MOL Group Global Privacy Policy

Enacted: 26 May, 2025

With the rapid improvement of information technology and the development of global business activities involving the utilization of personal data, Mitsui O.S.K. Lines, Ltd. and its group companies (hereinafter referred to as "our group" (click the link)) believe that the appropriate protection of personal data^* is a most important matter, even more so from the viewpoint of compliance, which is a major prerequisite for corporate activities.

Our group strives to protect personal data in a necessary and appropriate manner, taking into account the characteristics of our company business, such as international transportation, and the characteristics of the personal data it processes. In order to do so, our group complies with laws, regulations, and other standards concerning the protection of personal data of individuals such as customers, business partners (suppliers, outsourcees, subcontractors, cooperating companies, dispatching companies, government agencies, etc.), shareholders, our group employees (including employees, directors, Audit & Supervisory Board members, executive managing officers, dispatch employees, part-time staff, temporary employees, and prospective employees), and candidates for employment, etc., and establishes an organizational system for protecting personal data. Our group has established the following Personal Data Protection Policy (Privacy Policy) (hereinafter referred to as "this Policy"). In addition, our group employees comply with this Policy when processing and managing personal data.

In principle, this Policy applies to all processing of personal data at our group. However, some of our group companies may have their own privacy policies. If they are stricter or there are additional provisions in those companies’ privacy policy, their privacy policy shall take precedence over this Policy.

This Policy is written in Japanese and translated into other languages. In case of any discrepancies or inconsistencies between the Japanese and other languages, the Japanese version shall prevail.

If the privacy policy of your country/region is set forth in Chapter 13, "Privacy Policies by Country/Region," below, please review it together with this Policy. Please note that Chapter 13, "Privacy Policies by Country/Region," does not necessarily apply to all our group companies.

If you choose not to provide personal data to our group after reviewing this Policy, our group may not be able to provide products and services, you may not be able to use some functions of our group websites, or the quality of the products and services provided may be affected.

^*Personal data refers to any information relating to a data subject (the person to whom the personal data

is attributed) that can directly or indirectly identify the data subject.

1.     Personal Data Management General Administrator or Data Protection Officer (DPO)

The Personal Data Management General Administrators who oversee the protection and management of personal data collected within the scope of this Policy are as follows:

Click here for details

2.     Types of Personal Data Processed

Our group may receive personal data, including the following, by exchanging business cards, sending and receiving emails, entering data on websites, mailing, or in person, or from our group companies and related third parties. We do not collect all of the following personal data from each individual, but only to the extent necessary.

• Individuals’ information: Name, contact information, gender, date of birth, face photo,
• Occupation and employment information: Workplace and job information,
• Information collected using websites and systems operated by our group: Online identifiers (cookies, IP addresses, etc.), etc.
• Official identification information: Individual numbers and identification cards issued by the government,
• Payment information: Bank account information,
• Other information: Information such as usage history of products and services provided by our group, biometric information, etc.

• Individuals’ information: Name, contact information, gender, date of birth, face photo,
• Occupation and employment information: Workplace and job information,
• Information collected using websites and systems operated by our group: Online identifiers (cookies, IP addresses, etc.), etc.
• Official identification information: Individual numbers and identification cards issued by the government,
• Payment information: Bank account information,
• Other information: Biometric information,

• Individuals’ information: Name, contact information, gender, date of birth,
• Occupation and employment information: Workplace and job information,
• Official identification information: Individual numbers and identification cards issued by the government,
• Other information: Shareholder number, number of shares held,

• Individuals’ information: Name, contact information, gender, date of birth, face photo,
• Occupation and employment information: Workplace and job information, employment details,
• Career information: Work experience, educational background,
• Skill and qualification information: Language, qualification information,
• Information collected using websites and systems operated by our group: Online identifiers (Mac addresses, IP addresses, etc.), etc.
• Family information: Name, gender, date of birth, income information, emergency contact information,
• Medical and health information of employees and their families: Medical examination information, medical care information, etc.
• Official identification information of employees and their families: Individual numbers and identification cards issued by the government, etc.
• Payment information: Bank account information, income information,
• Other information: Biometric information,

• Individuals’ information: Name, contact information, gender, date of birth, face photo,
• Career information: Work experience, educational background,
• Skill and qualification information: Language, qualification information, aptitude test results,
• Information collected using websites and systems operated by our group: Online identifiers (cookies, IP addresses, etc.), etc.
• Family information: Emergency contact information,
• Medical and health information: Medical examination information, medical care information,
• Information necessary for reimbursing and transferring transportation expenses during the selection process: Bank account information, etc.

