As of 23 January 2019, Japan and the EU have formally adopted their reciprocal adequacy decision on each other’s data protection framework. The mutual recognition creates the world’s largest area of safe data flow and further business opportunities between Japan and the EU. We would like to highlight some aspects of the reciprocal adequacy decision which companies should be aware of as set forth below.
Data Transfer Japan to EU
- Additional safeguards for a transfer of personal data from Japan to a recipient in the EU, such as the consent of the data subject whose personal information is to be transferred or contractual agreements between the data exporter in Japan and the data recipient in the EU to ensure compliance with the data protection standards in Japan, are no longer required as the EU has been “whitelisted”.
- Companies should however note that a transfer of personal data to a third party – whether located in Japan or abroad – still requires the consent of the data subject concerned, unless the entity to which personal information is being transferred is deemed as a so-called “joint user” of the data.
- For Japanese affiliates of European companies, it may therefore be advisable to include the European entities with which personal data from Japan, e.g. employee or customer data, shall be shared in the “purpose of use” to be informed to the data subject. The “purpose of use” may, in principle, only be amended for the future collection of information. With regard to already collected personal information the new “purpose of use” must be disclosed to the persons whose data was already collected, and their consent to the new “purpose of use” must be obtained.
Continue Reading (PDF) – EN Continue Reading (PDF) – JP