• MEILIN INTERNATIONAL LAW FIRM


Revised Personal Information Protection Law

Personal Information Protection Law, GDPR

2022.02.03

Author: Mei Suzuki, Attorney at Law

The revisions to the Personal Information Protection Law enacted in 2020 and part of the revisions to the law enacted in 2021 are expected to be enforced together from April 1, 2022.

This column outlines those revisions and the matters that companies need to handle in conjunction with the enforcement of the revised Personal Information Protection Law.

I. Outline of Revised Law

The primary revisions to the Personal Information Protection Law are as follows:

1. Personal rights

The rules on personal rights are revised as follows:

(1) The conditions for the data subject's right to request suspension of use, deletion, etc., are relaxed: in addition to cases of illegal acquisition and other violations of law, the right now covers cases where there is a possibility of harm to personal rights;

(2) The data subject can designate the method of disclosure of personal data held, including disclosure by electronic means (at present, disclosure is made in written form);

(3) The data subject can request disclosure of records provided to third persons in connection with the transfer of personal data;

(4) Data retained for a short term (within six (6) months) shall be subject to disclosure, suspension of use, etc.; and

(5) The scope of personal data that can be supplied to a third person under the opt-out provisions is limited, and (i) personal data illegally acquired and (ii) personal data provided under the opt-out provisions are excluded.

2. Duty of Company

(1) Where a leak, etc., is discovered and there is a high likelihood that the rights and interests of the data subject will be harmed, it will become mandatory to report to the Personal Information Protection Commission and to send a notice to the data subject.

(2) It has been made clear that personal information must not be used in inappropriate ways, such as ways that encourage illegal and/or unreasonable actions, etc.

3. Utilization of Data

(1) Pseudonymously processed information

To promote innovation, the duty to respond to requests for disclosure, suspension of use, etc., is relaxed for pseudonymously processed information (information from which names, etc., have been deleted), provided that its use is limited to internal analysis, etc.

(2) Regulations on provision of personal-related information to third persons

Where information that does not constitute personal data at the provider, but could become personal data at the recipient, is provided to a third person, the provider must confirm the consent of the data subject.

4. Cross-Border Transfer

(1) A foreign company handling the personal information of a data subject in Japan will become subject to reporting and orders (penalties are possible).

(2) When providing personal data to a third person in a foreign country, the provider is required to give the data subject information regarding the handling of personal information by the company to which the information is transferred.

II. Matters Requiring Actions at the Company

Each company will need to arrange its internal rules, privacy policy, agreements, etc., and change its handling of personal information in accordance with the above revisions. The following matters in particular are likely to require action.

1. Flow of Response for a Leak of Personal Information

Where personal information is leaked, reporting to the Personal Information Protection Commission and notification to the data subject concerned will become mandatory in certain cases. It will be necessary to establish an internal structure to report and notify without delay. It is therefore recommended to (i) review your company's present response flow and, if necessary, (ii) revise the response flow so that a report to the Personal Information Protection Commission and a notice to the data subject can be made promptly.

2. Disclosure of Information of a Foreign Company Transferee

When personal data is transferred to a third person in a foreign country, the data subject must be informed of the provision of information and of the handling of personal information by the transferee company. Therefore, where personal information is being provided to or shared with a foreign company, it is necessary to confirm information about the transferee company and the country name, an outline of the measures being taken by the transferee company, the status of arrangement of the system, and other necessary information. This also needs to be reflected in the privacy policy.

3. Handling of Disclosure Request

Where there is a request for disclosure of personal information, the rule up to now has been to provide a written document, but the revisions allow the data subject to choose to receive the information electronically. Companies therefore need to prepare for disclosing personal information electronically and to review their response flow and privacy policy so that electronic disclosure can be handled.

 

  • We deliver valuable and useful information on matters relating to corporate law and investment mainly from our seven offices; Fukuoka, Tokyo, Shanghai, Hong Kong, Singapore, Hanoi and Ho Chi Minh.
  • This article was drafted in the past based on the laws and cases applicable at that time. However, the laws and/or regulations may have been amended since then. Please note that we do not guarantee the legal accuracy of this article. Please contact us for the latest laws/regulations information.
