-1-
この個人情報の保護に関する法律の翻訳は、平成十五年法律第百十九号までの改正(平
成17年4月1日施行)について 「法令用語日英標準対訳辞書 (平成18年3月版)に 、 」
準拠して作成したものです。
なお、この法令の翻訳は公定訳ではありません。法的効力を有するのは日本語の法令自
体であり、翻訳はあくまでその理解を助けるための参考資料です。この翻訳の利用に伴っ
て発生した問題について、一切の責任を負いかねますので、法律上の問題に関しては、官
報に掲載された日本語の法令を参照してください。
This English translation of the Act on the Protection of Personal Information has been translated
( ( )) through the revisions of Act No. 119 of 2003 Effective April 1, 2005 in compliance with the
Standard Bilingual Dictionary March 2006 edition . ( )
This is an unofficial translation. Only the original Japanese texts of laws and regulations have
legal effect, and the translations are to be used solely as reference material to aid in the
understanding of Japanese laws and regulations.
The Government of Japan shall not be responsible for the accuracy, reliability or currency of the
legislative material provided in this Website, or for any consequence resulting from use of the
information in this Website. For all purposes of interpreting and applying law to any legal issue or
dispute, users should consult the original Japanese texts published in the Official Gazette.
Act on the Protection of Personal Information Act No. 57 of (
2003)
Chapter 1 General Provisions
Article 1 ( ) Purpose
The purpose of this Act is to protect the rights and interests of individuals while
taking consideration of the usefulness of personal information, in view of a
remarkable increase in the utilization of personal information due to development of
the advanced information and communications society, by clarifying the
responsibilities of the State and local governments, etc. with laying down basic
principle, establishment of a basic policy by the Government and the matters to
serve as a basis for other measures on the protection of personal information, and by
prescribing the duties to be observed by entities handling personal information, etc.,
regarding the proper handling of personal information.
Article 2 ( ) Definitions
( )1 The term “personal information” as used in this Act shall mean information
about a living individual which can identify the specific individual by name, date
of birth or other description contained in such information including such (
information as will allow easy reference to other information and will thereby
enable the identification of the specific individual . )
( )2 The term “a personal information database, etc.” as used in this Act shall mean
an assembly of information including personal information as set forth below:
( )i an assembly of information systematically arranged in such a way that
-2-
specific personal information can be retrieved by a computer; or
( ) ii in addition to what is listed in the preceding item, an assembly of
information designated by a Cabinet Order as being systematically arranged in
such a way that specific personal information can be easily retrieved.
( )3 The term “a business operator handling personal information” as used in this
Act shall mean a business operator using a personal information database, etc. for
its business; however, the following entities shall be excluded;
( )i The State organs
( ) ii Local governments
() ( iii Incorporated administrative agencies, etc. which means independent
administrative agencies as provided in paragraph 1 of Article 2 of the Act on the
Protection of Personal Information Held by Incorporated Administrative
Agencies, etc. Act No. 59 of 2003; the same shall apply hereinafter ( ))
() ( iv Local independent administrative institutions which means local
incorporated administrative agencies as provided in paragraph 1 of Article 2 of
the Local Incorporated Administrative Agencies Law. Act No. 118 of 2003; the (
same shall apply hereinafter))
( )v Entities specified by a Cabinet Order as having a little likelihood to harm
the rights and interests of individuals considering the volume and the manner of
utilization of personal information they handle.
( )4 The term “personal data” as used in this Act shall mean personal information
constituting a personal information database, etc.
( )5 The term “retained personal data” as used in this Act shall mean such personal
data over which a business operator handling personal information has the
authority to disclose, to correct, add or delete the content, to discontinue its
utilization, to erase, and to discontinue its provision to a third party, excluding the
data which is specified by a Cabinet Order as harming public or other interests if
its presence or absence is known and the data which will be erased within a period
of no longer than one year that is specified by a Cabinet Order.
( )6 The term “person” as to personal information as used in this Act shall mean a
specific individual identified by personal information.
Article 3 ( ) Basic Principle
In view of the fact that personal information should be handled cautiously under
the philosophy of respecting the personalities of individuals, proper handling of
personal information shall be promoted.
Chapter 2 Responsibilities of the State and Local governments, etc.
Article 4 ( ) Responsibilities of the State
-3-
The State shall be responsible for comprehensively formulating and implementing
measures necessary for ensuring the proper handling of personal information in
conformity with the purport of this Act.
Article 5 ( ) Responsibilities of Local governments
Local governments shall be responsible for formulating and implementing the
measures necessary for ensuring the proper handling of personal information
according to the characteristics of their area in conformity with the purport of this
Act.
Article 6 ( ) Legislative Measures, etc.
The Government shall take necessary legislative and other measures to ensure
that special measures will be taken for the protection of the personal information
which especially needs to be ensured the strict implementation of its proper handling
for the further protection of the rights and interests of individuals in view of the
nature and the method of utilization of the personal information.
Chapter 3 Measures for the Protection of Personal Information, etc.
