Act on the Protection of Personal Information (Any data that the title of a law indicates to be a "Tentative translation" has not yet been proofread or corrected by a native English speaker or legal translation expert; this data may be revised in the future.Tentative translation)
Act No. 57 of May 30, 2003
Table of Contents
Chapter I General Provisions (Articles 1 to 3)
Chapter II Responsibilities etc. of the Central and Local Governments (Articles 4 to 6)
Chapter III Measures etc. relating to the Protection of Personal Information
Section 1 Basic Policy on the Protection of Personal Information (Article 7)
Section 2 Measures by the Central Government (Articles 8 to 10)
Section 3 Measures by the Local Governments (Articles 11 to 13)
Section 4 Cooperation between the Central and Local Governments (Article 14)
Chapter IV Obligations etc. of a Personal Information Handling Business Operator
Section 1 Obligations of a Personal Information Handling Business Operator (Articles 15 to 35)
Section 2 Obligations of an Anonymously Processed Information Handling Business Operator etc. (Articles 36 to 39)
Section 3 Supervision (Articles 40 to 46)
Section 4 Private Sector Body's Promotion for the Protection of Personal Information (Article 47 to 58)
Chapter V Personal Information Protection Commission (Articles 59 to 74)
Chapter VI Miscellaneous Provisions (Article 75 to 81)
Chapter VII Penal Provisions (Article 82 to 88)
Supplementary Provisions
Chapter I General Provisions
(Purpose)
Article 1 This Act aims to protect an individual's rights and interests while considering the utility of personal information including that the proper and effective application of personal information contributes to the creation of new industries and the realization of a vibrant economic society and an enriched quality of life for the people of Japan; by setting forth the overall vision for the proper handling of personal information, creating a governmental basic policy with regard to this, and establishing other matters to serve as a basis for measures to protect personal information, as well as by clarifying the responsibilities etc. of the central and local governments and establishing obligations etc. that a personal information handling business operator shall fulfill, in light of the significantly expanded utilization of personal information as our advanced information- and communication-based society evolves.
(Definition)
Article 2 (1) "Personal information" in this Act means that information relating to a living individual which falls under any of each following item:
(i) those containing a name, date of birth, or other descriptions etc. (meaning any and all matters (excluding an individual identification code) stated, recorded or otherwise expressed using voice, movement or other methods in a document, drawing or electromagnetic record (meaning a record kept in an electromagnetic form (meaning an electronic, magnetic or other forms that cannot be recognized through the human senses; the same shall apply in the succeeding paragraph, item (ii)); the same shall apply in Article 18, paragraph (2)); hereinafter the same) whereby a specific individual can be identified (including those which can be readily collated with other information and thereby identify a specific individual)
(ii) those containing an individual identification code
(2) An "individual identification code" in this Act means those prescribed by cabinet order which are any character, letter, number, symbol or other codes falling under any of each following item.
(i) those able to identify a specific individual that are a character, letter, number, symbol or other codes into which a bodily partial feature of the specific individual has been converted in order to be provided for use by computers
(ii) those character, letter, number, symbol or other codes which are assigned in regard to the use of services provided to an individual or to the purchase of goods sold to an individual, or which are stated or electromagnetically recorded in a card or other document issued to an individual so as to be able to identify a specific user or purchaser, or recipient of issuance by having made the said codes differently assigned or, stated or recoded for the said user or purchaser, or recipient of issuance
(3) "Special care-required personal information" in this Act means personal information comprising a principal's race, creed, social status, medical history, criminal record, fact of having suffered damage by a crime, or other descriptions etc. prescribed by cabinet order as those of which the handling requires special care so as not to cause unfair discrimination, prejudice or other disadvantages to the principal.
(4) A "personal information database etc." in this Act means those set forth in the following which are a collective body of information comprising personal information (excluding those prescribed by cabinet order as having little possibility of harming an individual's rights and interests considering their utilization method).
(i) those systematically organized so as to be able to search for particular personal information using a computer;
(ii) besides those set forth in the preceding item, those prescribed by cabinet order as having been systematically organized so as to be able to easily search for particular personal information.
(5) A "personal information handling business operator" in this Act means a person providing a personal information database etc. for use in business; however, excluding a person set forth in the following;
(i) a central government organization;
(ii) a local government;
(iii) an incorporated administrative agency etc. (meaning an independent administrative agency etc. prescribed in Article 2, paragraph (1) of the Act on the Protection of Personal Information Held by Incorporated Administrative Agencies (Act No. 59 of 2003); hereinafter the same);
(iv) a local incorporated administrative agency (meaning a local incorporated administrative agency prescribed in Article 2, paragraph (1) of the Local Incorporated Administrative Agencies Act (Act No. 118 of 2003); hereinafter the same);
(6) "Personal data" in this Act means personal information constituting a personal information database etc.
(7) "Retained personal data" in this Act means personal data which a personal information handling business operator has the authority to disclose, correct, add or delete the contents of, cease the utilization of, erase, and cease the third-party provision of, and which shall be neither those prescribed by cabinet order as likely to harm the public or other interests if their presence or absence is made known nor those set to be deleted within a period of no longer than one year that is prescribed by cabinet order.
(8) A "principal" in relation to personal information in this Act means a specific individual identifiable by personal information.
(9) "Anonymously processed information" in this Act means information relating to an individual that can be produced from processing personal information so as neither to be able to identify a specific individual by taking action prescribed in each following item in accordance with the divisions of personal information set forth in each said item nor to be able to restore the personal information.
(i) personal information falling under paragraph (1), item (i); Deleting a part of descriptions etc. contained in the said personal information (including replacing the said part of descriptions etc. with other descriptions etc. using a method with no regularity that can restore the said part of descriptions etc.)
(ii) personal information falling under paragraph (1), item (ii); Deleting all individual identification codes contained in the said personal information (including replacing the said individual identification codes with other descriptions etc. using a method with no regularity that can restore the said personal identification codes)
(10) An "anonymously processed information handling business operator" in this Act means a person who provides for use in business a collective body of information comprising anonymously processed information which has been systematically organized so as to be able to search using a computer for specific anonymously processed information or similar others prescribed by cabinet order as systematically organized so as to be able to search easily for specific anonymously processed information (referred to as an "anonymously processed information database etc." in Article 36, paragraph (1)). However, a person set forth in each item of paragraph (5) is excluded.
(Overall Vision)
Article 3 Personal information, considering it should be carefully handled under the vision of respecting the personality of an individual, shall be made subject to proper handling.
Chapter II Responsibilities etc. of the Central and Local Governments
(Responsibilities of the Central Government)
Article 4 The central government shall have the responsibilities for comprehensively developing and implementing necessary measures to ensure the proper handling of personal information in conformity with the purport of this Act.
(Responsibilities of the Local Governments)
Article 5 The local governments shall have the responsibilities for developing and implementing necessary measures to ensure the proper handling of personal information based on the characteristics of their local area in conformity with the purport of this Act.
(Legislative Action etc.)
Article 6 The government shall, considering the nature and utilization method of personal information, take necessary legislative and other action so as to be able to take discreet action for protecting personal information that especially requires ensuring the strict implementation of its proper handling in order to seek enhanced protection of an individual's rights and interests, and shall take necessary action in collaboration with the governments in other countries to construct an internationally conformable system concerning personal information through fostering cooperation with an international organization and other international framework.
Chapter III Measures etc. for the Protection of Personal Information
Section 1 Basic Policy on the Protection of Personal Information
Article 7 (1) The government shall establish a basic policy on the protection of personal information (hereinafter referred to as a "basic policy") in order to seek to comprehensively and integrally promote measures concerning the protection of personal information.
(2) A basic policy shall prescribe those matters set forth in the following.
