Act on the Protection of Personal Information

Link to law: http://www.japaneselawtranslation.go.jp/law/detail_download/?ff=08&id=2262
Published: 2009

Subscribe to a Global-Regulation Premium Membership Today!

Key Benefits:

Subscribe Now
Act on the Protection of Personal Information (Tentative translation)

Table of Contents

Chapter I General Provisions (Articles 1 to 3)

Chapter II Responsibilities of the State and Local governments, etc. (Articles 4 to 6)

Chapter III Measures for the Protection of Personal Information, etc.

Section 1 Basic Policy on the Protection of Personal Information (Article 7)

Section 2 Measures of the State (Articles 8 to 10)

Section 3 Measures of Local Governments (Articles 11 to 13)

Section 4 Cooperation between the State and Local governments (Article 14)

Chapter IV Duties of Entities Handling Personal Information, etc.

Section 1 Duties of Entities Handling Personal Information (Articles 15 to 36)

Section 2 Promotion of the Protection of Personal Information by Private Organizations (Articles 37 to 49)

Chapter V Miscellaneous Provisions (Articles 50 to 55)

Chapter VI Penal Provisions (Articles 56 to 59)

Supplementary Provisions

Chapter I General Provisions

(Purpose)

Article 1 The purpose of this Act is to protect the rights and interests of individuals while taking consideration of the usefulness of personal information, in view of a remarkable increase in the utilization of personal information due to development of the advanced information and communications society, by clarifying the responsibilities of the State and local governments, etc. with laying down basic principle, establishment of a basic policy by the Government and the matters to serve as a basis for other measures on the protection of personal information, and by prescribing the duties to be observed by entities handling personal information, etc., regarding the proper handling of personal information.

(Definitions)

Article 2 (1) The term "personal information" as used in this Act shall mean information about a living individual which can identify the specific individual by name, date of birth or other description contained in such information (including such information as will allow easy reference to other information and will thereby enable the identification of the specific individual).

(2) The term "a personal information database, etc." as used in this Act shall mean an assembly of information including personal information as set forth below:

(i) an assembly of information systematically arranged in such a way that specific personal information can be retrieved by a computer; or

(ii) in addition to what is listed in the preceding item, an assembly of information designated by a Cabinet Order as being systematically arranged in such a way that specific personal information can be easily retrieved.

(3) The term "a business operator handling personal information" as used in this Act shall mean a business operator using a personal information database, etc. for its business; however, the following entities shall be excluded;

(i) The State organs

(ii) Local governments

(iii) Incorporated administrative agencies, etc. (which means independent administrative agencies as provided in paragraph (1) of Article 2 of the Act on the Protection of Personal Information Held by Incorporated Administrative Agencies, etc. (Act No. 59 of 2003); the same shall apply hereinafter)

(iv) Local incorporated administrative institutions (which means local incorporated administrative agencies as provided in paragraph (1) of Article 2 of the Local Incorporated Administrative Agencies Law (Act No. 118 of 2003); the same shall apply hereinafter)

(v) Entities specified by a Cabinet Order as having a little likelihood to harm the rights and interests of individuals considering the volume and the manner of utilization of personal information they handle.

(4) The term "personal data" as used in this Act shall mean personal information constituting a personal information database, etc.

(5) The term "retained personal data" as used in this Act shall mean such personal data over which a business operator handling personal information has the authority to disclose, to correct, add or delete the content, to discontinue its utilization, to erase, and to discontinue its provision to a third party, excluding the data which is specified by a Cabinet Order as harming public or other interests if its presence or absence is known and the data which will be erased within a period of no longer than one year that is specified by a Cabinet Order.

(6) The term "person" as to personal information as used in this Act shall mean a specific individual identified by personal information.

(Basic Principle)

Article 3 In view of the fact that personal information should be handled cautiously under the philosophy of respecting the personalities of individuals, proper handling of personal information shall be promoted.

Chapter II Responsibilities of the State and Local governments, etc.

(Responsibilities of the State)

Article 4 The State shall be responsible for comprehensively formulating and implementing measures necessary for ensuring the proper handling of personal information in conformity with the purport of this Act.

(Responsibilities of Local governments)

Article 5 Local governments shall be responsible for formulating and implementing the measures necessary for ensuring the proper handling of personal information according to the characteristics of their area in conformity with the purport of this Act.

(Legislative Measures, etc.)

Article 6 The Government shall take necessary legislative and other measures to ensure that special measures will be taken for the protection of the personal information which especially needs to be ensured the strict implementation of its proper handling for the further protection of the rights and interests of individuals in view of the nature and the method of utilization of the personal information.

Chapter III Measures for the Protection of Personal Information, etc.

