No statutory DPO, ROPA, or DPIA requirement under APPI
Japan's Act on the Protection of Personal Information (APPI, Act No. 57 of 2003, as amended) does not impose a mandatory data protection officer (DPO) designation requirement, nor does it require organizations to maintain a formal record of processing activities (ROPA) or conduct data protection impact assessments (DPIAs) in the manner prescribed by the EU General Data Protection Regulation (GDPR). This marks a fundamental structural difference from EU-style data protection law.
No statutory DPO mandate. The APPI contains no provision equivalent to GDPR Article 37 that mandates the appointment of a privacy or data protection officer. A "personal information handling business operator" (the APPI's term for an entity that handles personal information in the course of business, defined in Article 16) is not required by statute to designate a named individual with defined responsibilities for data protection compliance.
The closest the APPI comes to a governance requirement is Article 23, which obligates business operators to "take necessary and proper measures for the prevention of leakage, loss or damage, and for other security control of personal data." Article 23 does not specify what organizational structures satisfy this obligation. The Personal Information Protection Commission (PPC), Japan's independent supervisory authority, issues non-binding guidelines that recommend, as an organizational security measure, appointing a person responsible for supervising the handling of personal data. This is interpretive guidance on how to meet the Article 23 security standard, not a free-standing legal duty: an organization that does not appoint such a supervisor is not in per se violation of the APPI, but may face enforcement exposure under Article 23 if a breach reveals inadequate governance.
No ROPA-style processing inventory. The APPI does not contain an analogue to GDPR Article 30, which requires controllers and processors to maintain comprehensive written records describing their processing activities, including data categories, purposes, recipients, retention periods, and technical safeguards. Japanese business operators are not required to prepare or update a general inventory of personal data processing operations for supervisory review.
The APPI does impose narrower, context-specific recordkeeping obligations. Article 29 requires business operators to create and retain records when providing personal data to a third party. Article 30 requires parallel records when receiving personal data from a third party (with confirmation of the source and of how the third party acquired the data). Both obligations attach to provisions and receipts made on the basis of the principal's consent or under the Article 27(2) opt-out scheme; they are excused only where the transfer falls within the statutory exceptions in Article 27(1) or the recipient is not treated as a third party under Article 27(5) (trustees, business successors, and notified joint users). These records must be maintained "for a period of time prescribed by rules of the Personal Information Protection Commission" (Article 29(2) and Article 30(4)), but they document third-party transactions, not the full lifecycle of processing activity.
The APPI does not mandate a master register of processing purposes, data flows, retention schedules, or security measures in the manner of a GDPR ROPA.
No statutory DPIA trigger. The APPI does not require business operators to conduct a data protection impact assessment before undertaking processing that is "likely to result in a high risk to the rights and freedoms of natural persons," as GDPR Article 35 does. There is no obligation to document or consult the PPC about high-risk processing, even when handling "personal information requiring special care" (sensitive personal information defined in Article 2(3) to include race, creed, social status, medical history, criminal record, and other categories at risk of discriminatory use).
Sectoral regulations outside the APPI may impose analogous requirements. For example, the Telecommunications Business Act requires certain designated telecommunications carriers to appoint an information protection officer and conduct annual compliance reviews, but these obligations derive from sectoral statute, not the APPI itself.
Recordkeeping obligations under Articles 29 and 30. The third-party provision records required by Article 29 must include the date of provision, the categories or items of personal data provided, and the name or designation of the third-party recipient. The receipt records required by Article 30 must include the date of receipt, the third party's name, confirmation that the third party obtained the data lawfully, and the categories or items of data received. These records serve a traceability function—enabling the PPC to audit data flows in the event of a breach or investigation—but they do not replicate the holistic accountability framework of a ROPA.
Supervisory authority. The Personal Information Protection Commission has authority to collect reports and conduct on-site inspections (Article 146), give guidance and advice (Article 147), and issue recommendations and, where a recommendation is not followed, orders to business operators (Article 148). The APPI has no GDPR-style administrative fine; violation of a PPC order is a criminal offence, and the 2020 amendments raised the fine a court may impose on a business operator for it to 100 million yen. The PPC's enforcement practice emphasizes breach remediation, purpose-of-use compliance, and cross-border transfer safeguards. It does not systematically audit for the presence of a DPO or ROPA in the manner of certain EU supervisory authorities.
Practical note for cross-border operations. Organizations with EU establishments, EU data subjects, or business partners requiring GDPR-level accountability often voluntarily implement DPO designation, ROPA documentation, and DPIA protocols to satisfy GDPR extraterritorial obligations or contractual commitments, even when handling Japanese personal data under the APPI. The EU-Japan mutual adequacy framework (effective January 2019) facilitates these transfers but does not impose GDPR governance requirements on purely domestic Japanese processing.