(i) a basic direction for promoting measures concerning the protection of personal information
(ii) a matter concerning action to be taken by the central government for the protection of personal information
(iii) a basic matter concerning action to be taken by a local government for the protection of personal information
(iv) a basic matter concerning action to be taken by an incorporated administrative agency etc. for the protection of personal information
(v) a basic matter concerning action to be taken by a local incorporated administrative agency for the protection of personal information
(vi) a basic matter concerning action to be taken by a personal information handling business operator, an anonymously processed information handling business operator and an accredited personal information protection organization prescribed in Article 50, paragraph (1) for the protection of personal information
(vii) a matter concerning dealing smoothly with a complaint about the handling of personal information
(viii) other important matters concerning promoting measures for the protection of personal information.
(3) The Prime Minister shall call for a cabinet decision on a basic policy developed by the Personal Information Protection Commission.
(4) The Prime Minister shall, when a cabinet decision was made pursuant to the provisions of the preceding paragraph, disclose a basic policy to the public without delay.
(5) The provisions under the preceding two paragraphs shall apply mutatis mutandis when altering a basic policy.
Section 2 Measures by the Central Government
(Support to a Local Government etc.)
Article 8 The central government shall provide information, develop guidelines to ensure the proper and effective implementation of action to be taken by a business operator etc., and take other necessary action in order to support measures for the protection of personal information developed or implemented by a local government and activities undertaken by a Japanese citizen, or a business operator etc. in relation to seeking the proper handling of personal information.
(Action for Dealing with a Complaint)
Article 9 The central government shall take necessary action to seek the proper and prompt dealing of a complaint caused between a business operator and a principal about the handling of personal information.
(Action for Ensuring the Proper Handling of Personal Information)
Article 10 The central government shall, through the appropriate division of roles between a local government and itself, take necessary action prescribed in the succeeding Chapter in order to ensure the proper handling of personal information by a personal information handling business operator.
Section 3 Measures by the Local Governments
(Protection of Personal Information Retained by a Local Government etc.)
Article 11 (1) A local government shall, considering the nature of personal information it retains, the purpose of retaining the personal information, and so on, strive to take necessary action so as to ensure the proper handling of the retained personal information.
(2) A local government shall, in response to the characteristics and business contents of a local incorporated administrative agency that it has established, strive to take necessary action so as to ensure the proper handling of personal information that the agency retains.
(Support to a Business Operator etc. in a Local Area)
Article 12 A local government shall, in order to ensure the proper handling of personal information, strive to take necessary action to support a business operator and a resident in a local area.
(Mediation etc. for Dealing with a Complaint)
Article 13 A local government shall, in order for a complaint caused between a business operator and a principal about the handling of personal information to be dealt with appropriately and promptly, strive to mediate dealing with the complaint and take other necessary action.
Section 4 Cooperation between the Central and Local Governments
Article 14 The central and local governments shall cooperate with one another in implementing measures relating to the protection of personal information.
Chapter IV Obligations etc. of a Personal Information Handling Business Operator
Section 1 Obligations of a Personal Information Handling Business Operator
(Specifying a Utilization Purpose)
Article 15 (1) A personal information handling business operator shall, in handling personal information, specify the purpose of utilizing the personal information (hereinafter referred to as a "utilization purpose") as explicitly as possible.
(2) A personal information handling business operator shall, in case of altering a utilization purpose, not do so beyond the scope recognized reasonably relevant to the pre-altered utilization purpose.
(Restriction due to a Utilization Purpose)
Article 16 (1) A personal information handling business operator shall not handle personal information without obtaining in advance a principal's consent beyond the necessary scope to achieve a utilization purpose specified pursuant to the provisions under the preceding Article.
(2) A personal information handling business operator shall, in case of having acquired personal information accompanied with succeeding a business from another personal information handling business operator because of a merger or other reason, not handle the personal information without obtaining in advance a principal's consent beyond the necessary scope to achieve the pre-succession utilization purpose of the said personal information.
(3) The provisions under the preceding two paragraphs shall not apply to those cases set forth in the following.
(i) cases based on laws and regulations
(ii) cases in which there is a need to protect a human life, body or fortune, and when it is difficult to obtain a principal's consent
(iii) cases in which there is a special need to enhance public hygiene or promote fostering healthy children, and when it is difficult to obtain a principal's consent
(iv) cases in which there is a need to cooperate in regard to a central government organization or a local government, or a person entrusted by them performing affairs prescribed by laws and regulations, and when there is a possibility that obtaining a principal's consent would interfere with the performance of the said affairs
(Proper Acquisition)
Article 17 (1) A personal information handling business operator shall not acquire personal information by deceit or other improper means.
(2) A personal information handling business operator shall, except in those cases set forth in the following, not acquire special care-required personal information without obtaining in advance a principal's consent.
(i) cases based on laws and regulations
(ii) cases in which there is a need to protect a human life, body or fortune, and when it is difficult to obtain a principal's consent
(iii) cases in which there is a special need to enhance public hygiene or promote fostering healthy children, and when it is difficult to obtain a principal's consent
(iv) cases in which there is a need to cooperate in regard to a central government organization or a local government, or a person entrusted by them performing affairs prescribed by laws and regulations, and when there is a possibility that obtaining a principal's consent would interfere with the performance of the said affairs
(v) cases in which the said special care-required personal information is being open to the public by a principal, a government organization, a local government, a person set forth in each item of Article 76, paragraph (1) or other persons prescribed by rules of the Personal Information Protection Commission
(vi) other cases prescribed by cabinet order as equivalent to those cases set forth in each preceding item
(Notification etc. of a Utilization Purpose when Acquiring)
Article 18 (1) A personal information handling business operator shall, in case of having acquired personal information except in cases where a utilization purpose has been disclosed in advance to the public, promptly inform a principal of, or disclose to the public, the utilization purpose.
(2) A personal information handling business operator shall, notwithstanding the provisions under the preceding paragraph, in cases where it acquires, accompanied by concluding a contract with a principal, the principal's personal information stated in a written contract or other document (including an electromagnetic record; hereinafter the same in this paragraph) or other similar cases where it acquires directly from a principal his or her personal information stated in a written document, state a utilization purpose explicitly to the said principal. This, however, shall not apply in cases where there is an urgent need to protect a human life, body or fortune.
(3) A personal information handling business operator shall, in case of altering a utilization purpose, inform a principal of, or disclose to the public, a post-altered utilization purpose.
(4) The provisions of the preceding three paragraphs shall not apply in those cases set forth in the following.
(i) cases in which there is a possibility that informing a principal of, or disclosing to the public, a utilization purpose would harm a principal or third party's life, body, fortune or other rights and interests
(ii) cases in which there is a possibility that informing a principal of, or disclosing to the public, a utilization purpose would harm the rights or legitimate interests of the said personal information handling business operator
(iii) cases in which there is a need to cooperate in regard to a central government organization or a local government performing affairs prescribed by laws and regulations, and when there is a possibility that informing a principal of, or disclosing to the public, a utilization purpose would interfere with the performance of the said affairs
(iv) cases in which it can be recognized, judging from the acquisitional circumstances, that a utilization purpose is clear
(Assurance etc. about the Accuracy of Data Contents)
Article 19 A personal information handling business operator shall strive to keep personal data accurate and up to date within the scope necessary to achieve a utilization purpose, and to delete the personal data without delay when such utilization has become unnecessary.
(Security Control Action)
Article 20 A personal information handling business operator shall take necessary and appropriate action for the security control of personal data including preventing the leakage, loss or damage of its handled personal data.
(Supervision over Employees)
Article 21 A personal information handling business operator shall, in having its employees handle personal data, exercise necessary and appropriate supervision over the employees so as to seek the security control of the personal data.