Section 1 Basic Policy on the Protection of Personal Information

Article 7 (1) The Government shall establish a basic policy on the protection of personal information (hereinafter referred to as "Basic Policy") in order to ensure the comprehensive and integrated promotion of measures for the protection of personal information.

(2) The Basic Policy shall cover the following matters:

(i) The basic direction concerning the promotion of measures for the protection of personal information

(ii) Matters concerning the measures for the protection of personal information to be taken by the State

(iii) Basic matters concerning the measures for the protection of personal information to be taken by local governments

(iv) Basic matters concerning the measures for the protection of personal information to be taken by incorporated administrative agencies, etc.

(v) Basic matters concerning the measures for the protection of personal information to be taken by local incorporated administrative agencies

(vi) Basic matters concerning the measures for the protection of personal information to be taken by entities handling personal information and authorized personal information protection organizations provided in paragraph (1) of Article 40

(vii) Matters concerning the smooth processing of complaints about the handling of personal information

(viii) Other important matters concerning the promotion of measures for the protection of personal information

(3) The Prime Minister shall prepare a draft of the Basic Policy, consulting the Consumer Commission, and seek a cabinet decision.

(4) When a cabinet decision is made under the preceding paragraph, the Prime Minister shall publicly announce the Basic Policy without delay.

(5) The provisions of the preceding two paragraphs shall apply mutatis mutandis to amendments to the Basic Policy.

Section 2 Measures of the State

(Support to Local Governments and Others)

Article 8 In order to support the measures for the protection of personal information formulated or implemented by local governments and the activities performed by citizens, entities, and others to ensure the proper handling of personal information, the State shall provide information, formulate guidelines to ensure the appropriate and effective implementation of measures to be taken by entities and others, and take any other necessary measures.

(Measures for the Processing of Complaints)

Article 9 The State shall take necessary measures to ensure the appropriate, prompt processing of complaints arising between a business operator and a person about the handling of personal information concerning the person.

(Measures to Ensure Proper Handling of Personal Information)

Article 10 Through the appropriate division of roles between the State and local governments, the State shall take necessary measures to ensure the proper handling of personal information by entities handling personal information provided in the next chapter.

Section 3 Measures of Local Governments

(Protection of Personal Information Held by Local Governments and Others)

Article 11 (1) A local government shall endeavor to take necessary measures in order to ensure the proper handling of the personal information it holds in consideration of the nature of the personal information, the purpose of holding the personal information concerned, and other factors.

(2) A local government shall endeavor to take necessary measures for local incorporated administrative agencies established by it in order to ensure the proper handling of the personal information they hold in accordance with the nature and affairs of them.

(Support to Entities and Others in the Area)

Article 12 In order to ensure the proper handling of personal information, a local government shall endeavor to take necessary measures for supporting entities and residents in its area.

(Mediation for the Processing of Complaints, etc.)

Article 13 In order to ensure that any complaint arising between a business operator and a person about the handling of personal information will be handled appropriately and promptly, a local government shall endeavor to mediate the processing of complaints and take other necessary measures.

Section 4 Cooperation between the State and Local governments

Article 14 The State and local governments shall cooperate in taking measures for the protection of personal information.

Chapter IV Duties of Entities Handling Personal Information, etc.

Section 1 Duties of Entities Handling Personal Information

(Specification of the Purpose of Utilization)

Article 15 (1) When handling personal information, a business operator handling personal information shall specify the purpose of utilization of personal information (hereinafter referred to as "Purpose of Utilization") as much as possible.

(2) A business operator handling personal information shall not change the Purpose of Utilization beyond the scope which is reasonably considered that the Purpose of Utilization after the change is duly related to that before the change.

(Restriction by the Purpose of Utilization)

Article 16 (1) A business operator handling personal information shall not handle personal information about a person, without obtaining the prior consent of the person, beyond the scope necessary for the achievement of the Purpose of Utilization specified pursuant to the provision of the preceding article.

(2) When a business operator handling personal information has acquired personal information as a result of taking over the business of another business operator handling personal information in a merger or otherwise, the acquiring business operator shall not handle the personal information concerned, without obtaining the prior consent of the persons, beyond the scope necessary for the achievement of the Purpose of Utilization of the personal information concerned before the succession.

(3) The provisions of the preceding two paragraphs shall not apply to the following cases:

(i) Cases in which the handling of personal information is based on laws and regulations

(ii) Cases in which the handling of personal information is necessary for the protection of the life, body, or property of an individual and in which it is difficult to obtain the consent of the person

(iii) Cases in which the handling of personal information is specially necessary for improving public health or promoting the sound growth of children and in which it is difficult to obtain the consent of the person

(iv) Cases in which the handling of personal information is necessary for cooperating with a state organ, a local government, or an individual or a business operator entrusted by either of the former two in executing the affairs prescribed by laws and regulations and in which obtaining the consent of the person is likely to impede the execution of the affairs concerned

(Proper Acquisition)

Article 17 A business operator handling personal information shall not acquire personal information by a deception or other wrongful means.

