
The Personal Data Protection Act

  • Yohei Oda
  • Feb 17
  • 4 min read

1. What is the Personal Data Protection Act (Kojin Joho Hogo Ho)

The Personal Data Protection Act was enacted in 2003. The law clarifies the responsibilities of national and local authorities regarding the processing of personal data and establishes the obligations that businesses that collect and use personal data must fulfill. The law was enacted because the use of personal information has expanded considerably as a result of the development of the digital society, making it necessary to stipulate the appropriate handling of personal information.

Companies can effectively market their products and services to customers, users, and others who need them, using personal information. However, if personal information stored by a company is leaked, it can harm the individual.

Therefore, the Personal Data Protection Act establishes rules for the processing of personal data in order to guarantee the effective use of personal data and at the same time prevent leaks and other incidents.

 

2. What information constitutes "personal data" under the Law?

In the Personal Data Protection Act, "personal data" is defined as information relating to a living individual that identifies a specific individual (name, address, date of birth, etc.), that can easily identify a specific individual when linked to other information, or that contains a personal identification code. Information containing a personal identification code includes facial recognition data, fingerprint recognition data, iris scans, voiceprints, gait patterns, finger vein and palm prints, passport numbers, basic pension numbers, driver's license numbers, resident registration numbers, personal insurance numbers, and so on. Such data are always considered personal data under this Act.

Personal data of a foreigner residing in a foreign country is also considered personal data under the Personal Data Protection Act if held by a Japanese company or organization.

Personal data is limited to information about living people, so information about a deceased person does not constitute "personal data" under the Personal Data Protection Act.

Information about the company itself or another organization is not personal data and is therefore not subject to the protection of this law. However, information about a company employee is personal data.

 

3. Basic rules for the processing of personal data

Businesses that use personal data must comply with rules such as the following.

(1) When they acquire personal data

- The specific purposes for which the data will be used must be specified.

- The specific purposes of use must be made public or notified to the person in advance.

- In principle, the data must be used within the scope of the specified purposes, and the person's consent is required for any use outside of them.

(2) When they store and manage personal data

Of course, the necessary measures must be taken to ensure that personal data is managed securely, so that no leaks occur. For example, if stored on paper, it must be kept in a locked location, and if stored as data on a computer, passwords must be set or security software used.

(3) When personal data is provided to others

In principle, prior consent must be obtained from the individual before sharing their personal data with others. However, there are exceptional cases in which personal data can be shared with third parties without the individual's consent. Examples of such cases include when required by law (such as when receiving an inquiry from the police, a court, the tax authorities, etc.) or when necessary to protect a person's life or body in an emergency.

The Personal Data Protection Act also does not apply when personal data is used by newspapers and media outlets for reporting, by writers for writing, by universities and research institutions for research, by religious organizations for religious activities, and by political organizations for political activities.

 

4. Personal data that requires special consideration

Some personal data requires special consideration in its processing to ensure that the individual does not suffer unjustified discrimination, prejudice, or other disadvantages if it is disclosed to third parties. Such data must be treated with special care as "personal data requiring special consideration." The individual's consent is required to obtain personal data requiring special consideration. Examples include personal data that includes race, creed, social status, medical history, criminal record, the fact that the individual has been harmed by a crime, the fact that the individual has a disability (such as a physical, intellectual, or mental disability), the results of medical examinations and other tests performed by a physician, and so on.

 

5. Penalties for violating the Personal Data Protection Act

If a company is found to be in breach of the Personal Data Protection Act, measures are taken in stages.

First, a government organization called the Personal Data Protection Commission requests reports and conducts on-site inspections. The Personal Data Protection Commission also provides guidance and advice. If the situation worsens, an order will be issued. Failure to comply with these orders can result in imprisonment or fines.

 

6. Which businesses need to comply with the obligations of this law?

All businesses that handle personal data are subject to the regulations of this law. This means that even a sole trader who only handles the personal data of a few individuals is subject to its regulations. Since most businesses store information about customers or employees as data, it can be said that, ultimately, almost all businesses are subject to the regulations of this law.

 

 
 
 