Section 1 Basic Policy on the Protection of Personal Information
Article 7
( )1 The Government shall establish a basic policy on the protection of personal
information hereinafter referred to as “Basic Policy” in order to ensure the ( )
comprehensive and integrated promotion of measures for the protection of personal
information.
( )2 The Basic Policy shall cover the following matters:
( )i The basic direction concerning the promotion of measures for the protection
of personal information
( ) ii Matters concerning the measures for the protection of personal information
to be taken by the State
( ) iii Basic matters concerning the measures for the protection of personal
information to be taken by local governments
( ) iv Basic matters concerning the measures for the protection of personal
information to be taken by incorporated administrative agencies, etc.
( )v Basic matters concerning the measures for the protection of personal
information to be taken by local incorporated administrative agencies.
( ) vi Basic matters concerning the measures for the protection of personal
information to be taken by entities handling personal information and
authorized personal information protection organizations provided in paragraph
-4-
1 of Article 40
( ) vii Matters concerning the smooth processing of complaints about the handling
of personal information
( ) viii Other important matters concerning the promotion of measures for the
protection of personal information
( )3 The Prime Minister shall prepare a draft of the Basic Policy, consulting the
Quality of Life Council, and seek a cabinet decision.
( )4 When a cabinet decision is made under the preceding paragraph, the Prime
Minister shall publicly announce the Basic Policy without delay.
( )5 The provisions of the preceding two paragraphs shall apply mutatis mutandis to
amendments to the Basic Policy.
Section 2 Measures of the State
Article 8 ( ) Support to Local Governments and Others
In order to support the measures for the protection of personal information
formulated or implemented by local governments and the activities performed by
citizens, entities, and others to ensure the proper handling of personal information,
the State shall provide information, formulate guidelines to ensure the appropriate
and effective implementation of measures to be taken by entities and others, and
take any other necessary measures.
Article 9 ( ) Measures for the Processing of Complaints
The State shall take necessary measures to ensure the appropriate, prompt
processing of complaints arising between a business operator and a person about the
handling of personal information concerning the person.
Article 10 ( ) Measures to Ensure Proper Handling of Personal Information
Through the appropriate division of roles between the State and local
governments, the State shall take necessary measures to ensure the proper handling
of personal information by entities handling personal information provided in the
next chapter.
Section 3 Measures of Local Governments
Article 11 (Protection of Personal Information Held by Local Governments and
Others)
( )1 A local government shall endeavor to take necessary measures in order to
ensure the proper handling of the personal information it holds in consideration of
the nature of the personal information, the purpose of holding the personal
-5-
information concerned, and other factors.
( )2 A local government shall endeavor to take necessary measures for local
incorporated administrative agencies established by it in order to ensure the
proper handling of the personal information they hold in accordance with the
nature and affairs of them.
Article 12 ( ) Support to Entities and Others in the Area
In order to ensure the proper handling of personal information, a local government
shall endeavor to take necessary measures for supporting entities and residents in
its area.
Article 13 ( ) Mediation for the Processing of Complaints, etc.
In order to ensure that any complaint arising between a business operator and a
person about the handling of personal information will be handled appropriately and
promptly, a local government shall endeavor to mediate the processing of complaints
and take other necessary measures.
Section 4 Cooperation between the State and Local governments
Article 14
The State and local governments shall cooperate in taking measures for the
protection of personal information.
Chapter 4 Duties of Entities Handling Personal Information, etc.
Section 1 Duties of Entities Handling Personal Information
Article 15 ( ) Specification of the Purpose of Utilization
( )1 When handling personal information, a business operator handling personal
information shall specify the purpose of utilization of personal information
( ) hereinafter referred to as “Purpose of Utilization” as much as possible.
( )2 A business operator handling personal information shall not change the Purpose
of Utilization beyond the scope which is reasonably considered that the Purpose of
Utilization after the change is duly related to that before the change.
Article 16 ( ) Restriction by the Purpose of Utilization
( )1 A business operator handling personal information shall not handle personal
information about a person, without obtaining the prior consent of the person,
beyond the scope necessary for the achievement of the Purpose of Utilization
specified pursuant to the provision of the preceding article.
-6-
( )2 When a business operator handling personal information has acquired personal
information as a result of taking over the business of another business operator
handling personal information in a merger or otherwise, the acquiring business
operator shall not handle the personal information concerned, without obtaining
the prior consent of the persons, beyond the scope necessary for the achievement of
the Purpose of Utilization of the personal information concerned before the
succession.
( )3 The provisions of the preceding two paragraphs shall not apply to the following
cases:
( )i Cases in which the handling of personal information is based on laws and
regulations
( ) ii Cases in which the handling of personal information is necessary for the
protection of the life, body, or property of an individual and in which it is
difficult to obtain the consent of the person
( ) iii Cases in which the handling of personal information is specially necessary
for improving public health or promoting the sound growth of children and in
which it is difficult to obtain the consent of the person
( ) iv Cases in which the handling of personal information is necessary for
cooperating with a state organ, a local government, or an individual or a
business operator entrusted by either of the former two in executing the affairs
prescribed by laws and regulations and in which obtaining the consent of the
person is likely to impede the execution of the affairs concerned
Article 17 ( ) Proper Acquisition
A business operator handling personal information shall not acquire personal
information by a deception or other wrongful means.