Article 29 third-party provision records — content, retention, and access rights
Japan's Act on the Protection of Personal Information (APPI) imposes a recordkeeping obligation on business operators when they provide personal data to third parties, serving a traceability and audit function distinct from a comprehensive record of processing activities. Article 29 of the APPI (numbering as amended in 2020, effective April 1, 2022) requires the creation and retention of records documenting the date, recipient, and content of third-party provisions, other than provisions made under the statutory exceptions in Article 27(1) or to recipients that Article 27(5) does not treat as third parties.
Article 29(1) triggering events. A "personal information handling business operator" (defined in Article 16 as an entity that handles a personal information database in the course of business) must prepare a record when it provides personal data to a third party. The obligation is excused only where the provision falls under one of the statutory exceptions in Article 27(1) (provision required by laws and regulations; provision necessary to protect life, body or property, or for public health or the sound growth of children, where the principal's consent is difficult to obtain; provision necessary for cooperation with a state organ or local government; and the academic-research cases added by the 2020 amendments) or where the recipient is not a "third party" under Article 27(5) (a trustee, a business successor, or a joint user notified in advance). Provision based on the principal's consent, and provision under the Article 27(2) opt-out scheme, does trigger the record; tracing exactly those flows is the purpose of the obligation. When one of the exceptions applies, no Article 29 record is required.
Provision to a third party is defined by exclusion. Under Article 27(5), the following recipients do not constitute a "third party" and therefore do not trigger the Article 29 recordkeeping duty: (i) a party to whom the business operator entrusts the handling of personal data in whole or in part to the extent necessary to achieve the purpose of use; (ii) a party who acquires personal data as a result of business succession due to merger or other reasons; or (iii) a party who will jointly use personal data with the providing business operator, where the business operator has notified the principal in advance of the items of personal data to be jointly used, the scope of joint users, the purpose of use by the joint users, and the name of the party responsible for management of the personal data.
Required record contents. Article 29(1) specifies that the record must include (i) the date of provision, (ii) the name or other information identifying the third-party recipient, and (iii) "other matters prescribed by rules of the Personal Information Protection Commission." The Personal Information Protection Commission's Enforcement Rules (Rules of the Personal Information Protection Commission No. 3, 2016, as amended) expand the required contents at Article 12 to include the name of the principal and the items or categories of personal data provided and, where the provision rests on the principal's consent, the fact that consent was obtained. The record does not need to state the purpose of the provision, only the transactional facts of what was provided, when, to whom, and on what footing.
Retention period. Article 29(2) requires the business operator to "maintain a record under the preceding paragraph for a period of time prescribed by rules of the Personal Information Protection Commission from the date when it prepared the record." Article 14 of the PPC Enforcement Rules prescribes three years from the date the record was made as the general rule. Two variants apply to the alternative recordkeeping methods: (i) where the provision is made in connection with supplying goods or services to the principal and the record consists of a contract or other document produced for that supply which already states the required matters (the method in Article 12(3) of the Enforcement Rules, mirrored for receipt records by Article 13(3)), the retention period is one year from the last date of provision relating to the record; (ii) where the record is kept in the simplified ledger format permitted by the proviso to Article 12(2) (multiple provisions to the same recipient aggregated under periodic entries rather than recorded transaction by transaction), the retention period is three years from the last date of provision relating to the record. In practice, three years is the compliance baseline for most business operators.
Data subject access rights. Data subjects have a statutory right to request disclosure of the third-party provision records that relate to them. Article 33(1) of the APPI grants the principal (the individual to whom the personal data pertains) the right to demand that a business operator disclose "the fact of provision to a third party" and related records concerning retained personal data. The Article 33(5) cross-reference confirms that the disclosure rights in Articles 33(1)–(3) apply mutatis mutandis to Article 29 records. The business operator must respond to a disclosure demand "without delay" under Article 33(2), and may charge a fee that does not exceed the actual cost of providing the disclosure, as prescribed in Article 33(4) and notified to the principal under Article 32(1)(iii). Refusal is permitted only if disclosure would harm the life, body, property, or other rights and interests of the principal or a third party; would significantly impede the proper execution of the business operator's operations; or would violate other laws and regulations (Article 33(2), items (i)–(iii)).
Supervisory enforcement. The Personal Information Protection Commission, Japan's independent supervisory authority, may collect reports and conduct on-site inspections (Article 146), give guidance and advice (Article 147), and issue recommendations and orders to business operators (Article 148). The PPC's enforcement practice routinely audits third-party provision records during breach investigations and cross-border transfer assessments to verify compliance with the Article 27 consent requirement and the Article 28 cross-border transfer safeguards. Failure to create or retain Article 29 records is a violation of Article 29 itself and can result in a recommendation or an order under Article 148. Violating an order is a criminal offence: the individual who violates it faces imprisonment of up to one year or a fine of up to 1 million yen (Article 176), and the business operator itself can be fined up to 100 million yen under the dual-liability provision (Article 178), an amount raised by the 2020 amendments. The APPI has no administrative fine system.
