MyData-TRUST
APPI
Japan
Act on the Protection of Personal Information
Comply with Japan’s APPI, one of Asia’s most advanced data protection laws.
APPI applies to all companies established in Japan as well as to foreign companies that handle personal information of individuals located in Japan.

Key Requirements

• Consent required for sensitive data
• Purpose of use principle: companies need to identify and share the purpose of using each type of information
• User rights: access, correction, erasure, cessation of use
• Cross-border transfers subject to adequacy, consent, or contracts
• Data security: companies must implement specific technical and organizational measures as listed under the PPC guidelines

Our Experts Are Here To Help You!

Ensure your compliance with Japanese laws on personal data protection

How MyData-TRUST Can Support You

• APPI gap assessments and remediation
• Data protection policies and procedures tailored to APPI
• Data protection due diligence for ‘entrusted persons’ and contract review
• Data breach advice and support
• ICF review
• Cross-border transfer compliance evaluation

Why Compliance Matters for Life Sciences

• ⚖️ Necessary for clinical, pharmacovigilance, or research activities in Japan
• 🔬 Ensures high standards in patient confidentiality and trial data use
• 🔒 Supports collaboration with EU and US sponsors
• 🌐 Aligns local practices with global compliance efforts

Why Choose MyData-TRUST?

• ✅ Privacy advisors experienced in Japan-EU/APAC transfers
• 🌍 Coordination of global trials and vendor obligations
• 🔬 Clinical and regulatory expertise
• 🔐 Proven frameworks for compliant operations

Frequently asked questions

APPI is Japan’s main privacy law for private-sector and public-sector organizations. It applies to all companies that handle personal information of people located in Japan. The processing of anonymized or pseudonymized information also falls under the scope of APPI; however, the obligations vary depending on the type of personal information. No regional privacy legislation exists.
Do I need to appoint a DPO?
Although no such role is envisaged under APPI, the guidelines of the PPC (the supervisory authority) list the appointment of a person responsible for dealing with personal information as one example of the security measures companies must take under the APPI.
We provide legal advice, privacy documentation, DPO support services, training, and compliance assessments covering APPI.
In principle, due to the ‘purpose of use’ principle established under article 17 of the APPI, secondary use is not allowed. The Act on Anonymized Medical Data That Are Meant to Contribute to Research and Development in the Medical Field (Act No. 28 of May 12, 2017) partially resolves this issue and allows further use for research purposes, but only for anonymized medical data.
Need more information about MyData-TRUST? Get in touch with our experts.
