GDPR vs APPI in Japan: Does it affect Yengage?
How GDPR vs APPI differs and how the latest privacy regulation affects us at Yengage and our policy as a Data Processor.
GDPR vs APPI (General Data Protection Regulation versus Act on the Protection of Personal Information)
GDPR vs APPI, or why everyone has been sending out new Terms of Service and Privacy Policies these past couple of weeks. The reason: GDPR, the European Union’s General Data Protection Regulation, went into effect May 25, 2018. How does this affect us at Yengage as a Japanese advertising agency?
While Japan is not a whitelisted jurisdiction, Japan has its own version of GDPR, called the Act on the Protection of Personal Information (APPI). That means that while transfers of data between Japan and the EU require additional steps, many of the policies we follow are already GDPR compliant because they are APPI compliant.
In addition, we do not target EU data subjects. Various websites describe what that entails, but in short, we advertise in Japanese to Japanese customers living in Japan. As such, we are not Data Controllers for EU data subjects. This website lists the main differences between GDPR and APPI.
That said, we are on occasion “Data Processors” for EU Data Subjects as an agency. Here is our official policy as an advertising agency and subsidiary of Digital Advertising Consortium (DAC).
Yengage GDPR: Compliance as a Data Processor
Note: This blog post is informational use only, following the resources outlined by GDPR EU. Their information portal is provided to the public for free to help firms and organizations prepare for new data protection requirements under the General Data Protection Regulation. It is independent of and not affiliated with the European Parliament, the European Council, or member state supervisory authorities. (https://www.gdpreu.org/the-regulation/key-concepts/data-controllers-and-processors/)
Requirements of the Data Processor
1. Only process personal data on instructions from the controller, and inform the controller if it believes said instruction infringes on the GDPR (28.3). In other words, a data processor may not opportunistically use or mine personal data it is entrusted with for purposes not outlined by the data controller.
2. Obtain written permission from the controller before engaging a subcontractor (28.2), and assume full liability for failures of subcontractors to meet the GDPR (28.4).
3. Upon request, delete or return all personal data to the controller at the end of the service contract (28.3.g).
We are willing to put this into our terms and conditions with our EU customers.
4. Enable and contribute to compliance audits conducted by the controller or a representative of the controller (28.3.h).
We are willing to put this into our terms and conditions with our EU customers.
5. Take reasonable steps to secure data, such as encryption and pseudonymization, stability and uptime, backup and disaster recovery, and regular security testing (32.1).
6. Notify data controllers without undue delay upon learning of data breaches (33.2).
7. Restrict personal data transfer to a third country only if legal safeguards are obtained (46).
We adhere to Japan’s Act on the Protection of Personal Information (APPI), which provides that Personal Data may not be transferred to a foreign country unless:
(i) the data subject has given specific advance consent to the transfer of the data subject’s Personal Data to the entity in a foreign country;
(ii) the country in which the recipient is located has a legal system that is deemed equivalent to the Japanese personal data protection system, designated by the Japanese data protection authority; or
(iii) the recipient undertakes adequate precautionary measures for the protection of Personal Data, as specified by the Japanese data protection authority.
Please reach out to info[at]yengage.net for any questions or concerns.