Home | Databases | WorldLII | Search | Feedback Privacy Law Resources

Act on the Protection of Personal Information (Japan) [2005] PrivLRes 1 (1 April 2005)

	[Home] [Databases] [Search] [Feedback] [Help]

Act on the Protection of Personal Information (Japan) - [2005] PrivLRes 1

Act on the Protection of Personal Information

(Tentative translation)

[Law No.57, 2003]

[promulgated on May 30, 2003]

[enforced on May 30, 2003 except for Chapter 4 to 6 and

Article 2 to 6 of Supplementary Provisions]

[completely enforced on April 1, 2005]

Contents

Chapter 1. General Provisions (Articles 1 to 3)

Chapter 2. Responsibilities of the State and Local Public Bodies, etc. (Articles 4 to 6)

Chapter 3. Measures for the Protection of Personal Information, etc.

Section 1. Basic Policy on the Protection of Personal Information (Article 7)

Section 2. Measures of the State (Articles 8 to 10)

Section 3. Measures of Local Public Bodies (Articles 11 to 13)

Section 4. Cooperation between the State and Local Public Bodies (Article 14)

Chapter 4. Duties of Entities Handling Personal Information, etc.

Section 1. Duties of Entities Handling Personal Information (Articles 15 to 36)

Section 2. Promotion of the Protection of Personal Information by Private Institutions (Articles 37 to 49)

Chapter 5. Miscellaneous Provisions (Articles 50 to 55)

Chapter 6. Penal Provisions (Articles 56 to 59) Supplementary Provisions

Chapter 1. General Provisions

Article 1 (Purpose)

The purpose of this Act is to protect the rights and interests of individuals while taking consideration of the usefulness of personal information, in view of a remarkable increase in the use of personal information due to development of the advanced information and communications society, by clarifying the responsibilities of the State and local public bodies, etc. with laying down basic philosophy, establishment of a basic policy by the Government and the matters to serve as a basis for other measures on the protection of personal information, and by prescribing the duties to be observed by entities handling personal information, etc., regarding the proper handling of personal information.

Article 2 (Definitions)

1. In this Act, "personal information" means information about a living individual which can identify the specific individual by name, date of birth or other description contained in such information (including such information as will allow easy reference to other information and will thereby enable the identification of the specific individual).

2. In this Act, "a personal information database, etc." means a set of information including personal information as set forth below:

(1) a set of information systematically arranged in such a way that specific personal information can be retrieved by an electronic computer; or

(2) other than those described in the preceding paragraph, a set of information designated by a Cabinet order as being systematically arranged in such a way that specific personal information can be easily retrieved.

3. In this Act, "an entity handling personal information" means an entity using a personal information database, etc. for its business; however, the following entities shall be excluded;

(1) The State institutions

(2) Local public bodies

(3) Independent administrative agencies, etc. (which means independent administrative agencies as prescribed in Paragraph 1 of Article 2 of the Act on the Protection of Personal Information Held by Independent Administrative Agencies, etc. (Law No.59, 2003; the same shall apply hereinafter))

(4) Local independent administrative agencies (which means local independent administrative agencies as prescribed in Paragraph 1 of Article 2 of the Local Independent Administrative Agencies Law. (Law No.118, 2003; the same shall apply hereinafter))

(5) Entities specified by a Cabinet order as having a little likelihood to harm the rights and interests of individuals considering the volume and the manner of use of personal information they handle.

4. In this Act, "personal data" means personal information constituting a personal information database, etc.

5. In this Act, "retained personal data" means such personal data over which an entity handling personal information has the authority to disclose, to correct, add or delete the content, to suspend its use, to erase, and to suspend its provision to third parties, excluding the data which is specified by a Cabinet order as harming public or other interests if its presence or absence is known and the data which will be erased within a period of no longer than one year that is specified by a Cabinet order.

6. In this Act, "person" as to personal information means a specific individual identified by personal information.

Article 3 (Basic Philosophy)

In view of the fact that personal information should be handled cautiously under the philosophy of respecting the personalities of individuals, proper handling of personal information must be promoted.

Chapter 2. Responsibilities of the State and Local Public Bodies, etc.

Article 4 (Responsibilities of the State)

The State shall be responsible for comprehensively formulating and implementing measures necessary for ensuring the proper handling of personal information in conformity with the purport of this Act.

Article 5 (Responsibilities of Local Public Bodies)

Local public bodies shall be responsible for formulating and implementing the measures necessary for ensuring the proper handling of personal information according to the characteristics of its district in conformity with the purport of this Act.

Article 6 (Legal Measures, etc.)