(Supervision over a Trustee)
Article 22 A personal information handling business operator shall, in case of entrusting a whole or part of the handling of personal data, exercise necessary and appropriate supervision over an entrusted person so as to seek the security control of the personal data of which the handling has been entrusted.
(Restriction on Third Party Provision)
Article 23 (1) A personal information handling business operator shall, except in those cases set forth in the following, not provide personal data to a third party without obtaining in advance a principal's consent.
(i) cases based on laws and regulations
(ii) cases in which there is a need to protect a human life, body or fortune, and when it is difficult to obtain a principal's consent
(iii) cases in which there is a special need to enhance public hygiene or promote fostering healthy children, and when it is difficult to obtain a principal's consent
(iv) cases in which there is a need to cooperate in regard to a central government organization or a local government, or a person entrusted by them performing affairs prescribed by laws and regulations, and when there is a possibility that obtaining a principal's consent would interfere with the performance of the said affairs
(2) A personal information handling business operator, in regard to personal data provided to a third party (excluding special care-required personal information; hereinafter the same in this paragraph), may, in cases where it is set to cease in response to a principal's request a third-party provision of personal data that can identify the principal and when pursuant to rules of the Personal Information Protection Commission it has in advance informed a principal of those matters set forth in the following or put them into a state where a principal can easily know, and notified them to the Personal Information Protection Commission, provide the said personal data to a third party notwithstanding the provisions of the preceding paragraph.
(i) to set a third-party provision as a utilization purpose
(ii) the categories of personal data provided to a third party
(iii) a method of a third-party provision
(iv) to cease, in response to a principal's request, a third-party provision of personal data that can identify the principal
(v) a method of receiving a principal's request
(3) A personal information handling business operator shall, in case of altering those matters set forth in item (ii), item (iii) or item (v) of the preceding paragraph, in advance inform a principal of the contents to be altered or put them into a state where a principal can easily know and notify them to the Personal Information Protection Commission pursuant to rules of the Personal Information Protection Commission.
(4) The Personal Information Protection Commission shall, when notified pursuant to paragraph (2), disclose to the public a matter relating to the notification pursuant to rules of the Personal Information Protection Commission. The same shall apply when notified pursuant to the preceding paragraph.
(5) In those cases set forth in the following, a person receiving the provision of the said personal data shall not fall under a third party in regard to applying the provisions of each preceding paragraph.
(i) cases in which personal data is provided accompanied by a personal information handling business operator entrusting a whole or part of the handling of the personal data within the necessary scope to achieve a utilization purpose
(ii) cases in which personal data is provided accompanied with business succession caused by a merger or other reason
(iii) cases in which personal data to be jointly utilized by a specified person is provided to the specified person, and when a principal has in advance been informed or a state has been in place where a principal can easily know to that effect as well as of the categories of the jointly utilized personal data, the scope of a jointly utilizing person, the utilization purpose for the utilizing person and the name or appellation of a person responsible for controlling the said personal data
(6) A personal information handling business operator shall, in case of altering a utilization purpose for a utilizing person or the name or appellation of a person responsible for controlling personal data prescribed in item (iii) of the preceding paragraph, in advance inform a principal of the contents to be altered or put them into a state where a principal can easily know.
(Restriction on Provision to a Third Party in a Foreign Country)
Article 24 A personal information handling business operator, except in those cases set forth in each item of the preceding Article, paragraph (1), shall, in case of providing personal data to a third party (excluding a person establishing a system conforming to standards prescribed by rules of the Personal Information Protection Commission as necessary for continuously taking action equivalent to the one that a personal information handling business operator shall take concerning the handling of personal data pursuant to the provisions of this Section; hereinafter the same in this Article) in a foreign country (meaning a country or region located outside the territory of Japan; hereinafter the same) (excluding those prescribed by rules of the Personal Information Protection Commission as a foreign country establishing a personal information protection system recognized to have equivalent standards to that in Japan in regard to the protection of an individual's rights and interests; hereinafter the same in this Article), in advance obtain a principal's consent to the effect that he or she approves the provision to a third party in a foreign country. In this case, the provisions of the preceding Article shall not apply.
(Keeping etc. of a Record on a Third-Party Provision)
Article 25 (1) A personal information handling business operator shall, when having provided personal data to a third party (excluding a person set forth in each item of Article 2, paragraph (5); hereinafter the same in this Article and the succeeding Article), keep a record pursuant to rules of the Personal Information Protection Commission on the date of the personal data provision, the name or appellation of the third party, and other matters prescribed by rules of the Personal Information Protection Commission. This, however, shall not apply in cases where the personal data provision falls under any of each item of Article 23, paragraph (1) or paragraph (5) (this means, in case of a personal data provision pursuant to the provisions of the preceding Article, any of each item of Article 23, paragraph (1)).
(2) A personal information handling business operator shall maintain a record under the preceding paragraph for a period of time prescribed by rules of the Personal Information Protection Commission from the date when it kept the record.
(Confirmation etc. when Receiving a Third Party Provision)
Article 26 (1) A personal information handling business operator shall, when receiving the provision of personal data from a third party, confirm those matters set forth in the following pursuant to rules of the Personal Information Protection Commission. This, however, shall not apply in cases where the said personal data provision falls under any of each item of Article 23, paragraph (1) or paragraph (5).
(i) the name or appellation and address of the third party and, for a corporate body, the name of its representative (for a non-corporate body having appointed a representative or administrator, the said representative or administrator)
(ii) circumstances under which the said personal data was acquired by the said third party
(2) A third party under the preceding paragraph shall, in cases where a personal information handling business operator confirms pursuant to the provisions of the preceding paragraph, not deceive the personal information handling business operator on a matter relating to the confirmation.
(3) A personal information handling business operator shall, when having confirmed pursuant to the provisions of paragraph (1), keep a record pursuant to rules of the Personal Information Protection Commission on the date when it received the provision of personal data, a matter concerning the said confirmation, and other matters prescribed by rules of the Personal Information Protection Commission.
(4) A personal information handling business operator shall maintain a record under the preceding paragraph for a period of time prescribed by rules of the Personal Information Protection Commission from the date when it kept the record.
(Public Disclosure etc. on Matters relating to Retained Personal Data)
Article 27 (1) A personal information handling business operator shall, concerning its retained personal information, put those matters set forth in the following into a state where a principal can know (including those cases in which it, at the request of a principal, responds without delay).
(i) the name or appellation of the said personal information handling business operator
(ii) the utilization purpose of all retained personal data (excluding those cases falling under item (i) through item (iii) of Article 18, paragraph (4))
(iii) the procedures for responding to a request pursuant to the provisions of the succeeding paragraph or a demand pursuant to the provisions of the succeeding Article, paragraph (i); Article 29, paragraph (1); or Article 30, paragraph (1) or paragraph (3) (including, when the amount of a fee has been decided pursuant to the provisions of Article 33, paragraph (2), the amount of the fee)
(iv) besides those set forth under the preceding three items, those prescribed by cabinet order as a necessary matter to ensure the proper handling of retained personal data
(2) A personal information handling business operator shall, when requested by a principal to get informed of a utilization purpose of retained personal data that can identify the principal, inform the said principal thereof without delay. This, however, shall not apply in those cases falling under any of each following item.
(i) cases in which the utilization purpose of retained personal data that can identify the said principal is clear pursuant to the provisions of the preceding paragraph
(ii) cases falling under item (i) through item (iii) of Article 18, paragraph (4)
(3) A personal information handling business operator shall, when having been requested based on the provisions of the preceding paragraph but decided not to inform a principal of the utilization purpose of retained personal data, inform the principal to that effect without delay.