(Notice of the Purpose of Utilization at the Time of Acquisition, etc.)

Article 18 (1) When having acquired personal information, a business operator handling personal information shall, except in cases in which the Purpose of Utilization has already been publicly announced, promptly notify the person of the Purpose of Utilization or publicly announce the Purpose of Utilization.

(2) Notwithstanding the provision of the preceding paragraph, when a business operator handling personal information acquires such personal information on a person as is written in a contract or other document (including a record made by an electronic method, a magnetic method, or any other method not recognizable to human senses. hereinafter the same shall apply in this paragraph.) as a result of concluding a contract with the person or acquires such personal information on a person as is written in a document directly from the person, the business operator shall expressly show the Purpose of Utilization in advance. However, this provision shall not apply in cases in which the acquisition of personal information is urgently required for the protection of the life, body, or property of an individual.

(3) When a business operator handling personal information has changed the Purpose of Utilization, the business operator shall notify the person of the changed Purpose of Utilization or publicly announce it.

(4) The provisions of the preceding three paragraphs shall not apply to the following cases:

(i) Cases in which notifying the person of the Purpose of Utilization or publicly announcing it are likely to harm the life, body, property, or other rights or interests of the person or a third party

(ii) Cases in which notifying the person of the Purpose of Utilization or publicly announcing it are likely to harm the rights or legitimate interests of the business operator handling personal information

(iii) Cases in which it is necessary to cooperate with a state organ or a local government in executing the affairs prescribed by laws and regulations and in which notifying the person of the Purpose of Utilization or publicly announcing it are likely to impede the execution of the affairs

(iv) Cases in which it is considered that the Purpose of Utilization is clear in consideration of the circumstances of the acquisition

(Maintenance of the Accuracy of Data)

Article 19 A business operator handling personal information shall endeavor to maintain personal data accurate and up to date within the scope necessary for the achievement of the Purpose of Utilization.

(Security Control Measures)

Article 20 A business operator handling personal information shall take necessary and proper measures for the prevention of leakage, loss, or damage, and for other security control of the personal data.

(Supervision of Employees)

Article 21 When a business operator handling personal information has an employee handle personal data, it shall exercise necessary and appropriate supervision over the employee to ensure the security control of the personal data.

(Supervision of Trustees)

Article 22 When a business operator handling personal information entrusts an individual or a business operator with the handling of personal data in whole or in part, it shall exercise necessary and appropriate supervision over the trustee to ensure the security control of the entrusted personal data.

(Restriction of Provision to A Third Party)

Article 23 (1) A business operator handling personal information shall not, except in the following cases, provide personal data to a third party without obtaining the prior consent of the person:

(i) Cases in which the provision of personal data is based on laws and regulations

(ii) Cases in which the provision of personal data is necessary for the protection of the life, body, or property of an individual and in which it is difficult to obtain the consent of the person

(iii) Cases in which the provision of personal data is specially necessary for improving public health or promoting the sound growth of children and in which it is difficult to obtain the consent of the person

(iv) Cases in which the provision of personal data is necessary for cooperating with a state organ, a local government, or an individual or a business operator entrusted by one in executing the affairs prescribed by laws and regulations and in which obtaining the consent of the person are likely to impede the execution of the affairs

(2) With respect to personal data intended to be provided to a third party, where a business operator handling personal information agrees to discontinue, at the request of a person, the provision of such personal data as will lead to the identification of the person, and where the business operator, in advance, notifies the person of the matters listed in the following items or put those matters in a readily accessible condition for the person, the business operator may, notwithstanding the provision of the preceding paragraph, provide such personal data to a third party:

(i) The fact that the provision to a third party is the Purpose of Utilization

(ii) The items of the personal data to be provided to a third party

(iii) The means or method of provision to a third party

(iv) The fact that the provision of such personal data as will lead to the identification of the person to a third party will be discontinued at the request of the person

(3) When a business operator handling personal information changes the matter listed in item (ii) or (iii) of the preceding paragraph, the business operator shall, in advance, notify the person of the content of the change or put it in a readily accessible condition for the person.

