Mandatory Breach Notification under the 2022 APPI
The amended APPI (effective April 2022) made it mandatory to report personal data breaches to the Personal Information Protection Commission (PPC) and notify affected individuals (Article 26).
Previously a best-efforts obligation, breach reporting is now a legal duty. Violations trigger administrative orders (Article 145), and failure to comply with those orders carries criminal penalties (Article 173: up to 1 year imprisonment or a ¥1 million fine).
Reportable Incidents
Not every breach triggers a notification obligation. Four categories are covered (Enforcement Regulations, Article 7):
| Category | Examples |
|---|---|
| Sensitive personal information leaked | Health info, criminal records, disability info, etc. |
| Suspected improper motive | Unauthorized access, internal misconduct |
| Unauthorized access-related | Cyberattacks, unauthorized logins |
| Large-scale (1,000+ individuals) | Large database leaks |
Note: Even accidental incidents (misdirected emails, lost devices) trigger reporting if they fall into these categories.
Reporting Timeline and Content
Preliminary Report (First Report)
Submit promptly after learning of the breach — the PPC guideline indicates approximately 3–5 days.
Minimum content:
- Outline of the incident
- Categories of personal data affected
- Estimated number of individuals
- Known circumstances of the incident
- Current response status
Final Report
Submit within 30 days of the preliminary report (or 60 days for unauthorized access incidents).
Final report content:
- Date/time of breach occurrence and discovery
- Categories and confirmed count of affected individuals
- Cause of the breach
- Secondary damage risk and prevention measures
- Status of individual notification
- Recurrence prevention measures
Individual Notification Obligation
Notification to affected individuals is also required in principle (Article 26(2)).
Method: Individual notification (email, written notice) is the default.
Substitute Measures When Direct Notification Is Impracticable
Alternatives (website posting, press release) are permitted when:
- Contact information for affected individuals is unknown
- Notification would interfere with the investigation
Practical Points
Uncertain Breach Count
At the preliminary report stage, estimates are acceptable. Confirm accurate figures in the final report.
Breach at a Data Processor (Vendor)
When a subcontractor/processor experiences a breach, the data controller (principal) bears the reporting obligation (related to Article 24 supervision duties).
Establish a system for receiving prompt breach reports from vendors.
Intra-Group Leaks
Even transfers within a corporate group may trigger reporting if they occur between separate legal entities.
Internal Response Framework
Recommended preparation:
| Measure | Content |
|---|---|
| Incident response policy | Clear flow: detect → report → respond |
| Internal reporting channel | Easy for employees to report incidents |
| Response team | Security, legal, and management coordination |
| Evidence preservation | Log retention and anti-tampering procedures |
| Regular drills | At least annual incident response exercises |
Summary
The 2022 APPI established clear breach notification obligations: preliminary report within 3–5 days, final report within 30 days (60 for unauthorized access). Preparing an incident response policy and designated team in advance is essential for meeting these tight deadlines.