Skip to Main Content
Main Menu
Regulation

Act on the Protection of Personal Information (APPI)

Japan’s APPI applies to all business operators that handle the personal data of individuals in Japan, including organizations that are located within Japan and those with offices outside of the country.

Are you subject to the APPI?

Japan’s APPI applies to personal information handling business operators that:
  • Supply good or services to persons in Japan

  • Handle personal information of individuals in Japan

  • Pseudonymously or anonymously processed information produced by the personal information, even if the processing takes place in a foreign country

Key obligations under the APPI

Notification

Under the APPI, organizations collecting personal data must inform individuals about the purpose for which the data is being collected, This notification typically includes details such as the purpose of use, the scope of use, and any potential third-party recipients of the data. Notification should be provided in a clear and easily understandable manner, ensuring that individuals are fully aware of how their personal data will be utilized.

Consent

Consent is a fundamental principle under the APPI. Organizations must obtain explicit consent from individuals before collecting, using, or disclosing their personal data. Consent should be obtained through affirmative action, such as ticking a box or signing a consent form, and should be freely given, specific, informed, and unambiguous. Individuals have the right to withdraw their consent at any time, and organizations must respect this right.

Purpose Limitation

The APPI defines that personal data should only be collected for legitimate and specified purposes that are clearly communicated to individuals. Organizations are prohibited from using personal data for purposes other than those for which it was originally collected without obtaining additional consent from the individuals concerned.

Security Measures

Under the APPI, organizations are required to implement appropriate security measures to protect personal data from unauthorized access, disclosure, alteration, or destruction. This may include physical, technical, and organizational safeguards, such as encryption, access controls, and employee training on data protection.

Data Transfer Restrictions

According to the APPI, personal data cannot be transferred to third parties without the consent of the individuals concerned, unless permitted by law. If personal data is transferred to third parties, organizations must ensure that the recipients provide an adequate level of protection for the data.

Accuracy

The APPI outlines that organizations are responsible for ensuring that personal data is accurate, complete, and up-to-date. They must take responsible steps to verify the accuracy of the data at the time of collection and periodically update it as necessary.

Access and Correction

Under the APPI, individuals have the right to access their personal data held by organizations and request corrections or deletions if the data is inaccurate or outdated. Organizations must establish procedures for handling such requests in a timely manner and may only refuse requests in specific circumstances as allowed by the law.

Webinar

Building Trust and Competitive Advantage: The Value of Privacy Certifications

Join our experts in this webinar as they go over the importance of how privacy certifications can unlock business value and help you stay ahead of the competition in today’s privacy-conscious landscape.

FAQs

  • Are data breach notifications mandatory under the APPI?

    Following the 2020 APPI amendments, data breach notification is mandatory, while previously notifying the PPC and data subjects was only a recommendation. In the event that business operators become aware of a data breach that could potentially breach the rights and interests of individuals, they are required to inform both the PPC and the affected data subjects.

  • Do I have to appoint a Data Protection Officer (DPO) under the APPI?

    Although the APPI does not expressly mandate businesses to designate a DPO, it suggests appointing an individual responsible for managing personal information, which may be viewed as fulfilling a similar function.

  • Is employee personal data subject to the APPI?

    Yes, employee personal data is generally subject to the provisions of the APPI. The APPI applies to the handling of personal data by both public and private entities, including employers. Therefore, any personal data collected, used, or stored by employers in relation to their employees is typically covered by the APPI.

The information provided does not, and is not intended to, constitute legal advice. Instead, all information, content, and materials presented are for general informational purposes only.

Back to Top