ORIX JREIT INC.

Based on the Act on Investment Trusts and Investment Corporations (the "Investment Trust Act"), ORIX JREIT Inc. ("OJR") may acquire (Note 2) personal information (Note 1) either through OJR's asset management company ORIX Asset Management Corporation (the "Asset Management Company") which is entrusted with the management of the assets of OJR (the "Asset Management Business"), Sumitomo Mitsui Trust Bank, Limited, which is the general business administrator for matters such as the listing, recording, etc. of OJR's register of unitholders (the "Administrator of Unitholder Registry"), Japan Securities Depository Center, Inc. which is the depository center for OJR's investment units ("JASDEC"), securities companies and trust banks (together with JASDEC, the "Depository Institutions, etc.") at which accounts (including special accounts) have been opened for the transfer of OJR's investment units, sellers of properties which OJR owns and properties considered for acquisition ("Properties"), real estate brokers (the "Building Specialist") entrusted with agency or brokerage services for the sale, purchase or leasing of properties, or directly of OJR's unitholders (including pledgees of registered investment units, etc.; the same shall apply hereinafter in this document) and those who are considering acquiring OJR's investment units, business partners of OJR and the Asset Management Company, leaseholders and those considering leasing (hereinafter collectively "Customers").

The purpose of this document in accordance with the provisions in the Act on the Protection of Personal Information is to disclose the purpose of use with regard to the handling of Customers' personal information, the database of such Customers' personal information (Note 3), personal data (Note 4) and retained personal data (Note 5) by OJR, which is the party that handles personal information, and to explain the basic policies concerning the handling, safe management, etc. of such.

1. In this document, "personal information" refers to information about a living individual that can identify the specific individual by the included name, gender, date of birth, address, telephone number, email address, employer, family composition, income, unitholder code, number of units owned, registered seal, or other descriptive information (including such information as will allow the individual to be identified through simple reference to other information).
   Information that includes personal identification codes (codes that convert features of a specific individual's physical characteristics such as fingerprint recognition data and facial recognition data for use by electronic computers; codes like text, numbers, symbols, or other codes that differ for each subject person such as passport numbers and license numbers and are assigned to the use of services, the purchase of products, or to documents).
2. The method of acquiring personal information depends on the means of delivery such as with email, mail by post, facsimile or hand delivery and may take the form of acquiring originals, copies, data generated on a computer, etc.
3. In this document, "a personal information database" refers to the accumulation of data including personal information as set forth below:
   a. A set of information systematically structured in such a way that specific personal information can be retrieved by a computer.
   b. In addition to the description in the above paragraph, any set of information systematically structured in such a way that specific personal information is easily retrievable by ordering the personal information according to specific rules, or in such a way that the information is easily searchable in general by indexing, retrieval, or coding (ex: register of unitholders).
4. In this document, "personal data" refers to the personal information that constitutes a personal information database, etc.
5. In this document, "retained personal data" refers to personal data where OJR retains authority of disclosure, correction, addition or deletion of content, discontinuation of use, cancellation, or discontinuation of information provision to third parties (data that may damage the public interest or other interests by the disclosure of its existence, and data to be deleted within 6 months are exempt).

1．Identification of Purpose of Use

Upon its handling of personal information OJR will disclose the specified purpose of use of such after identifying in what business the personal information is to be used and for what purpose to the best of OJR's ability in a way that allows Customers rational projections, with the exception of cases where it is considered that the purpose of use is clear in consideration of the circumstances of the acquisition.

OJR may use personal information of Customers (the scope necessary for the achievement of the purpose of use may include those who are no longer Customers; the same shall apply hereinafter in this document) within the scope of the purposes of use outlined in the below items.

In cases where personal information of leaseholders or parties that are considering leasing are to be used with the purposes indicated in item 9 or items 12 to 14, or to be used with regard to these items for the purposes indicated in items 18 to 20, information pertaining particularly to place of employment, composition of family, income, etc. may be used.

1. To contact Customers, reply to Customer inquiries or requests for documents, etc.
2. To implement measures to facilitate the relationship of OJR with its unitholders such as activities to provide information to unitholders concerning the operations of OJR (IR activities), etc.
3. To manage unitholders with the register of unitholders, employing data created based on the provisions of the Investment Trust Act, the Company Law and other related laws and regulations.
4. To exercise the rights of its unitholders and to carry out OJR's duties based on the Investment Trust Act, the Companies Act and other related laws and regulations by sending out its asset management reports, notice of convocation of general meetings of unitholders, paying distributions, etc.
5. To provide convenience to unitholders in accordance to their status as unitholders.
6. To invite unitholders to OJR's financial briefings, performance report meetings and other meetings hosted by the Asset Management Company.
7. To borrow funds, offer investment corporation bonds and issue additional investment units.
8. To sign damage insurance contracts.
9. To implement various checks related to the acquisition of Properties (including title rights checks, credit checks on leaseholders and evaluation of building conditions) and to make judgments based on such.
10. To carry out closing of accounts and other operations related to accounting and tax practices.
11. To conduct registration procedures.
12. To manage the receipt of rental payments, the return of deposits and other operations related to Leasing.
13. To seek those that may be interested in acquiring Properties.
14. To determine the credit status of leaseholders and parties that are considering leasing Properties.
15. To notify and contact leaseholders of Properties when conducting repairs, additional work, renovation work, etc.
16. To collect data on Customers, implement statistical processing and analysis and to create lists, etc. that reflect such that are necessary in executing OJR's operations.
17. To request operations such as replication and binding of documents.
18. To request the advice of specialists (attorneys, certified public accountants, certified tax accountants, real estate appraisers, judicial clerks, licensed social insurance consultants, etc.)
19. To conduct operations incidental or related to the above items.
20. To provide personal information or personal data to third parties with the purpose of achieving the purposes of use in the above items.
21. To facilitate the appropriate and efficient performance of business by OJR or business ancillary or related to such business.