Article 18 ( ) Notice of the Purpose of Utilization at the Time of Acquisition, etc.
( )1 When having acquired personal information, a business operator handling
personal information shall, except in cases in which the Purpose of Utilization has
already been publicly announced, promptly notify the person of the Purpose of
Utilization or publicly announce the Purpose of Utilization.
( )2 Notwithstanding the provision of the preceding paragraph, when a business
operator handling personal information acquires such personal information on a
person as is written in a contract or other document including a record made by (
an electronic method, a magnetic method, or any other method not recognizable to
human senses. hereinafter the same shall apply in this paragraph. as a result of )
concluding a contract with the person or acquires such personal information on a
person as is written in a document directly from the person, the business operator
shall expressly show the Purpose of Utilization in advance. However, this
-7-
provision shall not apply in cases in which the acquisition of personal information
is urgently required for the protection of the life, body, or property of an
individual.
( )3 When a business operator handling personal information has changed the
Purpose of Utilization, the business operator shall notify the person of the changed
Purpose of Utilization or publicly announce it.
( )4 The provisions of the preceding three paragraphs shall not apply to the following
cases:
( )i Cases in which notifying the person of the Purpose of Utilization or publicly
announcing it are likely to harm the life, body, property, or other rights or
interests of the person or a third party
( ) ii Cases in which notifying the person of the Purpose of Utilization or publicly
announcing it are likely to harm the rights or legitimate interests of the
business operator handling personal information
( ) iii Cases in which it is necessary to cooperate with a state organ or a local
government in executing the affairs prescribed by laws and regulations and in
which notifying the person of the Purpose of Utilization or publicly announcing
it are likely to impede the execution of the affairs
( ) iv Cases in which it is considered that the Purpose of Utilization is clear in
consideration of the circumstances of the acquisition
Article 19 ( ) Maintenance of the Accuracy of Data
A business operator handling personal information shall endeavor to maintain
personal data accurate and up to date within the scope necessary for the
achievement of the Purpose of Utilization.
Article 20 ( ) Security Control Measures
A business operator handling personal information shall take necessary and
proper measures for the prevention of leakage, loss, or damage, and for other
security control of the personal data.
Article 21 ( ) Supervision of Employees
When a business operator handling personal information has an employee handle
personal data, it shall exercise necessary and appropriate supervision over the
employee to ensure the security control of the personal data.
Article 22 ( ) Supervision of Trustees
When a business operator handling personal information entrusts an individual or
a business operator with the handling of personal data in whole or in part, it shall
exercise necessary and appropriate supervision over the trustee to ensure the
-8-
security control of the entrusted personal data.
Article 23 ( ) Restriction of Provision to A Third Party
( )1 A business operator handling personal information shall not, except in the
following cases, provide personal data to a third party without obtaining the prior
consent of the person:
( )i Cases in which the provision of personal data is based on laws and
regulations
( ) ii Cases in which the provision of personal data is necessary for the protection
of the life, body, or property of an individual and in which it is difficult to obtain
the consent of the person
( ) iii Cases in which the provision of personal data is specially necessary for
improving public health or promoting the sound growth of children and in which
it is difficult to obtain the consent of the person
( ) iv Cases in which the provision of personal data is necessary for cooperating
with a state organ, a local government, or an individual or a business operator
entrusted by one in executing the affairs prescribed by laws and regulations and
in which obtaining the consent of the person are likely to impede the execution
of the affairs
( )2 With respect to personal data intended to be provided to a third party, where a
business operator handling personal information agrees to discontinue, at the
request of a person, the provision of such personal data as will lead to the
identification of the person, and where the business operator, in advance, notifies
the person of the matters listed in the following items or put those matters in a
readily accessible condition for the person, the business operator may,
notwithstanding the provision of the preceding paragraph, provide such personal
data to a third party:
( )i The fact that the provision to a third party is the Purpose of Utilization
( ) ii The items of the personal data to be provided to a third party
( ) iii The means or method of provision to a third party
( ) iv The fact that the provision of such personal data as will lead to the
identification of the person to a third party will be discontinued at the request of
the person
( )3 When a business operator handling personal information changes the matter
listed in item 2 or 3 of the preceding paragraph, the business operator shall, in
advance, notify the person of the content of the change or put it in a readily
accessible condition for the person.
