Publication
Contacts
Linklaters Tokyo
Kenji Shimada
Tel: +(81) 3 6212 1249
www.linklaters.com
Last updated May 2026
General data protection laws
Japan is not an EU Member State and therefore has not implemented the GDPR. However, the Act on the Protection of Personal Information (Act No. 57 of 2003) (the “APPI”) contains similar provisions.
In October 2015, the Act on Use, etc. of Numbers to Identify Specific Individuals in Administrative Procedures (Act No. 27 of 2013) (the so-called “My Number Act”) came into force, under which an ID number is allocated to every individual so that the government can manage social security and tax systems effectively. Please note that this memo does not cover the My Number Act, which is a special law supplementing the APPI.
Entry into force
The APPI came into force fully on 1 April 2005 (followed by several amendments).
Details of the competent national supervisory authority
The Personal Information Protection Commission (the “PPC”) has overall responsibility for the legal framework of the APPI.
Personal Information Protection Commission
Toranomon Alcea Tower 12th Floor
2-2-3, Toranomon
Minato-ku
Tokyo, 105-0001
Japan
TEL: +81-(0)3-6457-9680
Although the PPC has centralised authority to supervise certain businesses, it may delegate its authority to other regulatory authorities. For example, the PPC has delegated its authority to the Financial Services Agency regarding incident reports from financial institutions.
Notification or registration scheme and timing
A notification to the PPC is required to rely on the opt-out exemption regarding the transfer of data to a third party.
Exemptions to notification
None.
What is the territorial scope of application?
The APPI applies to overseas information handlers who have acquired personal information of data subjects in Japan in connection with the offering of goods or services, even if processing occurs outside Japan.
The PPC can exercise authority over such overseas handlers, including issuing orders or requesting reports. Failure to comply may result in public naming or criminal sanctions.
Is there a concept of a controller and a processor?
Japanese law does not recognise the concepts of controller and processor. However, it distinguishes “retained personal data”, which refers to personal data over which an information handler has rights and obligations such as disclosure, correction and deletion.
Some APPI obligations apply only to retained personal data. This creates a functional distinction similar to controller and processor concepts under EU law.
Are both manual and electronic records subject to data protection legislation?
The APPI applies to both manual and electronic records.
Are there any national derogations?
Government entities are subject to different rules under the APPI, including limitations tied to their public functions.
Certain exemptions apply for press, academic, religious and political activities where personal data is handled solely for those purposes.
What is personal data?
The APPI defines personal information as information about a living person that allows identification of the individual. This includes identifiers such as fingerprint data and passport numbers, as well as information that can be combined with other data to identify a person.
The APPI also distinguishes between categories of personal information with different regulatory treatments, including: (i) Anonymous Processed Information; (ii) Pseudonymously Processed Information; and (iii) Person-related Information.
Is information about legal entities personal data?
No.
What are the rules for processing personal data?
Information handlers must: (i) specify the purpose of use of personal information as clearly as possible; (ii) not change the purpose beyond a reasonable scope; and (iii) not process personal information beyond what is necessary without prior consent of the data subject.
Personal data may not be transferred to third parties without consent, subject to exceptions including disclosures required by law, public interest situations, business succession, outsourcing to processors, joint use, and the opt-out exemption.
Are there any formalities to obtain consent to process personal data?
Consent is generally not required for processing within the original purpose of use, but is required for processing outside that scope. Consent may be oral or written depending on context.
Certain sectors, such as financial services, require written or electronic consent under regulatory guidelines.
Are there any special rules when processing personal data about children?
No specific rules are provided, but consent must be obtained from a legal representative where the data subject is a minor.
Are there any special rules when processing personal data about employees?
No specific statutory rules apply, but regulatory guidance requires consent when handling employees’ health information.
What is sensitive personal data?
Sensitive personal information includes data relating to race, beliefs, social status, medical history, criminal record, victim status, and other categories designated by cabinet order, such as disability or medical treatment records.
Are there additional rules for processing sensitive personal data?
Prior consent of the data subject is generally required to acquire sensitive personal information. The opt-out exemption does not apply to such data.
Guidelines in certain sectors (such as financial services) further restrict the acquisition, use and transfer of sensitive personal data to situations where strictly necessary.
Are there additional rules for processing information about criminal offences?
These are treated as sensitive personal information and subject to the same restrictions.
Are there any formalities to obtain consent to process sensitive personal data?
No additional formalities beyond the requirement for prior consent.
When must a data protection officer be appointed?
The APPI does not specifically require the appointment of data protection officers. However, the Guidelines on the APPI (General Rules) published by the PPC (the “APPI Guidelines”) state that appointing a person responsible for handling personal data is one example of the security measures that information handlers should implement.
What are the duties of a data protection officer?
Not applicable.
Is there a general accountability obligation?
Under the APPI, information handlers must take necessary and appropriate measures to ensure the security of personal data. These measures depend on the nature, scope, context and purpose of processing, as well as the risks to individuals’ rights and interests.
The APPI Guidelines provide indicative examples of such measures. These include: (i) establishing a privacy policy; (ii) implementing internal rules and documentation; (iii) creating organisational structures for data protection (including appointing responsible personnel); (iv) training employees; (v) maintaining physical safeguards; and (vi) implementing appropriate technical security measures.
Are privacy impact assessments mandatory?
There is no explicit requirement to carry out privacy impact assessments. However, information handlers are expected to conduct regular reviews and assessments of their security measures as part of their general obligations under the APPI.
Privacy notices
Information handlers must provide data subjects with information regarding retained personal data, including: (i) the information handler’s identity; (ii) the purpose of use; (iii) procedures for access and requests; (iv) complaint handling details; (v) security measures; and (vi) information about any recognised personal information protection organisation.