Third parties to whom personal data is provided includes the Asset Management Company, Administrator of Unitholder Registry, Depository Institutions, etc., partner financial institutions, underwriters, general insurance companies, specialists, Building Specialists, companies managing Properties, those interested in purchasing or renting Properties, information processing companies, survey companies, etc., and provision of information to third parties will depend on the means of delivery such as with email, mail by post, facsimile or hand delivery and may take the form of issuing originals, copies, data generated on a computer, etc.

2. Restriction of Purpose of Use

OJR will not handle personal information beyond the scope necessary for achieving the purposes of use specified in the above items.

3. Change of Purpose of Use, etc.

In the event that OJR is to make changes to the purposes of use specified in Section 1 or to the method or means of provision to third parties and such, OJR will promptly disclose the content of changes with the exception of the situations in the below items.

1. When the notification or disclosure of the purpose of use to the Customer concerned poses a risk of damage to the life, health, property or other rights and interests of the Customer or a third party.
2. When the notification or disclosure of the purpose of use to the Customer concerned poses a risk to OJR's rights or legitimate interests.
3. When it is necessary to cooperate with a national agency or a local government in executing the affairs prescribed by laws and regulations and in which notifying the Customer of the purpose of use or disclosing it are likely to impede the execution of the affairs.
4. When it is considered that the purpose of use concerned is clear in consideration of the circumstances of the acquisition.

4. Proper Acquisition

OJR will not acquire personal information through improper means.

5. Accurate Retention

OJR will endeavor to retain personal data that is accurate and up to date within the scope necessary for the achievement of the purpose of use.

6. Security Control Measures

OJR takes necessary and appropriate measures to prevent leakage, destruction or damage, outflow, unauthorized external access, loss or tampering of personal data and to securely manage personal data (the "Security Control Measures").

Regarding these rules, the Asset Management Company to whom OJR entrusts the handling of personal information has formulated a privacy policy for the basic policies of secure management (including the Security Control Measures) and other matters in the following items, etc.

1. Name of the party handling personal information
2. Contact for handling questions, complaints and requests concerning Security Control Measures
3. Declaration concerning secure management of personal data
4. Declaration of continued improvement of basic policies of secure management
5. Declaration on compliance with related laws and regulations.

Also, with regard to the above rules, OJR takes measures such as seeking assurance from the Administrator of Unitholder Registry to whom OJR entrusts the handling of personal information concerning the matters set forth in the following items, etc.

1. To appoint a person in charge of managing personal information.
2. To establish on its own measures to prevent leakage, theft and tampering as well as security control measures concerning personal data such as education of employees.
3. To maintain the personal information of unitholders in good faith.
4. To use personal information only within the scope of commissioned operations and not to use it for any other purpose.
5. To report on the status of compliance with security control measures at least once a year.
6. In cases of subcontracting parts of commissioned operations, to take responsibility for OJR with regard to selection of the subcontractors and in terms of necessary and appropriate supervision, and to periodically report on outlines of such.

7. Supervision, etc. of Subcontractors

OJR may entrust all or part of handling of personal data to third parties prescribed in Section 1 such as when entrusting Asset Management Business to the Asset Management Company, when entrusting the Administrator of Unitholder Registry with operations such as listing and recording to the register of unitholders or when entrusting the Building Specialists with transactions of Properties or agency and brokerage services.

When entrusting all or part of handling of personal data, OJR shall conduct necessary and appropriate supervision of the subcontractor so that the personal data whose handling has been commissioned will be safely managed.

The entrusting of handling of personal data by OJR will be conducted within the scope necessary for the achievement of the purposes of use set forth in Section 1.

8. Restriction of Provision to Third Parties

OJR will not provide Customers' personal data to third parties (parties that have been entrusted with operations as specified in the previous sections do not constitute third party in this section as long as they comply with the rules in the previous sections and parties that received personal data pursuant to an assumption of business in conjunction with a merger or for other reasons) with the exception of cases set forth in the items below.

