Data transfer between the EU and Japan
Veröffentlicht von Dr. Andreas Kaiser am 16.05.2019
Adequacy does not mean that data protection laws in the EU and Japan are exactly the same. Special provisions in Japan, which go beyond the GDPR, are contained in Art. 36 APPI for anonymously processed data, which are stored in a special way, e.g. protected by a ban on re-identification and may therefore be processed more excessively than personal data. Data from the EU may only be considered as anonymously processed data if the data processor takes measures that make de-identification of the data subject irreversible for everyone.
The practical consequencesof the mutual recognition of data protection as equivalent facilitates the data exchange cross the border between Controllers and Processors. Controllers in the EU, therefore, do not require separate consent from the data subject and no additional safeguards including the use of binding corporate rules in a group of companies, standard data protection clauses adopted by the Commission or by a supervisory authority or contractual clauses between the transferring and the receiving organisation authorised by a supervisory authority are required.
EU data subjects may lodge an objection against the transfer of their data to Japan, or in the event of insufficient information from the Controller or Processor, or infringement of their rights under the GDPR to the competent supervisory authority or file an action against the supervisory authority or Controllers. Data subjects may file a complaintwith the PPC against violations of their privacy rights under Japanese law. The PPC is obliged to investigate the complaint and, if necessary, remedy the situation, to inform the complainant on the result and to inform him/her of any further available legal action.
Zuletzt geändert am: 16.05.2019 um 13:57