Collection and storage of data

Collection and management
In what circumstances can personal data be collected, stored and processed?

Processing
A business operator governed by the Act on the Protection of Personal Information must specify the purpose of use for personal information it handles (to the extent possible) and comply with the following rules:

  • it must not change the purpose of use beyond a scope which has a reasonably substantial relation to the original purpose of use; and
  • it must not use the personal information beyond the scope necessary to achieve the purpose of use, without obtaining the individual’s prior consent.

The word ‘substantial’ will be removed from the first requirement in the amended Act on the Protection of Personal Information, which will instead read “a scope which has a reasonable relation to the Purpose of Use before the change”.

Collection
The following restrictions apply to the collection of personal information by business operators governed by the Act on the Protection of Personal Information:

  • proper acquisition – a business operator must not acquire personal information by deception or other wrongful means;
  • notice of purpose of use at time of acquisition – once a business operator has acquired personal information, it must notify the individual of or publicly announce the purpose of use unless it has already been publicly announced or one of the following applies:
    • such notification or public announcement would likely cause harm to the life, body, property, rights or interests of an individual or third party;
    • such notification would likely harm the business operator’s rights or legitimate interests;
    • cooperation with a state agency, local government or third party commissioned by a state or local agency is necessary to conduct certain affairs specified by laws and regulations and the notification or public announcement of the purpose of use would likely impede the execution of such affairs; or
    • the purpose of use is evident from the circumstances around the collection of the personal information.

The Ministry of Economy, Trade and Industry Guidelines Targeting the Economic and Industrial Sectors Pertaining to the Protection of Personal Information include examples of how business operators can make such public announcement – namely, by posting it on their websites or displaying it in an easily viewable location within their places of business.

Once amended, the Act on the Protection of Personal Information will provide that – as a general rule – business operators must not obtain ‘sensitive information’ without the individual’s prior consent. Details of such information will be specified in a cabinet order.

Storage
Business operators governed by the Act on the Protection of Personal Information must take security control measures in regards to personal data. The act imposes a broadly stated obligation on business operators to “take necessary and proper measures for the prevention of leakage, loss, or damage, and for other security control of the Personal Data”. The act provides no concrete measures to satisfy this requirement. However, it is generally understood that such security control measures include:

  • organisational measures;
  • employee-related measures (eg, personnel training);
  • physical measures; and
  • technical measures.

Specific actions to be taken for each type of measure are stipulated in the various ministry guidelines.

Are there any limitations or restrictions on the period for which an organisation may (or must) retain records?

There are no limitations or restrictions regarding the retention period for personal data.

Once amended, the Act on the Protection of Personal Information will provide that – as a general rule – business operators governed by the act must endeavour to delete personal data without delay when its use is no longer required.

Do individuals have a right to access personal information about them that is held by an organisation?

A business operator governed by the Act on the Protection of Personal Information must make the following details accessible to individuals whose personal data it retains:

  • its name;
  • the purpose of use (except in specified circumstances);
  • the procedures for requesting correction, cessation of use, sharing or deletion of the retained personal data, as well as the procedures for other requests; and
  • other matters as specified by cabinet order that are necessary to ensure the proper handling of the retained personal data.

In addition, business operators governed by the act must disclose any relevant personal data without delay if:

  • an individual requests that the business operator disclose whether it has retained any personal data that could lead to the individual’s identification; or
  • an individual requests notification that the business operator holds no such personal data.

Do individuals have a right to request deletion of their data?

If an individual requests that a business operator governed by the Act on the Protection of Personal Information correct, expand or delete his or her retained personal data because it is inaccurate, the business operator must investigate the issue without delay. Based on the investigation results, the business operator must correct, expand or delete the personal data and notify the individual of its response to the request.

In addition, if an individual requests that a business operator stop using or disclosing retained personal data on the basis that it is violating the Act on the Protection of Personal Information, the business operator must stop using or disclosing the personal data if the request is reasonable.

Consent obligations
Is consent required before processing personal data?

As a general rule, business operators governed by the Act on the Protection of Personal Information cannot handle personal information for reasons beyond the scope necessary to achieve the purpose of use without obtaining the individual’s prior consent.

As a general rule, business operators governed by the act may not provide such information to a third party without obtaining the individual’s prior opt-in consent.

If consent is not provided, are there other circumstances in which data processing is permitted?