(4) In following the cases, the individual or business operator receiving such personal data shall not be deemed a third party for the purpose of application of the provisions of the preceding three paragraphs:

(i) Cases in which a business operator handling personal information entrust the handling of personal data in whole or in part within the scope necessary for the achievement of the Purpose of Utilization

(ii) Cases in which personal data is provided as a result of the succession of business in a merger or otherwise

(iii) Cases in which personal data is used jointly between specific individuals or entities and in which this fact, the items of the personal data used jointly, the scope of the joint users, the purpose for which the personal data is used by them, and the name of the individual or business operator responsible for the management of the personal data is, in advance, notified to the person or put in a readily accessible condition for the person

(5) When a business operator handling personal information changes the purpose for which the personal data is used or the name of the individual or business operator responsible for the management of the personal data as are provided in item (iii) of the preceding paragraph, the business operator shall, in advance, notify the person of the content of the change or put it in a readily accessible condition for the person.

(Public Announcement of Matters Concerning Retained Personal Data, etc.)

Article 24 (1) With respect to the retained personal data, a business operator handling personal information shall put the matters listed in the following items in an accessible condition for the person (such condition includes cases in which a response is made without delay at the request of the person):

(i) The name of the business operator handling personal information

(ii) The Purpose of Utilization of all retained personal data (except in cases falling under any of items (i) to (iii) of paragraph (4) of Article 18)

(iii) Procedures to meet requests made pursuant to the provisions of the next paragraph, paragraph (1) of the next article, paragraph (1) of Article 26, or paragraph (1) or paragraph (2) of Article 27 (including the amount of charges if set pursuant to the provision of paragraph (2) of Article 30)

(iv) In addition to what is listed in the preceding three items, such matters, specified by a Cabinet Order, as being necessary for ensuring the proper handling of retained personal data

(2) When a business operator handling personal information is requested by a person to notify him or her of the Purpose of Utilization of such retained personal data as may lead to the identification of the person concerned, the business operator shall meet the request without delay. However, this provision shall not apply to cases falling under either of the following items:

(i) Cases in which the Purpose of Utilization of such retained personal data as may lead to the identification of the person concerned is clear pursuant to the provision of the preceding paragraph

(ii) Cases falling under any of items (i) to (iii) of paragraph (4) of Article 18

(3) When a business operator handling personal information has decided not to notify the Purpose of Utilization of such retained personal data as is requested under the preceding paragraph, the business operator shall notify the person of that effect without delay.

(Disclosure)

Article 25 (1) When a business operator handling personal information is requested by a person to disclose such retained personal data as may lead to the identification of the person (such disclosure includes notifying the person that the business operator has no such retained personal data as may lead to the identification of the person concerned. The same shall apply hereinafter.), the business operator shall disclose the retained personal data without delay by a method prescribed by a Cabinet Order. However, in falling under any of the following items, the business operator may keep all or part of the retained personal data undisclosed:

(i) Cases in which disclosure is likely to harm the life, body, property, or other rights or interests of the person or a third party

(ii) Cases in which disclosure is likely to seriously impede the proper execution of the business of the business operator handling personal information

(iii) Cases in which disclosure violates other laws and regulations

(2) When a business operator handling personal information has decided not to disclose all or part of such retained personal data as is requested pursuant to the provision of the preceding paragraph, the business operator shall notify the person of that effect without delay.

(3) If the provisions of any other laws and regulations require that all or part of such retained personal data as may lead to the identification of a person be disclosed to the person by a method equivalent to the method prescribed in the main part of paragraph (1), the provision of the paragraph shall not apply to such all or part of the retained personal data concerned.

(Correction, etc.)

Article 26 (1) When a business operator handling personal information is requested by a person to correct, add, or delete such retained personal data as may lead to the identification of the person on the ground that the retained personal data is contrary to the fact, the business operator shall, except in cases in which special procedures are prescribed by any other laws and regulations for such correction, addition, or deletion, make a necessary investigation without delay within the scope necessary for the achievement of the Purpose of Utilization and, on the basis of the results, correct, add, or delete the retained personal data.

(2) When a business operator handling personal information has corrected, added, or deleted all or part of the retained personal data as requested or has decided not to make such correction, addition, or deletion, the business operator shall notify the person of that effect (including the content of the correction, addition, or deletion if performed) without delay.

(Discontinuance of the Utilization, etc.)

Article 27 (1) Where a business operator handling personal information is requested by a person to discontinue using or to erase such retained personal data as may lead to the identification of the person on the ground that the retained personal data is being handled in violation of Article 16 or has been acquired in violation of Article 17, and where it is found that the request has a reason, the business operator shall discontinue using or erase the retained personal data concerned without delay to the extent necessary for redressing the violation. However, this provision shall not apply to cases in which it costs large amount or otherwise difficult to discontinue using or to erase the retained personal data and in which the business operator takes necessary alternative measures to protect the rights and interests of the person.