Practical context. The Article 29 recordkeeping obligation is the closest APPI analogue to a controller-processor accountability register. It does not, however, replicate the comprehensive lifecycle documentation required by GDPR Article 30 (record of processing activities). Article 29 records are transaction-specific, capturing outbound data flows to third parties, but do not document the categories of processing, retention schedules, technical safeguards, or international transfers. Article 30 imposes a parallel recordkeeping obligation on the recipient of personal data from a third party, requiring confirmation of the source's identity and the lawfulness of the source's acquisition. Together, Articles 29 and 30 create a bilateral traceability framework, but they do not constitute a general processing register. Organizations with EU establishments or contractual GDPR commitments often maintain a GDPR Article 30 ROPA voluntarily to meet extraterritorial obligations, even when handling purely domestic Japanese personal data under the APPI.
Article 30 third-party receipt records — confirmation, content, and retention obligations
Japan's Act on the Protection of Personal Information (APPI) imposes a complementary recordkeeping obligation on business operators when they receive personal data from a third party, creating the inbound half of a bilateral traceability framework. Article 30 of the APPI, as amended in 2020 and effective April 1, 2022, requires the receiving business operator to confirm the source's identity and the lawfulness of the source's acquisition, and to document these confirmations in a record retained for a prescribed period.
Article 30(1) triggering event and confirmation duty. A "personal information handling business operator" (defined in Article 16 as an entity that handles a personal information database in the course of business) must, when receiving personal data from a third party, confirm the matters specified in Article 30(1), items (i) and (ii): (i) the name and address of the third party (and, if the third party is a corporation, the name of its representative), and (ii) the background of the acquisition of the personal data by the third party. The confirmation obligation does not apply where the receipt falls within the statutory exceptions in Article 27(1) (provision required by laws and regulations; provision necessary to protect life, body or property, or for public health or the sound growth of children, where consent is difficult to obtain; provision necessary for cooperation with a state organ or local government; the academic-research cases) or where the transferring party is not a "third party" under Article 27(5) (the joint-use, business-succession, and entrustment cases). Receipt of data provided on the basis of the principal's consent or under the Article 27(2) opt-out scheme does trigger the duty.
The "background of acquisition" confirmation in Article 30(1)(ii) requires the receiving operator to establish how the third party came to hold the data, which in practice means satisfying itself that the acquisition was consistent with the APPI: that a purpose of use was specified and notified or published (Articles 17 and 21), that the data was not acquired by deceit or other improper means (Article 20(1)), and that any sensitive personal information was acquired with the principal's consent (Article 20(2)). Article 30(2) reinforces this verification duty by prohibiting the third party from making false statements "on a matter relating to the confirmation." This creates a paired obligation: the third party must truthfully disclose how it acquired the data, and the receiving operator must confirm that disclosure before accepting the data.
Required record contents and retention period. Article 30(3) requires the receiving operator to prepare a record of the confirmation conducted under Article 30(1), documenting the fact and substance of the verification. The statute cross-references "rules of the Personal Information Protection Commission" for the specific record contents and format. Article 13 of the PPC Enforcement Rules (Rules of the Personal Information Protection Commission No. 3, 2016, as amended) implements this mandate, requiring the record to include (i) the date of receipt, (ii) the name and address of the third party (and the representative's name if the third party is a corporation), (iii) the background of the third party's acquisition of the personal data, and (iv) the items or categories of personal data received.
Article 13(2) of the Enforcement Rules permits a simplified ledger format when the business operator receives personal data continuously or repeatedly from the same third party, or when it anticipates such continuous or repeated receipt. Rather than creating a new record for each transaction, the operator may maintain a single aggregated record covering multiple receipts, reducing compliance burden for ongoing data-sharing relationships (e.g., B2B data feeds, affiliate-network arrangements, or recurring vendor deliveries).
Article 13(3) of the Enforcement Rules provides a further accommodation: when the receipt occurs "in connection with supplying the principal with goods or services," and the required Article 13(1) record contents are already stated in a contract or other document produced in connection with that supply, the contract or document may substitute for a separate Article 30 receipt record. This exception streamlines compliance for consumer-facing transactions where the commercial documentation already evidences the source and lawfulness of the data flow.
Article 30(4) requires the business operator to retain the Article 30(3) record "for a period of time prescribed by rules of the Personal Information Protection Commission from the date when it kept the record." Article 14 of the PPC Enforcement Rules, which governs retention for both Article 29 provision records and Article 30 receipt records, prescribes three years from the date the record was made as the general rule. Two variants mirror the Article 29 framework: (i) one year from the last date of receipt where the record consists of a contract or other document under the Article 13(3) goods-or-services method, and (ii) three years from the last date of receipt where the simplified aggregated-ledger method under Article 13(2) is used. In practice, three years is the compliance baseline for most operators.