(Disclosure)
Article 28 (1) A principal may demand of a personal information handling business operator disclosing retained personal data that can identify him or herself.
(2) A personal information handling business operator shall, when having received a demand pursuant to the provisions of the preceding paragraph, disclose retained personal data to a principal without delay pursuant to a method prescribed by cabinet order. However, in cases where disclosing such data falls under any of each following item, a whole or part thereof may not be disclosed.
(i) cases in which there is a possibility of harming a principal or third party's life, body, fortune or other rights and interests
(ii) cases in which there is a possibility of interfering seriously with the said personal information handling business operator implementing its business properly
(iii) cases of violating other laws or regulations
(3) A personal information handling business operator shall, when having decided not to disclose a whole or part of retained personal data in connection with a demand pursuant to the provisions of paragraph (1) or when the retained personal data does not exist, inform a principal thereof without delay.
(4) In cases where a whole or part of retained personal data that can identify a principal is to be disclosed to the principal pursuant to the provisions of other laws or regulations using a method equivalent to that prescribed in the main clause of paragraph (2), the provisions of paragraph (1) and paragraph (2) shall not apply in regard to the said whole or part of retained personal data.
(Correction etc.)
Article 29 (1) A principal may, when the contents of retained personal data that can identify the principal are not factual, demand of a personal information handling business operator making a correction, addition or deletion (hereinafter referred to as a "correction etc." in this Article) in regard to the contents of the retained personal data.
(2) A personal information handling business operator shall, in case of having received a demand pursuant to the provisions of the preceding paragraph except in cases where special procedure concerning a correction etc. of the contents is prescribed by the provisions of other laws or regulations, conduct a necessary investigation without delay to the extent necessary to achieve a utilization purpose and, based on the result thereof, make a correction etc. of the contents of the retained personal data.
(3) A personal information handling business operator shall, when having made a correction etc. on a whole or part of the contents of the retained personal data in connection with a demand pursuant to the provisions under paragraph (1) or when having made a decision not to make a correction etc., inform a principal without delay to that effect (including, when having made a correction etc., the contents thereof).
(Utilization Cease etc.)
Article 30 (1) A principal may, when retained personal data that can identify the principal is being handled in violation of the provisions of Article 16 or has been acquired in violation of the provisions of Article 17, demand of a personal information handling business operator a utilization cease or deletion (hereinafter referred to as a "utilization cease etc." in this Article) of the retained personal data.
(2) A personal information handling business operator shall, in case of having received a demand pursuant to the provisions of the preceding paragraph and when it has become clear that there is a reason in the demand, fulfill a utilization cease etc. of the said retained personal data to the extent necessary to redress a violation without delay. This, however, shall not apply in cases where a utilization cease etc. of the said retained personal data requires a large amount of expenses or other cases where it is difficult to fulfil a utilization cease etc. and when necessary alternative action is taken to protect a principal's rights and interests.
(3) A principal may, when retained personal data that can identify the principal is being provided to a third party in violation of the provisions of Article 23, paragraph (1) or Article 24, demand of a personal information handling business operator ceasing a third-party provision of the retained personal data.
(4) A personal information handling business operator shall, in case of having received a demand pursuant to the provisions of the preceding paragraph and when it has become clear that there is a reason in the demand, cease a third-party provision of the retained personal data without delay. This, however, shall not apply in cases where ceasing a third-party provision of the said retained personal data requires a large amount of expenses or other cases where it is difficult to cease a third-party provision and when necessary alternative action is taken to protect a principal's rights and interests.
(5) A personal information handling business operator shall, when having fulfilled a utilization cease etc. or decided not to fulfill a utilization cease etc. of a whole or part of retained personal data in connection with a demand pursuant to the provisions of paragraph (1), or when having ceased a third-party provision or decided not to cease a third-party provision of a whole or part of retained personal data in connection with a demand pursuant to the provisions of paragraph (3), inform a principal to that effect without delay.
(Explanation of Reason)
Article 31 A personal information handling business operator shall, in case of informing a principal to the effect that, as regards a whole or part of action requested or demanded by the principal pursuant to the provisions of Article 27, paragraph (3); Article 28, paragraph (3); Article 29, paragraph (3); or the preceding Article, paragraph (5), the action will not be taken, or to the effect that different action from the said action will be taken, strive to explain a reason therefor to the said principal.
(Procedure for Responding to a Demand etc. for Disclosure etc.)
Article 32 (1) A personal information handling business operator may, as regards a request pursuant to the provisions of Article 27, paragraph (2) or a demand pursuant to the provisions of Article 28, paragraph (1); Article 29, paragraph (1); Article 30, paragraph (1) or paragraph (3) (hereinafter referred to as a "demand etc. for disclosure etc." in this Article and Article 53, paragraph (1)), decide on a method of receiving a request or demand pursuant to those prescribed by cabinet order. In this case, a principal shall make a demand etc. for disclosure etc. in accordance with the method.
(2) A personal information handling business operator may, as regards a demand etc. for disclosure etc., request a principal to present a matter sufficient to specify retained personal data subject to the demand etc. In this case, a personal information handling business operator shall take appropriate action in consideration of a principal's convenience such as providing information conducive to specify the retained personal data so that the principal would be able to easily and precisely make a demand etc. for disclosure etc.
(3) A demand etc. for disclosure etc. may be made through an agent pursuant to those prescribed by cabinet order.
(4) A personal information handling business operator shall, in establishing a procedure for responding to a demand etc. for disclosure etc. based on the provisions of the preceding three paragraphs, give consideration so as not to impose excessive burden on a principal.
(Fee)
Article 33 (1) A personal information handling business operator may, when having been requested to inform of a utilization purpose pursuant to the provisions of Article 27, paragraph (2) or when having received a demand for disclosure pursuant to the provisions of Article 28, paragraph (1), collect a fee in relation to taking such action.
(2) A personal information handling business operator shall, in case of collecting a fee pursuant to the provisions of the preceding paragraph, decide on the amount of the fee within a range recognized as reasonable considering actual expenses.
(Advance Demand)
Article 34 (1) A principal may, when intending to file a lawsuit in connection with a demand pursuant to the provisions of Article 28, paragraph (1); Article 29, paragraph (1); or Article 30, paragraph (1) or paragraph (3), not file the lawsuit unless the principal had previously issued the demand against a person who should become a defendant in the lawsuit and two weeks have passed from the delivery day of the issued demand. This, however, shall not apply when the person who should become a defendant in the lawsuit has rejected the demand.
(2) A demand under the preceding paragraph is deemed as having been delivered at the time when such a demand should have normally been delivered.
(3) The provisions of the preceding two paragraphs shall apply mutatis mutandis to a petition for a provisional disposition order in connection with a demand pursuant to the provisions of Article 28, paragraph (1); Article 29, paragraph (1); or Article 30, paragraph (1) or paragraph (3).
(Personal Information Handling Business Operator's Dealing with a Complaint)
Article 35 (1) A personal information handling business operator shall strive to deal appropriately and promptly with a complaint about the handling of personal information.
(2) A personal information handling business operator shall strive to establish a system necessary to achieve a purpose under the preceding paragraph.
Section 2 Duties of an Anonymously Processed Information Handling Business Operator etc.
(Production etc. of Anonymously Processed Information)
Article 36 (1) A personal information handling business operator shall, when producing anonymously processed information (limited to those constituting anonymously processed information database etc.; hereinafter the same), process personal information in accordance with standards prescribed by rules of the Personal Information Protection Commission as those necessary to make it impossible to identify a specific individual and restore the personal information used for the production.
(2) A personal information handling business operator, when having produced anonymously processed information, shall, in accordance with standards prescribed by rules of the Personal Information Protection Commission as those necessary to prevent the leakage of information relating to those descriptions etc. and individual identification codes deleted from personal information used to produce the anonymously processed information, and information relating to a processing method carried out pursuant to the provisions of the preceding paragraph, take action for the security control of such information.