The Government shall take necessary legal and other measures to ensure that special measures will be taken for the protection of the personal information whose proper handling is especially strictly required for the further protection of the rights and interests of individuals in view of the nature and the method of use of the personal information.

Chapter 3. Measures for the Protection of Personal Information, etc.

Section 1. Basic Policy on the Protection of Personal Information

Article 7

1. The Government shall establish a basic policy on the protection of personal information (hereinafter called the "Basic Policy") in order to ensure the comprehensive and integrated promotion of measures for the protection of personal information.

2. The Basic Policy shall cover the following matters:

(1) The basic direction concerning the promotion of measures for the protection of personal information

(2) Matters concerning the measures for the protection of personal information to be taken by the State

(3) Basic matters concerning the measures for the protection of personal information to be taken by local public bodies

(4) Basic matters concerning the measures for the protection of personal information to be taken by independent administrative agencies, etc.

(5) Basic matters concerning the measures for the protection of personal information to be taken by local independent administrative agencies.

(6) Basic matters concerning the measures for the protection of personal information to be taken by entities handling personal information and authorized personal information protection organizations defined in Paragraph 1 of Article 40

(7) Matters concerning the smooth handling of complaints about the handling of personal information

(8) Other important matters concerning the promotion of measures for the protection of personal information

3. The Prime Minister must prepare a draft of the Basic Policy, consulting the Quality of Life Council, and seek a Cabinet decision.

4. When a Cabinet decision is made under the preceding paragraph, the Prime Minister must publicly announce the Basic Policy without delay.

5. The provisions of the preceding two paragraphs shall be applied to amendments to the Basic Policy.

Section 2. Measures of the State

Article 8 (Support to Local Public Bodies and Others)

In order to support the measures for the protection of personal information formulated or implemented by local public bodies and the activities performed by people, entities, and others to ensure the proper handling of personal information, the State shall provide information, formulate guidelines to ensure the appropriate and effective implementation of measures to be taken by entities and others, and take any other necessary measures.

Article 9 (Measures for the Handling of Complaints)

The State shall take necessary measures to ensure the appropriate, prompt handling of complaints arising between an entity and a person about the handling of personal information concerning the person.

Article 10 (Measures to Ensure Proper Handling of Personal Information)

Through the appropriate division of roles between the State and local public bodies, the State shall take necessary measures to ensure the proper handling of personal information by entities handling personal information defined in the next chapter.

Section 3. Measures of Local Public Bodies

Article 11 (Protection of Personal Information Held)

A local public body must endeavor to take necessary measures in order to ensure the proper handling of the personal information it holds in consideration of the nature of the personal information, the purpose of holding the personal information concerned, and other factors.

Article 12 (Support to Entities and Others in the District)

In order to ensure the proper handling of personal information, a local public body must endeavor to take necessary measures for supporting entities and residents in its district.

Article 13 (Mediation for the Handling of Complaints, etc.)

In order to ensure that any complaint arising between an entity and a person about the handling of personal information will be handled appropriately and promptly, a local public body must endeavor to mediate the handling of complaints and take necessary measures.

Section 4. Cooperation between the State and Local Public Bodies

Article 14

The State and local public bodies shall cooperate in taking measures for the protection of personal information.

Chapter 4. Duties of Entities Handling Personal Information, etc.

Section 1. Duties of Entities Handling Personal Information

Article 15 (Specification of the Purpose of Use)

1. When handling personal information, an entity handling personal information must specify the purpose of use of personal information (hereinafter called the "Purpose of Use") as much as possible.

2. An entity handling personal information must not change the Purpose of Use beyond the scope which is reasonably considered that the Purpose of Use after the change is duly related to that before the change.

Article 16 (Restriction by the Purpose of Use)

1. An entity handling personal information must not handle personal information about a person, without obtaining the prior consent of the person, beyond the scope necessary for the achievement of the Purpose of Use specified under the preceding article.

2. When an entity handling personal information has acquired personal information as a result of taking over the business of another entity handling personal information in a merger or otherwise, the acquiring entity must not handle the personal information concerned, without obtaining the prior consent of the persons, beyond the scope necessary for the achievement of the Purpose of Use of the personal information concerned before the take-over.

