GDPR vs APPI (General Data Protection Regulation versus Act on the Protection of Personal Information)

GDPR vs APPI, or why everyone has been sending out new Terms of Service and Privacy Policies these past couple of weeks. The reason: GDPR, the European Union’s General Data Protection Regulation, went into effect on May 25, 2018. How does this affect us at Yengage as a Japanese advertising agency?

While Japan is not a whitelisted jurisdiction, Japan has its own version of GDPR, called the Act on the Protection of Personal Information (APPI). That means that while transfers of data between Japan and the EU require additional steps, many of the policies we follow are already GDPR compliant because we are APPI compliant.

In addition, we do not target EU data subjects. Various websites describe what that entails, but in short, we advertise in Japanese to Japanese customers living in Japan. As such, we are not Data Controllers for EU data subjects. This website lists the main differences between GDPR and APPI.

That said, we are on occasion “Data Processors” for EU Data Subjects as an agency. Here is our official policy as an advertising agency and subsidiary of Digital Advertising Consortium (DAC).

Yengage GDPR: Compliance as a Data Processor

Note: This blog post is for informational use only, following the resources outlined by GDPR EU. Their information portal is provided to the public for free to help firms and organizations prepare for the new data protection requirements under the General Data Protection Regulation. It is independent of and not affiliated with the European Parliament, the European Council, or member state supervisory authorities. (https://www.gdpreu.org/the-regulation/key-concepts/data-controllers-and-processors/)

Requirements of the Data Processor

We meet the following requirements, each of which is either outlined in the DAC Privacy Policy here or will be included in the terms and conditions of the contract.

1. Only process personal data on instructions from the controller, and inform the controller if it believes said instruction infringes on the GDPR (28.3). In other words, a data processor may not opportunistically use or mine personal data it is entrusted with for purposes not outlined by the data controller.

See section 2 of DAC’s privacy policy: Types of acquired personal information, method of acquisition, and purpose of use.

2. Obtain written permission from the controller before engaging a subcontractor (28.2), and assume full liability for failures of subcontractors to meet the GDPR (28.4).

See section 4 of DAC’s privacy policy: Provision of personal information to third parties.

3. Upon request, delete or return all personal data to the controller at the end of the service contract (28.3.g).

We are willing to put this into our terms and conditions with our EU customers.

4. Enable and contribute to compliance audits conducted by the controller or a representative of the controller (28.3.h).

We are willing to put this into our terms and conditions with our EU customers.

5. Take reasonable steps to secure data, such as encryption and pseudonymization, stability and uptime, backup and disaster recovery, and regular security testing (32.1).

See section 5 of DAC’s privacy policy: Management of personal information.

6. Notify data controllers without undue delay upon learning of data breaches (33.2).

See section 9 of DAC’s privacy policy: Handling of accidents related to personal information protection.

7. Restrict personal data transfer to a third country to cases where legal safeguards are obtained (46).

We adhere to Japan’s Act on the Protection of Personal Information (APPI), which provides that Personal Data may not be transferred to a foreign country unless:
(i) the data subject has given specific advance consent to the transfer of the data subject’s Personal Data to the entity in a foreign country;
(ii) the country in which the recipient is located has a legal system that is deemed equivalent to the Japanese personal data protection system, designated by the Japanese data protection authority; or
(iii) the recipient undertakes adequate precautionary measures for the protection of Personal Data, as specified by the Japanese data protection authority.

Please reach out to info[at]yengage.net for any questions or concerns.

By: Justin Endo. First Published: June 8, 2018.
