Data protection

i Requirements for registration

Data protection in Japan is governed by the Act on the Protection of Personal Information (APPI). The APPI was amended on 3 September 2015. The amendment included clarification on the definition of personal information, the establishment of the Personal Information Protection Commission and the introduction of provisions relating to sensitive information. No registration is required in relation to data protection under Japanese law.

When handling personal information, a company shall, as far as possible, specify the purpose for its use of personal information (the purpose). In principle, no company can handle personal information beyond the scope necessary to achieve the purpose without obtaining the prior consent of the data subject.

When acquiring personal information, a company must promptly notify the person of, or publicly announce, the purpose, unless the company has already publicly announced it. In addition, when a company directly acquires personal information from a person in writing, the company must expressly show its purpose to the person in advance.

A company must not, in principle, provide any personal data to any third parties without obtaining the prior consent of the person.

A company must keep personal data accurate and up to date within the scope necessary for the achievement of the purpose. Once the purpose is achieved, a company needs to delete personal data without delay. Also, a company must take necessary and proper measures for the prevention of leakage, loss or damage, and for other security control of the personal data. A company must exercise necessary and appropriate supervision over its employees to ensure the security control of the personal data.

ii Cross-border data transfers

A company must, in principle, obtain the prior consent of the person when it provides personal data to any third party. The same shall apply for cross-border transfer of personal data.

A company does not have to obtain the prior consent of the person in cases that are not regarded as the transfer of personal information to a third party. The same shall apply for the cross-border transfer of personal data if a company provides personal data to (1) any third party in a foreign country that has regulations for personal information protection at the same level as Japanese regulations, or (2) any third party in a foreign country who puts into place a system compliant with the standards prescribed by rules of the Personal Information Protection Commission as is necessary to continuously take measures corresponding with measures that business operators handling personal information ought to carry out pursuant to certain provisions under APPI with regard to the handling of personal data.

iii Sensitive data

The amendment of the APPI defines sensitive information as personal information that contains descriptions that have been specified by Cabinet Order to require special consideration in handling so as to avoid any unfair discrimination, prejudice or other disadvantage to an individual based on his or her race, creed, social status, medical history, criminal records or the fact that a person has incurred damages through an offence, etc. A company must not acquire sensitive personal information without obtaining the person's consent to do so, except in certain circumstances.

Certain guidelines also set forth additional rules concerning sensitive personal information, such as information relating to race, ethnic group, social status, family origin, income and medical records. Further, if a company abuses such sensitive information, this may be regarded as a violation of privacy or an invasion of personal rights, in which case the company may be held liable for damages arising from the violation or invasion.

iv Background checks

As an employer has the freedom to employ applicants of its choosing, it may collect personal information about applicants (such as information related to their credit records), to a reasonable extent, as part of a background check. However, when collecting sensitive information, such as criminal records, an employer must obtain the applicant's consent to do so.

The collection of sensitive information needs to be carried out by commonly accepted, proper methods, and care must be taken to respect applicants' privacy.