(3) A personal information handling business operator, when having produced anonymously processed information, shall, pursuant to rules of the Personal Information Protection Commission, disclose to the public the categories of information relating to an individual contained in the anonymously processed information.
(4) A personal information handling business operator, when having produced anonymously processed information and providing the anonymously processed information to a third party, shall, pursuant to rules of the Personal Information Protection Commission, in advance disclose to the public the categories of information concerning an individual contained in anonymously processed information to be provided to a third party and its providing method, and state to the third party explicitly to the effect that the information being provided is anonymously processed information.
(5) A personal information handling business operator shall, when having produced anonymously processed information and making itself handle the anonymously processed information, not collate the said anonymously processed information with other information in order to identify a principal concerned with personal information used to produce the said anonymously processed information.
(6) A personal information handling business operator shall, when having produced anonymously processed information, strive to take itself necessary and appropriate action for the security control of the anonymously processed information and necessary action for ensuring the proper handling of the anonymously processed information such as dealing with a complaint about the handling, including producing, of the said anonymously processed information, and strive to disclose to the public the contents of such action taken.
(Provision of Anonymously Processed Information)
Article 37 An anonymously processed information handling business operator, when providing anonymously processed information (excluding those which it produced itself by processing personal information; hereinafter the same in this Section) to a third party, shall, pursuant to rules of the Personal Information Protection Commission, in advance disclose to the public the categories of personal information contained in anonymously processed information to be provided to a third party and state to the third party explicitly to the effect that the provided information is anonymously processed information.
(Prohibition against the Act of Identifying)
Article 38 An anonymously processed information handling business operator, shall, in handling anonymously processed information, neither acquire information relating to those descriptions etc. or individual identification codes deleted from the personal information and information relating to a processing method carried out pursuant to the provisions of Article 36, paragraph (1), nor collate the said anonymously processed information with other information in order to identify a principal concerned with personal information used to produce the anonymously processed information.
(Security Control Action etc.)
Article 39 An anonymously processed information handling business operator shall strive to take itself necessary and appropriate action for the security control of anonymously processed information and necessary action to ensure the proper handling of anonymously processed information such as dealing with a complaint about the handling of anonymously processed information, and shall strive to disclose to the public the contents of such action taken.
Section 3 Supervision
(Report and Onsite Inspection)
Article 40 (1) The Personal Information Protection Commission may, to the extent necessary to implement the provisions under the preceding two Sections and this Section, require a personal information handling business operator or anonymously processed information handling business operator (hereinafter referred to collectively as a "personal information handling business operator etc.") to submit necessary information or material relating to the handling of personal information or anonymously processed information (hereinafter referred to collectively as "personal information etc."), or have its officials enter a business office or other necessary place of a personal information handling business operator etc., inquire about the handling of personal information etc., or inspect a book, document and other property.
(2) An official who conducts an onsite inspection pursuant to the provisions of the preceding paragraph shall carry a certificate for identification, and present it when requested by a person concerned.
(3) An onsite inspection authority pursuant to the provisions of paragraph (1) shall not be construed as granted for a criminal investigation.
(Guidance and Advice)
Article 41 The Personal Information Protection Commission may, to the extent necessary to implement the provisions under the preceding two Sections, provide a personal information handling business operator etc. with necessary guidance or advice on the handling of personal information etc.
(Recommendation and Order)
Article 42 (1) The Personal Information Protection Commission may, when recognizing there is a need for protecting an individual's rights and interests in cases where a personal information handling business operator has violated the provisions under Article 16 through Article 18, Article 20 through Article 22, Article 23 (excluding paragraph (4)), Article 24, Article 25, Article 26 (excluding paragraph (2)), Article 27, Article 28 (excluding paragraph (1)), Article 29, paragraph (2) or (3), Article 30 (2), paragraph (4) or (5), Article 33, paragraph (2) or Article 36 (excluding paragraph (6)) or in cases where an anonymously processed information handling business operator has violated the provisions under Articles 37 or 38, recommend the personal information handling business operator etc. to suspend the act of violating or take other necessary action to rectify the violation.
(2) The Personal Information Protection Commission may, when recognizing that a serious infringement of an individual's rights and interests is imminent in cases where a personal information handling business operator etc. having received a recommendation pursuant to the provisions under the preceding paragraph did not take action in line with the recommendation without legitimate ground, order the personal information handling business operator etc. to take action in line with the said recommendation.
(3) The Personal Information Protection Commission may, notwithstanding the provisions under the preceding two paragraphs when recognizing there is a need to take urgent action because there is a fact that seriously harms an individual's rights and interests in cases where a personal information handling business operator has violated the provisions of Article 16, Article 17, Article 20 through Article 22, Article 23, paragraph (1), Article 24 or Article 36, paragraph (1), paragraph (2) or paragraph (5) or in cases where an anonymously processed information handling business operator has violated the provisions under Article 38, order the personal information handling business operator etc. to take necessary action to rectify the violation such as suspending the act of violation.
(Restriction on the Personal Information Protection Commission's Exercising the Authority)
Article 43 (1) The Personal Information Protection Commission shall, in the course of requiring the submission of a report or material from, conducting an onsite inspection of, or giving a guidance, advice, recommendation or order to, a personal information handling business operator etc., not hinder the freedom of expression, freedom of academia, freedom of religion, and freedom of political activity.
(2) In light of the purport of the provisions of the preceding paragraph, the Personal Information Protection Commission shall not exercise the authorities in regard to a personal information handling business operator's act of providing personal information etc. to a person set forth in each item of Article 76, paragraph (1) (limited to those cases where each person handles personal information etc. for a respective purpose stipulated in each said item).
(Delegation of Authority)
Article 44 (1) The Personal Information Protection Commission may, when recognizing that there is a need for effectively giving a personal information handling business operator a recommendation or order pursuant to the provisions of Article 42 because there is a need to urgently and intensively seek ensuring the proper handling of personal information etc. or similar other circumstances prescribed by cabinet order, delegate an authority under the provisions of Article 40, paragraph (1) to a business jurisdictional minister as prescribed by cabinet order.
(2) A business jurisdictional minister shall, when having exercised an authority delegated pursuant to the provisions of the preceding paragraph, report the results thereof to the Personal Information Protection Commission as prescribed by cabinet order.
(3) A business jurisdictional minister may, as prescribed by cabinet order, delegate a whole or part of an authority delegated pursuant to the provisions of paragraph (1) or a whole or part of an authority pursuant to the provisions of the preceding paragraph to a head of a local branch bureau under Article 43 of the Act for Establishment of the Cabinet Office (Act No.89 of 1999) or other bureau or organ prescribed by cabinet order.
(4) The Prime Minister delegates an authority delegated pursuant to the provisions of paragraph (1) and an authority under the provisions of paragraph (2) (limited to those relating to the Financial Services Agency's jurisdiction and excluding those prescribed by cabinet order) to a Commissioner of the Financial Services Agency.
(5) A Commissioner of the Financial Services Agency may, as prescribed by cabinet order, delegate part of an authority delegated pursuant to the provisions of the preceding paragraph to the Securities and Exchange Surveillance Commission.
(6) A Commissioner of the Financial Services Agency may, as prescribed by cabinet order, delegate part of an authority delegated pursuant to the provisions of paragraph (4) (excluding those delegated to the Securities and Exchange Surveillance Commission pursuant to the provisions of the preceding paragraph) to a Director-General of a local finance bureau or local finance branch bureau.