3.     Legal Basis and Purpose of Personal Data Processing

Unless otherwise notified, our group will process^* your personal data to the minimum extent necessary for the following purposes and based on processing prescribed by laws and regulations in each country/region: your consent, performance of contracts, compliance with legal obligations, protection of our group's legitimate interests, performance of duties in the public interest or exercise of our group’s official authority, etc. In doing so, we will comply with the MOL Group Human Rights Policies.

^*Processing means the collection, acquisition, recording, storage, correction, use, disclosure and/or transfer, alignment, combination, restriction, erasure, destruction, etc., of personal data.

• Conclusion and performance of contracts with our group and other transaction management
• Communication and information exchange with our group and notices and greetings based on social customs
• Providing information and guidance on our group’s products and services
• Confirming your eligibility to use our group’s products and services and verifying your identity
• Compliance with legal obligations
• Research, analysis, and auditing for marketing activities related to our group's business
• Generation of statistical information and processing and analysis of personal data for our group’s use
• Responding to inquiries and comments
• Response and communication in case of emergency
• Performing transactions with our group appropriately and smoothly

• Management of shareholder information and necessary communication
• Provision of various lawful benefits to shareholders
• Implementation of various measures and provision of information for shareholders

• Determination of assignment
• Determination of salary increase, promotion,
• Determination and payment of wages, bonuses, retirement allowance,
• Personnel transfer (including secondment)
• Attendance management
• Education and training
• Health management (including assessment of the capability of the role)
• Awards and sanctions
• Retirement and dismissal

• Accident compensation
• Benefits
• Crisis & business continuity management
• Compliance with legal obligations
• Procedures and communication at the time of various ceremonial occasions
• Business communication between our group companies
• Planning management policies and measures,
• Guidance and other procedures related to onboarding for prospective employees
• Personnel and labor management after onboarding for prospective employees
• Other matters necessary to perform business activities or to enforce our group's rules and regulations

• Recruitment activities and selection as well as necessary communication and provision of information
• Necessary communication with recruitment agencies during recruitment activities and selection
• Reimbursement and transfer of transportation expenses incurred during recruitment
• Management and examination of recruitment procedures, methods, measures,
• Compliance with legal obligations

4.     Transfer of Personal Data

In accordance with laws and regulations, our group may transfer^* the personal data of the individuals described in Chapter 2 to the following third parties. Please refer to Chapter 5 for the measures implemented by our group in the event of an international transfer.

^*Transfer means sharing (making available) personal data to a third party, i.e., any entities other than the company concerned.

①     Sharing among our group companies

Our group may transfer your personal data to our group companies only to the extent necessary to achieve the purposes described in Chapter

3.

②     Transfer to outsourcees that provide information system services, data processing services, and other services

Our group may transfer your personal data to various businesses only to the extent necessary to achieve the purposes described in Chapter 3.

Details are as follows

• Transfer to service vendors, , in countries/regions where our group is located
• Transfer to customers, business partners, sales agents, travel agents, accommodation operators, financial institutions, transportation companies, and administrators of Shareholders' Ledger, etc., located in countries/regions where our group operates

③     Transfer to supervisory authorities, public institutions, attorneys, etc.

Our group may transfer your personal data to supervisory authorities, public institutions, attorneys, Labor and Social Security Attorneys, tax accountants, audit firms and other third parties in each country/region only to the extent necessary to achieve the purposes described in Chapter 3.

Details are as follows

Regardless of the purposes described in Chapter 3, we may transfer your personal data to supervisory authorities, public institutions, attorneys, etc., when we receive inquiries from supervisory authorities, public institutions, attorneys, etc., in each country/region based on the laws and regulations of the respective country or region, when we receive requests for cooperation in investigations or lawsuits, or when it is difficult to obtain your consent in times of disaster or emergency in order to protect your life, body, or property.

①     Sharing with our group companies, affiliated companies, external organizations, etc.

Our group may transfer your personal data to our group companies, affiliated companies, external organizations, etc., only to the extent necessary to achieve the purposes described in Chapter 3.

②     Transfer to outsourcees that provide information system services, data processing services, and other services

Our group may transfer your personal data to various businesses only to the extent necessary to achieve the purposes described in Chapter 3.

Details are as follows

• Transfer to service vendors in the countries/regions where our group is located
• Transfer to payroll vendors, financial institutions, insurance companies, medical service providers, etc., in the countries/regions where our group is located
• Transfer to customers, business partners, sales agents, travel agents, and accommodation operators in the countries/regions where our group is located

③     Transfer to supervisory authorities, public institutions, attorneys, etc.

