What is the GDPR? Explaining the Comparison with the Japanese Personal Information Protection Law and Key Points Japanese Companies Should Be Aware Of
When expanding your business into the EU domain, it is essential to have a comprehensive understanding of the GDPR (General Data Protection Regulation). Japanese companies without a base in the EU may still be subject to GDPR. Acquire foundational knowledge of GDPR and Japanese Personal Information Protection Law, and ensure proper data management.
This article will explain GDPR in comparison with Japanese Personal Information Protection Law and highlight key points that Japanese companies should be aware of. If you are a legal professional considering whether you need to modify your data protection regulations or seeking to understand the laws you must comply with for business expansion into the EU, this article will be a valuable resource.
What is the GDPR (General Data Protection Regulation)?
The “GDPR (General Data Protection Regulation)” is a set of rules concerning the handling of personal data (data protection) established by the European Union (EU), also referred to as the “General Data Protection Regulation” in Japan.
It sets strict standards for the handling of personal data within the EU and aims to enhance the protection of individual privacy.
From the perspective of personal information protection, it provides standards for how companies and organizations should handle data and how individuals can protect their own information.
Reference: Personal Information Protection Commission | “Provisional Japanese Translation of the General Data Protection Regulation (GDPR)[ja]“
The fundamental principles of the GDPR are as follows:
- Lawfulness, fairness, and transparency
- Purpose limitation
- Data minimization
- Accuracy
- Storage limitation
- Integrity and confidentiality
We will explain each of these fundamental principles below.
Legality, Fairness, and Transparency
At the forefront of the General Data Protection Regulation (GDPR) principles are legality, fairness, and transparency.
When businesses collect and process personal data, they must do so on a legally justified basis and clearly communicate to the individuals involved how their data will be handled.
Furthermore, businesses are required to explicitly provide privacy-related information, ensuring transparency so that individuals understand and can control how their data is managed.
Limitation of Purpose for Use
The limitation of purpose for use means that the collection and processing of data should be carried out for specific and clear purposes.
Business operators who acquire personal data must accurately and specifically indicate the purpose to the parties involved and obtain clear consent. Furthermore, operators are required to restrict the use of collected data to purposes other than those consented to by the data subjects and to manage it strictly.
Minimization of Personal Data
The collection of personal data should be limited (minimized) to the extent necessary to achieve the intended purpose. Personal data should be collected only within the scope suitable for the requested purpose, and care should be taken not to collect any excess personal information.
This approach ensures that the amount of personal data retained is kept to a minimum, thereby protecting individual privacy.
Accuracy
As a fundamental principle of the GDPR, personal data must be accurate. Inaccurate personal data should be corrected, and measures should be taken to maintain up-to-date and accurate information.
This ensures that individuals’ rights and interests are protected, and that personal data processing is based on accurate information.
Limitations on Record Retention
One of the fundamental principles of the GDPR (General Data Protection Regulation) is the concept of limitations on record retention. Personal data that is no longer necessary after its purpose has been fulfilled should be promptly deleted.
By not retaining personal data that is no longer needed, we ensure proper management of personal data and the protection of privacy.
Integrity and Confidentiality
Personal data must be complete and its confidentiality must be maintained. It is essential to protect personal data from tampering and loss, and appropriate measures should be taken to safeguard it from unauthorized access.
This enhances the reliability of personal data.
Not Just for EU-Based Companies? The Scope of GDPR Application
The GDPR is not only applicable to companies within the EU. Japanese companies may also fall under its scope. We will explain the following four categories of companies to which the GDPR applies.
Target Companies under GDPR | Overview |
Companies with an Establishment in the EU | “Controller” | An organization that determines the purposes and means of data processing and owns the data is known as the controller. For example, companies with headquarters or branches within the EU fall under this category. The controller is responsible for ensuring the lawful and transparent processing of data. |
Companies Entrusted with Personal Data Processing by EU Companies | “Processor” | When an EU-based company outsources data processing to another company, the latter becomes a “processor” and falls under the GDPR. Processors are also responsible for ensuring the security and lawful processing of data. |
Companies Offering Goods or Services to Individuals in the EU | Companies that provide online shops or web services are included. The handling of data related to the goods or services provided must comply with GDPR standards. |
Companies Monitoring Individuals in the EU | Monitoring refers to the long-term tracking of specific individuals’ behaviors or conditions. For example, companies that operate surveillance cameras or track online behavior are included, and they must ensure lawful data handling. |
Companies subject to the GDPR are required to ensure lawful and transparent data processing, data security, and compliance with GDPR standards.
Related article: What Happens When GDPR Applies Extraterritorially? Explaining the Response Methods[ja]
Handling of Personal Data under the GDPR
The General Data Protection Regulation (GDPR) provides a framework for the protection of privacy and the circulation of data when it comes to handling personal data.
The objectives and principles of this regulation are to ensure the protection of fundamental rights and freedoms, particularly respecting the privacy of individuals, and to promote the free flow of personal data (GDPR Article 4). |
The GDPR safeguards control and respect for personal data while facilitating data circulation and ensuring reliability through proper management.
For this purpose, transparency in data processing and corporate accountability are crucial, and companies are required to handle data appropriately in accordance with the regulations.
