
Data security and breach notification

Security obligations

Are there specific security obligations that must be complied with?

Business operators governed by the Act on the Protection of Personal Information have a broad obligation to “take necessary and proper measures for the prevention of leakage, loss, or damage, and for other security control of the Personal Data”.

Breach notification

Are data owners/processors required to notify individuals in the event of a breach?

Notifying individuals when a security breach has occurred is not required under the Act on the Protection of Personal Information. However, the guidelines issued by the Personal Information Protection Commission (PPC) provide that it is preferable to notify the individual of the fact of the incident or make the fact readily available for affected individuals in order to prevent secondary damage or recurrence of the incident. Moreover, the Guidelines Targeting Financial Sectors Pertaining to the Protection of Personal Information established by the PPC and the Financial Services Agency (FSA) state that if a personal information breach occurs, the business operator handling the personal information should immediately provide notice to the relevant individuals of the facts around the breach.

Are data owners/processors required to notify the regulator in the event of a breach?

This is not required under the Act on the Protection of Personal Information. However, the guidelines issued by the PPC provide that, as a general rule, a business operator handling personal information should strive to immediately notify the PPC of data security breach incidents and the preventive measures taken. Moreover, the Guidelines Targeting Financial Sectors Pertaining to the Protection of Personal Information established by the PPC and the FSA state that if a personal information breach occurs, the business operator handling the personal information should immediately report the breach to the FSA and promptly make a public announcement addressing – among other things – the facts around the breach and the measures to be taken to prevent a recurrence.