3. The provisions of the preceding two paragraphs shall not apply to the following cases:

(1) Cases in which the handling of personal information is based on laws

(2) Cases in which the handling of personal information is necessary for the protection of the life, body, or property of an individual and in which it is difficult to obtain the consent of the person

(3) Cases in which the handling of personal information is specially necessary for improving public hygiene or promoting the sound growth of children and in which it is difficult to obtain the consent of the person

(4) Cases in which the handling of personal information is necessary for cooperating with a state institution, a local public body, or an individual or entity entrusted by one in executing the operations prescribed by laws and in which obtaining the consent of the person might impede the execution of the operations concerned

Article 17 (Proper Acquisition)

An entity handling personal information must not acquire personal information by a fraudulent or other dishonest means.

Article 18 (Notice of the Purpose of Use at the Time of Acquisition, etc.)

1. When having acquired personal information, an entity handling personal information must, except in cases in which the Purpose of Use has already been publicly announced, promptly notify the person of the Purpose of Use or publicly announce the Purpose of Use.

2. Notwithstanding the provision of the preceding paragraph, when an entity handling personal information acquires such personal information on a person as is written in an agreement or other document (including a record made by an electronic method, a magnetic method, or any other method not recognizable to human senses. hereinafter this applies in this paragraph.) as a result of concluding an agreement with the person or acquires such personal information on a person as is written in a document directly from the person, the entity must expressly show the Purpose of Use in advance. However, this provision shall not apply in cases in which the acquisition of personal information is urgently required for the protection of the life, body, or property of an individual.

3. When an entity handling personal information has changed the Purpose of Use, the entity must notify the person of the changed Purpose of Use or publicly announce it.

4. The provisions of the preceding three paragraphs shall not apply to the following cases:

(1) Cases in which notifying the person of the Purpose of Use or publicly announcing it might harm the life, body, property, or other rights or interests of the person or a third party

(2) Cases in which notifying the person of the Purpose of Use or publicly announcing it might harm the rights or legitimate interests of the entity concerned handling personal information

(3) Cases in which it is necessary to cooperate with a state institution or a local public body in executing the operations prescribed by laws and in which notifying the person of the Purpose of Use or publicly announcing it might impede the execution of the operations concerned

(4) Cases in which it is considered that the Purpose of Use is clear in consideration of the circumstances of the acquisition

Article 19 (Maintenance of the Accuracy of Data)

An entity handling personal information must endeavor to maintain personal data accurate and up to date within the scope necessary for the achievement of the Purpose of Use.

Article 20 (Security Control Measures)

An entity handling personal information must take necessary and proper measures for the prevention of leakage, loss, or damage, and for other control of security of the personal data.

Article 21 (Supervision of Employees)

When an entity handling personal information has an employee handle personal data, it must exercise necessary and appropriate supervision over the employee concerned to ensure the control of security of the personal data concerned.

Article 22 (Supervision of Trustees)

When an entity handling personal information entrusts an individual or entity with the handling of personal data in whole or in part, it must exercise necessary and appropriate supervision over the trustee to ensure the control of security of the entrusted personal data.

Article 23 (Restriction of Provision to Third Parties)

1. An entity handling personal information must not, except in the following cases, provide personal data to a third party without obtaining the prior consent of the person :

(1) Cases in which the provision of personal data is based on laws

(2) Cases in which the provision of personal data is necessary for the protection of the life, body, or property of an individual and in which it is difficult to obtain the consent of the person

(3) Cases in which the provision of personal data is specially necessary for improving public hygiene or promoting the sound growth of children and in which it is difficult to obtain the consent of the person

(4) Cases in which the provision of personal data is necessary for cooperating with a state institution, a local public body, or an individual or entity entrusted by one in executing the operations prescribed by laws and in which obtaining the consent of the person might impede the execution of the operations concerned

2. With respect to personal data intended to be provided to third parties, where an entity handling personal information agrees to suspend, at the request of a person, the provision of such personal data as will lead to the identification of the person concerned, and where the entity, in advance, notifies the person of the matters enumerated in the following items or put those matters in a readily accessible condition for the person, the entity may, notwithstanding the provision of the preceding paragraph, provide such personal data concerned to third parties:

(1) The fact that the provision to third parties is the Purpose of Use

(2) The items of the personal data to be provided to third parties

(3) The means or method of provision to third parties

(4) The fact that the provision of such personal data as will lead to the identification of the person concerned to third parties will be stopped at the request of the person

3. When an entity handling personal information changes the matter mentioned in Item 2 or 3 of the preceding paragraph, the entity must, in advance, notify the person of the content of the change or put it in a readily accessible condition for the person.

