TL;DR (Updated May 2026)
- EU→Japan transfers: NO SCCs required. The EU-Japan mutual adequacy decision (January 2019) treats Japan as a "safe third country." You can transfer EU personal data to Japan without Standard Contractual Clauses or Binding Corporate Rules — but supplementary rules apply on the Japanese side.
- Japan→EU transfers: APPI Art. 28 applies. Sending personal data from Japan to an EU recipient still requires APPI compliance: either (a) individual consent with destination-country disclosure, (b) recipient's equivalent-protection framework, or (c) reliance on the adequacy decision.
- GDPR's extraterritorial reach catches most Japanese companies offering services to EU residents (Art. 3). Free services count. Behavioral analytics tracking EU users counts.
- Penalties are severe: GDPR fines reach €20 million or 4% of global annual revenue, whichever is higher. APPI penalties reach ¥100 million for organizations.
- 2022 APPI amendment tightened cross-border rules: Japanese controllers must now disclose the destination country's data protection framework to data subjects when obtaining consent for international transfers.
Quick Reference: GDPR vs Japan APPI
| Item | GDPR (EU) | APPI (Japan, 2022 amended) |
|---|---|---|
| Maximum penalty | €20M or 4% global revenue | ¥100M (org) / ¥1M (individual) |
| Extraterritorial reach | Yes (Art. 3) — EU residents | Yes (Art. 171) — Japan residents |
| Lawful basis required? | Yes — 6 enumerated bases (Art. 6) | No explicit list; "specified purpose" + appropriate handling |
| Right to erasure | Yes (Art. 17) | Yes for "retained personal data" (Art. 30) |
| Data Protection Officer | Required for large-scale processing | Not mandatory; "Personal Information Protection Manager" is best practice |
| 72-hour breach notification | Yes (Art. 33) | Yes (PPC Rule Art. 7), to PPC and data subjects |
| Cross-border transfer | SCCs / BCRs / adequacy | Consent + destination disclosure / equivalent framework / adequacy |
| Adequacy with each other | ✅ EU recognizes Japan (2019) | ✅ Japan recognizes EU (2019) |
---
GDPR Overview
The General Data Protection Regulation (GDPR), effective May 2018, protects personal data of EU residents. Key features:
- Fines up to €20 million or 4% of global annual revenue (whichever is higher)
- Extraterritorial application: applies to non-EU companies offering goods/services to EU residents or monitoring their behavior
- Enhanced individual rights (right to erasure, portability, access, etc.)
EU-Japan Mutual Adequacy Decision (2019)
In January 2019, the European Commission and Japan's Personal Information Protection Commission (PPC) granted mutual adequacy decisions:
- EU side: Japan's APPI provides equivalent protection to GDPR
- Japan side: EU data protection qualifies as a safe third country
Result: Japanese companies can receive personal data from the EU without Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs).
Supplementary Rules
Japanese companies receiving EEA resident data must comply with supplementary rules providing GDPR-equivalent protections, including expanded sensitive data categories and restrictions on onward transfers to non-EEA countries.
When Japanese Companies Are Subject to GDPR (Article 3)
- Companies with an establishment in the EU
- Companies offering goods/services to EU residents (including free services)
- Companies monitoring the behavior of EU residents (analytics, behavioral advertising)
Key GDPR Compliance Requirements
| Obligation | Details |
|---|---|
| Privacy policy | Disclose processing purposes, legal bases, retention periods |
| Consent | Explicit, freely given consent |
| Individual rights | Respond to access/deletion/portability requests |
| DPO designation | Required for large-scale processing |
| EU representative | Required for non-EU companies subject to GDPR |
| Data breach notification | Within 72 hours to supervisory authority |
2022 APPI Amendment: Cross-Border Transfer Rules
The amended APPI (effective April 2022) requires, when transferring personal data to foreign third parties:
1. Individual consent (with disclosure of the destination country's data protection framework), or
2. The recipient has established an equivalent protection framework, or
3. The destination country has received an adequacy decision (EU, UK, etc.)
Case Studies (Practical Patterns)
Case 1: SaaS Vendor in Tokyo Selling to German Customers
A 30-person Tokyo SaaS company hosts customer data in AWS Tokyo region and offers a project management tool to German engineering firms. GDPR exposure: Yes — Art. 3(2)(a) applies (offering services to EU residents). Required actions: (1) Update privacy notice with GDPR-compliant lawful bases and individual rights disclosure; (2) appoint an EU Representative under GDPR Art. 27 (typically a third-party service provider in Germany or Ireland, ~€2,000-5,000/year); (3) implement DPIA workflow if processing involves special categories; (4) configure 72-hour breach notification process. Adequacy benefit: customer data remains in Japan without requiring SCCs — significant cost saving compared to non-adequacy jurisdictions.
Case 2: Japanese E-commerce Site Using Google Analytics to Track Visitors Including from France
An online retailer in Osaka uses Google Analytics, Meta Pixel, and behavioral advertising tags. EU visitors land on the site occasionally. GDPR exposure: Yes — Art. 3(2)(b) applies (monitoring EU resident behavior). Required actions: (1) Cookie consent banner with EU-compliant opt-in (not just notice); (2) Privacy notice explaining tracking technologies, recipients, and retention periods; (3) Japan APPI cross-border transfer compliance for sending Cookie/Pixel data to non-adequacy countries (US Google/Meta servers may trigger additional consent obligations under the 2022 APPI amendment). Practical note: combine GDPR consent and the APPI external transmission notice (Amended Telecommunications Business Act Art. 27-12) in one consent flow to avoid duplicate banners.