1. When the Customer's consent has been granted.
2. When the handling of personal data is based on laws and regulations.
3. When the handling of personal data is necessary for the protection of life, body or property (including property of corporations) of the Customer and when it is difficult to obtain the consent of the Customer.
4. When the handling of personal data is especially necessary for improving public health or promoting the sound growth of children and in which it is difficult to obtain the consent of the Customer.
5. When the handling of personal data is necessary for cooperating with a national agency, a local government or an individual or a business operator entrusted by either of the former two in executing the affairs prescribed by laws and regulations and when obtaining the consent of the Customer is likely to impede the execution of the affairs concerned.

9. Disclosure of Retained Personal Data

When OJR receives a request from a Customer for the disclosure of retained personal data on said Customer OJR shall without delay disclose the retained personal data to the Customer in writing (including notifications that there is no retained personal data of said Customer). However, if any of the following items apply with regard to the disclosure, OJR may not disclose all or part of the retained personal data. In such a case, OJR shall without delay notify the Customer.

1. When the disclosure concerned is likely to pose a risk of harming the life, body, property or other rights or interests of the Customer or third party.
2. When the disclosure concerned is likely to pose a risk of seriously impeding the proper execution of OJR.
3. When the disclosure violates laws and regulations.

10. Correction, etc. of Retained Personal Data

When OJR receives a request for correction, addition or deletion (correction, etc.) of retained personal data of a Customer from said Customer for the reason that the content of the concerned data is not factual, OJR shall without delay conduct necessary checks and, based on the results, make corrections, etc. to the content of the concerned retained personal data or decide that no corrections, etc. will be made and to notify the Customer, except when special procedures are prescribed by laws and regulations for correction, etc. of the content of concern.

11. Discontinuation of Use, etc. of Retained Personal Data

When OJR receives a request for the discontinuation of use or cancellation (discontinuation of use, etc.) of retained personal data of a Customer from said Customer for the reason that the data is being handled in violation of the provision in Section 2 or that the data was acquired in violation of the provision in Section 4, and if it is revealed that there is reason for such a request, OJR shall without delay discontinue the use, etc. of the concerned retained personal data to the extent necessary for redressing the violation, or decide that no discontinuation of use, etc. will be implemented and to notify the Customer. However, this shall not apply to cases in which the cost involved is large or if it is otherwise difficult to implement discontinuation of use, etc. of the retained personal data and in which OJR takes necessary alternative measures to protect the rights and interests of the Customer.

12. Discontinuation of Provision of Retained Personal Data to Third Parties

When OJR receives a request for the discontinuation of provision of retained personal data of a Customer to third parties from said Customer for the reason that the data is being provided to third parties in violation of the provision in Section 8, and if it is revealed that there is reason for such a request, OJR shall without delay discontinue the provision of the concerned retained personal data to third parties or decide that no discontinuation will be implemented and to notify the Customer. However, this shall not apply to cases in which the cost involved is large or if it is otherwise difficult to implement discontinuation of the retained personal data and in which OJR takes necessary alternative measures to protect the rights and interests of the Customer.

13. Compliance, etc. with Related Laws and Regulations, etc.

OJR recognizes that protecting personal information and maintaining its security requires sufficient understanding of and compliance with related laws and regulations, norms, etc., and it shall do all in its power for this aim. Also, OJR shall respond appropriately to complaints and claims concerning the protection of personal information.

14. Continued Improvement of Privacy Policy

OJR shall comply with its Privacy Policy including the basic policies of secure management and shall review as needed and work toward its continued improvement going forward. Also, when changes are to be made to the privacy policy as a result of such reviews, the content shall be published on this website.

15. Contact

Requests and proposals concerning the content of this document can be made at the following contact address.
However, requests stipulated in sections 9 to 12 shall be made in writing, and OJR may need to confirm if the request is from the Customer him/herself. Also, please note that requests stipulated in Section 9 may require payment of a set fee.

Nippon Life Hamamatsucho Crea Tower, 2-3-1 Hamamatsucho, Minato-ku, Tokyo 〒105-0013
ORIX Asset Management Corporation
Risk Management and Compliance Department (TEL: 03-5776-3324)
(Reception hours: 9:00 to 17:00 on Mondays through Fridays except holidays (including compensatory holidays) and year end and new year from December 30 to January 3)

Please note, notwithstanding the provision above, requests and proposals from unitholders concerning the content of this document may be handled and responded from the following contact address on behalf of OJR.

＜Contact address of Administrator of Unitholder Registry＞
8-4 Izumi 2-chome, Suginami-ku, Tokyo 〒168-0063
Sumitomo Mitsui Trust Bank, Limited, Stock Transfer Agency Department
(TEL: 0120-782-031 toll free)

Please note that depending on the content of requests and proposals, there may be cases where responses cannot be made in light of the Investment Trust Act, the Companies Act, the Financial Instruments and Exchange Law and other related laws and regulations.

16. Customer Complaints Office to Authorized Personal Information Protection Organization

The Asset Management Company is a member of the Investment Trusts Association, Japan, which is a personal information protection organization authorized based on the Act on the Protection of Personal Information. The Investment Trusts Association, Japan handles complaints regarding the handling of personal information of its members.

The Investment Trusts Association, Japan, Investor Consultation Office (TEL: 03-5614-8440)

Last updated : February 25, 2019