Our group may transfer your personal data to supervisory authorities, public institutions, attorneys, Labor and Social Security Attorneys, tax accountants, audit firms and other third parties in each country/region only to the extent necessary to achieve the purposes described in Chapter 3.

Details are as follows

Regardless of the purposes described in Chapter 3, we may transfer your personal data to supervisory authorities, public institutions, attorneys, etc., when we receive inquiries from supervisory authorities, public institutions, attorneys, etc., in each country/region based on the laws and regulations of the respective country or region, when we receive requests for cooperation in investigations or lawsuits, or when it is difficult to obtain your consent in times of disaster or emergency in order to protect your life, body, or property.

①     Sharing among our group companies

Our group may transfer your personal data to our group companies only to the extent necessary to achieve the purposes described in Chapter 3.

②     Transfer to outsourcees that provide information system services, data processing services, and other services

Our group may transfer your personal data to various businesses only to the extent necessary to achieve the purposes described in Chapter 3.

Details are as follows

• Transfer to information system services vendors, data processing services vendors, , in the countries/regions where our group is located
• Transfer to recruitment agencies, , located in countries/regions where our group operates

③     Transfer to supervisory authorities, public institutions, lawyers, etc.

Our group may transfer your personal data to supervisory authorities, public institutions, attorneys, Labor and Social Security Attorneys, tax accountants, audit firms and other third parties in each country/region only to the extent necessary to achieve the purposes described in Chapter 3.

Details are as follows

Regardless of the purposes described in Chapter 3, we may transfer your personal data to supervisory authorities, public institutions, attorneys, etc., when we receive inquiries from

supervisory authorities, public institutions, attorneys, etc., in each country/region based on the laws and regulations of the respective country or region, when we receive requests for cooperation in investigations or lawsuits, or when it is difficult to obtain your consent in times of disaster or emergency in order to protect your life, body, or property.

5.     International Transfer of Personal Data

Our group may transfer your personal data described in Chapter 2 to a third party to process in a country/region that has different personal data protection laws and regulations from those of the country/region in which you reside, for the purposes described in Chapter 3.

In this case, our group will implement appropriate measures for such transfers. For details, please refer to Chapter 13, Privacy Policies by Country/Region.

6.     Processing of Personal Data of Minors

Our group may process the personal data of minors. In such cases, our group will obtain consent from the person who has parental authority, the guardian, or person responsible for the minor’s protection before collecting the personal data, if required by law.

7.     Security Measures

Our group takes appropriate technical and organizational measures, including the following, in order to securely process your personal data, taking into consideration the risks and other factors comprehensively.

• Implement access control and thorough account management, and limit the personnel in charge and the scope of the database of personal data processed by such personnel.
• Introduce a mechanism to protect the information systems that process personal data from unauthorized access from outside or unauthorized software.
• Implement security measures based on an understanding of the legal obligations and other systems related to the protection of personal data in foreign countries where personal data is processed.
• Implement access control and measures to prevent unauthorized persons from accessing personal data in areas where personal data is processed.

• Appoint a person responsible for the processing of personal data, identify the personnel in charge of processing personal data and the scope of personal data processed by such personnel, and establish an organizational system for reporting to the responsible person in the event of finding facts or signs of violation of laws and regulations or internal rules concerning the protection of personal data.
• Establish the above-mentioned rules and this Policy, in order to ensure the proper processing of personal data, for each stage of collection, use, storage, disclosure/transfer, disposal/deletion, , with regard to the responsible person and personnel in charge and their duties, processing methods, compliance with laws and regulations, point of contact for receiving questions and exercise of rights, etc.
• Training periodically personnel in charge of processing personal data on the matters to be noted regarding the processing of personal data

8.     Retention Period of Personal Data

Our group stores your personal data only for the period specified by laws and regulations in each country/region or for the period necessary to achieve the purposes of processing personal data described in Chapter 3 of this Policy.

Our group promptly deletes or destroys your personal data when the period specified by laws and regulations in each country/region has expired.

Our group promptly deletes or destroys your personal data when the purpose of processing personal data has been achieved or lost, or when you request erasure or withdraws consent based on the rights described in Chapter 9 below.

9.     Your Rights

With respect to the personal data processed by our group, you have the rights specified by the laws and regulations of the country/region in which you reside as described in Chapter 13, "Privacy Policies by Country/Region" of this Policy. If you exercise the rights, our group will promptly respond in accordance with the laws and regulations. If we are unable to respond to your request and we notify you that we will not accommodate your request or that we will make alternative responses, we will try to explain the reason to you.