Data subject access rights and supervisory enforcement. Data subjects have a statutory right to request disclosure of third-party receipt records that relate to them. Article 33(5) of the APPI applies the general disclosure framework in Articles 33(1)–(3) mutatis mutandis to Article 30(3) receipt records, so the principal may demand disclosure of the receipt record concerning their own personal data. The business operator must respond "without delay" under Article 33(2), may charge a fee capped at actual cost under Article 33(4), and may refuse only if disclosure would harm the life, body, property, or other rights of the principal or a third party; would significantly impede the operator's business; or would violate other laws (Article 33(2), items (i)–(iii)).
The Personal Information Protection Commission, Japan's independent supervisory authority, may collect reports and conduct on-site inspections (Article 146), give guidance and advice (Article 147), and issue recommendations and orders (Article 148). The PPC's enforcement practice routinely audits Article 30 receipt records in parallel with Article 29 provision records during breach investigations, cross-border transfer assessments, and purpose-of-use compliance reviews. Failure to confirm the source and background of acquisition, or to create and retain the required records, is a violation of Article 30 itself and can result in a PPC recommendation or order under Article 148. Violating an order is a criminal offence: the individual who violates it faces imprisonment of up to one year or a fine of up to 1 million yen (Article 176), and the business operator can be fined up to 100 million yen under the dual-liability provision (Article 178), an amount raised by the 2020 amendments.
Bilateral traceability framework. Article 30 and Article 29 together create a comprehensive audit trail for third-party data flows. Article 29 captures outbound transfers (who the operator provided data to, when, and what categories), while Article 30 captures inbound receipts (who the operator received data from, when, what categories, and the lawfulness of the source's acquisition). This bilateral recordkeeping regime does not, however, replicate the comprehensive lifecycle documentation required by GDPR Article 30 (record of processing activities). The APPI's Articles 29 and 30 are transaction-specific, documenting third-party data movements rather than the full inventory of processing purposes, retention schedules, technical safeguards, and international transfers. Organizations with EU establishments or contractual GDPR commitments often voluntarily maintain a GDPR Article 30 ROPA to satisfy extraterritorial obligations, even when processing purely domestic Japanese personal data under the APPI.
Practical note for cross-border operations. The Article 30 confirmation-of-acquisition duty is particularly salient in cross-border data-sharing arrangements. When a Japanese business operator receives personal data from a foreign affiliate, vendor, or data broker, Article 30(1)(ii) requires the operator to establish the "background of acquisition": how the foreign transferor came to hold the data, for example directly from the individuals under a stated privacy notice, or from an upstream broker, and on what footing it is now provided. This due-diligence obligation is separate from, and in addition to, the Article 28 cross-border transfer safeguards that apply when the Japanese operator subsequently transfers the data out of Japan. The Enforcement Rules allow the confirmation to be made by obtaining a declaration from the third party or by another appropriate method, so a written representation from the counterparty can satisfy the duty where there is no reason to doubt it; what the operator must do in every case is record the substance of what was confirmed in the Article 30(3) record, so that the PPC can trace the inbound flow if the source later proves to have been unlawful.
Article 23 security control obligation — PPC Guidelines on organizational measures and recommended privacy-officer designation
Japan's Act on the Protection of Personal Information (APPI) does not mandate the appointment of a data protection officer (DPO) in the manner of GDPR Article 37, but it imposes a comprehensive security control obligation under Article 23 that the Personal Information Protection Commission (PPC) interprets through detailed Guidelines to include organizational governance measures—among them the recommended designation of a person responsible for supervising personal data handling. This interpretive guidance creates a practical governance expectation that resembles a DPO-lite function, even absent a statutory appointment mandate.
Article 23 security control obligation. Article 23 of the APPI requires every "personal information handling business operator" (defined in Article 16 as an entity that handles a personal information database in the course of business) to "take necessary and proper measures for the prevention of leakage, loss or damage, and for other security control of personal data." The statute itself does not prescribe what organizational structures, technical safeguards, or procedural controls satisfy this obligation. The language is deliberately flexible, permitting the PPC to issue interpretive guidelines that evolve with technology and breach patterns.
The Article 23 obligation is size-neutral: it applies equally to small operators handling a modest customer database and to large-scale platforms processing millions of records. There is no de minimis exception, no employee-count threshold, and no processing-volume trigger. Any entity that uses for its business a personal information database "systematically arranged so as to facilitate search for specific personal information" (Article 16) must comply with Article 23's security-control mandate.
PPC Guidelines on security control measures. The Personal Information Protection Commission issues Guidelines for the Act on the Protection of Personal Information (General Rules) that elaborate the Article 23 obligation into four categories of required or recommended measures: organizational, human, physical, and technical security control. These Guidelines are not binding law in the sense that a business operator cannot be prosecuted for non-compliance with a Guideline provision that goes beyond the statute, but the PPC treats them as the authoritative interpretation of Article 23's "necessary and proper measures" standard. In enforcement practice, the PPC gathers facts through reports and on-site inspections (Article 146) and issues recommendations and orders under Article 148 when an operator's breach reveals inadequate security control; its assessment of adequacy is benchmarked against the Guidelines.