( )4 In following the cases, the individual or business operator receiving such
personal data shall not be deemed a third party for the purpose of application of
the provisions of the preceding three paragraphs:
-9-
( )i Cases in which a business operator handling personal information entrust
the handling of personal data in whole or in part within the scope necessary for
the achievement of the Purpose of Utilization
( ) ii Cases in which personal data is provided as a result of the succession of
business in a merger or otherwise
( ) iii Cases in which personal data is used jointly between specific individuals or
entities and in which this fact, the items of the personal data used jointly, the
scope of the joint users, the purpose for which the personal data is used by
them, and the name of the individual or business operator responsible for the
management of the personal data is, in advance, notified to the person or put in
a readily accessible condition for the person
( )5 When a business operator handling personal information changes the purpose
for which the personal data is used or the name of the individual or business
operator responsible for the management of the personal data as are provided in
item 3 of the preceding paragraph, the business operator shall, in advance, notify
the person of the content of the change or put it in a readily accessible condition
for the person.
Article 24 (Public Announcement of Matters Concerning Retained Personal Data,
etc.)
( )1 With respect to the retained personal data, a business operator handling
personal information shall put the matters listed in the following items in an
accessible condition for the person suc ( h condition includes cases in which a
response is made without delay at the request of the person : )
( )i The name of the business operator handling personal information
() ( ii The Purpose of Utilization of all retained personal data except in cases
falling under any of items 1 to 3 of paragraph 4 of Article 18)
( ) iii Procedures to meet requests made pursuant to the provisions of the next
paragraph, paragraph 1 of the next article, paragraph 1 of Article 26, or
paragraph 1 or paragraph 2 of Article 27 including the amount of charges if set (
pursuant to the provision of paragraph 2 of Article 30)
( ) iv In addition to what is listed in the preceding three items, such matters,
specified by a Cabinet Order, as being necessary for ensuring the proper
handling of retained personal data
( )2 When a business operator handling personal information is requested by a
person to notify him or her of the Purpose of Utilization of such retained personal
data as may lead to the identification of the person concerned, the business
operator shall meet the request without delay. However, this provision shall not
apply to cases falling under either of the following items:
( )i Cases in which the Purpose of Utilization of such retained personal data as
- 10 –
may lead to the identification of the person concerned is clear pursuant to the
provision of the preceding paragraph
( ) ii Cases falling under any of items 1 to 3 of paragraph 4 of Article 18
( )3 When a business operator handling personal information has decided not to
notify the Purpose of Utilization of such retained personal data as is requested
under the preceding paragraph, the business operator shall notify the person of
that effect without delay.
Article 25 ( ) Disclosure
( )1 When a business operator handling personal information is requested by a
person to disclose such retained personal data as may lead to the identification of
the person such disclosure includes notifying the person that the business (
operator has no such retained personal data as may lead to the identification of
the person concerned. The same shall apply hereinafter. , the business operator )
shall disclose the retained personal data without delay by a method prescribed by
a Cabinet Order. However, in falling under any of the following items, the
business operator may keep all or part of the retained personal data undisclosed:
( )i Cases in which disclosure is likely to harm the life, body, property, or other
rights or interests of the person or a third party
( ) ii Cases in which disclosure is likely to seriously impede the proper execution
of the business of the business operator handling personal information
( ) iii Cases in which disclosure violates other laws and regulations
( )2 When a business operator handling personal information has decided not to
disclose all or part of such retained personal data as is requested pursuant to the
provision of the preceding paragraph, the business operator shall notify the
person of that effect without delay.
( )3 If the provisions of any other laws and regulations require that all or part of
such retained personal data as may lead to the identification of a person be
disclosed to the person by a method equivalent to the method prescribed in the
main part of paragraph 1, the provision of the paragraph shall not apply to such
all or part of the retained personal data concerned.
Article 26 ( ) Correction, etc.
( )1 When a business operator handling personal information is requested by a
person to correct, add, or delete such retained personal data as may lead to the
identification of the person on the ground that the retained personal data is
contrary to the fact, the business operator shall, except in cases in which special
procedures are prescribed by any other laws and regulations for such correction,
addition, or deletion, make a necessary investigation without delay within the
scope necessary for the achievement of the Purpose of Utilization and, on the basis - 11 –
of the results, correct, add, or delete the retained personal data.
( )2 When a business operator handling personal information has corrected, added,
or deleted all or part of the retained personal data as requested or has decided not
to make such correction, addition, or deletion, the business operator shall notify
the person of that effect including the content of the correction, addition, or (
deletion if performed without delay. )
Article 27 ( ) Discontinuance of the Utilization, etc.
( )1 Where a business operator handling personal information is requested by a
person to discontinue using or to erase such retained personal data as may lead to
the identification of the person on the ground that the retained personal data is
being handled in violation of Article 16 or has been acquired in violation of Article
17, and where it is found that the request has a reason, the business operator
shall discontinue using or erase the retained personal data concerned without
delay to the extent necessary for redressing the violation. However, this provision
shall not apply to cases in which it costs large amount or otherwise difficult to
discontinue using or to erase the retained personal data and in which the business
operator takes necessary alternative measures to protect the rights and interests
of the person.