(2) Where a business operator handling personal information is requested by a person to discontinue providing to a third party such retained personal data as may lead to the identification of the person on the ground that the retained personal data is being provided to a third party in violation of paragraph (1) of Article 23, and where it is found that the request has a reason, the business operator shall discontinue providing the retained personal data to a third party without delay. However, this provision shall not apply to cases in which it costs large amount or otherwise difficult to discontinue providing the retained personal data concerned to a third party and in which the business operator takes necessary alternative measures to protect the rights and interests of the person.

(3) When a business operator handling personal information has discontinued using or has erased all or part of the retained personal data as requested under paragraph (1) or has decided not to discontinue using or not to erase the retained personal data or when a business operator handling personal information has discontinued providing all or part of the retained personal data to a third party as requested under the provision of the preceding paragraph or has decided not to discontinue providing the retained personal data to a third party, the business operator shall notify the person of that effect without delay.

(Explanation of Reasons)

Article 28 When a business operator handling personal information notifies a person requesting the business operator to take certain measures pursuant to the provisions of paragraph (3) of Article 24, paragraph (2) of Article 25, paragraph (2) of Article 26, or paragraph (3) of the preceding article that the business operator will not take all or part of the measures or that the business operator will take different measures, the business operator shall endeavor to explain the reasons.

(Procedures to Meet Requests for Disclosure and Others)

Article 29 (1) A business operator handling personal information may, as prescribed by a Cabinet Order, determine procedures for receiving requests that may be made pursuant to the provisions of paragraph (2) of Article 24, paragraph (1) of Article 25, paragraph (1) of Article 26 or paragraph (1) or paragraph (2) of Article 27 (hereinafter referred to as "a request for disclosure and others" in this article). In such a case, any person making a request for disclosure and others shall comply with the procedures.

(2) A business operator handling personal information may request a person making a request for disclosure and others to show sufficient items to identify the retained personal data in question. In this case, the business operator shall provide the information contributing to the identification of the retained personal data in question or take any other appropriate measures in consideration of the person's convenience so that the person can easily and accurately make a request for disclosure and others.

(3) A person may, as prescribed by a Cabinet Order, make a request for disclosure and others through a representative.

(4) When a business operator determine the procedures for meeting requests for disclosure and others under the provisions of the preceding three paragraphs, the business operator shall take into consideration that the procedures will not impose excessively heavy burden on the persons making requests for disclosure and others.

(Charges)

Article 30 (1) When a business operator handling personal information is requested to notify the Purpose of Utilization under the provision of paragraph (2) of Article 24 or to make a disclosure under the provision of paragraph (1) of Article 25, the business operator may collect charges for taking the measure.

(2) When a business operator handling personal information collects charges pursuant to the provision of the preceding paragraph, the business operator shall determine the amounts of charges within the scope considered reasonable in consideration of actual costs.

(Processing of Complaints by Entities Handling Personal Information)

Article 31 (1) A business operator handling personal information shall endeavor to appropriately and promptly process complaints about the handling of personal information.

(2) A business operator handling personal information shall endeavor to establish a system necessary for achieving the purpose set forth in the preceding paragraph.

(Collection of Reports)

Article 32 The competent minister may have a business operator handling personal information make a report on the handle of personal information to the extent necessary for implementation of the provisions of this section.

(Advice)

Article 33 The competent minister may advise a business operator handling personal information on the handle of personal information to the extent necessary for implementation of the provisions of this section.

(Recommendations and Orders)

Article 34 (1) When a business operator handling personal information has violated any of the provisions of Article 16 to Article 18, Article 20 to Article 27, or paragraph (2) of Article 30, the competent Minister may recommend that the business operator handling personal information cease the violation and take other necessary measures to correct the violation when a competent Minister finds it necessary for protecting the rights and interests of individuals.

(2) Where a business operator handling personal information having received a recommendation under the provision of the preceding paragraph does not take the recommended measures without justifiable ground, and when the competent minister finds that the serious infringement on the rights and interests of individuals is imminent, the competent minister may order the business operator handling personal information to take the recommended measures.

(3) Notwithstanding the provisions of the preceding two paragraphs, where a business operator handling personal information has violated any of the provisions of Article 16, Article 17, Articles 20 to 22, or paragraph (1) of Article 23, and when the competent minister finds it necessary to take measures urgently as there is the fact of serious infringement of the rights and interests of individuals, the competent minister may order the business operator handling personal information to cease the violation and take other necessary measures to rectify the violation.

(Restrictions of the Exercise of Authority by the Competent Minister)

Article 35 (1) In collecting a report from, or giving an advice, a recommendation or an order to a business operator handling personal information pursuant to the provisions of the preceding three articles, the competent Minister shall not disturb freedom of expression, academic freedom, freedom of religion, or freedom of political activity.