Organizational security control measures. The PPC Guidelines on organizational measures recommend that business operators:
- Establish a basic policy on the protection of personal data, setting out the organization's commitment to compliance with the APPI, the scope of personal data handled, and the allocation of responsibility for security control.
- Designate a person responsible for supervising the handling of personal data ("personal data supervisor" or similar title—the Guidelines do not mandate the term "DPO" or "Chief Privacy Officer"). This designated supervisor is responsible for developing internal rules, overseeing security measures, handling breach response, and serving as the point of contact for data-subject requests and PPC inquiries. The Guidelines recommend that the supervisor have authority commensurate with the scale and sensitivity of the operator's data processing, but do not prescribe qualifications, independence guarantees, or resource commitments in the manner of GDPR Article 38.
- Define the scope of personal data and handling personnel. The operator should identify which employees, contractors, and business units handle personal data, and should limit access on a need-to-know basis.
- Adopt internal rules governing the acquisition, use, provision, retention, and disposal of personal data, aligned with the purposes of use specified under Article 17 and with the consent requirements for use beyond those purposes (Article 18) and for third-party provision (Article 27).
- Implement supervision and audit mechanisms to monitor compliance with internal rules, including periodic self-assessment, logging of access to sensitive personal data, and incident-response protocols.
The PPC's 2018 survey of business operators (cited in the PPC's Every-Three-Year Review report) found that 68.5% of all operators and 86.0% of large-scale operators reported having established a division or designated personnel responsible for supervising company-wide personal information protection. This voluntary adoption rate reflects industry understanding that the Article 23 security-control obligation, as interpreted through the PPC Guidelines, effectively requires some form of governance structure even when the APPI does not use the word "DPO."
Human security control measures. The Guidelines recommend regular training and education for employees who handle personal data, covering the operator's internal rules, the APPI's requirements, and breach-prevention techniques. Training should be tailored to the employee's role—front-line customer-service staff need different instruction than database administrators or data scientists. The operator should document training completion and conduct refresher sessions when internal rules or statutory requirements change.
The Guidelines also recommend that the operator include confidentiality and security obligations in employment contracts, contractor agreements, and business-succession arrangements, and that the operator enforce disciplinary measures when employees violate internal data-protection rules.
Technical and physical security control measures. The PPC Guidelines recommend that operators implement technical safeguards such as access control (authentication, authorization, least-privilege principles), encryption of personal data in transit and at rest, logging and monitoring of access to personal data, protection against unauthorized external access (firewalls, intrusion detection, vulnerability patching), and backup and disaster-recovery procedures.
Physical safeguards should include secure storage of documents and electronic media containing personal data, access restrictions to server rooms and filing cabinets, and procedures to prevent theft, loss, or inadvertent disclosure during transport or disposal of media. The PPC's Privacy Awareness Week campaigns (2024, 2025) emphasize that a significant share of reported breaches in Japan involve human error—wrong delivery of mail, loss of USB drives, misdirected emails—and that physical and procedural controls are as critical as firewalls and encryption.
No statutory DPIA or ROPA requirement, but Guidelines recommend documentation. The APPI does not require a data protection impact assessment (DPIA) before high-risk processing, nor does it mandate a comprehensive record of processing activities (ROPA) in the manner of GDPR Article 30. However, the PPC Guidelines' recommendation that operators "establish a basic policy" and "adopt internal rules" implicitly calls for documentation of processing purposes, data categories, retention periods, and security measures. Operators with EU establishments or contractual GDPR commitments often maintain a GDPR-compliant ROPA and DPIA framework voluntarily to satisfy extraterritorial obligations, and then apply the same documentation discipline to their Japanese processing as a matter of consistent governance.
Enforcement practice and the Article 23 reasonableness standard. The PPC's enforcement approach emphasizes remediation over punishment. When a breach occurs, the PPC investigates by collecting reports and conducting on-site inspections (Article 146) and assesses whether the operator's security measures were "necessary and proper" under Article 23 given the volume, sensitivity, and nature of the personal data at issue. If the PPC concludes that the measures were inadequate, it issues a recommendation under Article 148 directing the operator to take corrective action: appoint a supervisor, revise internal rules, implement access controls, retrain staff, or adopt technical safeguards. If the operator fails to comply with the recommendation without justifiable grounds, the PPC may issue a legally binding order, also under Article 148. Violating an order is a criminal offence; the individual responsible faces imprisonment of up to one year or a fine of up to 1 million yen (Article 176), and the business operator itself can be fined up to 100 million yen under the dual-liability provision (Article 178), the corporate amount having been raised by the 2020 amendments. The APPI has no administrative fine system.