4. In following the cases, the individual or entity receiving such personal data shall not be deemed a third party for the purpose of application of the preceding three paragraphs:

(1) Cases in which an entity handling personal information entrust the handling of personal data in whole or in part within the scope necessary for the achievement of the Purpose of Use

(2) Cases in which personal data is provided as a result of the take-over of business in a merger or otherwise

(3) Cases in which personal data is used jointly between specific individuals or entities and in which this fact, the items of the personal data used jointly, the scope of the joint users, the purpose for which the personal data is used by them, and the name of the individual or entity responsible for the management of the personal data concerned is, in advance, notified to the person or put in a readily accessible condition for the person

5. When an entity handling personal information changes the purpose for which the personal data is used or the name of the individual or entity responsible for the management of the personal data as are mentioned in Item 3 of the preceding paragraph, the entity must, in advance, notify the person of the content of the change or put it in a readily accessible condition for the person.

Article 24 (Public Announcement of Matters Concerning Retained Personal Data, etc.)

1. With respect to the retained personal data, an entity handling personal information must put the matters enumerated in the following items in an accessible condition for the person (such condition includes cases in which a reply is made without delay at the request of the person):

(1) The name of the entity concerned handling personal information

(2) The Purpose of Use of all retained personal data (except in cases falling under any of Items 1 to 3 of Paragraph 4 of Article 18)

(3) Procedures to meet requests made pursuant to the provisions of the next paragraph, Paragraph 1 of the next article, Paragraph 1 of Article 26, or Paragraph 1 or Paragraph 2 of Article 27 (including the amount of charges if set under Paragraph 2 of Article 30)

(4) In addition to those mentioned in the preceding three items, such matters, specified by a Cabinet order, as being necessary for ensuring the proper handling of retained personal data

2. When an entity handling personal information is requested by a person to notify him or her of the Purpose of Use of such retained personal data as may lead to the identification of the person concerned, the entity must meet the request without delay. However, this provision shall not apply to cases falling under either of the following items:

(1) Cases in which the Purpose of Use of such retained personal data as may lead to the identification of the person concerned is clear under the provision of the preceding paragraph

(2) Cases falling under any of items (1) to (3) of Paragraph 4 of Article 18

3. When an entity handling personal information has decided not to notify the Purpose of Use of such retained personal data as is requested under the preceding paragraph, the entity must notify the person of that effect without delay.

Article 25 (Disclosure)

1. When an entity handling personal information is requested by a person to disclose such retained personal data as may lead to the identification of the person concerned (such disclosure includes notifying the person that the entity has no such retained personal data as may lead to the identification of the person concerned. This applies hereinafter.), the entity must disclose the retained personal data concerned without delay by a method prescribed by a Cabinet order. However, in any of the following cases, the entity may keep all or part of the retained personal data undisclosed:

(1) Cases in which disclosure might harm the life, body, property, or other rights or interests of the person or a third party

(2) Cases in which disclosure might seriously impede the proper execution of the business of the entity concerned handling personal information

(3) Cases in which disclosure violates other laws

2. When an entity handling personal information has decided not to disclose all or part of such retained personal data as is requested under the preceding paragraph, the entity must notify the person of that effect without delay.

3. If the provisions of any other laws require that all or part of such retained personal data as may lead to the identification of a person be disclosed to the person by a method equivalent to the method prescribed in the main part of Paragraph 1, the provision of the paragraph shall not apply to such all or part of the retained personal data concerned.

Article 26 (Correction, etc.)

1. When an entity handling personal information is requested by a person to correct, add, or delete such retained personal data as may lead to the identification of the person concerned on the ground that the retained personal data is contrary to the fact, the entity must, except in cases in which special procedures are prescribed by any other laws for such correction, addition, or deletion, make a necessary investigation without delay within the scope necessary for the achievement of the Purpose of Use and, on the basis of the results, correct, add, or delete the retained personal data concerned.

2. When an entity handling personal information has corrected, added, or deleted all or part of the retained personal data as requested or has decided not to make such correction, addition, or deletion, the entity must notify the person of that effect (including the content of the correction, addition, or deletion if performed) without delay.

Article 27 (Stopping the Use, etc.)

1. Where an entity handling personal information is requested by a person to stop using or to erase such retained personal data as may lead to the identification of the person concerned on the ground that the retained personal data is being handled in violation of Article 16 or has been acquired in violation of Article 17, and where it is found that the request has a reason, the entity must stop using or erase the retained personal data concerned without delay to the extent necessary for redressing the violation. However, this provision shall not bind cases in which it costs a great deal or otherwise difficult to stop using or to erase the retained personal data concerned and in which the entity takes necessary alternative measures to protect the rights and interests of the person.