Information handlers must notify data subjects of the purpose of use when acquiring personal information, unless the purpose is already publicly disclosed. Any change of purpose must also be notified or publicly announced.
It is common for organisations to publish privacy policies on their websites or display them at their premises.
Rights to access information
Information handlers must, upon request, notify data subjects of the purpose of use of retained personal data and disclose such data without delay.
Reasonable fees may be charged for access requests.
Rights to data portability
There is no concept of data portability under the APPI.
Right to be forgotten
Data subjects may request cessation of use or deletion of retained personal data in specified circumstances, including where: (i) processing exceeds the permitted purpose; (ii) the data is no longer necessary; (iii) data has been obtained unlawfully or involves sensitive data obtained without consent; (iv) a serious data breach has occurred; or (v) the individual’s rights are being harmed.
Requests may be refused where compliance would involve excessive cost or difficulty, provided alternative measures are taken to protect the data subject’s interests.
Objection to direct marketing and profiling
The APPI does not provide a specific right to object to direct marketing. However, processing outside the stated purpose generally requires consent.
Other rights
Data subjects may request correction, addition or deletion of retained personal data where it is inaccurate.
Security requirements in order to protect personal data
Information handlers must implement appropriate control measures to prevent unauthorised access, disclosure, loss or damage to personal data.
Detailed requirements are set out in the APPI Guidelines and sector-specific regulatory guidance.
Specific rules governing processing by third-party agents (processors)
When outsourcing processing, the information handler must exercise necessary and appropriate supervision over the third party to ensure the security of the data.
Notice of breach laws
Personal data breaches that may significantly affect individuals’ rights and interests must be reported promptly to the PPC or relevant authority. Typically, this requires initial notification within three to five days, with a final report within 30 days (or 60 days in specific cases).
Affected data subjects must also be notified unless this is impracticable, in which case public announcements or alternative measures must be implemented.
Restrictions on transfers to third countries
An information handler must obtain prior consent from the data subject for any transfer of personal data to a recipient in a foreign country unless that country is recognised by the PPC as providing an equivalent level of protection or the recipient has established an adequate data protection system.
Currently, only EU Member States and the UK are recognised as providing an equivalent level of protection.
Consent must relate specifically to the relevant transfer and must be informed. The data subject must be provided with information including: (i) the destination country; (ii) the applicable data protection regime; and (iii) the safeguards implemented by the recipient.
Notification and approval of national regulator (including notification of use of Model Contracts)
No general requirement exists to notify or obtain approval from the regulator in relation to international transfers, except where specifically required under other provisions.
Use of binding corporate rules
There is no concept of binding corporate rules under the APPI.
Fines
Breaches of the APPI and related guidelines may result in civil liability or criminal sanctions, including fines of up to 100 million Japanese yen.
Additional criminal sanctions apply where personal data is unlawfully provided or obtained for improper purposes, including imprisonment or fines.
Imprisonment
Criminal penalties include imprisonment of up to one year for serious violations.
Compensation
Data subjects may claim compensation for damages, including mental distress, under general civil law principles.
Other powers
The PPC may issue enforcement notices requiring cessation or improvement of data handling practices. Failure to comply may result in criminal penalties.
Authorities may also require reports on data processing practices.
Practice
Fines remain relatively uncommon under the APPI framework.
The PPC generally adopts a staged approach to enforcement, beginning with guidance, requests for information and recommendations, followed by formal orders where necessary.
Between 1 April 2024 and 31 March 2025, authorities issued 148 requests for reports, provided advice on 395 occasions, made one recommendation, issued one order and conducted 47 onsite inspections.
ePrivacy laws
Japan has not implemented the Privacy and Electronic Communications Directive. However, the Act on Specified Commercial Transactions (ASCT) and the Act on Regulation of Transmission of Specified Electronic Mail (ARTSEM) regulate direct marketing activities.
Conditions for use of cookies
There are no specific rules governing cookies under the APPI. However, cookies may be treated as Person-related Information where they can be linked to identifiable individuals.
Where such information is transferred to third parties and used as personal data, the provider must confirm that the recipient has obtained consent from the data subjects.
Amendments to the Telecommunications Business Act (effective 16 June 2023) introduced additional rules for certain operators regarding the use of cookies.
The Japan Fair Trade Commission (the “JFTC”) has also issued guidelines addressing the misuse of personal data in digital platform environments.
Regulatory guidance on the use of cookies
Guidance is provided under the JFTC Guidelines.
Conditions for direct marketing by e-mail to individual subscribers
Direct marketing emails may only be sent where the recipient has provided consent.
Conditions for direct marketing by e-mail to corporate subscribers
The same consent requirements apply to corporate subscribers.
Exemptions and other issues
Exceptions under the ARTSEM apply where: (i) the recipient has provided their email address; (ii) a business relationship exists; or (iii) the email address is publicly available.
Additional exemptions under the ASCT apply for certain contractual or bundled communications.
Marketing emails must identify the sender and provide clear opt-out mechanisms.
Additional requirements may apply depending on the nature of the products or services.
Conditions for direct marketing by telephone to individual subscribers (excludes automated calls)
It is not permitted to solicit contracts from individuals who have expressed a refusal to engage.
Conditions for direct marketing by telephone to corporate subscribers (excludes automated calls)
The same principle applies to corporate subscribers.
Exemptions and other issues
When conducting telemarketing, the caller must disclose: (i) the name of the organisation; (ii) the identity of the caller; (iii) the nature of the goods or services; and (iv) the purpose of the call.
Additional regulatory requirements may apply depending on the sector involved.