The PPC's 2025 Privacy Awareness Week materials report that in the first half of fiscal year 2024 (April 1 to September 30, 2024), 7,735 personal data breach cases were directly reported to the PPC, a sharp increase from 4,938 in the same period of 2023. The leading causes included incorrect delivery and loss of documents by hospitals and pharmacies, phishing scams, and incorrect delivery of credit cards. The PPC's public statements emphasize that "to reduce human error-related leaks, it is essential not only to provide education on personal information protection through training but also to establish an organizational framework that prevents leaks from occurring"—language that echoes the Guidelines' recommendation for a designated supervisor and internal rules.
Contrast with GDPR Article 37 DPO mandate. Under GDPR Article 37(1), a controller or processor must designate a DPO when (a) processing is carried out by a public authority, (b) core activities consist of processing operations requiring regular and systematic monitoring of data subjects on a large scale, or (c) core activities consist of large-scale processing of special-category or criminal-offense data. The GDPR prescribes the DPO's tasks (Article 39: monitor compliance, advise on DPIAs, serve as contact point for supervisory authorities and data subjects, report directly to highest management), independence guarantees (Article 38: no instructions regarding exercise of tasks, no dismissal or penalty for performing tasks), and qualifications (Article 37(5): professional qualities and expert knowledge of data protection law).
The APPI imposes none of these requirements. Article 23's security-control obligation is outcome-based, not role-based. The PPC Guidelines recommend appointing a supervisor as an organizational measure to achieve the Article 23 security standard, but they do not mandate that the supervisor possess legal qualifications, report to the board, operate independently of business management, or maintain a public contact registry. An operator that does not appoint a supervisor is not in per se violation of the APPI, but if a breach occurs and the PPC investigation reveals that the operator lacked any governance structure to oversee compliance, the PPC may conclude that the operator failed to take "necessary and proper measures" under Article 23 and issue a recommendation or order to establish such a structure.
Practical guidance for cross-border operations. Organizations operating in both Japan and the EU face overlapping but non-identical governance obligations. A GDPR-mandated DPO can serve double duty as the APPI-recommended personal-data supervisor, provided the organization documents the supervisor's responsibilities under Japanese law (Article 23 compliance oversight, breach reporting to the PPC under APPI breach-notification rules, response to data-subject access requests under Article 33) and ensures the supervisor has working knowledge of the APPI, PPC Guidelines, and PPC enforcement practice. The GDPR DPO's independence and reporting-line protections under Article 38 exceed what the APPI requires, so layering GDPR governance onto Japanese operations raises the compliance floor, which the PPC treats as a positive factor in breach assessments.
Conversely, a Japan-only operator that has not designated a supervisor should assess its Article 23 exposure by reference to the PPC's 2018 survey benchmark (68.5% of operators, and 86% of large-scale operators, have done so) and the breach statistics (7,735 reported incidents in six months, with human error as the leading cause). The regulatory signal is clear: the PPC expects organizational governance, and the absence of a designated supervisor is a red flag in any post-breach investigation.
Article 25 supervision of entrusted persons — due diligence, contract clauses, and ongoing audit obligations
Japan's Act on the Protection of Personal Information (APPI) imposes a mandatory supervision obligation on business operators when they entrust the handling of personal data to processors, subcontractors, or service providers. Article 25 of the APPI creates the closest Japanese analogue to GDPR controller-processor accountability, requiring the data controller ("personal information handling business operator") to exercise "necessary and appropriate supervision" over the entrusted party to ensure security control of the outsourced personal data. This obligation applies to any entrustment arrangement—cloud hosting, payroll processing, IT support, marketing agencies, call centers, and data analytics vendors—and operates independently of the third-party provision rules in Article 27.
Article 25 statutory text. Article 25 of the APPI provides: "If a business handling personal information entrusts another person with all or part of the handling of personal data, it must exercise the necessary and adequate supervision over the person it entrusts, pursuant to the provisions of Article 25 of the Act, so as to ensure the secure management of the personal data with whose handling it entrusts that person." The statute does not prescribe specific supervision measures, leaving the Personal Information Protection Commission (PPC) to elaborate the standard through Guidelines and enforcement practice.
What constitutes "entrustment." The PPC's sectoral guidelines (Financial Sector Guidelines, Article 10, published on japaneselawtranslation.go.jp) define "entrustment" broadly as "the entirety of contracts, irrespective of the form or type thereof, under which a business handling personal information has another entity carry out the whole or part of the handling of personal data." Entrustment includes not only formal outsourcing agreements but also cloud service subscriptions, software-as-a-service arrangements, affiliate data-sharing agreements where the affiliate acts on the controller's instructions, and any contractual relationship under which the entrusted party processes personal data on behalf of and at the direction of the business operator. The definition is functional, not formal—the critical element is that the entrusted party handles personal data to achieve the business operator's purpose of use, rather than for its own independent business purpose.
