January 8, 2023
The "GDPR" is a law concerning the protection of personal information established by the EU. Non-EU companies may also be subject to it when doing business with EU companies, and sanctions may be imposed for non-compliance. This article explains the risks that arise when the GDPR is violated, their impact, and the differences from Japan's Personal Information Protection Law.
What is GDPR
The GDPR (General Data Protection Regulation) is a law enacted in April 2016 to regulate the protection of personal information within the EU (European Union). It covers not only names and addresses but also the protection of personal data and privacy more broadly, including cookie information and IP addresses related to website browsing, and is generally stricter than Japan's Personal Information Protection Law.
Even Japanese companies may be subject to the GDPR when doing business with EU companies. It is necessary to understand the details as well as the difference between
Scope of personal information under GDPR
Regarding the personal information subject to protection, the GDPR gives specific examples of information that may identify an individual as "personal data."
Examples include an individual's name, address, telephone number, identification number (passport, driver's license, etc.), e-mail address, credit card information, GPS data, and IP address. Beyond what one typically pictures on hearing the words "personal information," it can be said that a wide range of data, including digital data, is covered.
Scope of companies subject to GDPR
Next, we explain the scope of companies to which the GDPR applies.
Companies with subsidiaries or branches in the EU
Even if the head office is in Japan, the GDPR always applies when a company that has subsidiaries or branches in the EU handles personal data. Such companies are subject to GDPR regulation regardless of whether the processing takes place within the EU.
Companies that provide goods and services within the EU
The GDPR applies to companies that provide goods and services to users in the EU, even if they do not have a subsidiary or branch office in the EU. An example is a user in Europe registering an ID, e-mail address, etc. on the company's e-commerce site and purchasing a product.
Companies entrusted with personal data processing by EU companies
The GDPR also applies to companies and organizations that handle personal data entrusted to them by companies with subsidiaries or branches in the EU.
When understanding and analyzing user behavior within the EU
Even companies that do not have subsidiaries or branches in the EU and do not provide products or services to users in the EU are subject to GDPR regulations if they wish to understand and analyze the behavior of users in the EU. Be careful when acquiring personal data such as names and cookie information if your company's website is frequently accessed from the EU. Targeted advertising and recommendations are also included.
Differences between GDPR and Japan's Personal Information Protection Law
The law concerning the protection of personal information in Japan is the "Personal Information Protection Law." We outline it below while comparing its differences from the GDPR in terms of the definition of personal information, scope of protection, penalties, and so on.
What is Japan's Personal Information Protection Law?
Japan's Personal Information Protection Law, which was enacted in 2003 and fully enforced in 2005, sets out rules for businesses that handle personal information, such as Japanese companies and sole proprietors. It has been revised every few years, and recently the handling of personal information has become stricter in Japan as well, for example through tighter regulation of cookie information.
It aims to protect the rights and interests of individuals while also improving services and efficiency in fields such as public administration and business. This law applies not only to groups but to all businesses and organizations that handle personal information.
What is the difference between GDPR and Japan's personal information protection law?
Definition of personal information (scope of protection)
- GDPR: all information that can identify an individual, such as names and addresses (including IP addresses and cookies)
- Personal Information Protection Law: information that can identify a specific individual, such as name, date of birth, address, face photo, etc.
Scope of application
- GDPR: all organizations that handle personal data within the EU
- Personal Information Protection Law: business operators that handle personal information in Japan
Penalties
- GDPR:
・Up to 10 million euros or up to 2% of total global annual turnover for the previous fiscal year, whichever is higher
・Up to 20 million euros or up to 4% of total global annual turnover for the previous fiscal year, whichever is higher
- Personal Information Protection Law:
・Corporations: fines of up to 1 million yen
・Individuals: imprisonment for up to 1 year or a fine of up to 1 million yen
The GDPR is characterized by a broad definition of personal information and a wide scope of application. The contrast is especially clear in the penalties: under Japan's Personal Information Protection Law the maximum fine is 1 million yen, whereas under the GDPR fines run to billions of yen.
Responsibilities of companies under GDPR
The GDPR stipulates in detail the responsibilities of companies that act as controllers of personal data, and clarifies the obligations imposed on businesses for its protection. A company's responsibilities regarding personal data are as follows.
Responsibility for developing personal data handling systems and human resources in line with GDPR
The GDPR requires the controller, that is, the company, to take appropriate technical and organizational measures.
In handling personal data, these responsibilities include pseudonymizing and encrypting data, building systems with strong confidentiality protections, and appointing a person within the organization responsible for monitoring compliance with the GDPR.
Responsibility to keep records of the handling of personal data
Covered companies are required to keep records of their handling of personal data. The content to be recorded includes the name and contact information of the controller, the purpose of handling the personal data, the types of personal data, and information on the recipients to whom the data is disclosed.
Responsibility to respond to personal data breaches and information leaks
In the event of a personal data breach or information leak at a covered company, the company is obliged to respond promptly, for example by notifying the designated supervisory authority within 72 hours and, if notification is delayed, explaining the reason for the delay. The company should also contact the individuals whose personal data has been compromised if they may be at risk.
Companies that do business in the EU should be fully aware of and take measures against GDPR
At many Japanese companies, personal information handling manuals written to comply with domestic personal information protection law do not comply with the GDPR.
It is essential not only for Japanese companies already operating in the EU region, but also for companies planning to do so in the future, to be aware of the possibility that the GDPR applies to them. Companies that may be subject to the GDPR may suddenly face penalties, large fines, or a demand to stop trading with EU companies. To avoid such risks, GDPR measures must be implemented promptly.
There is an urgent need for countermeasures across multiple departments within the company, including subsidiaries and branches in the EU, the general affairs and human resources departments, and the security department, led by legal staff. If you have transactions with EU companies or if your company's website is frequently accessed from within the EU, it is highly likely that you are already covered, so take care.
Lawyer explains GDPR
At the media site "FRONTEO Legal Link Portal (FLLP)" operated by FRONTEO, up-and-coming lawyers from Japan and abroad explain legal topics that are useful in business, and new videos are added one after another. Many lawyers also cover overseas personal information protection laws such as the GDPR. If you want to know more about the GDPR or are concerned about the handling of personal information, please check out the FLLP videos.