MONOLITH LAW OFFICE | +81-3-6262-3248 | Weekdays 10:00-18:00 JST


Personal Information Protection

Business situations involving IT and the Internet often involve the handling of various types of personal information, including personal information databases, cookies, and more. Particular attention must be paid to those that may change due to legal revisions. MONOLITH LAW OFFICE provides highly specialised legal services related to the Japan privacy law.

The Japan Act on the Protection of Personal Information (APPI) is one of the most crucial laws. It governs the handling of personal information in business activities. This Japan privacy law focuses on how personal data should be handled. The article sets out the obligations that personal data providers must fulfil in order to protect the rights and interests of individuals. Companies are facing the challenge of complying with the revised APPI, which came into force in April 2022.
With expertise in supporting IT and Internet businesses, MONOLITH LAW OFFICE has handled legal matters related to the Japan Act on the Protection of Personal Information for numerous companies, ranging from companies listed on the Prime Market of the Tokyo Stock Exchange (TSE) to seed-stage startups.

Example of support provided by our firm

  • Privacy Policy

    We have handled the drafting of privacy policies for websites, services, apps, etc., as well as numerous revisions in response to legal amendments and other changes.

  • Business Manuals for Internal Use

    We also help establish a Chief Privacy Officer (CPO) and maintain internal manuals and policies.

  • GDPR and Other Compliance

    We also handle legal matters related to personal data protection, such as the EU General Data Protection Regulation (GDPR) in cross-border IT business opportunities.

  • Personal Data Breach

    We can assist with reporting to the Personal Information Protection Commission and notifying individuals in case of a personal data breach.

Compliance with The Japan privacy law

The Japan Act on the Protection of Personal Information (APPI) imposes regulations on business operators handling personal information in relation to the provision or transfer of such personal information to third parties. This law imposes strict requirements on the purposes for which personal information may be used, how it may be obtained, and the security control measures that must be taken.

In addition, the law is frequently amended to provide new definitions and regulations, such as personal information databases, anonymously processed information and pseudonymised information.

Basic Obligations of Business Operator Handling Personal Data

The Japan privacy law establishes the following obligations for the “Business Operator Handling Personal Information” that handles personal information in particular. It is necessary to respond to these obligations and establish a compliance system.

  • Rules Regarding the Utilization Purpose of Personal Data

    Specify the utilization purpose as explicitly as possible (Article 15, Paragraph 1)
    Notification or disclosure of the utilization purpose (Article 18, Paragraph 1)
    Use within the specified utilization purpose (Article 16, Paragraph 1)
    Altered utilization purposes are not permitted in principle (Article 15, Paragraph 2)

  • Acquisition by Appropriate Means

    Prohibition of acquisition by deception or other wrongful means (Article 17, Paragraph 1)

  • Appropriate security control actions

    Prevention of data breaching, loss, or damage, etc. (Article 20)
    Supervision over employees and contractors (Article 20, 21)

  • Provision to a third party and cross-border transfer

    Necessary when providing information to a third party:
    Obtaining the principal’s consent in advance (Article 23, Paragraph 1)
    So-called opt-out method (Article 23, Paragraph 2)

Creating and Revising a Privacy Policy

When an IT service is launched, an appropriate privacy policy should be developed based on what type of personal information will be collected and how that information will be used. In addition, such policies must be revised as new business functions are added or as laws are revised.

As an IT, Internet and business law firm, we understand the behavior of such systems. We can help you create or revise appropriate privacy policies at minimal cost to your organization.

Examples of our experiences

BGM and sound effect distribution service, BGM playback app, SaaS based voice recognition service for BtoB use, D2C EC sites, EC platforms, Services for data integration between SaaS services, Integration services for SaaS businesses, Artist platforms, Sales support tools, Household account books Apps, Job-related web services, Job search services, Cloud-based expense reimbursement services, Cloud-based attendance management services, Cloud-based transportation expense reimbursement services, Supplement sales services, Politics-related SNS, Taxi dispatch apps, Outsourced data analysis services, Video SNS services, Business SNS, Business matching site, Hospital reservation platform, Programming school, Blockchain SNS, Blockchain ad network, Reference service, Travel concierge service, Safety confirmation service, Medical information network system, Virtual currency exchange (outside Japan), Orthodontic clinic database site, Support service for the disabled, Student recruitment, Employee management, Employee training cloud service, Authorized import car sales site, Lifestyle-related support service, Start-up support service, and Antisocial check service

Responding to a Personal Information Breach

The 2022 revision of the Japan Act on the Protection of Personal Information (APPI) established the obligation of business operators that handle personal information to report to the Personal Information Protection Commission and notify individuals when a breach or potential breach of personal information has occurred. The types of reports are preliminary reports and detailed reports. In particular, preliminary reports must be made within 3 to 5 days of the discovery of the data breach.

