Doing Business In... 2025

JAPAN Law and Practice Contributed by: Junichi Ueda, Etsuko Hara, Nobuto Shirane, Takahiro Hayase, Yutaka Shimoo and Miki Goto, Anderson Mori & Tomotsune

8. Data Protection 8.1 Applicable Regulations

sent of the data subject (Article 27 of the APPI). An information handler must also obtain the prior consent of the relevant data subject before pro - viding their personal data to a third party in a for - eign country and provide certain information to the relevant data subjects when obtaining their consent (Article 28 of the APPI). An information handler must keep records regarding the transfer and receipt of personal data (Articles 29 and 30 of the APPI). Security Measures An information handler must take reasonable steps to keep personal data as accurate and up to date as is necessary to achieve the pur - poses of use and must endeavour to delete the personal data without delay when it becomes unnecessary to use the data (Article 22 of the APPI). An information handler must also take all necessary and proper measures to ensure that personal data is kept secure from loss and from unauthorised access, use and disclosure (Article 23 of the APPI). In addition, an information handler must exer - cise necessary and appropriate supervision of its employees who handle personal data and of its data management outsourcing entities to ensure they implement and comply with security meas - ures (Articles 24 and 25 of the APPI). Data incidents, such as leakages of, loss of or damage to personal data, must be reported to the Personal Information Protection Commis - sion (PPC) and the relevant data subject must be notified thereof when the incident reaches a certain threshold (Article 26 of the APPI). Data Subject’s Right Upon the request of a data subject, an informa - tion handler must inform them about the pur -

The Act on the Protection of Personal Informa - tion (APPI) is the main piece of legislation gov - erning the handling of personal information by business operators (information handlers) in Japan. Examples of APPI regulations with which information handlers are required to comply are as follows. Purposes of Use An information handler must specify the pur - poses for which it will process personal infor - mation and must not process personal informa - tion beyond the scope of the specified purpose without first obtaining the consent of the relevant data subject (Articles 17 and 18 of the APPI). An information handler must not process per - sonal information in manners that could facilitate or lead to illegal or improper activities (Article 19 of the APPI). Collection of Personal Information An information handler must not collect person - al information using fraudulent or other unjust means. In principle, an information handler must not acquire certain sensitive personal informa - tion without obtaining the data subject’s prior consent (Article 20 of the APPI). If personal information is collected, an informa - tion handler must promptly notify the relevant data subject of or announce the relevant pur - poses of use (Article 21 of the APPI). Limitation on Transfer of Personal Data to Third Parties In principle, an information handler must not transfer personal data to third parties, including its affiliated companies, without the prior con -

418 CHAMBERS.COM

Powered by