( )2 Where a business operator handling personal information is requested by a
person to discontinue providing to a third party such retained personal data as
may lead to the identification of the person on the ground that the retained
personal data is being provided to a third party in violation of paragraph 1 of
Article 23, and where it is found that the request has a reason, the business
operator shall discontinue providing the retained personal data to a third party
without delay. However, this provision shall not apply to cases in which it costs
large amount or otherwise difficult to discontinue providing the retained personal
data concerned to a third party and in which the business operator takes
necessary alternative measures to protect the rights and interests of the person.
( )3 When a business operator handling personal information has discontinued using
or has erased all or part of the retained personal data as requested under
paragraph 1 or has decided not to discontinue using or not to erase the retained
personal data or when a business operator handling personal information has
discontinued providing all or part of the retained personal data to a third party as
requested under the provision of the preceding paragraph or has decided not to
discontinue providing the retained personal data to a third party, the business
operator shall notify the person of that effect without delay.
Article 28 ( ) Explanation of Reasons
When a business operator handling personal information notifies a person - 12 –
requesting the business operator to take certain measures pursuant to the provisions
of paragraph 3 of Article 24, paragraph 2 of Article 25, paragraph 2 of Article 26, or
paragraph 3 of the preceding article that the business operator will not take all or
part of the measures or that the business operator will take different measures, the
business operator shall endeavor to explain the reasons.
Article 29 ( ) Procedures to Meet Requests for Disclosure and Others
( )1 A business operator handling personal information may, as prescribed by a
Cabinet Order, determine procedures for receiving requests that may be made
pursuant to the provisions of paragraph 2 of Article 24, paragraph 1 of Article 25,
paragraph 1 of Article 26 or paragraph 1 or paragraph 2 of Article 27 hereinafter (
referred to as “a request for disclosure and others” in this article . In such a case, )
any person making a request for disclosure and others shall comply with the
procedures.
( )2 A business operator handling personal information may request a person
making a request for disclosure and others to show sufficient items to identify the
retained personal data in question. In this case, the business operator shall
provide the information contributing to the identification of the retained personal
data in question or take any other appropriate measures in consideration of the
person’s convenience so that the person can easily and accurately make a request
for disclosure and others.
( )3 A person may, as prescribed by a Cabinet Order, make a request for disclosure
and others through a representative.
( )4 When a business operator determine the procedures for meeting requests for
disclosure and others under the provisions of the preceding three paragraphs, the
business operator shall take into consideration that the procedures will not impose
excessively heavy burden on the persons making requests for disclosure and
others.
Article 30 ( ) Charges
( )1 When a business operator handling personal information is requested to notify
the Purpose of Utilization under the provision of paragraph 2 of Article 24 or to
make a disclosure under the provision of paragraph 1 of Article 25, the business
operator may collect charges for taking the measure.
( )2 When a business operator handling personal information collects charges
pursuant to the provision of the preceding paragraph, the business operator shall
determine the amounts of charges within the scope considered reasonable in
consideration of actual costs.
Article 31 (Processing of Complaints by Entities Handling Personal Information) - 13 –
( )1 A business operator handling personal information shall endeavor to
appropriately and promptly process complaints about the handling of personal
information.
( )2 A business operator handling personal information shall endeavor to establish a
system necessary for achieving the purpose set forth in the preceding paragraph.
Article 32 ( ) Collection of Reports
The competent minister may have a business operator handling personal
information make a report on the handle of personal information to the extent
necessary for implementation of the provisions of this section.
Article 33 ( ) Advice
The competent minister may advise a business operator handling personal
information on the handle of personal information to the extent necessary for
implementation of the provisions of this section.
Article 34 ( ) Recommendations and Orders
( )1 When a business operator handling personal information has violated any of the
provisions of Article 16 to Article 18, Article 20 to Article 27, or paragraph 2 of
Article 30, the competent Minister may recommend that the business operator
handling personal information cease the violation and take other necessary
measures to correct the violation when a competent Minister finds it necessary for
protecting the rights and interests of individuals.
( )2 Where a business operator handling personal information having received a
recommendation under the provision of the preceding paragraph does not take the
recommended measures without justifiable ground, and when the competent
minister finds that the serious infringement on the rights and interests of
individuals is imminent, the competent minister may order the business operator
handling personal information to take the recommended measures.
( )3 Notwithstanding the provisions of the preceding two paragraphs, where a
business operator handling personal information has violated any of the provisions
of Article 16, Article 17, Articles 20 to 22, or paragraph 1 of Article 23, and when
the competent minister finds it necessary to take measures urgently as there is
the fact of serious infringement of the rights and interests of individuals, the
competent minister may order the business operator handling personal
information to cease the violation and take other necessary measures to rectify the
violation.
Article 35 ( ) Restrictions of the Exercise of Authority by the Competent Minister
( )1 In collecting a report from, or giving an advice, a recommendation or an order to - 14 –
a business operator handling personal information pursuant to the provisions of
the preceding three articles, the competent Minister shall not disturb freedom of
expression, academic freedom, freedom of religion, or freedom of political activity.
