Accountability

Under the accountability principle, entities processing data are required to put in place appropriate technical and organisational measures to effectively comply with their data protection obligations and be able to demonstrate such compliance, in particular to the competent supervisory authority.

As mentioned in footnote 34 (recital 49), PIHBOs are required, under Article 26(1) of the APPI, to verify the identity of a third party providing personal data to them and the "circumstances" under which such data was acquired by the third party (in case of personal data covered by this Decision, according to the APPI and Supplementary Rule (3) those circumstances shall include the fact that the data originates from the European Union as well as the purpose of the original data transfer). Among others, that measure aims at ensuring the lawfulness of data processing throughout the chain of PIHBOs handling the personal data. Furthermore, under Article 26(3) of the APPI, PIHBOs are required to keep a record of the date of receipt and the (mandatory) information received from the third party pursuant to paragraph 1, as well as the name of the individual concerned (data subject), the categories of data processed and, to the extent relevant, the fact that the data subject has given consent for sharing his/her personal data. As specified in Article 18 of the PPC Rules, those records must be preserved for a period of at least one to three years, depending on the circumstances. In the exercise of its tasks, the PPC can require the submission of such records (39).

Finally, the APPI creates a framework for the participation of sectoral industry organisations in ensuring a high level of compliance (see Chapter IV, Section 4). The role of such accredited personal information protection organisations (40) is to promote the protection of personal information by supporting businesses through their expertise, but also to contribute to the implementation of safeguards, notably by handling individual complaints and helping to solve related conflicts. To that end, they may request participating PIHBOs, if appropriate, to adopt necessary measures (41). Moreover, in case of data breaches or other security incidents PHIBOs shall in principle inform the PPC as well as the data subject (or the public) and take necessary action, including measures to minimise any damage and to prevent any recurrence of similar incidents (42). While those are voluntary schemes, on 10 August 2017 the PPC had listed 44 organisations, with the largest one, Japan Information Processing and Development Center (JIPDEC), alone counting 15 436 participating business operators (43). Accredited schemes include sector associations such as for instance the Japan Securities Dealers Association, the Japan Association of Car Driving Schools or the Association of Marriage Brokers (44).

Accredited personal information protection organisations submit annual reports on their operations. According to the "Overview of the Implementation Status [of] the APPI in FY 2015" published by the PPC, accredited personal information protection organisations received a total of 442 complaints, required 123 explanations from business operators under their jurisdiction, requested documents from these operators in 41 cases, gave 181 instructions and made two recommendations (45).