Distinction from third-party provision. Article 25 entrustment and Article 27 third-party provision are mutually exclusive categories. Article 27(5)(i) provides that an "entrusted person" (a party to whom the business operator entrusts the handling of personal data in whole or in part to the extent necessary to achieve the purpose of use) does not constitute a "third party" for purposes of the consent requirement in Article 27(1). When a business operator entrusts data processing to a vendor acting solely on the operator's behalf and under the operator's instructions, the transaction is governed by Article 25's supervision obligation, not Article 27's consent requirement. The operator need not obtain data-subject consent before transferring personal data to the entrusted party, but the operator remains fully liable for the entrusted party's data handling and must exercise active supervision. Conversely, when the business operator provides personal data to a recipient that will use the data for its own purposes (e.g., selling a customer list to a marketing broker, or sharing employee data with a co-venturer for the co-venturer's independent HR purposes), the transaction is a third-party provision under Article 27, requiring consent or an Article 27(1) statutory exception, and triggering the Article 29 recordkeeping obligation.
Required supervision measures — PPC Guidelines framework. The PPC's Financial Sector Guidelines (Article 10) and the general-rules Guidelines elaborate Article 25's "necessary and appropriate supervision" standard into three sequential duties: (1) appropriate selection of the entrusted party (due diligence), (2) contractual specification of security measures, and (3) ongoing monitoring and audit of the entrusted party's compliance. The Guidelines emphasize that the level of supervision must correspond to the risk arising from the scale and nature of the entrusted business, the sensitivity of the personal data, and the volume of records, in light of the potential harm to data subjects if the data is leaked, lost, or damaged.
1. Due diligence and appropriate selection. Before entrusting personal data processing to a third party, the business operator must assess whether the prospective entrusted party has the organizational capacity, technical infrastructure, and track record to handle personal data securely. The Financial Sector Guidelines recommend that operators establish written selection criteria covering the entrusted party's organizational structure, basic security policies, internal handling rules, employee training programs, incident-response protocols, and compliance history. The operator should review the prospective vendor's information-security certifications (e.g., ISO/IEC 27001, Privacy Mark), conduct on-site inspections or questionnaire assessments, and confirm that the vendor's security measures align with the operator's own Article 23 security-control obligations. This due-diligence obligation applies at the outset of the entrustment relationship and when the contract is renewed or the scope of processing is expanded.
2. Contractual security requirements. The business operator must incorporate into the entrustment contract binding clauses that obligate the entrusted party to implement security measures equivalent to those the operator itself must maintain under Article 23. The Financial Sector Guidelines recommend that the contract specify: (i) the purpose and scope of the entrusted processing (what categories of personal data, for what business function, under what retention schedule); (ii) a prohibition on the entrusted party using the personal data for any purpose other than the entrusted task; (iii) a prohibition on the entrusted party providing the personal data to a third party without the operator's prior written consent; (iv) organizational, human, physical, and technical security measures the entrusted party must implement (access controls, encryption, logging, employee confidentiality agreements, secure disposal protocols); (v) an obligation to report any personal data breach, unauthorized access, or security incident to the operator immediately; (vi) a right for the operator to audit the entrusted party's security practices, either directly or through a third-party auditor; (vii) cooperation with the operator in responding to data-subject access requests, correction demands, or PPC investigations; and (viii) secure return or destruction of personal data upon termination of the contract.
The PPC's enforcement practice treats the absence of these contractual clauses as evidence that the operator failed to exercise "necessary and appropriate supervision" under Article 25. Contractual boilerplate is not sufficient—the clauses must be tailored to the nature of the entrusted processing and actually enforced through audit and remediation.
3. Ongoing monitoring and audit. The business operator's Article 25 duty does not end when the contract is signed. The operator must conduct periodic monitoring to verify that the entrusted party is complying with the contractual security requirements and applicable APPI obligations. The Financial Sector Guidelines recommend that operators: (i) require the entrusted party to submit periodic compliance reports documenting security incidents, access logs, employee training completion, and any changes to security infrastructure; (ii) conduct periodic on-site inspections or third-party audits of the entrusted party's facilities, information systems, and handling procedures; (iii) review the entrusted party's breach-notification records and incident-response timelines; and (iv) update the entrustment contract and security requirements when the operator's risk assessment changes (e.g., when the entrusted party begins processing sensitive personal information under Article 20, or when the volume of records increases by an order of magnitude).
The frequency and depth of monitoring should be proportionate to the risk. For a vendor processing low-volume, non-sensitive customer-contact data (e.g., a call center handling product inquiries), annual self-certification questionnaires and breach-notification reporting may suffice. For a cloud infrastructure provider hosting millions of medical records, health insurance claims, or financial account data, the operator should conduct quarterly compliance reviews, annual penetration testing, and real-time breach alerts.
