[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"article:gaikoku-kiroku":3},{"meta":4,"markdown":233,"quiz":234},{"type":5,"articleId":6,"slug":7,"title":8,"titleEn":9,"category":10,"order":11,"seriesLabel":12,"summary":13,"publishedAt":14,"image":15,"tags":16,"vocabulary":22,"quizId":229,"source":230},"article","kjh-k1-h04-gaikoku-kiroku","gaikoku-kiroku","課題Ⅰ 第４編③ 外国にある第三者への提供の制限・記録義務・確認義務（法28条〜30条）","Restrictions on Cross-Border Transfer, Record-Keeping Obligations, and Confirmation Duties (Articles 28–30)","kojin-joho-hogo\u002Fkadai-1",1043,"課題Ⅰ 第４編③","Self-contained deep-dive into cross-border data transfer restrictions (Art. 28) — three lawful routes, the 2022 information-provision amendment, and the Japan-EU adequacy decision; record-keeping obligations when providing data (Art. 29) — record items, retention periods, methods, and exceptions; and confirmation\u002Frecord duties when receiving data (Art. 30) — the list-broker countermeasure, confirmation items, and the paired relationship with Art. 29.","2026-04-26T00:00:00Z","https:\u002F\u002Fimages.yamiyomi.com\u002Fkjh-k1-h04-gaikoku-kiroku.png",[17,18,19,20,21],"exam:個人情報保護士","topic:外国提供","law:法28条","law:法29条","law:法30条",[23,28,32,36,40,44,49,53,57,61,65,69,73,77,81,85,89,93,97,101,105,109,113,117,121,125,129,133,137,141,145,149,153,157,161,165,169,173,177,181,185,189,193,197,201,205,209,213,217,221,225],{"word":24,"reading":25,"meaning":26,"level":27},"外国","がいこく","foreign country","N2",{"word":29,"reading":30,"meaning":31,"level":27},"第三者","だいさんしゃ","third party",{"word":33,"reading":34,"meaning":35,"level":27},"制限","せいげん","restriction",{"word":37,"reading":38,"meaning":39,"level":27},"移転","いてん","transfer",{"word":41,"reading":42,"meaning":43,"level":27},"同等","どうとう","equivalent",{"word":45,"reading":46,"meaning":47,"level":48},"法制度","ほうせいど","legal system","N1",{"word":50,"reading":51,"meaning":52,"level":48},"要件","ようけん","requirement",{"word":54,"reading":55,"meaning":56,"level":27},"同意","どうい","consent",{"word":58,"reading":59,"meaning":60,"level":48},"措置","そち","measures",{"word":62,"reading":63,"meaning":64,"level":48},"規程","きてい","regulations",{"word":66,"reading":67,"meaning":68,"level":27},"改正","かいせい","amendment, revision",{"word":70,"reading":71,"meaning":72,"level":27},"義務","ぎむ","obligation, duty",{"word":74,"reading":75,"meaning":76,"level":27},"実施","じっし","implementation",{"word":78,"reading":79,"meaning":80,"level":27},"定期的","ていきてき","periodic, regular",{"word":82,"reading":83,"meaning":84,"level":27},"記録","きろく","record",{"word":86,"reading":87,"meaning":88,"level":27},"作成","さくせい","creation",{"word":90,"reading":91,"meaning":92,"level":27},"保存","ほぞん","retention, preservation",{"word":94,"reading":95,"meaning":96,"level":48},"根拠","こんきょ","basis, grounds",{"word":98,"reading":99,"meaning":100,"level":48},"電磁的","でんじてき","electronic",{"word":102,"reading":103,"meaning":104,"level":48},"一括","いっかつ","collective, batch",{"word":106,"reading":107,"meaning":108,"level":48},"受領者","じゅりょうしゃ","recipient",{"word":110,"reading":111,"meaning":112,"level":27},"取得","しゅとく","acquisition",{"word":114,"reading":115,"meaning":116,"level":48},"経緯","けいい","circumstances, background",{"word":118,"reading":119,"meaning":120,"level":27},"不正","ふせい","illicit, fraudulent",{"word":122,"reading":123,"meaning":124,"level":27},"流通","りゅうつう","circulation, distribution",{"word":126,"reading":127,"meaning":128,"level":27},"防止","ぼうし","prevention",{"word":130