Personal Data processing policy. In the event there is material change to this European Privacy Notice we will inform you by updating this page. Please visit this European Privacy Notice regularly to read the current version.
10. Glossary
Some of the words in this European Privacy Notice have the meanings set out below:
- acquirers: these are financial institutions or other parties that contract with merchants for JCB card transactions;
- affinity partners: third parties that are authorized to offer co-branded JCB Cards;
- consent: when you have explicitly given us your consent for processing of your European Personal Data;
- contract: to allow us to perform our contract with you;
- franchised issuers: these are companies who can issue JCB branded cards jointly with us in Japan;
- J/Secure authentication service: JCB’s authentication program to verify the authenticity of a cardholder that enables the secure processing of payment card transactions in the remote environment;
- legitimate interest: where it is necessary for our legitimate interests or those of a third party, and your interests and fundamental rights do not outweigh those interests;
- legal obligation: where we need to comply with a legal obligation (for example compliance with anti-money laundering and fraud laws or compliance with a court order);
- merchants: these are merchants where JCB cards are transacted.
- public bodies: they refer to supervisory authorities, government agencies and public entities that deal with European Personal Data. We may provide your European Personal Data to public bodies to comply with our legal and regulatory duties;
- service providers: we may engage service providers including financial institutions that issue cards, financial institutions that acquire merchants and process card transactions, subcontractors for card transactions and provision of services and service providers that facilitate card transactions and monitor unauthorized card access. These third parties may come to access or otherwise process your personal data in the course of providing these services and may not process your European Personal Data unless there are adequate legal reasons for them to do so. All third party service providers and subcontractors are required by contract to comply with all relevant data protection laws and security requirements in relation to your European Personal Data;
- risk based authentication solution provider: we may engage specialist service providers that assist us in authenticating cardholders and transactions by analyzing transaction data and related information from a wide range of sources; and
- third party issuers: these are companies who can independently issue by license JCB branded cards.
11. Contact Us
If you have any questions or opinions regarding this European Privacy Notice, or if you have a request regarding information you provided us, you may either email us or send us a letter to the address below:
JCB USA
JCB International Credit Card Co., Ltd.
800 W. 6th St., Suite 200.
Los Angeles,
CA 90017
In addition, our EU Data Protection Officer may be contacted at eu-dpo@info.jcb.co.jp.