2. Where an entity handling personal information is requested by a person to stop providing to a third party such retained personal data as may lead to the identification of the person concerned on the ground that the retained personal data is being provided to a third party in violation of Paragraph 1 of Article 23, and where it is found that the request has a reason, the entity must stop providing the retained personal data concerned to a third party without delay. However, this provision shall not bind cases in which it costs a great deal or otherwise difficult to stop providing the retained personal data concerned to a third party and in which the entity takes necessary alternative measures to protect the rights and interests of the person.

3. When an entity handling personal information has stopped using or has erased all or part of the retained personal data as requested under Paragraph 1 or has decided not to stop using or not to erase the retained personal data or when an entity handling personal information has stopped providing all or part of the retained personal data to a third party as requested under the preceding paragraph or has decided not to stop providing the retained personal data to a third party, the entity must notify the person of that effect without delay.

Article 28 (Explanation of Reasons)

When an entity handling personal information notifies a person requesting the entity to take certain measures under Paragraph 3 of Article 24, Paragraph 2 of Article 25, Paragraph 2 of Article 26, or Paragraph 3 of the preceding article that the entity will not take all or part of the measures or that the entity will take different measures, the entity must endeavor to explain the reasons.

Article 29 (Procedures to Meet Requests for Disclosure and Others)

1. An entity handling personal information may, as prescribed by a Cabinet order, determine procedures for receiving requests that may be made pursuant to the provisions of Paragraph 2 of Article 24, Paragraph 1 of Article 25, Paragraph 1 of Article 26 or Paragraph 1 or Paragraph 2 of Article 27 (such requests are hereinafter called “a request for disclosure and others” in this article). In such a case, any person making a request for disclosure and others shall comply with the procedures concerned.

2. An entity handling personal information may request a person making a request for disclosure and others to show sufficient items to identify the retained personal data in question. In this case, the entity must provide the information useful for the identification of the retained personal data in question or take any other appropriate measures in consideration of the person's convenience so that the person can easily and accurately make a request for disclosure and others.

3. A person may, as prescribed by a Cabinet order, make a request for disclosure and others through a representative.

4. When an entity determine the procedures for meeting requests for disclosure and others under the provisions of the preceding three paragraphs, the entity must take into consideration that the procedures will not impose excessively heavy burden on the persons making requests for disclosure and others .

Article 30 (Charges)

1. When an entity handling personal information is requested to notify the Purpose of Use under Paragraph 2 of Article 24 or to make a disclosure under Paragraph 1 of Article 25, the entity may collect charges for taking the action concerned.

2. When an entity handling personal information collects charges under the provision of the preceding paragraph, the entity must determine the amounts of charges within the scope considered reasonable in consideration of actual costs.

Article 31 (Handling of Complaints by Entities Handling Personal Information)

1. An entity handling personal information must endeavor to appropriately and promptly handle complaints about the handling of personal information.

2. An entity handling personal information must endeavor to establish a system necessary for achieving the objective mentioned in the preceding paragraph.

Article 32 (Collection of Reports)

The competent minister may have an entity handling personal information make a report on the handle of personal information to the extent necessary for the implementation of the provisions of this section.

Article 33 (Advice)

The competent minister may advise an entity handling personal information on the handle of personal information to the extent necessary for the implementation of the provisions of this section.

Article 34 (Recommendations and Orders)

1. When an entity handling personal information has violated any of the provisions of Article 16 to Article 18, Article 20 to Article 27, or Paragraph 2 of Article 30, the competent Minister may recommend that the entity handling personal information concerned cease the violation concerned and take other necessary measures to correct the violation if a competent Minister considers it necessary for protecting the rights and interests of individuals.

2. Where an entity handling personal information having received a recommendation under the provision of the preceding paragraph does not take the recommended measures without justifiable reason, and where the competent minister considers that the infringement on the important rights and interests of individuals is imminent, the competent minister may order the entity handling personal information concerned to take the recommended measures.

3. Notwithstanding the provisions of the preceding two paragraphs, where an entity handling personal information has violated any of the provisions of Article 16, Article 17, Articles 20 to 22, or Paragraph 1 of Article 23, and where the competent minister considers it necessary to take measures urgently as there is the fact of infringement of the important rights and interests of individuals, the competent minister may order the entity handling personal information concerned to cease the violation concerned and take other necessary measures to redress the violation.

Article 35 (Restrictions of the Exercise of Authority by the Competent Minister)

1. In collecting a report from, or giving an advice, a recommendation or an order to an entity handling personal information pursuant to the provisions of the preceding three articles, the competent Minister must not disturb freedom of expression, academic freedom, freedom of religion, or freedom of political activity.

