
Japan: An overview of Vendor Privacy Contracts


1. Governing Texts

1.1. Legislation

A bill to amend the APPI (only available in Japanese here; English summary available here) ('the 2020 Amendments') was promulgated by the National Diet of Japan on 12 June 2020. The 2020 Amendments will come into force on 1 April 2022.

1.2. Regulatory authority guidance

The Personal Information Protection Commission ('PPC') has released the following guidance:

  • General Guidelines on the APPI (only available in Japanese here) ('the General Guidelines')
  • Guidelines on the APPI (Providing information to third parties in foreign countries) (only available in Japanese here) ('the Guidelines on Foreign Third Parties')

1.3. Regulatory authority templates

The PPC has not released templates for vendor contracts.

2. Definitions

Data controller: The APPI does not define the term 'data controller'. It instead uses 'Personal Information Controller' ('PIC'), meaning a business operator that uses a personal information database for its business (Article 2(5) of the APPI).

Data processor: The APPI refers to entrusting (consigning) the handling of personal information in whole or in part, but it does not define the concept of a trustee, consignee or data processor (Article 22 of the APPI).

3. Contractual Requirements

3.1. Are there requirements for a contract to be in place between a controller and processor?

Article 22 of the APPI provides that, 'A PIC shall, in case of entrusting a whole or part of the handling of personal data, exercise necessary and appropriate supervision over an entrusted person so as to seek the security control of the personal data of which the handling has been entrusted.'

The General Guidelines recommend concluding a consignment contract as a necessary and appropriate safety management measure for the handling of personal data (Section 3-3-4(2) of the General Guidelines).

3.2. What content should be included?

The General Guidelines state that the following information should be included in a consignment agreement (Section 3-3-4(2) of the General Guidelines):

  • information on the contents agreed by both the consignor and the consignee; and
  • reasonable means for the consignor to confirm how the consignee processes personal data.

Furthermore, Section 4-2-7 of the Guidelines on Foreign Third Parties states that a provision concerning supervision of employees of business operators located in foreign countries should be stipulated within a consignment contract.

4. Data Subject Rights Handling & Assistance

4.1. Are processors required to assist controllers with handling of data subject requests?

The APPI does not explicitly set out requirements for processors to assist controllers with the handling of data subject requests.

For further information see Japan – Data Subject Rights.

5. Processor Recordkeeping

5.1. Are processors required to keep records of their processing activities?

The APPI does not explicitly require consignees to keep a record of their processing activities. Although the General Guidelines do not specifically refer to consignees maintaining a record of processing, PICs are expected to be able to audit their consignees, and consignees are expected to implement the security measures described in section 6., below; in practice, both require the consignee to be able to account for how it handles the entrusted personal data.

PICs are generally required to keep records of their provision of personal data to third parties under Article 25 of the APPI. However, this requirement does not apply where personal data is provided to a consignee through the entrustment of its handling (Article 25(1) of the APPI).

6. Security Measures

6.1. Are processors required to implement specific security measures? If so, what measures must be implemented?

Section 3-3-4(1) of the General Guidelines establishes that, when selecting a consignee, the consignee's safety management measures must at least comply with Article 20 of the APPI. Article 20 of the APPI requires a PIC to take necessary and appropriate action for the security control of personal data, including preventing the leakage, loss or damage of the personal data it handles. In addition, the consignee's safety management measures should meet the provisions of the General Guidelines, including implementing the 'safety management measures' specified in Attachment 8 to the extent appropriate to the outsourced work. The PIC must confirm this level of safety management in advance.

Attachment 8-1-6 of the General Guidelines provides details of the safety management measures to be taken, including:

Formulation of a basic policy

The formulation of a basic policy to ensure the proper handling of personal data within an organisation in a specific manner in order to prevent the leakage of handled personal data and for general safety management of personal data. Specifically, the General Guidelines highlight that the basic policy may stipulate:

  • the name of the PIC;
  • compliance with relevant laws and guidelines, etc;
  • matters related to safety management measures; and
  • the contact point for handling questions and complaints, etc.

Discipline regarding handling personal data

PICs must set out rules specifying the handling of personal data in order to prevent leakage of the personal data handled and for general safety management of personal data.

Organisational security control measures

  • establishment of organisational structure: an organisational system must be established for taking safety management measures;
  • operation in accordance with discipline regarding the handling of personal data: personal data must be handled in accordance with the prepared handling rules, and system logs or data usage status should be recorded so that the status of operations can be confirmed;
  • preparation of means for checking the handling status of personal data: a means of monitoring the handling status of personal data must be established;
  • establishment of a system for responding to incidents such as data breaches: a system must be put in place to respond appropriately and promptly when an incident such as a leak, or signs of one, is detected. If a leak or similar event occurs, the facts of the incident and the recurrence prevention measures must be announced as soon as possible, depending on the case, in order to prevent secondary damage and similar incidents; and
  • understanding the handling status and reviewing safety management measures: a PIC must thoroughly understand the status of personal data handling and ensure that its safety management measures are evaluated, reviewed and improved.

Human safety measures

A PIC must take human safety management measures, including the supervision and education of employees.

Physical safety measures

  • the management of areas handling personal data: appropriate management must be carried out for each area in which an important information system is located and in which personal data is handled;
  • prevention of theft of equipment and electronic media: appropriate management must be performed to prevent the theft or loss of devices, electronic media and documents used to handle personal data;
  • prevention of leakage when transporting electronic media: when carrying an electronic medium or documents on which personal data is recorded, safe measures must be taken to prevent the personal data from being easily revealed; and
  • deletion of personal data and disposal of devices and media: when deleting personal data, or discarding devices, electronic media, etc. on which personal data is recorded, this must be done by means from which the data cannot be restored. In addition, where such deletion or disposal is entrusted to a consignee, it is also important to confirm, by means of a certificate or similar, that the consignee has actually carried out the deletion or disposal.

