Sanno Park Tower 12F (Reception) and 14F,
11-1, Nagatacho 2-chome, Chiyoda-ku,
Tokyo 100-6114, Japan

Tokyo Metro Ginza Line: G06 Tameike-sanno Station, Exit 7 (directly accessible through the second basement)

Tokyo Metro Nanboku Line: N06 Tameike-sanno Station, Exit 7 (directly accessible through the second basement)

Tokyo Metro Chiyoda Line: C07 Kokkai-gijido-mae Station, Exit 5 (3 minutes’ walk)

Tokyo Metro Marunouchi Line: M14 Kokkai-gijido-mae Station, Exit 5 (10 minutes’ walk through Chiyoda Line platform)



Hiroyasu Kageshima delivered a lecture on the Personal Information Protection Act.

Host: Mizuho Research & Technologies, Ltd.
Available Period: Tuesday, May 10, 2022 – Friday, June 10, 2022
Sign-up Period: Wednesday, March 30, 2022 – Tuesday, May 24, 2022
Venue: Online (on demand)

Basic Matters of the Personal Information Protection Act and Business Operations to Handle and Manage Personal Information

[Based on the amended Act] You can master the basics of “handling” and “managing” personal information.

The seminar provides explanations covering essential basic knowledge and points for practical consideration based on the amended Act and the guidelines.

Practical considerations regarding personal information range from acquisition and use of personal information, administration of outsourced companies, data exchanges with outsiders, and responses to requests for disclosure or deletion of personal data, and use of the cloud in a foreign country. It is essential to understand practical issues which persons in charge frequently face, including key points of the amended Personal Information Protection Act which was enforced in April 2022. The lecturer explains the points on regulations and practical considerations under the Act and the guidelines, with the points to be noted in certain situations. This seminar is also useful for beginners and those who wish to reconfirm the basic matters or the manner of operations adopted by their companies.


1. “Personal information” and the Personal Information Protection Act

(1) Overall picture of the Personal Information Protection Act

– What are the five obligations of a company?

– Personal Information Protection Commission

– Acts subject to penal provisions

(2) Concept of “personal information”

– What information is categorized as “personal information”?

– In what situations can information “be easily collated with other information”?

(3) Personal information database, etc./personal data/retained personal data

– Differences between personal information and personal data

(4) Sensitive personal information

– Do statements like “I do not feel well with sickness” or “I have a broken bone” constitute sensitive personal information?

(5) Involvement of the principal in retained personal data

– Requests for disclosure, deletion, etc. by the principal

2. Acquisition and use of personal information

(1) Designation of the purpose of use

– Points in tighter regulations of the amended Act

(2) Notification or announcement of the purpose of use

– Cautions that should be given when collecting personal information at a customer service desk, by questionnaire, etc.

(3) Notification of the purpose of use, etc., regarding retained personal data

– What is “external environment”?

(4) Prohibition of use for other purposes

(5) Change of the purpose of use

(6) Appropriate acquisition

(7) Prohibition on inappropriate use

3. Management of personal data

(1) Safety control measures

– Seven measures stipulated in the Guidelines

– How to determine the “extent” of management

(2) Supervision of outsourced companies

– Three obligations stipulated in the Guidelines

(3) Actions to take in case of information leakage

– Notice to the principal, report to the Personal Information Protection Commission/competent minister for the business

4. Providing personal data to a third party

(1) Consent of the principal

– A case where certain information does not constitute personal data at the company providing such information, but clearly constitutes personal data at the company receiving it

(2) Outsourcing/shared use

– The basis for distinguishing “outsourcing information processing” from “providing information to a third party”

– Points to note when “sharing” HR information within group companies

(3) Obligation of confirmation and recording for traceability

– Points of operation concerning the obligation of confirmation and recording

(4) Sharing personal data with a third party in a foreign country

– Matters necessary to outsource information management to a company in a foreign country under the amended Act

(5) Regulations on providing/acquiring individual-linked information under the amended act

5. Responses to requests for disclosure, etc.

(1) Announcement of the purpose of use, etc.

(2) Request for disclosure, request for suspension of use, etc., request for suspension of providing information to third parties

(3) Outline of the amendment

6. Anonymized Information and pseudonymized information

(1) What is anonymized information?

(2) Outline of pseudonymized information introduced in the amended act