2. In light of the purport of the provision of the preceding paragraph, with respect to the act of an entity handling personal information to provide an individual or entity mentioned in each item of Paragraph 1 of Article 50 (limited to cases in which the personal information is handled for a purpose as respectively provided in each of such items) with personal information, the competent Minister shall not exercise its authority.

Article 36 (Competent Ministers)

1. The competent ministers under the provisions of this section shall be as specified below. However, for specific handling of personal information by an entity handling personal information, the Prime Minister may specify a specific minister or the National Public Safety Commission (hereinafter called a "minister, etc ") as a competent minister when he or she considers it necessary for the smooth implementation of the provisions of this section.

(1) For such handling of personal information by an entity handling personal information as is related to employment management, Minister of Health, Labour and Welfare (for such handling of personal information as is related to the employment management of seafarers, the Minister of Land, Infrastructure and Transport) and the minister, etc. concerned with jurisdiction over the business of the entity handling personal information

(2) For such handling of personal information by an entity handling personal information as is not falling under the preceding item, the minister, etc. concerned with jurisdiction over the business of the entity handling personal information

2. When the Prime Minister has specified a competent minister under the provision of the proviso to the preceding paragraph, he or she must officially announce that effect.

3. Competent ministers must maintain close liaison and cooperate with each other in implementing the provisions of this section.

Section 2. Promotion of the Protection of Personal Information by Private Institutions

Article 37 (Authorization)

1. A corporation (which includes an unincorporated organization with a specified representative or manager; this applies to (B) of Item 3 of the next article) that intends to conduct any of the businesses enumerated in the following items for the purpose of ensuring the proper handling of personal information by an entity handling personal information, may be authorized as such by the competent minister:

(1) The handling under Article 42 of complaints about the handling of personal information of such entities handling personal information as are the targets of the business (hereinafter called "target entities")

(2) The provision of information for target entities about the matters contributing to ensuring the proper handling of personal information

(3) In addition to those mentioned in the preceding two items, any business necessary for ensuring the proper handling of personal information by target entities

2. An entity intending to receive authorization under the preceding paragraph must apply to the competent minister as prescribed by a Cabinet order.

3. When having granted authorization under Paragraph 1, the competent minister must officially announce that effect.

Article 38 (Disqualification)

An entity falling under any of the following items may not receive authorization under Paragraph 1 of the preceding article:

(1) An entity having received a sentence under the provisions of this Act with less than two years after the entity served out the sentence or was exempted from the execution of the sentence

(2) An entity whose authorization was revoked under Paragraph 1 of Article 48 with less than two years after the revocation

(3) An entity with an officer (including the representative or manager of an unincorporated organization with a specified representative or manager. This applies hereinafter in this article.) conducting the business who falls under either of the following categories:

(A) An individual sentenced to imprisonment or a heavier penalty, or having received a sentence under the provision of this Act, with less than two years after the individual served out the sentence or was exempted from the execution of the sentence

(B) In the case of a corporation whose authorization was revoked under Paragraph 1 of Article 48, an individual who was an officer of the corporation within at least 30 days before the revocation, with less than two years after the revocation

Article 39 (Authorization Standard)

The competent minister must not grant authorization unless he or she considers that an application for authorization filed under Paragraph 1 of Article 37 meets every requirement enumerated in the following items:

(1) The applicant shall have established a business execution method necessary for properly and securely conducting the business mentioned in any of the items of Paragraph 1 of Article 37.

(2) The applicant shall have enough knowledge, abilities, and accounting base for properly and securely conducting the business mentioned in any of the items of Paragraph 1 of Article 37.

(3) When the applicant conducts any business other than the businesses mentioned in the items of Paragraph 1 of Article 37, by conducting the business, the applicant shall not possibly impede the fair execution of the businesses mentioned in the same items of the same paragraph.

Article 40 (Notice of Discontinuation)

1. When an entity authorized under Paragraph 1 of Article 37 (hereinafter called a " authorized personal information protection organization") intends to discontinue the business pertaining to the authorization (hereinafter called the " authorized business"), it must notify the competent minister of that effect in advance as prescribed by a Cabinet order.

2. When having received a notice under the provision of the preceding paragraph, the competent minister must officially announce that effect.

Article 41 (Target Entities)

1. Each target entity of an authorized personal information protection organization must be an entity handling personal information that is a member of the authorized personal information protection organization concerned or an entity handling personal information that has agreed to become a target of the authorized businesses.