(7) The Securities and Exchange Surveillance Commission may, as prescribed by cabinet order, delegate part of an authority delegated pursuant to the provisions of paragraph (5) to a Director-General of a local finance bureau or local finance branch bureau.
(8) As for administrative affairs relating to an authority delegated to a Director-General of a local finance bureau or local finance branch bureau pursuant to the provisions of the preceding paragraph, the Securities and Exchange Surveillance Commission directs and supervises a Director-General of a local finance bureau or local finance branch bureau.
(9) In case of paragraph (5), a request for administrative review concerning the Securities and Exchange Surveillance Commission's requiring the submission of a report or material (including those cases in which a Director-General of a local finance bureau or local finance branch bureau do so pursuant to the provisions of paragraph (7)) may only be filed against the Securities and Exchange Surveillance Commission.
(Request by Business Jurisdictional Minister)
Article 45 A business jurisdictional minister may, when recognizing that there is a need for ensuring the proper handling of personal information etc. by a personal information handling business operator etc. including that there is an act of a personal information handling business operator etc. violating the provisions under the preceding two Sections, request the Personal Information Protection Commission to take appropriate action in accordance with the provisions of this Act.
(Business Jurisdictional Minister)
Article 46 A business jurisdictional minister in the provisions of this Section shall be as follows.
(i) as for those relating to employment management involved in the handling of personal information etc. by a personal information handling business operator etc.; a Minister of Health, Labor and Welfare (as for those relating to a mariner's employment management; a Minister of Land, Infrastructure, Transport and Tourism), and a minister having jurisdiction over a business conducted by a said personal information handling business operator or the National Public Safety Commission (referred to collectively as a "Minister etc." in the succeeding item)
(ii) as for those other than the ones set forth in the preceding item involved in the handling of personal information etc. by a personal information handling business operator etc.; a Minister etc. having jurisdiction over a business conducted by a said personal information handling business operator
Section 4 Private-Sector Body's Promotion for the Protection of Personal Information
(Accreditation)
Article 47 (1) A corporation (including a non-corporate body which has appointed a representative or administrator; the same shall apply in the succeeding Article, item (iii), (b)) which intends to render the following services in order to ensure the proper handling of personal information etc. by a personal information handling business operator etc. may receive an accreditation from the Personal Information Protection Commission.
(i) dealing with a complaint under the provisions of Article 52 about the handling of personal information etc. by a personal information handling business operator covered by the services (hereinafter referred to as a "covered business operator")
(ii) providing a covered business operator with information concerning a matter contributory to ensuring the proper handling of personal information etc.
(iii) besides those set forth in the preceding two items, rendering necessary services related to ensuring the proper handling of personal information etc. by a covered business operator
(2) A person who intends to receive an accreditation under the preceding paragraph shall, as prescribed by cabinet order, apply to the Personal Information Protection Commission.
(3) The Personal Information Protection Commission shall, when having granted an accreditation under the paragraph (1), announce to the public to that effect.
(Disqualification)
Article 48 A person falling under any of each following item shall not receive an accreditation under the paragraph (1) of the preceding Article.
(i) a person who has been sentenced to imprisonment pursuant to the provisions of this Act and for whom two years have not elapsed since the date of either the completion of, or the conclusion of being subject to, the execution of the sentence
(ii) a person whose accreditation was rescinded pursuant to the provisions of Article 58, paragraph (1) and for whom two years have not elapsed since the date of the rescission
(iii) those of which the directors rendering the said services (including a representative or administrator of a non-corporate body which has appointed a representative or administrator; hereinafter the same in this Article) encompass a person who falls under any of the following
(a) a person who has been sentenced to imprisonment or a severer punishment or who has been sentenced pursuant to the provisions of this Act and for whom two years have not elapsed since the date of either the completion of, or the conclusion of being subject to, the execution of the sentence
(b) a person who was a director of a corporation whose accreditation was rescinded pursuant to the provisions of Article 58, paragraph (1) within thirty days prior to the date of the rescission and for whom two years have not elapsed since the date of the rescission
(Accreditation Standards)
Article 49 The Personal Information Protection Commission shall not grant an accreditation unless it recognizes that an accreditation application under Article 47, paragraph (1) conforms to all of each following item.
(i) a service-rendering method has been devised necessary to perform properly and assuredly those services set forth in each item of Article 47, paragraph (1)
(ii) knowledge, capability and financial base have been demonstrated as sufficient to perform properly and assuredly those services set forth in each item of Article 47, paragraph (1)
(iii) in cases where services other than those services set forth in each item of Article 47, paragraph (1) are being rendered, there is no possibility that rendering such other services disturb the fairness of those services set forth in each item of the said paragraph
(Notification of Termination)
Article 50 (1) A person who has received an accreditation under Article 47, paragraph (1) (hereinafter referred to as an "accredited personal information protection organization") shall, when intending to terminate services concerning the accreditation (hereinafter referred to as "accredited services"), in advance notify the Personal Information Protection Commission to that effect as prescribed by cabinet order.
(2) The Personal Information Protection Commission shall, when notified pursuant to the provisions of the preceding paragraph, announce to the public to that effect.
(Covered Business Operator)
Article 51 (1) An accredited personal information protection organization shall make its covered business operators composed of a personal information handling business operator etc. who is a constituent of the said accredited personal information protection organization or who has consented to becoming covered by the accredited services.
(2) An accredited personal information protection organization shall announce to the public the name or appellation of its covered business operators.
(Dealing with a Complaint)
Article 52 (1) An accredited personal information protection organization shall, when petitioned by a principal or other concerned person to resolve a complaint about its covered business operator's handling of personal information etc., hold consultation, give necessary advice to the petitioner and investigate circumstances surrounding the complaint, as well as inform the covered business operator of the complaint contents and request its expeditious resolution.
(2) An accredited personal information protection organization may, when recognizing that there is a need in regard to the resolution of a complaint in connection with a petition under the preceding paragraph, request the covered business operator to provide a written or oral explanation or submit a referential material.
(3) A covered business operator shall, when requested by an accredited personal information protection organization pursuant to the provisions of the preceding paragraph, not refuse the request without a justifiable reason.
(Personal Information Protection Guideline)
Article 53 (1) An accredited personal information protection organization shall, for the purpose of ensuring a covered business operator's proper handling of personal information etc., strive to develop a guideline conformable to the purport of the provisions of this Act (hereinafter referred to as a "personal information protection guideline") by asking a person representing consumers or other concerned person for their opinion in regard to a matter related to personal information including utilization purpose specification, security control action and procedures for responding to a demand etc. for disclosure etc. as well as a matter related to anonymously processed information including its production method and security control action for such information.
(2) An accredited personal information protection organization shall, when having developed a personal information protection guideline pursuant to the provisions of the preceding paragraph, notify without delay the Personal information Protection Commission of the personal information protection guideline pursuant to rules of the Personal Information Protection Commission. When this has been modified, the same shall apply.
(3) The Personal Information Protection Commission shall, when having been notified of a personal information protection guideline under the provisions of the preceding paragraph, announce to the public the personal information protection guideline pursuant to rules of the Personal Information Protection Commission.
(4) An accredited personal information protection organization shall, when a personal information protection guideline has been announced to the public pursuant to the provisions of the preceding paragraph, take action against a covered business operator such as providing guidance or recommendation necessary to make the covered business operator follow the said personal information protection guideline.
(Prohibition of Utilization for Unintended Purpose)
Article 54 An accredited personal information protection organization shall not utilize information obtained in the course of rendering accredited services for the other purposes than for use in such accredited services.
(Restriction on Use of Appellation)
Article 55 A person who is not an accredited personal information protection organization shall not use the appellation of the accredited personal information protection organization or any other confusing appellation therewith.