Response to the Japan Act on the Protection of Personal Information in 2022

In April 2022, the revised privacy law went into effect in Japan. This has created a need for all business owners to review their internal manuals and internal systems. In particular, for those business operators who handle short-term stored data that will be erased within 6 months or those who use opt-out, it is necessary to revise their privacy policies.

| | Amendments | Necessary Response |
|---|---|---|
| All economic operators | Relaxed requirements for requests for cessation of use, erasure, and cessation of provision to third parties | Reinforcement of response to increased number of claims |
| All economic operators | Enhancement of disclosure requests | Establishment of a system to determine no longer necessary |
| Businesses that process short-term stored data to be deleted within 6 months | Expansion of the scope of retained personal data subject to disclosure, etc. | Revision of internal manuals and other handling procedures |
| Business operators using opt-out | Strengthening of opt-out regulations: addition of matters to be notified, etc. | Revision of privacy policy, etc. |
| Business operators using opt-out | Strengthening of opt-out regulations: prohibition of double opt-out | Verify means of acquisition/obtaining information, and change business schemes as necessary |
| All economic operators | Obligation to report leaks, etc. and notify the individual | Establish internal manuals and other procedures to prepare for possible leakage |
| Business operators using anonymously processed information | Establishment of new provision of pseudonymized processed information | Revision of privacy policy, etc. |
| Business operators providing DMP and related services | Regulation of personal-related information that becomes personal data at the destination of provision | Verify that the consent of the individual is obtained from the business to which the information is provided |
| Business operators conducting cross-border transactions | Tighter regulation of cross-border transfers | Review whether the service is being provided or not, and switch services as appropriate. |

Drafts can be prepared with minimal hearings

Our founding lawyer is a former IT engineer.

In order to create privacy policies for apps and web services, it is necessary to understand their functions and screen transitions (in terms of what the user is supposed to agree to and by what method of operation). We can read the various documents and data that already exist in your company, such as requirement definitions, frameworks created with Adobe XD, LP, and sales materials for potential clients.

Therefore, we can create a draft for your privacy policy, etc. with minimal time spent on interviews, effectively reducing communication costs and the time required for creation.

Terms of Use for Apps

At MONOLITH LAW OFFICE, we create and revise the terms of use for various apps, services, games, etc., and create privacy policies. It is also possible to create a privacy policy based on existing documents and data used for app development, such as requirement definitions, frameworks, LPs, and sales materials for prospective customers.

Examples of our client’s products

  • oVice

    We have been an auditor for oVice Corporation, which realizes co-working spaces and event spaces in virtual spaces where you can feel close to people, as if you are talking next to them.

  • TOKIUM Expense Reimbursement

    We have worked with TOKIUM Inc., the company behind the corporate finance app “TOKIUM Expense Reimbursement” as their Chief Legal Officer. We have provided legal support for their projects, including the release of their expense reimbursement system “TOKIUM Invoice”.

  • Securio

    We have been an auditor for LRM Corporation, which releases Securio, which improves the perception of information security throughout the company.


  • TRIBEAU

    We are in charge of a project for TRIBEAU Corporation, which releases “TRIBEAU,” an application for beauty care reviews and reservations, which is also available as a web service.

As well as these clients, we are responsible for many other products. Only the companies that have given us permission to disclose their client status or the businesses that have registered us as their executives are listed here. As a general rule, clients’ information is kept confidential under the confidentiality agreement.


GDPR: What Happens When It's Applied Extraterritorially? Explaining How to Respond

What is the UK GDPR? Explaining the Relationship with the GDPR and Key Points to Remember

Explaining the Basics of the EU's Digital Markets Act (DMA): What is its Impact on Japan?

Fee Structure

  • Hourly Rate

    $400 per hour
    In certain instances, we may consider accepting a dispute or lawsuit with an initiation fee and a contingency fee. For more details, please feel free to contact us.
  • Drafting Contracts

    from $500 to $2,000 or more
    The pricing structure is subject to variation based on the type and quantity of contracts. We are pleased to offer a preliminary estimate upon inquiry, thereby encouraging you to reach out to us for further details.
  • Other Services

    Contact Us
    We offer a wide range of services including company formation, contract review, legal opinion, case review, or research letter. Should you have any inquiries or concerns, we cordially invite you to contact us and our knowledgeable team will be happy to assist you.