2. Each authorized personal information protection organization must publicly announce the names of its target entities.

Article 42 (Handling of Complaints)

1. When an authorized personal information protection organization is requested by a person, etc. to solve a complaint about the handling of personal information by a target entity, corresponding to the request, the organization must give the person, etc. necessary advice, investigate the facts concerning the complaint and request the target entity to solve the complaint promptly by notifying the target entity concerned of the content of the complaint.

2. When an authorized personal information protection organization considers it necessary for solving complaints lodged under the preceding paragraph, the organization may request the target entity concerned to explain in writing or by mouth, or request it to submit relevant materials.

3. When a target entity has received a request under the provision of the preceding paragraph from an authorized personal information protection organization, the target entity must not reject the request without justifiable reason.

Article 43 (Personal Information Protection Guidelines)

1. In order to ensure the proper handling of personal information by its target entities, each authorized personal information protection organization must endeavor to draw up and publicly announce guidelines (hereinafter called "personal information protection guidelines") in conformity with the purport of the provisions of this Act, concerning the specification of the Purpose of Use, security control measures, procedures for complying with individuals' requests, and other matters.

2. When an authorized personal information protection organization has publicly announced its personal information protection guidelines under the provision of the preceding paragraph, the organization must endeavor to provide guidance, give recommendations, and take other measures necessary in order to have its target entities observe the personal information protection guidelines concerned.

Article 44 (Prohibition of Use Other Than for Intended Purposes)

An authorized personal information protection organization must not use any information it may have acquired in the course of conducting its authorized businesses for purposes other than that for the authorized business.

Article 45 (Restriction of Use of the Name)

An entity that is not an authorized personal information protection organization must not use the name " authorized personal information protection organization" or any other name that might be mistaken for it.

Article 46 (Collection of Reports)

The competent minister may have an authorized personal information protection organization make a report on the authorized businesses to the extent necessary for the implementation of the provisions of this section.

Article 47 (Orders)

The competent minister may order an authorized personal information protection organization to improve the method of conducting its authorized businesses, to amend its personal information protection guidelines, or to take any other necessary measures to the extent necessary for the implementation of the provisions of this section.

Article 48 (Revocation of Authorization)

1. If an authorized personal information protection organization falls under any of the following items, the competent minister may revoke its authorization :

(1) Cases of falling under Item 1 or 3 of Article 38

(2) Cases of falling not to conform with any of the items of Article 39

(3) Cases of violating the provisions of Article 44

(4) Cases of not complying with orders in the preceding article

(5) Cases of having received the authorization in Paragraph 1 of Article 37 by a dishonest means

2. When having revoked authorization under the provision of the preceding paragraph, the competent minister must officially announce that effect.

Article 49 (Competent Ministers)

1. The competent ministers under the provisions of this section shall be as specified below. However, when the Prime Minister considers it necessary for the smooth implementation of the provisions of this section, he or she may specify a specific minister, etc. as a competent minister for specific entities that intend to apply for authorization under Paragraph 1 of Article 37.

(1) For authorized personal information protection organization (including entities that intend to be authorized under Paragraph 1 of Article 37. This applies in the next item.) established under permission or approval, the competent minister shall be the minister, etc. that has granted the permission or approval.

(2) For authorized personal information protection organization other than those mentioned in the preceding item, the competent minister shall be the minister, etc. having jurisdiction over the business conducted by the target entities of the authorized personal information protection organizations concerned.

2. When the Prime Minister has specified a competent minister under the provision of the proviso to the preceding paragraph, he or she must officially announce that effect.

Chapter 5. Miscellaneous Provisions

Article 50 (Exclusion from Application)

1. With respect to entities handling personal information, being the entities enumerated in each of the items below, if all or part of the purpose of handling personal information is a purpose respectively prescribed in each of the items, the provisions of the preceding chapter shall not be applied.

(1) Broadcasting institutions, newspaper publishers, news agencies and the other press (including individuals engaged in journalism as their business); the purpose for journalism

(2) An entity who conduct literary work as their business; the purpose for literary work

(3) Colleges, universities, other institutions or organizations engaged in academic studies, or entities belonging to them: The purpose for academic studies

(4) Religious organizations: The purpose for religious activities (including activities incidental thereto)

(5) Political organizations: The purpose for political activities (including activities incidental thereto)

2. "Journalism" as mentioned in Item (1) of the preceding paragraph shall mean informing many and unspecified individuals or entities of objective facts as the facts (including to state opinions or views based on such facts).

3. Entities handling personal information enumerated in the items of Paragraph 1 must endeavor to take by themselves the necessary and appropriate measures for controlling the security of personal data, and the necessary measures for the handling of complaints about the handling of personal information and the other necessary measures for ensuring the proper handling of personal information, and must also endeavor to publicly announce the content of those measures concerned.