(Calling for a Report)
Article 56 The Personal Information Protection Commission may, to the extent necessary to implement the provisions under this section, call for an accredited personal information protection organization to report on its accredited services.
(Order)
Article 57 The Personal Information Protection Commission may, to the extent necessary to implement the provisions of this section, order an accredited personal information protection organization to improve a method of rendering accredited services, amend a personal information protection guideline, or take any other necessary action.
(Rescinding the Accreditation)
Article 58 (1) The Personal Information Protection Commission may, when an accredited personal information protection organization falls under any of each following item, rescind the accreditation.
(i) when having led to falling under Article 48, item (i) or item (iii)
(ii) when having become unconformable to any of each item of Article 49
(iii) when having violated the provisions of Article 54
(iv) when disobeying an order under the preceding Article
(v) when having received an accreditation under Article 47, paragraph (1) by improper means
(2) The Personal Information Protection Commission shall, when having rescinded an accreditation pursuant to the provisions of the preceding paragraph, announce to the public to that effect.
Chapter V The Personal Information Protection Commission
(Establishment)
Article 59 (1) The Personal Information Protection Commission (hereinafter referred to as the "Commission") is to be established based on the provisions of Article 49, paragraph (3) of the Act for Establishment of the Cabinet Office.
(2) The Commission belongs to the jurisdiction of the Prime Minster.
(Duties)
Article 60 The Commission is to assume the duties of pursuing ensuring the proper handling of personal information (including taking action such as giving guidance and advice to an individual number utilizing business etc. related implementer (meaning an individual number utilizing business etc. related implementer prescribed in Article 12 of the Act on the Use of Numbers to Identify a Specific Individual in the Administrative Procedure (Act No.27 of 2013; hereinafter referred to as the "Numbers Use Act"))) in order to protect an individual's rights and interests while considering the utility of personal information including that the proper and effective application of personal information contributes to the creation of new industries and the realization of a vibrant economic society and an enriched quality of life for the people of Japan.
(Jurisdictional Affairs)
Article 61 The Commission is to administer the following affairs in order to fulfil the duties under the preceding Article.
(i) affairs related to the formulation and promotion of a basic policy
(ii) affairs related to supervision over the handling of personal information and anonymously processed information, and those related to necessary mediation on a lodged complaint and cooperation offered to a business operator who deals with the complaint (excluding those set forth in item (iv))
(iii) affairs related to an accredited personal information protection organization
(iv) affairs related to monitoring and supervision over the handling of specific personal information (meaning specific personal information prescribed in Article 2, paragraph (8) of the Numbers Use Act; the same shall apply in Article 63, paragraph (4)) and those related to necessary mediation on a lodged complaint and cooperation offered to a business operation who deals with the complaint
(v) affairs related to specific personal information protection assessment (meaning specific personal information protection assessment prescribed in Article 27, paragraph (1) of the Numbers Use Act)
(vi) affairs related to public relations and an enlightenment campaign on the protection of, and the proper and effective application of, personal information
(vii) affairs related to an investigation or research necessary to administer those affairs set forth in each preceding item
(viii) affairs related to international cooperation on the jurisdictional affairs
(ix) besides those set forth in each preceding item, those affairs which have been made by law (including an order based thereon) to belong to the Commission
(Independence on Exercising the Authority)
Article 62 A chairperson and commissioners of the Commission are to exercise their official authority independently.
(Organization etc.)
Article 63 (1) The Commission is to be composed of a chairperson and eight commissioners.
(2) Four of the commissioners are to serve on a part-time basis.
(3) A chairperson and a commissioner are to be appointed by the Prime Minister with consent of both Houses of the Diet from among those with high character and deep insight.
(4) A chairperson and commissioners are to encompass a person who has academic experience concerning the protection of, and the proper and effective application of, personal information, a person who has sufficient knowledge and experience concerning the protection of consumers, a person who has academic experience concerning information processing technologies, a person who has academic experience concerning public administrative fields utilizing specific personal information, a person who has sufficient knowledge and experience concerning private-sector business practices, and a person recommended by a federate organization (meaning a federate organization under Article 263-3, paragraph (1) of the Local Autonomy Act (Act No.67 of 1947) that has given a notification pursuant to the provisions of the said paragraph).
(Term of Office etc.)
Article 64 (1) The term of office for a chairperson and a commissioner is to be five years; however, the term of office of a chairperson or a commissioner appointed to fill a vacancy shall be the remaining term of office of his or her predecessor.
(2) A chairperson and a commissioner may be reappointed.
(3) When the term of office for a chairperson or a commissioner has expired, the chairperson or commissioner are to continue to fulfil their duties until their successor is appointed.
(4) In cases where the term of office of a chairperson or a commissioner has expired or where a vacancy has occurred, when consent by both Houses of the Diet cannot be obtained due to the closing of the Diet or the dissolution of the House of Representatives, the Prime Minister may, notwithstanding the provisions of the preceding Article, paragraph (3), appoint a chairperson or a commissioner from among those persons who have those qualifications prescribed in the said paragraph.
(5) In those cases under the preceding paragraph, an ex post facto approval by both Houses of the Diet shall be obtained in the first Diet session after the appointment. In this case, when the ex post facto approval cannot be obtained by both Houses of the Diet, the Prime Minister shall immediately dismiss the chairperson or the commissioner.
(Guarantee of Status)
Article 65 A chairperson and a commissioner shall not be dismissed against their will while in office except in those cases falling under any of each following item.
(i) when having received a decision on the commencement of bankruptcy proceedings
(ii) when having been punished in violation of this Act or the Numbers Use Act
(iii) when having been punished by imprisonment without work or severer sentence
(iv) when, by the Commission, having been recognized to be incapable of fulfilling his or her duties because of a mental or physical disorder, or having been recognized to be committing a violation of obligation in the course of duties or other misconduct unbecoming to a chairperson or a commissioner
(Dismissal)
Article 66 The Prime Minister shall, when a chairperson or a commissioner falls under any of each item of the preceding Article, dismiss the chairperson or the commissioner.
(Chairperson)
Article 67 (1) A chairperson is to preside over the rules and proceedings of the Commission and represent the Commission.
(2) The Commission shall designate in advance from among full-time commissioners a person to be an acting chairperson in cases where the chairperson is in an accident.
(Meeting)
Article 68 (1) A meeting of the Commission is to be called by a chairperson.
(2) The Commission may, unless a chairperson and four or more commissioners are present, neither hold a meeting nor make a decision.
(3) A decision of the Commission is to be adopted by a majority of attendees, and when in a tie, a chairperson is to make a decision.
(4) A recognition pursuant to the provisions of Article 65, item (iv), notwithstanding the provisions of the preceding paragraph, shall be allowed with the unanimous concurrence of all commissioners except for the commissioner concerned.
(5) With regard to applying the provisions of this Article, paragraph (2) in cases where a chairperson is in an accident, a person to be an acting chairperson prescribed in the preceding Article, paragraph (2) shall be deemed as a chairperson.
(Specialist Commissioner)
Article 69 (1) In the Commission may a specialist commissioner be posited to have a specialized matter investigated.
(2) A specialist commissioner is to be appointed by the Prime Minister based on a proposal made by the Commission.
(3) A specialist commissioner shall be relieved of his or her post when an investigation into the specialized matter has been finished.
(4) A specialist commissioner is to serve on a part-time basis.
(Secretariat)
Article 70 (1) For the purpose of having commissionary affairs administered, a secretariat is to be posited.
(2) In a secretariat are a secretary general and other staff to be posited.
(3) A secretary general is to administer secretarial affairs under the order of a chairperson.
(Prohibition of a Political Campaign etc.)
Article 71 (1) A chairperson and commissioners shall, while in office, neither become a director of a political party or other political organization nor actively conduct a political campaign.