(2) In light of the purport of the provision of the preceding paragraph, with respect to the act of a business operator handling personal information to provide an individual or business operator mentioned in each item of paragraph (1) of Article 50 (limited to cases in which the personal information is handled for a purpose as respectively provided in each of such items) with personal information, the competent Minister shall not exercise its authority.

(Competent Ministers)

Article 36 (1) The competent ministers under the provisions of this section shall be as specified below. However, for specific handling of personal information by a business operator handling personal information, the Prime Minister may designate a specific minister or the National Public Safety Commission (hereinafter referred to as "minister, etc ") as a competent minister when he or she considers it necessary for smooth implementation of the provisions of this section.

(i) For such handling of personal information by a business operator handling personal information as is related to employment management, Minister of Health, Labor and Welfare (for such handling of personal information as is related to the employment management of mariners, the Minister of Land, Infrastructure, Transport and Tourism) and the minister, etc. concerned with jurisdiction over the business of the business operator handling personal information

(ii) For such handling of personal information by a business operator handling personal information as is not falling under the preceding item, the minister, etc. concerned with jurisdiction over the business of the business operator handling personal information

(2) When the Prime Minister has designated a competent minister under the provision of the proviso to the preceding paragraph, he or she shall publicly notice that effect.

(3) Competent ministers shall maintain close liaison and cooperate with each other in implementing the provisions of this section.

Section 2 Promotion of the Protection of Personal Information by Private Organizations

(Authorization)

Article 37 (1) A juridical person (which includes an association or foundation that is not a juridical person with a specified representative or manager; the same applies in (b) of item (iii) of the next article) that intends to conduct any of the businesses enumerated in the following items for the purpose of ensuring the proper handling of personal information by a business operator handling personal information, may be authorized as such by the competent minister:

(i) The processing under the provision of Article 42 of complaints about the handling of personal information of such business operations handling personal information as are the targets of the business (hereinafter referred to as "target entities")

(ii) The provision of information for target entities about the matters contributing to ensuring the proper handling of personal information

(iii) In addition to what is listed in the preceding two items, any business necessary for ensuring the proper handling of personal information by target entities

(2) A business operator intending to receive authorization set forth in the preceding paragraph shall apply to the competent minister as prescribed by a Cabinet Order.

(3) When having granted authorization under paragraph (1), the competent minister shall publicly notice that effect.

(Clause of Disqualification)

Article 38 A business operator falling under any of the following items may not receive authorization set forth in paragraph (1) of the preceding article:

(i) A business operator having received a sentence pursuant to the provisions of this Act with not exceeding two years after the business operator served out the sentence or was exempted from the execution of the sentence

(ii) A business operator whose authorization was rescinded pursuant to the provision of paragraph (1) of Article 48 with not exceeding two years after the rescission

(iii) A business operator with an officer (including the representative or manager of an association or foundation which is not a juridical person with a specified representative or manager. Hereinafter the same shall apply in this article.) conducting the business who falls under any of the following categories:

(a) An individual sentenced to imprisonment or a heavier punishment, or having received a sentence pursuant to the provision of this Act, with not exceeding two years after the individual served out the sentence or was exempted from the execution of the sentence

(b) In the case of a juridical person whose authorization was rescinded pursuant to the provision of paragraph (1) of Article 48, an individual who was an officer of the juridical person within at least 30 days before the rescission, with not exceeding two years after the rescission

(Authorization Standard)

Article 39 The competent minister shall not grant authorization unless he or she considers that an application for authorization filed under paragraph (1) of Article 37 conforms every requirement enumerated in the following items:

(i) The applicant shall have established a business execution method necessary for properly and soundly conducting the business mentioned in any of the items of paragraph (1) of Article 37.

(ii) The applicant shall have sufficient knowledge, abilities, and financial base for properly and soundly conducting the business mentioned in any of the items of paragraph (1) of Article 37.

(iii) When the applicant conducts any business other than the businesses mentioned in the items of paragraph (1) of Article 37, by conducting the business, the applicant shall not be likely to impede the fair execution of the businesses mentioned in the same items of the same paragraph.

(Notification of Abolition)

Article 40 (1) When a business operator authorized under paragraph (1) of Article 37 (hereinafter referred to as "authorized personal information protection organization") intends to abolish the business pertaining to the authorization (hereinafter referred to as "authorized business"), it shall notify the competent minister of that effect in advance as prescribed by a Cabinet Order.

(2) When having received a notification under the provision of the preceding paragraph, the competent minister shall publicly notice to that effect.

(Target Entities)

Article 41 (1) Each target business operator of an authorized personal information protection organization shall be a business operator handling personal information that is a member of the authorized personal information protection organization or a business operator handling personal information that has agreed to become a target of the authorized businesses.

(2) Each authorized personal information protection organization shall publicly announce the names of its target entities.