Article 51 (Operations Handled by Local Public Bodies)

The operations belonging to the authority of a competent minister defined by this Act may be handled by the heads of local public bodies or by other executive agencies as prescribed by a Cabinet order.

Article 52 (Delegation of Authority or Operations)

The matters belonging to the authority or the operations of a competent minister may be delegated to his or her staffs as prescribed by a Cabinet order.

Article 53 (Public Announcement of the Status of Enforcement)

1. The Prime Minister may collect reports on the status of enforcement of this Act from the heads of relevant administrative institutions (the institutions established in the Cabinet under the provisions of laws (except the Cabinet Office), institutions under the supervision of the Cabinet, the Cabinet Office, the Imperial Household Agency, the institutions prescribed in Paragraphs 1 and 2 of Article 49 of the Law for the Establishment of the Cabinet Office (Law No. 89 of 1999), and the institutions prescribed in Paragraph 2 of Article 3 of the National Government Organization Law (Law No. 120 of 1948); this applies in the next article).

2. Each year the Prime Minister shall compile the reports mentioned in the preceding paragraph and publicly announce their outline.

Article 54 (Liaison and Cooperation)

The Prime Minister and the heads of the administrative institutions involved in the enforecement of this Act must maintain close liaison and cooperate with each other.

Article 55 (Delegation to Cabinet Orders)

The matters necessary for the implementation of this Act, in addition to those prescribed in this Act, shall be prescribed by Cabinet orders.

Chapter 6. Penal Provisions

Article 56

An entity who violates orders issued under Paragraph 2 or 3 of Article 34 shall be sentenced to imprisonment of not more than six months or to a fine of not more than 300,000 yen.

Article 57

An entity who does not make a report required by Article 32 or 46 or who has made a false report shall be sentenced to a fine of not more than 300,000 yen.

Article 58

1. If any representative of a corporation (which includes an unincorporated organization with a specified representative or manager; this applies hereinafter in this paragraph), or any agent, employee or other workers of a corporation or of an individual commits any of the violations prescribed in the preceding two articles concerning the business of the corporation or individual, then not only shall the performer be punished but also the corporation or individual shall be sentenced to the fine prescribed in the corresponding article.

2. When the provision of the preceding paragraph applies to an unincorporated organization, its representative or manager shall represent the unincorporated organization in its acts of lawsuits, and the provisions of the laws concerning criminal suits in which a corporation is a defendant or suspect shall be apply mutatis mutandis.

Article 59

An entity who falls under either of the following items shall be sentenced to a fine of not more than 100,000 yen:

(1) An entity who does not make a report required by Paragraph 1 of Article 40 or who has made a false report

(2) An entity who violates the provision of Article 45

Supplementary Provisions

Article 1 (Effective Date)

This Act shall be enforced as of the date of promulgation. However, the provisions of Chapter 4 to Chapter 6 and Article 2 to Article 6 of the supplementary Provisions shall become effective as of the date to be prescribed by a Cabinet order within the limit of not more than two years beginning from the date of promulgation.

Article 2 (Transitional Measures Concerning a Consent of a Person)

Where a person has given consent to the handling of his or her personal information before this Act is enforced, and where the consent is equivalent to the consent that allows the personal information to be handled for a purpose other than the Purpose of Use specified under Paragraph 1 of Article 15, then it shall be deemed that there is such consent as is prescribed in Paragraph 1 or 2 of Article 16.

Article 3

Where a person has given consent to the handling of his or her personal information before this Act is enforced, and where the consent is equivalent to the consent that allows the personal data to be provided to third parties under Paragraph 1 of Article 23, then it shall be deemed that there is such consent as is prescribed in the same paragraph.

Article 4 (Transitional Measures Concerning Notices)

If an individual has been notified, before this Act is enforced, of the matters that shall be notified to the individual or be put in a readily accessible condition for the individual under Paragraph 2 of Article 23, then it shall be deemed that the notice concerned has been given under the provision of the same paragraph.

Article 5

If an individual has been notified, before this Act is enforced, of the matters that shall be notified to the individual or be put in a readily accessible condition for the individual under Item 3 of Paragraph 4 of Article 23, then it shall be deemed that the notice concerned has been given under the provision of the same paragraph.

Article 6 (Transitional Measures Concerning the Restriction of Use of the Name)

The provisions of Article 45 shall not apply, for six months after the provision of the same article is enforced, to any entity actually using the name " authorized personal information protection organization" or a name that might be mistaken for it at the time when this Act is enforced.