(2) A chairperson and a full-time commissioner shall, while in office except in those cases where there has been permission from the Prime Minister, not engage in any other duties paying remuneration, operate a profit-making business, or perform other services for the purpose of gaining monetary profit.
(Confidentiality Obligation)
Article 72 A chairperson, commissioner, specialist commissioner and secretarial staff shall not divulge or use by stealth any secret that may have come to their knowledge in the course of duties. The same shall also apply after they have left their position.
(Remuneration)
Article 73 The remuneration of a chairperson and a commissioner shall be prescribed separately by law.
(Establishment of Rules)
Article 74 The Commission may establish rules of the Personal Information Protection Commission regarding its jurisdictional affairs in order to enforce a law or cabinet order, or on the basis of a special delegation under a law or cabinet order.
Chapter VI Miscellaneous Provisions
(Scope of Application)
Article 75 The provisions of Article 15, Article 16, Article 18 (excluding paragraph (2)), Article 19 through Article 25, Article 27 thorough Article 36, Article 41, Article 42, paragraph (1), Article 43 and the following Article shall also apply in those cases where a personal information handling business operator who in relation to supplying a good or service to a person in Japan has acquired personal information relating to the person being as a principal handles in a foreign country the personal information or anonymously processed information produced by using the said personal information.
(Exclusion from Application)
Article 76 (1) To a person set forth in each following item who is a personal information handling business operator shall the provisions of Chapter IV not apply when a whole or part of the purpose of handling personal information etc. is a purpose prescribed in each said item respectively.
(i) a broadcasting institution, newspaper publisher, communication agency and other press organization (including an individual engaged in the press as his or her business): a purpose of being provided for use in the press
(ii) a person who practices writing as a profession: a purpose of being provided for use in writing
(iii) a university and other organization or group aimed at academic studies, or a person belonging thereto: a purpose of being provided for use in academic studies
(iv) a religious body: a purpose of being provided for use in a religious activity (including those activities accessory thereto)
(v) a political body: a purpose of being provided for use in a political activity (including those activities accessory thereto)
(2) The "press" prescribed in item (1) of the preceding paragraph means informing a large number of unspecified people of an objective fact as such (including stating an opinion or view based thereon).
(3) A personal information handling business operator etc. set forth in each item of paragraph (1) shall strive to take itself necessary and appropriate action for the security control of personal data or anonymously processed information and necessary action to ensure the proper handling of personal information etc. such as dealing with a complaint about the handling of personal information etc., as well as announce to the public the contents of such action taken.
(Affairs Administered by a Local Government)
Article 77 Administrative affairs belonging to the Commission's authority prescribed in this Act and an authority delegated to a business jurisdictional minister or a Commissioner of the Financial Services Agency pursuant to the provisions of Article 44, paragraph (1) or paragraph (4) may be managed by a head of a local government or other executive agency as prescribed by cabinet order.
(Information Provision to the Foreign Enforcement Authorities)
Article 78 (1) The Commission may provide the foreign authorities enforcing those foreign laws and regulations equivalent to this Act (hereinafter referred to as the "foreign enforcement authorities" in this Article) with information recognized as contributory to fulfilling their duties (limited to those equivalent to the Commission's duties prescribed in this Act; the same shall apply in the succeeding paragraph).
(2) Concerning the provision of information pursuant to the preceding paragraph, appropriate action shall be taken so that the information is neither used for purposes other than for the foreign enforcement authorities fulfilling their duties nor used for a foreign criminal case investigation (limited to the one conducted after the criminal facts subject to the investigation have been specified) or adjudication (hereinafter collectively referred to as an "investigation etc.") without consent pursuant to the succeeding paragraph.
(3) The Commission may, when having received a request from the foreign enforcement authorities, consent that the information it provided pursuant to paragraph (1) be used for a foreign criminal case investigation etc. in connection with the request except for those cases falling under any of each following item.
(i) when a crime subject to the criminal case investigation etc. in connection with the said request is a political crime, or when the said request is recognized to have been made for the purpose of conducting the investigation etc. into a political crime
(ii) when an act relating to the crime subject to a criminal case investigation etc. in connection with the said request, if it were committed in Japan, shall not constitute a criminal offense according to the laws and regulations in Japan
(iii) when there is no assurance that the requesting country will accept the same kind of request from Japan
(4) The Commission shall, in case of consenting under the preceding paragraph, obtain a Minister of Justice's confirmation of the case not falling under item (i) and item (ii) of the preceding paragraph, and a Minister of Foreign Affairs' confirmation of the case not falling under item (iii) of the preceding paragraph respectively.
(Report to the Diet)
Article 79 The Commission shall annually report to the Diet through the Prime Minister the current status of administering its jurisdictional affairs, and announce to the public a summary thereof.
(Communication and Cooperation)
Article 80 The Prime Minister and a head of an administrative organization related to the implementation of this Act (meaning an organization established in the Cabinet based on the provisions of laws (excluding the Cabinet Office), an organization under the jurisdiction of the Cabinet, the Cabinet Office, the Imperial Household Agency, an organization prescribed in Article 49, paragraph (1) and paragraph (2) of the Act for Establishment of the Cabinet Office, and an organization prescribed in Article 3, paragraph (2) of the National Government Organization Act (Act No.120 of 1948)) shall closely communicate and cooperate with one another.
(Delegation to Cabinet Order)
Article 81 A matter necessary to implement this Act other than those prescribed in this Act is to be prescribed by cabinet order.
Chapter VII Penal Provisions
Article 82 A person who has divulged or used by stealth a secret in violation of the provisions of Article 72 shall be punished by imprisonment with work for not more than two years or a fine of not more than 1,000,000 yen.
Article 83 A personal information handling business operator (or its director, representative or administrator if it is a corporate body (including a non-corporate body having appointed a representative or administrator; the same shall apply in Article 87, paragraph (1)), its employee, or a person who used to be such a business operator or employee shall, when having provided or used by stealth personal information database etc. (including their wholly or partially duplicated or processed ones) that they handled in relation to their business for the purpose of seeking their own or a third party's illegal profits, be punished by imprisonment with work for not more than one year or a fine of not more than 500,000 yen.
Article 84 A person who has violated an order pursuant to the provisions of Article 42, paragraph (2) or paragraph (3) shall be punished by imprisonment with labor for not more than six months or a fine of not more than 300,000 yen.
Article 85 A person falling under any of each following item shall be punished by a fine of not more than 300,000 yen.
(i) a person who has failed to submit a report or material under the provisions of Article 40, paragraph (1) or did falsely submit a report or material, or who failed to answer a question posed by the staff concerned or did falsely answer a question, or refused, obstructed or evaded an inspection
(ii) a person who failed to submit a report under the provisions of Article 56, or did falsely submit a report
Article 86 The provisions of Article 82 and Article 83 shall apply to a person who has committed an offense under these Articles outside of Japan.
Article 87 (1) When a representative of a corporate body, or an agent, employee or other worker of a corporate body or natural person has committed a violating act under Article 83 through Article 85 in relation to the corporate body or natural person's business, the actor shall be punished, and a fine set forth in the respective Articles shall be imposed on the said corporate body or natural person.
(2) In cases where the provisions of the preceding paragraph apply to a non-corporate body, its representative or administrator shall represent the non-corporate body in regard to an act of litigation, and the provisions of a law on a criminal suit in the cases where a corporate body is a defendant or suspect shall apply mutatis mutandis.
Article 88 A person falling under any of each following item shall be punished by a non-criminal fine of not more than 100,000 yen.
(i) a person who has violated the provisions of Article 26, paragraph (2), or Article 55
(ii) a person who failed to submit a notification or did falsely submit a notification under the provisions of Article 50, paragraph (1)