Exceptions to the general rules above apply if:

  • the handling of personal information is required by laws and regulations;
  • the handling of personal information is necessary to protect an individual’s life, body or property and obtaining his or her consent would be difficult;
  • the handling of personal information is necessary to improve public health or promote the positive growth of children and obtaining the individual’s consent would be difficult; or
  • cooperation with a state agency, local government or third party commissioned by a state or local agency is necessary to conduct certain affairs specified by laws and regulations and obtaining the individual’s consent would likely impede the execution of such affairs.

What information must be provided to individuals when personal data is collected?

As a general rule, once a business operator governed by the Act on the Protection of Personal Information has acquired personal information, it must notify the individual of or publicly announce the purpose of use.

Data transfer and third parties

Cross-border data transfer
What rules govern the transfer of data outside your jurisdiction?

The Act on the Protection of Personal Information does not restrict the transfer of data outside Japan.

The amended act will restrict the provision of personal information to third parties in a foreign country without the individual’s prior consent. Two exclusions apply: recipients that operate a management system conforming to the standards set out in the Personal Information Protection Commission (PPC) rules, and recipients in countries that the PPC rules specify as having a system for the protection of personal information equivalent to that required under Japanese law.

Are there restrictions on the geographic transfer of data?

The Act on the Protection of Personal Information and most guidelines include no restrictions on the geographic transfer of data. However, the guidelines regarding medical information systems provide that medical information systems (eg, servers holding medical information) and medical data should be located in an area where Japanese laws can be enforced.

Third parties
Do any specific requirements apply to data owners where personal data is transferred to a third party for processing?

As a general rule, business operators governed by the Act on the Protection of Personal Information cannot provide personal information to a third party without obtaining the individual’s prior opt-in consent.

The amended act will require business operators providing personal data to third parties to record:

  • the date on which the data was provided;
  • the third party’s name; and
  • the matters specified in the PPC rules.

Conversely, if a business operator receives such personal data from a third party, it must confirm:

  • the third party’s name and address;
  • the representative’s name; and
  • how the third party obtained the personal data.

In addition, the business operator must record the date on which the information was provided and any matters regarding such confirmation, as well as the matters specified by the PPC rules.

Exceptions
Exceptions to the general rule above apply if:

  • the handling of personal data is required under laws and regulations;
  • the handling of personal data is necessary for the protection of the individual’s life, body or property and obtaining his or her consent would be difficult;
  • the handling of personal data is necessary to improve public health or promote the positive growth of children and obtaining the individual’s consent would be difficult; or
  • cooperation with a state agency, local government or third party commissioned by a state or local agency is necessary to conduct certain affairs specified by laws and regulations and obtaining the individual’s consent would likely impede the execution of such affairs.

The following exceptions also apply:

  • A business operator governed by the Act on the Protection of Personal Information can provide personal data to a third party without obtaining the individual’s prior consent if it notifies the individual in advance of the following information or makes such information readily available to the individual:
    • the fact that providing the personal data to a third party falls under the purpose of use;
    • the personal data that will be provided to the third party;
    • the means or methods of providing the personal data to the third party; and
    • the fact that the provision of the personal data – which will lead to the identification of the individual by a third party – will be discontinued on the individual’s request to opt out.

Once amended, the Act on the Protection of Personal Information will also require business operators to advise on the way in which an individual can make an opt-out request and to notify the PPC of all of the above information. They will also be prohibited from providing sensitive information to third parties by using the opt-out option.

  • If the personal data is to be transferred as a result of a merger, acquisition or similar succession transaction, the recipient does not constitute a third party.
  • If the personal data is to be transferred because the business operator has commissioned a third-party service provider to carry out all or part of the processing of the personal data that is necessary to achieve the purpose of use, and the service provider does not process the data for its own purpose of use, such service provider does not constitute a third party.
  • A business operator governed by the Act on the Protection of Personal Information can use the personal information jointly with another individual or entity without the individual’s prior consent if it notifies the individual of the following information or ensures that such information is made readily available to the individual, in advance:
    • the fact that the personal data may be shared with and used jointly by specific individuals or entities;
    • the personal data that will be jointly used;
    • the scope of the joint users;
    • the purpose for which the personal data will be used; and
    • the name of the joint user responsible for the management of the personal data (either an individual or a business operator).