The GDPR also includes the following provisions:
Companies subject to the GDPR must generally obtain the individual’s consent when handling personal data (‘processing’) (GDPR Article 6(1)(a)). |
Controllers must be able to demonstrate that the individual has consented to the processing of their personal data (GDPR Article 7(1)). |
Furthermore, individuals have the right to withdraw their consent to the processing of their personal data at any time (GDPR Article 7(3)). |
However, there are cases where the handling (‘processing’) of personal data is permitted even without the individual’s consent. Specific examples include:
- When necessary for the performance of a contract to which the individual is a party,
- When necessary to take steps at the request of the individual prior to entering into a contract,
- When necessary for compliance with a legal obligation to which the controller is subject,
- When necessary to protect the vital interests of the individual or another person,
- When necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller,
- When necessary for the purposes of the legitimate interests pursued by the controller or a third party, provided that such interests are not overridden by the interests or fundamental rights and freedoms of the individual (which require protection of personal data).
Key Rights Relating to Personal Data under the GDPR
Under the GDPR, the data subject is primarily entitled to the following rights:
- The right to access their personal data
- The right to request the rectification or erasure of their personal data
- The right to request restrictions on the use of their personal data
- The right to object to the processing of their personal data
Data subjects have the right to understand how their information is being used by the provider. If they feel that the information is inaccurate or being misused, they can request rectification or erasure, as well as a temporary halt on its use, or lodge an objection.
Key Responsibilities Regarding Personal Data under the GDPR
While individuals have certain rights over their personal data, companies that collect and process personal data primarily have the following responsibilities:
- Establishing a system and human resources framework for handling personal data in compliance with the GDPR
- Maintaining records of personal data handling activities
- Responding to personal data breaches
These responsibilities are crucial for ensuring that personal data is adequately protected within a company.
Furthermore, it is essential that all data processing activities are properly recorded, as this is necessary for conducting reviews when required.
In the event of a personal data breach, companies are responsible for taking appropriate measures and notifying the relevant parties.
In the Event of a GDPR Violation
If a controller or processor violates the GDPR and causes harm to the data subject, they may be liable for damages as stipulated in Article 82(1) of the GDPR.
Furthermore, violations of the GDPR can lead to severe consequences. For instance, the EU may impose fines as a measure under Article 83 of the GDPR in response to the infringement (GDPR Article 83).
Differences Between GDPR and Personal Information Protection Laws
The main differences between the GDPR and personal information protection laws are as follows:
- Scope of protection
- Response to personal data breaches
- Appointment of representatives
- Penalties for non-compliance
We will explain these differences in detail below.
Scope of Protection
The GDPR and personal information protection laws differ in the data they aim to protect. The GDPR extensively protects personal data processed within the EU. It applies not only to companies based in the EU but also to those offering goods or services to individuals within the EU.
On the other hand, the scope of protection under personal information protection laws varies by country or region.
For example, the Japanese Personal Information Protection Law (Japanese PIPA) targets personal information processed within Japan, and its protection is generally limited to within the country.
Response to Personal Data Breaches
The GDPR and personal information protection laws also differ in their response to personal data breaches.
Under the GDPR, in the event of a data breach, companies are obligated to report to the supervisory authority within 72 hours. They also have a responsibility to notify the data subjects promptly and explicitly.
While personal information protection laws also require prompt notification in the event of a data breach, the deadlines for reporting obligations and the content of notifications vary by country or region.
Appointment of Representatives
The rules regarding the appointment of representatives differ between the GDPR and personal information protection laws.
Under the GDPR, the processing of children’s personal data requires the consent of parents or legal guardians. Furthermore, companies providing online services must obtain parental consent when handling personal data of children under 16 years of age.
Personal information protection laws also require the consent of a legal guardian for handling children’s personal information, but the age requirements and methods for obtaining consent vary according to the legislation.
Penalties for Non-Compliance
Another difference between the GDPR and personal information protection laws is the penalties for non-compliance.
Under the GDPR, violations can lead to fines of up to 4% of the company’s total annual worldwide turnover or 20 million euros, whichever is higher.
The penalties under personal information protection laws vary by country or region, but typically involve fines or legal liabilities. The amount of the fine fluctuates depending on the nature and severity of the violation.
Key Points for Japanese Companies to Address GDPR Compliance
The following companies need to take measures to comply with the GDPR:
- Companies with subsidiaries, branches, or offices within the EU
- Companies providing goods or services from Japan to the EU
- Companies entrusted with the processing of personal data by entities within the EU
As specific measures within a company, Article 32 and Recital (83) of the GDPR recommend encryption as one of the data protection technologies.
Therefore, it is necessary to encrypt personal data on client PCs, HDDs, USB drives, shared folders, and other storage media.
In addition, it is essential to update your privacy policy to be GDPR-compliant. For more details on GDPR-compliant privacy policies, please refer to the following article.
Related article: Explaining the Key Points in Creating a GDPR-Compliant Privacy Policy[ja]
Summary: Consult Experts for GDPR Compliance
The General Data Protection Regulation (GDPR) extensively protects personal data processed within the EU, demanding lawful and transparent handling of data and ensuring its security. Differences between the GDPR and the Japanese Personal Information Protection Law include the scope of protection, responses to personal data breaches, appointment of representatives, and penalties for non-compliance.
Entities such as companies with bases in the EU, those offering goods or services to individuals in the EU, and those entrusted with processing personal data by EU companies are subject to GDPR. Violations of GDPR can lead to claims for damages and the imposition of fines, so it is crucial to exercise caution.
If you are considering whether to update your company’s data protection policies to comply with GDPR, it is advisable to consult with experts in the field.
Guidance on Measures by Our Firm
Monolith Law Office is a legal practice with extensive experience in IT, particularly in both the internet and legal fields. In recent years, global business has been expanding increasingly, and the need for expert legal checks is growing more than ever. Our firm provides solutions related to international legal affairs.
Areas of practice at Monolith Law Office: International Legal Affairs & Overseas Business[ja]