2.2.1 - Definition of personal information2.2.2 - Definition of personal data2.2.3 - Definition of retained personal data2.2.4 - Definition of anonymously processed personal information2.2.5 - Definition of Personal Information Handling Business Operator (PIHBO)2.2.6 - Concepts of controller and processor2.2.7 - Sectoral exclusions
2.3.1 - Purpose limitation2.3.2. - Lawfulness and fairness of processing2.3.3. - Data accuracy and minimisation2.3.4. - Storage limitation2.3.5. - Data security2.3.6. - Transparency2.3.7. - Special categories of data2.3.8. - Accountability2.3.9. - Restrictions on onward transfers2.3.10. - Individual rights
3.1 - General legal framework3.2 - Access and use by Japanese public authorities for criminal law enforcement purposes3.2.1 - Legal basis and applicable limitations/safeguards3.2.1.1 - Compulsory investigation based on a court warrant3.2.1.2 - Request for voluntary disclosure based on an "enquiry sheet"3.2.1.3 - Further use of the information collected3.2.2 - Independent oversight3.2.3 - Individual redress3.3 - Access and use by Japanese public authorities for national security purposes3.3.1 - Legal basis and applicable limitations/safeguards
3.3.2 - Independent oversight
3.3.3 - Individual redress
4
CONCLUSION: ADEQUATE LEVEL OF PROTECTION FOR PERSONAL DATA TRANSFERRED FROM THE EUROPEAN UNION TO BUSINESS OPERATORS IN JAPAN
(171)
The Commission considers that the APPI as complemented by the Supplementary Rules contained in Annex I, together with the official representations, assurances and commitments contained in Annex II, ensure a level of protection for personal data transferred from the European Union that is essentially equivalent to the one guaranteed by Regulation (EU) 2016/679.
(172)
Moreover, the Commission considers that, taken as a whole, the oversight mechanisms and redress avenues in Japanese law enable infringements by recipient PIHBOs to be identified and punished in practice and offer legal remedies to the data subject to obtain access to personal data relating to him/her and, eventually, the rectification or erasure of such data.
(173)
Finally, on the basis of the available information about the Japanese legal order, including the representations, assurances and commitments from the Japanese government contained in Annex II, the Commission considers that any interference with the fundamental rights of the individuals whose personal data are transferred from the European Union to Japan by Japanese public authorities for public interest purposes, in particular criminal law enforcement and national security purposes, will be limited to what is strictly necessary to achieve the legitimate objective in question, and that effective legal protection against such interference exists.
(174)
Therefore, in the light of the findings of this Decision, the Commission considers that Japan ensures an adequate level of protection for personal data transferred from the European Union to PIHBOs in Japan that are subject to the APPI, except in those cases where the recipient falls within one of the categories listed in Article 76(1) APPI and all or part of the purposes of processing correspond(s) to one of the purposes prescribed in that provision.
(175)
On this basis, the Commission concludes that the adequacy standard of Article 45 of Regulation (EU) 2016/679, interpreted in light of the Charter of Fundamental Rights of the European Union, in particular in the Schrems judgment (146), is met.