,"reading":131,"meaning":132,"level":48},"趣旨","しゅし","purpose, intent",{"word":134,"reading":135,"meaning":136,"level":48},"適法","てきほう","lawful, legitimate",{"word":138,"reading":139,"meaning":140,"level":27},"整備","せいび","establishment, maintenance",{"word":142,"reading":143,"meaning":144,"level":27},"認定","にんてい","certification, recognition",{"word":146,"reading":147,"meaning":148,"level":48},"十分性","じゅうぶんせい","adequacy, sufficiency",{"word":150,"reading":151,"meaning":152,"level":27},"相互","そうご","mutual, reciprocal",{"word":154,"reading":155,"meaning":156,"level":48},"締結","ていけつ","conclusion (of a contract)",{"word":158,"reading":159,"meaning":160,"level":48},"策定","さくてい","formulation, establishment",{"word":162,"reading":163,"meaning":164,"level":27},"概要","がいよう","outline, overview",{"word":166,"reading":167,"meaning":168,"level":48},"監督機関","かんとくきかん","supervisory authority",{"word":170,"reading":171,"meaning":172,"level":27},"判明","はんめい","discovered, revealed",{"word":174,"reading":175,"meaning":176,"level":48},"頻出","ひんしゅつ","frequently appearing",{"word":178,"reading":179,"meaning":180,"level":27},"年月日","ねんがっぴ","date (year-month-day)",{"word":182,"reading":183,"meaning":184,"level":27},"代替","だいたい","substitute, alternative",{"word":186,"reading":187,"meaning":188,"level":27},"反復","はんぷく","repetition",{"word":190,"reading":191,"meaning":192,"level":48},"委託","いたく","outsourcing, entrustment",{"word":194,"reading":195,"meaning":196,"level":48},"事業承継","じぎょうしょうけい","business succession",{"word":198,"reading":199,"meaning":200,"level":27},"共同利用","きょうどうりよう","joint use",{"word":202,"reading":203,"meaning":204,"level":48},"名簿屋","めいぼや","list broker, name-list dealer",{"word":206,"reading":207,"meaning":208,"level":48},"抑止","よくし","deterrence, suppression",{"word":210,"reading":211,"meaning":212,"level":27},"追跡","ついせき","tracking, tracing",{"word":214,"reading":215,"meaning":216,"level":48},"立法","りっぽう","legislation, lawmaking",{"word":218,"reading":219,"meaning":220,"level":27},"子会社","こがいしゃ","subsidiary",{"word":222,"reading":223,"meaning":224,"level":27},"所在","しょざい","location, whereabouts",{"word":226,"reading":227,"meaning":228,"level":48},"核心","かくしん","core, essence","kjh-k1-h04-quiz",{"name":231,"url":232},"Personal Information Protection Commission","https:\u002F\u002Fwww.ppc.go.jp\u002Fpersonalinfo\u002Flegal\u002F","\n::heading\n[外国]{がいこく:foreign country:N5}にある[第三者]{だいさんしゃ:third party:N1}への[提供]{ていきょう:provision:N1}の[制限]{せいげん:restriction:N3}（[法]{ほう:law:N3}[第]{だい:ordinal:N1}28[条]{じょう:article:N1}）\n\n#en\nRestrictions on Provision to Third Parties in Foreign Countries (Article 28)\n::\n\n::para\n[個人情報]{こじんじょうほう:personal information:N2}[保護法]{ほごほう:protection law:N1}[第]{だい:ordinal prefix:N1}28[条]{じょう:article (law):N1}は、[外国]{がいこく:foreign country:N5}にある[第三者]{だいさんしゃ:third party:N1}に[個人]{こじん:personal:N2}データを[提供]{ていきょう:provision, transfer:N1}する[場合]{ばあい:case, situation:N3}の[制限]{せいげん:restriction:N3}を[定めて]{さだめて:to stipulate:N3}いる。[国内]{こくない:domestic:N3}の[第三者]{だいさんしゃ:third party:N1}[提供]{ていきょう:provision:N1}（[法]{ほう:law:N3}27[条]{じょう:article:N1}）とは[別]{べつ:separate, distinct:N4}に、[外国]{がいこく:foreign country:N5}への[移転]{いてん:transfer:N2}には[追加]{ついか:additional:N3}の[要件]{ようけん:requirement:N3}が[課]{か:to impose:N2}される。その[趣旨]{しゅし:purpose, intent:N1}は、[外国]{がいこく:foreign country:N5}の[法制度]{ほうせいど:legal system:N3}が[日本]{にほん:Japan:N5}と[同等]{どうとう:equivalent:N3}の[保護]{ほご:protection:N1}[水準]{すいじゅん:level, standard:N2}を[確保]{かくほ:to ensure:N1}しているとは[限らない]{かぎらない:not necessarily:N3}ため、[本人]{ほんにん:the person themselves:N5}の[権利]{けんり:rights:N3}[利益]{りえき:interests:N1}を[守る]{まもる:to protect:N3}ことにある。