Sub-outsourcing (re-entrustment) supervision. When the entrusted party intends to sub-outsource (re-entrust) the handling of personal data to a further entrusted party (e.g., a cloud provider hiring a data-center operator, or a payroll processor engaging a backup-tape storage vendor), the Financial Sector Guidelines state that it is "desirable" that the original business operator confirm that (i) the entrusted party will appropriately supervise the sub-entrusted party in accordance with Article 25, and (ii) the sub-entrusted party will implement the same Article 23 security measures that the first-tier entrusted party must maintain. The Guidelines recommend that the original operator require the entrusted party to obtain the operator's prior written approval before sub-outsourcing, provide advance notice of the sub-entrusted party's identity and the scope of re-entrusted processing, and conduct its own audits of the sub-entrusted party (or permit the operator to audit the sub-entrusted party directly). The same supervision framework applies recursively to further layers of sub-outsourcing.
The PPC's enforcement posture is that the original business operator remains liable under Article 23 for any breach or security failure by the sub-entrusted party, even when the sub-entrustment occurred without the operator's knowledge. The operator's Article 25 supervision duty includes verifying that the entrusted party has a robust sub-vendor management program and contractually prohibiting unauthorized re-entrustment.
Risk-based supervision standard. The Financial Sector Guidelines expressly state that "the supervision is to correspond to risks arising from the scale and nature of the entrusted business, the handling status of personal data and other factors, in consideration of the significance of infringement of rights and interests that may be suffered by the identifiable person in the event of the leaking, etc. of personal data." This risk-based framework permits (and requires) operators to calibrate their supervision intensity to the sensitivity and volume of the outsourced data. Processing sensitive personal information under Article 20 (race, creed, social status, medical history, criminal record) or large-scale databases of financial or health data triggers heightened supervision obligations—more frequent audits, stricter contractual controls, mandatory breach-notification escalation, and technical measures such as encryption-at-rest and role-based access controls. Low-risk entrustment (e.g., outsourcing bulk-mail printing of marketing postcards that contain only name and mailing address) permits lighter-touch supervision, but the operator must document the risk assessment that justifies the reduced oversight.
Enforcement consequences and operator liability. The Personal Information Protection Commission may demand reports (Article 146), conduct on-site inspections (Article 147), and issue recommendations and orders to business operators (Article 147) when a breach investigation reveals that the operator failed to exercise "necessary and appropriate supervision" over an entrusted party under Article 25. The PPC's enforcement practice holds the business operator (not the entrusted party) primarily accountable for breaches caused by the entrusted party's security failures. This vicarious-liability principle reflects the statutory design: Article 25 does not impose direct APPI obligations on the entrusted party (who may not even be a "personal information handling business operator" under Article 16 if it processes data solely on behalf of the principal operator), but instead obligates the principal operator to ensure that the entrusted party adheres to the same security standards the operator itself must meet under Article 23.
Following the 2020 amendments (effective April 1, 2022), the PPC may levy administrative fines of up to 100 million yen on a business operator that fails to comply with a PPC order (Article 178). Criminal penalties (up to one year of detention or a fine of up to 1 million yen, Article 176) apply to officers who obstruct PPC inspections or fail to comply with a PPC order. In practice, the PPC's enforcement approach emphasizes remediation—when a breach occurs due to an entrusted party's security lapse, the PPC issues a recommendation directing the operator to revise its vendor-selection criteria, strengthen contractual security clauses, terminate the non-compliant vendor, enhance audit procedures, and report back to the PPC on corrective measures. Operators that demonstrate robust Article 25 supervision programs—documented due diligence, contractual security requirements, periodic audits, and prompt breach response—typically receive lighter sanctions than operators that had no vendor-oversight process in place.
Practical guidance for cross-border operations and GDPR alignment. Organizations subject to both the APPI and the GDPR face overlapping processor-supervision obligations. GDPR Article 28 requires controllers to use only processors that provide "sufficient guarantees" of GDPR compliance, to execute a written contract specifying the processor's data-protection obligations (Article 28(3)), and to ensure the processor implements "appropriate technical and organisational measures" (Article 32). APPI Article 25 imposes a parallel supervision duty, though the APPI does not mandate the specific contract clauses enumerated in GDPR Article 28(3) (subject-matter, duration, nature and purpose of processing, type of personal data, data-subject rights assistance, deletion or return of data, audit rights). A GDPR-compliant data processing agreement (DPA) that includes the Article 28(3) mandatory clauses will typically satisfy the APPI Article 25 contractual-supervision requirement, provided the DPA also addresses the APPI-specific obligations: purpose-of-use limitation (Article 18), security control (Article 23), breach notification to the operator (so the operator can assess whether Article 26 breach reporting to the PPC is required), and prohibition on unauthorized third-party provision (Article 27).
Controllers operating in both jurisdictions should template their processor contracts to the higher of the two standards (GDPR Article 28(3) is generally more prescriptive), conduct unified vendor due-diligence assessments covering both GDPR Article 32 and APPI Article 23 security measures, and maintain a single vendor-audit schedule that satisfies the ongoing-supervision requirement under both regimes. The PPC has signaled in enforcement guidance that it views GDPR-compliant processor-management programs favorably as evidence of "necessary and appropriate supervision" under Article 25, particularly when the operator can demonstrate documented vendor risk assessments, annual audit reports, and prompt breach-escalation procedures.