( )2 In light of the purport of the provision of the preceding paragraph, with respect
to the act of a business operator handling personal information to provide an
individual or business operator mentioned in each item of paragraph 1 of Article
50 limited to cases in which the persona ( l information is handled for a purpose as
respectively provided in each of such items with personal information, the )
competent Minister shall not exercise its authority.
Article 36 ( ) Competent Ministers
( )1 The competent ministers under the provisions of this section shall be as
specified below. However, for specific handling of personal information by a
business operator handling personal information, the Prime Minister may
designate a specific minister or the National Public Safety Commission
( ) hereinafter referred to as “minister, etc ” as a competent minister when he or
she considers it necessary for smooth implementation of the provisions of this
section.
( )i For such handling of personal information by a business operator handling
personal information as is related to employment management, Minister of
Health, Labor and Welfare for such hand ( ling of personal information as is
related to the employment management of mariners, the Minister of Land,
Infrastructure, Transport and Tourism) and the minister, etc. concerned with
jurisdiction over the business of the business operator handling personal
information
( ) ii For such handling of personal information by a business operator handling
personal information as is not falling under the preceding item, the minister,
etc. concerned with jurisdiction over the business of the business operator
handling personal information
( )2 When the Prime Minister has designated a competent minister under the
provision of the proviso to the preceding paragraph, he or she shall publicly notice
that effect.
( )3 Competent ministers shall maintain close liaison and cooperate with each other
in implementing the provisions of this section.
Section 2 Promotion of the Protection of Personal Information by Private
Organizations
Article 37 ( ) Authorization
() ( 1 A juridical person which includes an association or foundation that is not a - 15 –
juridical person with a specified representative or manager; the same applies in
() ) b of item 3 of the next article that intends to conduct any of the businesses
enumerated in the following items for the purpose of ensuring the proper handling
of personal information by a business operator handling personal information, may
be authorized as such by the competent minister:
( )i The processing under the provision of Article 42 of complaints about the
handling of personal information of such business operations handling personal
information as are the targets of the business hereinafter referred to as “target (
entities”)
( ) ii The provision of information for target entities about the matters
contributing to ensuring the proper handling of personal information
( ) iii In addition to what is listed in the preceding two items, any business
necessary for ensuring the proper handling of personal information by target
entities
( )2 A business operator intending to receive authorization set forth in the preceding
paragraph shall apply to the competent minister as prescribed by a Cabinet Order.
( )3 When having granted authorization under paragraph 1, the competent minister
shall publicly notice that effect.
Article 38 ( ) Clause of Disqualification
A business operator falling under any of the following items may not receive
authorization set forth in paragraph 1 of the preceding article:
( )i A business operator having received a sentence pursuant to the provisions
of this Act with not exceeding two years after the business operator served out
the sentence or was exempted from the execution of the sentence
( ) ii A business operator whose authorization was rescinded pursuant to the
provision of paragraph 1 of Article 48 with not exceeding two years after the
rescission
() ( iii A business operator with an officer including the representative or
manager of an association or foundation which is not a juridical person with a
specified representative or manager. Hereinafter the same shall apply in this
article. conducting the business who falls under any of the following categories: )
( )a An individual sentenced to imprisonment or a heavier punishment, or
having received a sentence pursuant to the provision of this Act, with not
exceeding two years after the individual served out the sentence or was
exempted from the execution of the sentence
( )b In the case of a juridical person whose authorization was rescinded
pursuant to the provision of paragraph 1 of Article 48, an individual who was
an officer of the juridical person within at least 30 days before the rescission,
with not exceeding two years after the rescission - 16 –
Article 39 ( ) Authorization Standard
The competent minister shall not grant authorization unless he or she considers
that an application for authorization filed under paragraph 1 of Article 37 conforms
every requirement enumerated in the following items:
( )i The applicant shall have established a business execution method necessary
for properly and soundly conducting the business mentioned in any of the items
of paragraph 1 of Article 37.
( ) ii The applicant shall have sufficient knowledge, abilities, and financial base
for properly and soundly conducting the business mentioned in any of the items
of paragraph 1 of Article 37.
( ) iii When the applicant conducts any business other than the businesses
mentioned in the items of paragraph 1 of Article 37, by conducting the business,
the applicant shall not be likely to impede the fair execution of the businesses
mentioned in the same items of the same paragraph.
Article 40 ( ) Notification of Abolition
( )1 When a business operator authorized under paragraph 1 of Article 37
( hereinafter referred to as “authorized personal information protection
organization” intends to abolish the business pertaining to the authorization )
( ) hereinafter referred to as “authorized business” , it shall notify the competent
minister of that effect in advance as prescribed by a Cabinet Order.
( )2 When having received a notification under the provision of the preceding
paragraph, the competent minister shall publicly notice to that effect.
Article 41 ( ) Target Entities
( )1 Each target business operator of an authorized personal information protection
organization shall be a business operator handling personal information that is a
member of the authorized personal information protection organization or a
business operator handling personal information that has agreed to become a
target of the authorized businesses.
( )2 Each authorized personal information protection organization shall publicly
announce the names of its target entities.