Technical safety measures

  • access control: appropriate access control must be implemented to limit which persons in charge may access the database and which personal information they may handle;
  • identification and authentication: based on the result of identification, it must be verified that an employee who uses an information system handling personal data has a legitimate access right (i.e. the user is authenticated before being granted access);
  • prevention of unauthorised access from outside: an information system that handles personal data must be introduced and operated properly so as to protect it from unauthorised access or unauthorised software originating from outside; and
  • prevention of leaks associated with the use of information systems: measures must be taken to prevent the leakage of personal data through the use of information systems, and those measures must be operated appropriately.

7. Breach Notification

7.1. Are processors under an obligation to notify controllers in the event of a data breach? If so, are there timeframe and content requirements?

The APPI does not explicitly establish an obligation for consignees to notify controllers in the event of a data breach.

However, Section 3-3-4(1) of the General Guidelines establishes that a PIC must confirm in advance that consignees have security measures equivalent to the safety management measures outlined in Attachment 8, which stipulates the establishment of a system for responding to incidents such as data breaches (Attachment 8 of the General Guidelines).

Specifically, Attachment 8-3(4) of the General Guidelines provides that:

a system should be put in place to respond appropriately and promptly when an incident such as a leak, or signs of one, is recognised. If an incident such as a leak occurs, the facts of the incident and the recurrence prevention measures should be announced as soon as possible, depending on the case, from the perspective of preventing secondary damage and similar incidents.

In addition, Section 4 of the General Guidelines and the PPC's notice on breach response (only available in Japanese here) establish that, when incidents such as leaks, or indications thereof, are recognised, PICs should take the following necessary measures and promptly report the facts of the incident and the recurrence prevention measures to the PPC:

  • reporting within the PICs and preventing the spread of damage;
  • investigating the facts and determining the cause of the incident;
  • identification of the scope of effects;
  • consideration and implementation of recurrence prevention measures;
  • contacting persons who may have been affected by the leak; and
  • publication of the facts of the incident and recurrence prevention measures.

For further information see Japan – Data Breach Notification.

8. Subprocessor

8.1. Are subprocessors regulated? If so, what obligations are imposed?

The APPI does not explicitly regulate the subcontracting activities of processors.

However, Section 3-3-4(3) of the General Guidelines states that, when a processor intends to subcontract, the controller should receive from the processor, in advance, a report identifying the intended subcontractor, the nature of the subcontracted work and the way in which the subcontractor will handle the personal data. PICs must also periodically audit subcontractors, either through the processor(s) or themselves, and must confirm that the subcontractors take safety management measures based on Article 20 of the APPI (Section 3-3-4(3) of the General Guidelines).

9. Cross-Border Transfers

9.1. Do transfer restrictions apply to processors? If so, what restrictions and what exemptions apply?

The APPI does not explicitly provide any transfer restrictions specific to consignees.

However, Article 24 of the APPI provides more generally that personal data may not be transferred to a third party located in a foreign country unless:

  • the principal has given advance consent to the transfer of their personal data to a third party in a foreign country;
  • the country in which the recipient is located has a legal system that is deemed equivalent to the Japanese data protection regime, designated by the PPC; or
  • the recipient undertakes adequate precautionary measures for the protection of personal data, as specified by the PPC.

For further information see Japan – Data Transfers.

10. Regulatory Assistance

10.1. Are processors required to assist controllers with regulatory investigations?

The APPI does not explicitly provide for the obligation of data processors to assist a data controller with regulatory investigations.

However, Article 40 of the APPI establishes that PICs may be required to submit necessary information or material relating to the handling of personal information or anonymously processed information, or to allow PPC officials to enter a business office or other necessary place of the PIC, inquire about the handling of personal information, and inspect books, documents and other property.

11. Processor DPO / Representative

11.1. Are processors required to appoint a DPO / representative?

The APPI does not explicitly require the appointment of a data protection officer ('DPO') or representative.

However, Section 3-3-4(1) of the General Guidelines establishes that PICs must confirm in advance that processors have security measures equivalent to the safety management measures outlined in Attachment 8, which recommends the security measures to be taken for the handling of personal information; one example is the appointment of a person in charge of the handling of personal information and the definition of that person's responsibilities (Attachment 8-3(1) of the General Guidelines).

For further information on DPOs in Japan, please see: Japan – Data Protection Officer Appointment

12. Supervision & Monitoring

12.1. Are controllers obliged to supervise or monitor processors' compliance with the law and contract?

Article 22 of the APPI requires a PIC that entrusts the whole or part of the handling of personal data to exercise necessary and appropriate supervision over the entrusted person so as to seek the security control of the entrusted personal data. The General Guidelines elaborate that this supervision involves selecting a proper consignee (Section 3-3-4(1)), concluding a consignment agreement (Section 3-3-4(2)), and understanding the status of the consignee's handling of the personal data (Section 3-3-4(3)).

Specifically, a PIC must ensure that the consignee complies with the requirements outlined in section 6., above, and must understand the degree to which the contents of the consignment contract are implemented (Section 3-3-4(3) of the General Guidelines). Moreover, Section 3-3-4(3) of the General Guidelines recommends that PICs conduct regular audits, evaluate consignees appropriately, and consider corrective action where necessary.

Yuto Noro, Attorney at Law
[email protected]
Yuto Kakiyama, Attorney at Law
[email protected]
Tomohiro Hayashi, Attorney at Law
[email protected]
TMI Associates, Tokyo and London