2.2.1 - Definition of personal information2.2.2 - Definition of personal data2.2.3 - Definition of retained personal data2.2.4 - Definition of anonymously processed personal information2.2.5 - Definition of Personal Information Handling Business Operator (PIHBO)2.2.6 - Concepts of controller and processor2.2.7 - Sectoral exclusions
2.3.1 - Purpose limitation2.3.2. - Lawfulness and fairness of processing2.3.3. - Data accuracy and minimisation2.3.4. - Storage limitation2.3.5. - Data security2.3.6. - Transparency2.3.7. - Special categories of data2.3.8. - Accountability2.3.9. - Restrictions on onward transfers2.3.10. - Individual rights
3.1 - General legal framework3.2 - Access and use by Japanese public authorities for criminal law enforcement purposes3.2.1 - Legal basis and applicable limitations/safeguards3.2.1.1 - Compulsory investigation based on a court warrant3.2.1.2 - Request for voluntary disclosure based on an "enquiry sheet"3.2.1.3 - Further use of the information collected3.2.2 - Independent oversight3.2.3 - Individual redress3.3 - Access and use by Japanese public authorities for national security purposes3.3.1 - Legal basis and applicable limitations/safeguards
3.3.2 - Independent oversight
3.3.3 - Individual redress
6
PERIODIC REVIEW OF THE ADEQUACY FINDING
(180)
In application of Article 45(3) of Regulation (EU) 2016/679 (150), and in the light of the fact that the level of protection afforded by the Japanese legal order may be liable to change, the Commission, following the adoption of this Decision, should periodically check whether the findings relating to the adequacy of the level of protection ensured by Japan are still factually and legally justified.
(181)
To this end, this Decision should be subject to a first review within two years after its entry into force. Following that first review, and depending on its outcome, the Commission will decide in close consultation with the Committee established under Article 93(1) of the GDPR whether the two-year-cycle should be maintained. In any case, the subsequent reviews should take place at least every four years (151). The review should cover all aspects of the functioning of this Decision, and in particular the application of the Supplementary Rules (with special attention paid to protections afforded in case of onward transfers), the application of the rules on consent, including in case of withdrawal, the effectiveness of the exercise of individual rights, as well as the limitations and safeguards with respect to government access, including the redress mechanism as set out in Annex II to this Decision. It should also cover the effectiveness of oversight and enforcement, as regards the rules applicable to both PIHBOs and in the area of criminal law enforcement and national security.
(182)
To perform the review, the Commission should meet with the PPC, accompanied, where appropriate, by other Japanese authorities responsible for government access, including relevant oversight bodies. The participation in this meeting should be open to representatives of the members of the European Data Protection Board (EDPB). In the framework of the Joint Review, the Commission should request the PPC to provide comprehensive information on all aspects relevant for the adequacy finding, including on the limitations and safeguards concerning government access (152). The Commission should also seek explanations on any information relevant for this Decision that it has received, including public reports by Japanese authorities or other stakeholders in Japan, the EDPB, individual DPAs, civil society groups, media reports, or any other available source of information.
(183)
On the basis of the Joint Review, the Commission should prepare a public report to be submitted to the European Parliament and the Council.