Article 42 ( ) Handling of Complaints
( )1 When an authorized personal information protection organization is requested
by a person, etc. to solve a complaint about the handling of personal information
by a target business operator, corresponding to the request, the organization shall
give the person, etc. necessary advice, investigate the circumstances pertaining to
the complaint and request the target business operator to solve the complaint - 17 –
promptly by notifying the target business operator of the content of the complaint.
( )2 When an authorized personal information protection organization finds it
necessary for settling complaints offered under the preceding paragraph, the
organization may request the target business operator to explain in writing or
orally, or request it to submit relevant materials.
( )3 When a target business operator has received a request under the provision of
the preceding paragraph from an authorized personal information protection
organization, the target business operator shall not reject the request without
justifiable ground.
Article 43 ( ) Personal Information Protection Guidelines
( )1 In order to ensure the proper handling of personal information by its target
entities, each authorized personal information protection organization shall
endeavor to draw up and publicly announce guidelines hereinafter referred to as (
“personal information protection guidelines” in conformity with the purport of the )
provisions of this Act, concerning the specification of the Purpose of Utilization,
security control measures, procedures for complying with individuals’ requests,
and other matters.
( )2 When an authorized personal information protection organization has publicly
announced its personal information protection guidelines pursuant to the provision
of the preceding paragraph, the organization shall endeavor to provide guidance,
give recommendations, and take other measures necessary in order to have its
target entities observe the personal information protection guidelines.
Article 44 ( ) Prohibition of Utilization Other Than for Intended Purposes
An authorized personal information protection organization shall not utilize any
information acquired in the course of conducting its authorized businesses for
purposes other than that for the authorized business.
Article 45 ( ) Restriction on Use of the Name
A business operator that is not an authorized personal information protection
organization shall not use the name “authorized personal information protection
organization” or any other name that might be mistaken for it.
Article 46 ( ) Collection of Reports
The competent minister may have an authorized personal information protection
organization make a report on the authorized businesses to the extent necessary for
implementation of the provisions of this section.
Article 47 ( ) Orders - 18 –
The competent minister may order an authorized personal information protection
organization to improve the method of conducting its authorized businesses, to
amend its personal information protection guidelines, or to take any other necessary
measures to the extent necessary for implementation of the provisions of this section.
Article 48 ( ) Rescission of Authorization
( )1 If an authorized personal information protection organization falls under any of
the following items, the competent minister may rescind its authorization:
( )i Cases of falling under item 1 or 3 of Article 38
( ) ii Cases of falling not to conform with any of the items of Article 39
( ) iii Cases of violating the provisions of Article 44
( ) iv Cases of not complying with orders in the preceding article
( )v Cases of having received the authorization in paragraph 1 of Article 37 by a
dishonest means
( )2 When having rescinded authorization pursuant to the provision of the preceding
paragraph, the competent minister shall publicly notice that effect.
Article 49 ( ) Competent Ministers
( )1 The competent ministers under the provisions of this section shall be as
specified below. However, when the Prime Minister considers it necessary for
smooth implementation of the provisions of this section, he or she may designate a
specific minister, etc. as a competent minister for specific entities that intend to
apply for authorization under paragraph 1 of Article 37.
( )i For authorized personal information protection organization including (
entities that intend to be authorized under paragraph 1 of Article 37. This
applies in the next item. established under permission or approval, the )
competent minister shall be the minister, etc. that has granted the permission
or approval.
( ) ii For authorized personal information protection organization other than
those mentioned in the preceding item, the competent minister shall be the
minister, etc. having jurisdiction over the business conducted by the target
entities of the authorized personal information protection organizations
concerned.
( )2 When the Prime Minister has designated a competent minister pursuant to the
provision of the proviso to the preceding paragraph, he or she shall publicly notice
that effect.
Chapter 5 Miscellaneous Provisions
Article 50 ( ) Exclusion from Application - 19 –
( )1 With respect to entities handling personal information, being the entities
enumerated in each of the items below, if all or part of the purpose of handling
personal information is a purpose respectively prescribed in each of the items, the
provisions of the preceding chapter shall not be applied.
( )i Broadcasting institutions, newspaper publishers, communication agencies
and the other press including individ ( uals engaged in news report as their
business ; the purpose for news report )
( ) ii A business operator who conduct literary work as their business; the
purpose for literary work
( ) iii Colleges, universities, other institutions or organizations engaged in
academic studies, or entities belonging to them: The purpose for academic
studies
( ) iv Religious organizations: The purpose for religious activities including (
activities incidental thereto)
( )v Political organizations: The purpose for political activities including (
activities incidental thereto)
( )2 “News report” as mentioned in item 1 of the preceding paragraph shall mean
informing many and unspecified individuals or entities of objective facts as the
facts including to state opinio ( ) ns or views based on such facts .