\n\n#en\nArticle 28 of the Act on the Protection of Personal Information establishes restrictions on providing personal data to third parties located in foreign countries. In addition to the domestic third-party provision rules (Article 27), extra requirements are imposed on cross-border transfers. The purpose is to protect the rights and interests of the individual, because foreign legal systems do not necessarily ensure a level of protection equivalent to Japan’s.\n::\n\n::heading\n[適法]{てきほう:lawful:N3}な[越境]{えっきょう:cross-border:N2}[移転]{いてん:transfer:N2}の3つのルート\n\n#en\nThree routes for lawful cross-border transfer\n::\n\n::para\n[外国]{がいこく:foreign country:N5}にある[第三者]{だいさんしゃ:third party:N1}への[提供]{ていきょう:provision:N1}が[適法]{てきほう:lawful:N3}に[行える]{おこなえる:can be performed:N5}ルートは、[大]{おお:large:N5}きく[分けて]{わけて:divided into:N5}3つある。ルート1は[本人]{ほんにん:the person themselves:N5}の[同意]{どうい:consent:N4}を[得る]{える:to obtain:N3}[方法]{ほうほう:method:N3}、ルート2は[個人情報]{こじんじょうほう:personal information:N2}[保護]{ほご:protection:N1}[委員会]{いいんかい:commission:N2}が[認めた]{みとめた:recognized:N3}[国]{くに:country:N5}への[提供]{ていきょう:provision:N1}、ルート3は[適切]{てきせつ:appropriate:N3}な[体制]{たいせい:system, structure:N3}を[整備]{せいび:establish, put in order:N1}した[外国]{がいこく:foreign:N5}の[事業者]{じぎょうしゃ:business operator:N4}への[提供]{ていきょう:provision:N1}である。[以下]{いか:below:N4}、[各]{かく:each:N2}ルートを[詳しく]{くわしく:in detail:N1}[見て]{みて:to look at:N5}いく。\n\n#en\nThere are broadly three lawful routes for providing personal data to a third party in a foreign country. Route 1 is obtaining the individual’s consent. Route 2 is providing data to a country recognized by the Personal Information Protection Commission. Route 3 is providing data to a foreign business operator that has established an appropriate system of safeguards. Each route is examined in detail below.\n::\n\n::heading\nルート1：[本人]{ほんにん:individual:N5}の[同意]{どうい:consent:N4}（[情報]{じょうほう:information:N3}[提供]{ていきょう:provision:N1}[義務]{ぎむ:obligation:N1}[付き]{つき:with, attached:N3}）\n\n#en\nRoute 1: Individual consent (with information provision obligation)\n::\n\n::para\nルート1：[本人]{ほんにん:the person themselves:N5}の[同意]{どうい:consent:N4}。[原則]{げんそく:as a general rule:N2}として、[外国]{がいこく:foreign country:N5}にある[第三者]{だいさんしゃ:third party:N1}に[個人]{こじん:personal:N2}データを[提供]{ていきょう:provision:N1}するには、あらかじめ[本人]{ほんにん:the person themselves:N5}の[同意]{どうい:consent:N4}を[得]{え:to obtain:N3}なければならない。ただし、2022[年]{ねん:year:N5}[改正]{かいせい:amendment:N2}により、[単]{たん:simply:N3}に「[外国]{がいこく:foreign country:N5}の[第三者]{だいさんしゃ:third party:N1}に[提供]{ていきょう:provision:N1}してよいか」と[尋ねる]{たずねる:to ask:N1}だけでは[不十分]{ふじゅうぶん:insufficient:N4}となった。[同意]{どうい:consent:N4}を[取得]{しゅとく:obtain:N3}する[前]{まえ:before:N5}に、[移転]{いてん:transfer:N2}[先]{さき:destination:N5}の[外国]{がいこく:foreign country:N5}における[個人情報]{こじんじょうほう:personal information:N2}[保護]{ほご:protection:N1}[制度]{せいど:system:N3}に[関する]{かんする:concerning:N3}[情報]{じょうほう:information:N3}を[本人]{ほんにん:the person themselves:N5}に[提供]{ていきょう:provide:N1}する[義務]{ぎむ:obligation:N1}が[追加]{ついか:added:N3}された（[情報]{じょうほう:information:N3}[提供]{ていきょう:provision:N1}[義務]{ぎむ:obligation:N1}）。\n\n#en\nRoute 1: Consent of the individual. As a general rule, providing personal data to a third party in a foreign country requires the prior consent of the individual. However, under the 2022 amendment, simply asking \"may we provide your data to a third party abroad?