(Handling of Complaints)

Article 42 (1) When an authorized personal information protection organization is requested by a person, etc. to solve a complaint about the handling of personal information by a target business operator, corresponding to the request, the organization shall give the person, etc. necessary advice, investigate the circumstances pertaining to the complaint and request the target business operator to solve the complaint promptly by notifying the target business operator of the content of the complaint.

(2) When an authorized personal information protection organization finds it necessary for settling complaints offered under the preceding paragraph, the organization may request the target business operator to explain in writing or orally, or request it to submit relevant materials.

(3) When a target business operator has received a request under the provision of the preceding paragraph from an authorized personal information protection organization, the target business operator shall not reject the request without justifiable ground.

(Personal Information Protection Guidelines)

Article 43 (1) In order to ensure the proper handling of personal information by its target entities, each authorized personal information protection organization shall endeavor to draw up and publicly announce guidelines (hereinafter referred to as "personal information protection guidelines") in conformity with the purport of the provisions of this Act, concerning the specification of the Purpose of Utilization, security control measures, procedures for complying with individuals' requests, and other matters.

(2) When an authorized personal information protection organization has publicly announced its personal information protection guidelines pursuant to the provision of the preceding paragraph, the organization shall endeavor to provide guidance, give recommendations, and take other measures necessary in order to have its target entities observe the personal information protection guidelines.

(Prohibition of Utilization Other Than for Intended Purposes)

Article 44 An authorized personal information protection organization shall not utilize any information acquired in the course of conducting its authorized businesses for purposes other than that for the authorized business.

(Restriction on Use of the Name)

Article 45 A business operator that is not an authorized personal information protection organization shall not use the name "authorized personal information protection organization" or any other name that might be mistaken for it.

(Collection of Reports)

Article 46 The competent minister may have an authorized personal information protection organization make a report on the authorized businesses to the extent necessary for implementation of the provisions of this section.

(Orders)

Article 47 The competent minister may order an authorized personal information protection organization to improve the method of conducting its authorized businesses, to amend its personal information protection guidelines, or to take any other necessary measures to the extent necessary for implementation of the provisions of this section.

(Rescission of Authorization)

Article 48 (1) If an authorized personal information protection organization falls under any of the following items, the competent minister may rescind its authorization:

(i) Cases of falling under item (i) or (iii) of Article 38

(ii) Cases of falling not to conform with any of the items of Article 39

(iii) Cases of violating the provisions of Article 44

(iv) Cases of not complying with orders in the preceding article

(v) Cases of having received the authorization in paragraph (1) of Article 37 by a dishonest means

(2) When having rescinded authorization pursuant to the provision of the preceding paragraph, the competent minister shall publicly notice that effect.

(Competent Ministers)

Article 49 (1) The competent ministers under the provisions of this section shall be as specified below. However, when the Prime Minister considers it necessary for smooth implementation of the provisions of this section, he or she may designate a specific minister, etc. as a competent minister for specific entities that intend to apply for authorization under paragraph (1) of Article 37.

(i) For authorized personal information protection organization (including entities that intend to be authorized under paragraph (1) of Article 37. This applies in the next item.) established under permission or approval, the competent minister shall be the minister, etc. that has granted the permission or approval.

(ii) For authorized personal information protection organization other than those mentioned in the preceding item, the competent minister shall be the minister, etc. having jurisdiction over the business conducted by the target entities of the authorized personal information protection organizations concerned.

(2) When the Prime Minister has designated a competent minister pursuant to the provision of the proviso to the preceding paragraph, he or she shall publicly notice that effect.

Chapter V Miscellaneous Provisions

(Exclusion from Application)

Article 50 (1) With respect to entities handling personal information, being the entities enumerated in each of the items below, if all or part of the purpose of handling personal information is a purpose respectively prescribed in each of the items, the provisions of the preceding chapter shall not be applied.

(i) Broadcasting institutions, newspaper publishers, communication agencies and the other press (including individuals engaged in news report as their business); the purpose for news report

(ii) A business operator who conduct literary work as their business; the purpose for literary work

(iii) Colleges, universities, other institutions or organizations engaged in academic studies, or entities belonging to them: The purpose for academic studies

(iv) Religious organizations: The purpose for religious activities (including activities incidental thereto)

(v) Political organizations: The purpose for political activities (including activities incidental thereto)

(2) "News report" as mentioned in item (i) of the preceding paragraph shall mean informing many and unspecified individuals or entities of objective facts as the facts (including to state opinions or views based on such facts).

(3) Entities handling personal information enumerated in the items of paragraph (1) shall endeavor to take by themselves the necessary and appropriate measures for controlling the security of personal data, and the necessary measures for the processing of complaints about the handling of personal information and the other necessary measures for ensuring the proper handling of personal information, and shall also endeavor to publicly announce the content of those measures concerned.