( )3 Entities handling personal information enumerated in the items of paragraph 1
shall endeavor to take by themselves the necessary and appropriate measures for
controlling the security of personal data, and the necessary measures for the
processing of complaints about the handling of personal information and the other
necessary measures for ensuring the proper handling of personal information, and
shall also endeavor to publicly announce the content of those measures concerned.
Article 51 ( ) Affairs Handled by Local Governments
The affairs belonging to the authority of a competent minister provided by this Act
may be handled by the heads of local governments or by other executive agencies as
prescribed by a Cabinet Order.
Article 52 ( ) Delegation of Authority or Affairs
The matters belonging to the authority or the affairs of a competent minister may
be delegated to his or her staffs as prescribed by a Cabinet Order.
Article 53 ( ) Public Announcement of the Status of Enforcement
( )1 The Prime Minister may collect reports on the status of enforcement of this Act
from the heads of relevant administrative organs the organs established in the (
Cabinet under the provisions of laws except the Cabinet Office , organs under the ( )
supervision of the Cabinet, the Cabinet Office, the Imperial Household Agency, the - 20 –
institutions prescribed in paragraphs 1 and 2 of Article 49 of the Act for the
Establishment of the Cabinet Office Act No. 89 of 1999 , and the institutions ( )
prescribed in paragraph 2 of Article 3 of the National Government Organization
Law Act No. 120 of 1948 ; this applies in the next article . () )
( )2 Each year the Prime Minister shall compile the reports set forth in the
preceding paragraph and publicly announce their outline.
Article 54 ( ) Liaison and Cooperation
The Prime Minister and the heads of the administrative organs involved in the
enforecement of this Act shall maintain close liaison and cooperate with each other.
Article 55 ( ) Delegation to Cabinet Orders
The matters necessary for implementation of this Act, in addition to those
prescribed in this Act, shall be prescribed by Cabinet Orders.
Chapter 6 Penal Provisions
Article 56
A business operator who violates orders issued under paragraph 2 or 3 of Article
34 shall be sentenced to imprisonment with work of not more than six months or to
a fine of not more than 300,000 yen.
Article 57
A business operator who does not make a report required by Article 32 or 46 or
who has made a false report shall be sentenced to a fine of not more than 300,000
yen.
Article 58
() ( 1 If any representative of a juridical person which includes an association or
foundation which is not a juridical person with a specified representative or
manager; hereinafter the same shall apply in this paragraph , or any agent, )
employee or other workers of a juridical person or of an individual commits any of
the violations prescribed in the preceding two articles concerning the business of
the juridical person or individual, then not only shall the performer be punished
but also the juridical person or individual shall be sentenced to the fine prescribed
in the corresponding article.
( )2 When the provision of the preceding paragraph applies to an association or
foundation which is not a juridical person, its representative or manager shall
represent the association or foundation which is not a juridical person in its
procedural action, and the provisions of the acts concerning criminal suits in which - 21 –
a juridical person is the accused or suspect shall be apply mutatis mutandis.
Article 59
A business operator who falls under any of the following items shall be sentenced
to a civil fine of not more than 100,000 yen:
( )i A business operator who does not make a notification required by paragraph
1 of Article 40 or who has made a false notification
( ) ii A business operator who violates the provision of Article 45
Supplementary Provisions ( ) Extract
Article 1 ( ) Effective Date
This Act shall come into force as from the day of promulgation. However, the
provisions of Chapter 4 to Chapter 6 and Article 2 to Article 6 of the supplementary
Provisions shall become effective as of the date specified by a Cabinet Order within a
period not exceeding two years from the day of promulgation.
Article 2 ( ) Transitional Measures Concerning a Consent of a Person
Where a person has given consent to the handling of his or her personal
information prior to enforcement of this Act, and where the consent is equivalent to
the consent that allows the personal information to be handled for a purpose other
than the Purpose of Utilization specified under paragraph 1 of Article 15, then it
shall be deemed that there is such consent as is prescribed in paragraph 1 or 2 of
Article 16.
Article 3
Where a person has given consent to the handling of his or her personal
information prior to enforcement of this Act, and where the consent is equivalent to
the consent that allows the personal data to be provided to a third party under
paragraph 1 of Article 23, then it shall be deemed that there is such consent as is
prescribed in the same paragraph.
Article 4 ( ) Transitional Measures Concerning Notices
If an individual has been notified, prior to enforcement of this Act, of the matters
that shall be notified to the individual or be put in a readily accessible condition for
the individual under paragraph 2 of Article 23, then it shall be deemed that the
notice concerned has been given under the provision of the same paragraph.
Article 5
If an individual has been notified, prior to enforcement of this Act, of the matters - 22 –
that shall be notified to the individual or be put in a readily accessible condition for
the individual under item 3 of paragraph 4 of Article 23, then it shall be deemed
that the notice concerned has been given under the provision of the same paragraph.
Article 6 (Transitional Measures Concerning the Restriction on Use of the Name)
The provisions of Article 45 shall not apply, for six months after the provision of
the same article is enforced, to any business operator actually using the name
“authorized personal information protection organization” or a name that might be
mistaken for it at the time when this Act is enforced.