Case 3: German Manufacturer Sending Employee Data to Japan HQ
A German automotive parts subsidiary sends HR records to its Japanese parent for global payroll and performance management. GDPR side: EU→Japan transfer is permitted under the adequacy decision — no SCCs needed. Japanese parent's obligations: handle EEA-resident data per APPI's supplementary rules (expanded sensitive data categories including trade union membership and criminal records; restrictions on onward transfer to non-EEA countries). Outcome: significantly streamlined compliance compared to US-based parents who must implement SCCs + Transfer Impact Assessments.
Frequently Asked Questions
Q1. Do I need SCCs to transfer personal data from the EU to Japan?
No — for transfers to Japan-based controllers and processors. The 2019 mutual adequacy decision treats Japan as providing equivalent protection, eliminating SCC/BCR requirements. However, this only covers Japan-based recipients; if data is then onward-transferred from Japan to a third country, separate transfer mechanisms may apply.
Q2. Are Japanese companies always subject to GDPR if they have EU customers?
Subject to GDPR Art. 3(2): yes, if you (a) offer goods/services to EU residents (including free ones, with EU language or currency support indicating intent), or (b) monitor EU resident behavior (analytics, behavioral ads). Mere accessibility of your Japanese-language site to EU users does NOT trigger GDPR — there must be evidence of targeting.
Q3. What are the supplementary rules under the Japan adequacy decision?
When Japanese controllers receive personal data from the EEA, they must comply with additional rules beyond standard APPI: (1) treat criminal records, trade union membership, and certain other categories as special care-required personal information (要配慮個人情報, i.e. sensitive data); (2) limit onward transfer to non-EEA third countries; (3) honor data subject rights via direct mechanisms. These rules are enforceable by the PPC against Japanese recipients.
Q4. Does the 2022 APPI amendment require us to redo our cross-border transfer disclosures?
Likely yes if you transfer personal data abroad. The 2022 amendment introduced an obligation to disclose the destination country's data protection framework to data subjects when obtaining consent. Generic "we may transfer your data internationally" language is insufficient — you must name the country (or "EEA," "USA," etc.) and summarize its legal protections (or absence thereof). Privacy notices written before April 2022 likely need an update.
Q5. Do we need an EU Representative even with adequacy?
Adequacy and EU Representative are separate questions. Adequacy addresses the legality of the transfer flow. EU Representative (GDPR Art. 27) is required for non-EU controllers/processors subject to GDPR who lack an EU establishment — adequacy doesn't change this. Most Japanese companies actively selling to EU residents need an EU Representative regardless of the adequacy benefit.
Q6. What is the penalty for non-compliance?
GDPR: fines up to €20 million or 4% of global annual revenue, whichever is higher (Art. 83). Recent enforcement against Japanese companies has been limited but the legal exposure exists. Japan APPI (2022 amended): fines up to ¥100 million for legal entities (Art. 178) and administrative orders by the PPC. Reputational harm and customer/partner contract breaches typically exceed statutory fines.
Q7. Should our Japanese HQ appoint a DPO?
GDPR Art. 37 requires a DPO when (a) you're a public authority, (b) core activities involve large-scale systematic monitoring, or (c) core activities involve large-scale processing of special categories or criminal data. Many Japanese B2B SaaS companies fall short of "large-scale" but appoint a DPO voluntarily as a market-trust signal. Japan APPI doesn't require a DPO but PPC guidance recommends a "Personal Information Protection Manager."
Q8. How does Brexit affect this?
The UK granted Japan adequacy in 2019 (inherited from EU) and Japan granted the UK adequacy in 2023. Functionally, transfers between Japan and UK now mirror Japan-EU flows. Verify the UK's separate International Data Transfer Agreement (IDTA) if a UK recipient onward-transfers to a non-adequacy country.
Practical Compliance Checklist for Japanese Companies
- ☐ Map all data flows involving EU/EEA residents — incoming and outgoing
- ☐ Determine GDPR applicability under Art. 3 (establishment, offering, monitoring)
- ☐ Update privacy notice with GDPR Art. 13/14 disclosures (lawful basis, retention, individual rights)
- ☐ Implement Art. 27 EU Representative if applicable
- ☐ Configure 72-hour breach notification process (GDPR + APPI both require)
- ☐ Review and update 2022 APPI-compliant destination disclosures for all cross-border transfers
- ☐ Apply supplementary rules to EEA-origin data (sensitive category expansion, onward-transfer restriction)
- ☐ Train staff on dual-regime compliance; document training for accountability defense
- ☐ Reassess DPO appointment and DPIA workflows for high-risk processing
- ☐ Update vendor and intra-group contracts with GDPR/APPI dual-clauses
Important Notes
- This article is for general information, not legal advice for a specific case. GDPR and APPI both involve fact-specific analysis — consult qualified legal counsel for transfers involving special categories, regulated industries, or cross-border M&A.
- Last updated: May 18, 2026. EU enforcement priorities and PPC guidance evolve frequently; major shifts (e.g., new adequacy decisions, court rulings on AI processing) may affect compliance posture.
- Practice area: Data protection, privacy law, international compliance, technology law.
- For consultation regarding GDPR/APPI dual compliance, cross-border data transfer strategy, or privacy notice drafting, contact our office through the inquiry form.