If you wish to exercise your rights, please get in touch with the point of contact provided in Chapter 10 below.

Please note that our group does not process personal data in a way that would be subject to automated decision-making (a decision made technically without human intervention), unless otherwise notified.

If you are dissatisfied with our group's response to your request, or if you have a complaint about the

way our group processes your personal data, you have the right to lodge a complaint with a supervisory authority depending on the laws and regulations of the country/region you reside.

However, we may not be able to respond to your request in whole or in part if responding to your request is likely to seriously impede the proper execution of the business of our group.

10. Procedures and Contact Points for Exercising Rights

①     Procedures and contact points for personal data

If you have any questions about the processing of personal data or requests for exercising rights, please contact us by e-mail as follows.

Personal Information Protection Contact Point, Mitsui O.S.K. Lines, Ltd. E-mail: privacy-mol@molgroup.com

If you wish to make an inquiry by e-mail, please send an e-mail to the above email address with your request to exercise your rights and contact information.

②     Personal data registered on our group membership websites

For personal data registered on our group membership websites, please refer to the membership website.

If you have any questions about the processing of personal data or requests for exercising rights, please contact Sumitomo Mitsui Trust Bank, Limited, the administrator of Shareholders' Ledger of our group.

Stock Transfer Agency Business Planning Dept., Sumitomo Mitsui Trust Bank, Limited Toll-free: 0120-782-031

If you have any questions about the processing of personal data or requests for exercising rights, please contact the person in charge at each company with which you have transactions.

If you have any questions about the processing of personal data or requests for exercising rights, please contact the person in charge at your company.

If you have any questions about the processing of personal data or requests for exercising rights, please contact the person in charge of recruitment or your recruitment agency.

11. Revision of this Policy

Our group may revise or update this Policy from time to time. Any change to this Policy will take effect when the revised version of this Policy is published on this website or by other appropriate means. If our group makes a change that our group considers to be material, our group will notify you to the extent possible via this website, email, etc. In some cases, we may ask you to provide your consent.

12. Processing of Cookies and Other Information on Our Group's Website

On the websites operated by our group (hereinafter referred to as "our group’s websites"), our group may use cookies, a mechanism that causes your computer’s browser to store information, only to the extent necessary to achieve the purposes described in Chapter 3. Depending on the browser you are using, you may be able to change its settings to disable all cookies except for those essential for the websites to function properly. However, as a result, you may not be able to use all or part of the services on our group’s websites.

Some pages of our group’s websites may use measurement servers by third parties, such as those listed below, in order to understand your visit to the pages and other information.

When you use our group’s websites, third parties collect, record, and analyze your visit history based on cookies and other information for efficient advertisement delivery and measurement of the page access. Since this information is stored on the servers of third parties, its management is in accordance with their privacy policies.

Google Analytics Terms of Use: https://marketingplatform.google.com/about/analytics/terms/us/ Google Privacy Policy:

https://policies.google.com/privacy?hl=en Google Analytics opt-out add-on: https://tools.google.com/dlpage/gaoptout?hl=en

*Google Analytics is a trademark owned by Google.

On our group’s websites or smartphone applications provided by our group, IP addresses may be used to understand your usage, to improve products and services, etc. Although IP addresses alone cannot identify a specific individual, when IP addresses are combined with other information and processed as personal data, our group will appropriately manage them in accordance with this Policy.

Please note that our group cannot be responsible for ensuring the security of your personal data on websites other than our group’s websites that are linked from our group’s websites. If you have questions or inquiries about the processing of personal data on websites other than our group’s websites, please contact the respective websites directly.

13.    Privacy Policies by Country/Region

Japan

How personal data is processed in Japan

East Asia

How personal data is processed in Taiwan

How personal data is processed in China

How personal data is processed in Hong Kong

Southeast Asia・Oceania

How personal data is processed in Indonesia

How personal data is processed in Australia

How personal data is processed in Cambodia

How personal data is processed in Singapore

How personal data is processed in Thailand

How personal data is processed in the Philippines

How personal data is processed in Vietnam

How personal data is processed in Malaysia

How personal data is processed in Myanmar

South Asia・Middle East

How personal data is processed in India

How personal data is processed in the UAE

Europe・Africa

How personal data is processed in the UK

How personal data is processed in the European Economic Area (EEA)

Americas

How personal data is processed in Panama

How personal data is processed in Brazil

How personal data is processed in California, USA

How personal data is processed in Texas, USA

How personal data is processed in Mexico