(Affairs Handled by Local Governments)

Article 51 The affairs belonging to the authority of a competent minister provided by this Act may be handled by the heads of local governments or by other executive agencies as prescribed by a Cabinet Order.

(Delegation of Authority or Affairs)

Article 52 The matters belonging to the authority or the affairs of a competent minister may be delegated to his/her staffs as prescribed by a Cabinet Order.

(Public Announcement of the Status of Enforcement)

Article 53 (1) The Prime Minister may collect reports on the status of enforcement of this Act from the heads of relevant administrative organs (the organs established in the Cabinet under the provisions of laws (except the Cabinet Office), organs under the supervision of the Cabinet, the Cabinet Office, the Imperial Household Agency, the institutions prescribed in paragraphs (1) and (2) of Article 49 of the Act for Establishment of the Cabinet Office (Act No. 89 of 1999), and the institutions prescribed in paragraph (2) of Article 3 of the National Government Organization Law (Act No. 120 of 1948); this applies in the next article).

(2) Each year the Prime Minister shall compile the reports set forth in the preceding paragraph and publicly announce their outline.

(Liaison and Cooperation)

Article 54 The Prime Minister and the heads of the administrative organs involved in the enforcement of this Act shall maintain close liaison and cooperate with each other.

(Delegation to Cabinet Orders)

Article 55 The matters necessary for implementation of this Act, in addition to those prescribed in this Act, shall be prescribed by Cabinet Orders.

Chapter VI Penal Provisions

Article 56 A business operator who violates orders issued under paragraph (2) or (3) of Article 34 shall be sentenced to imprisonment with work of not more than six months or to a fine of not more than 300,000 yen.

Article 57 A business operator who does not make a report required by Article 32 or 46 or who has made a false report shall be sentenced to a fine of not more than 300,000 yen.

Article 58 (1) If any representative of a juridical person (which includes an association or foundation which is not a juridical person with a specified representative or manager; hereinafter the same shall apply in this paragraph), or any agent, employee or other workers of a juridical person or of an individual commits any of the violations prescribed in the preceding two articles concerning the business of the juridical person or individual, then not only shall the performer be punished but also the juridical person or individual shall be sentenced to the fine prescribed in the corresponding article.

(2) When the provision of the preceding paragraph applies to an association or foundation which is not a juridical person, its representative or manager shall represent the association or foundation which is not a juridical person in its procedural action, and the provisions of the acts concerning criminal suits in which a juridical person is the accused or suspect shall be apply mutatis mutandis.

Article 59 A business operator who falls under any of the following items shall be sentenced to a civil fine of not more than 100,000 yen:

(i) A business operator who does not make a notification required by paragraph (1) of Article 40 or who has made a false notification

(ii) A business operator who violates the provision of Article 45

Supplementary Provisions [Extract]

(Effective Date)

Article 1 This Act shall come into force as from the day of promulgation. However, the provisions of Chapter IV to Chapter VI and Article 2 to Article 6 of the supplementary Provisions shall become effective as of the date specified by a Cabinet Order within a period not exceeding two years from the day of promulgation.

(Transitional Measures Concerning a Consent of a Person)

Article 2 Where a person has given consent to the handling of his/her personal information prior to enforcement of this Act, and where the consent is equivalent to the consent that allows the personal information to be handled for a purpose other than the Purpose of Utilization specified under paragraph (1) of Article 15, then it shall be deemed that there is such consent as is prescribed in paragraph (1) or (2) of Article 16.

Article 3 Where a person has given consent to the handling of his/her personal information prior to enforcement of this Act, and where the consent is equivalent to the consent that allows the personal data to be provided to a third party under paragraph (1) of Article 23, then it shall be deemed that there is such consent as is prescribed in the same paragraph.

(Transitional Measures Concerning Notices)

Article 4 If an individual has been notified, prior to enforcement of this Act, of the matters that shall be notified to the individual or be put in a readily accessible condition for the individual under paragraph (2) of Article 23, then it shall be deemed that the notice concerned has been given under the provision of the same paragraph.

Article 5 If an individual has been notified, prior to enforcement of this Act, of the matters that shall be notified to the individual or be put in a readily accessible condition for the individual under item (iii) of paragraph (4) of Article 23, then it shall be deemed that the notice concerned has been given under the provision of the same paragraph.

(Transitional Measures Concerning the Restriction on Use of the Name)

Article 6 The provisions of Article 45 shall not apply, for six months after the provision of the same article is enforced, to any business operator actually using the name "authorized personal information protection organization" or a name that might be mistaken for it at the time when this Act is enforced.