\" is no longer sufficient. Before obtaining consent, the operator must now provide the individual with information about the personal information protection regime in the destination country (the information provision obligation).\n::\n\n::para\n[具体的]{ぐたいてき:specifically:N3}に[提供]{ていきょう:provide:N1}すべき[情報]{じょうほう:information:N3}は[次]{つぎ:following:N3}のとおりである。（a）[移転]{いてん:transfer:N2}[先]{さき:destination:N5}の[外国]{がいこく:foreign country:N5}の[名称]{めいしょう:name:N1}。（b）[当該]{とうがい:relevant:N1}[外国]{がいこく:foreign country:N5}における[個人]{こじん:personal:N2}データの[保護]{ほご:protection:N1}に[関する]{かんする:concerning:N3}[制度]{せいど:system:N3}の[概要]{がいよう:outline, overview:N1}（[例]{れい:example:N3}：[独立]{どくりつ:independent:N1}した[監督]{かんとく:supervisory:N1}[機関]{きかん:authority:N3}の[有無]{うむ:presence or absence:N4}、[本人]{ほんにん:individual:N5}の[権利]{けんり:rights:N3}に[関する]{かんする:concerning:N3}[制度]{せいど:system:N3}など）。（c）[提供]{ていきょう:provision:N1}[先]{さき:destination:N5}の[第三者]{だいさんしゃ:third party:N1}が[講ずる]{こうずる:to implement:N2}[個人情報]{こじんじょうほう:personal information:N2}の[保護]{ほご:protection:N1}のための[措置]{そち:measures:N1}に[関する]{かんする:concerning:N3}[情報]{じょうほう:information:N3}。これらの[情報]{じょうほう:information:N3}は[本人]{ほんにん:the person themselves:N5}が[合理的]{ごうりてき:rational, reasonable:N3}に[判断]{はんだん:judgment:N3}できる[程度]{ていど:degree:N3}に[具体的]{ぐたいてき:specific:N3}でなければならない。\n\n#en\nSpecifically, the information that must be provided is as follows. (a) The name of the destination foreign country. (b) An outline of the personal data protection regime in that country (e.g., whether an independent supervisory authority exists, the system of individual rights, etc.). (c) Information about the measures the destination third party takes for the protection of personal information. This information must be specific enough for the individual to make a reasonable judgment.\n::\n\n::heading\nルート2：[同等]{どうとう:equivalent:N3}[水準]{すいじゅん:level:N2}の[国]{くに:country:N5}（EU・[英国]{えいこく:UK:N4}）\n\n#en\nRoute 2: Countries with equivalent level (EU \u002F UK)\n::\n\n::para\nルート2：[個人情報]{こじんじょうほう:personal information:N2}[保護]{ほご:protection:N1}[委員会]{いいんかい:commission:N2}が[認めた]{みとめた:recognized:N3}[国]{くに:country:N5}。[日本]{にほん:Japan:N5}と[同等]{どうとう:equivalent:N3}の[水準]{すいじゅん:level:N2}にあると[認められた]{みとめられた:recognized:N3}[外国]{がいこく:foreign country:N5}への[提供]{ていきょう:provision:N1}は、[国内]{こくない:domestic:N3}の[第三者]{だいさんしゃ:third party:N1}[提供]{ていきょう:provision:N1}と[同様]{どうよう:same, similar:N3}に[取り扱う]{とりあつかう:to handle:N1}ことができる。[現在]{げんざい:currently:N3}、[個人情報]{こじんじょうほう:personal information:N2}[保護]{ほご:protection:N1}[委員会]{いいんかい:commission:N2}が[認定]{にんてい:certification, recognition:N3}しているのは、EU（[欧州]{おうしゅう:Europe:N2}[連合]{れんごう:union:N3}）および[英国]{えいこく:United Kingdom:N4}のみである。つまり、ルート2で[提供]{ていきょう:provision:N1}できる[国]{くに:country:N5}は[非常]{ひじょう:very, extremely:N3}に[限定的]{げんていてき:limited:N3}であり、それ[以外]{いがい:other than:N4}の[国]{くに:country:N5}への[提供]{ていきょう:provision:N1}はルート1またはルート3によらなければならない。\n\n#en\nRoute 2: Countries recognized by the Personal Information Protection Commission. Provision to a foreign country recognized as having a level of protection equivalent to Japan’s can be handled in the same manner as domestic third-party provision. Currently, the only countries recognized by the Commission are the EU (European Union) and the United Kingdom. This means the countries available under Route 2 are extremely limited, and provision to other countries must follow Route 1 or Route 3.\n::\n\n::callout\n[日]{にち:Japan:N5}EU[相互]{そうご:mutual:N3}[認証]{にんしょう:certification, recognition:N1}：2019[年]{ねん:year:N5}1[月]{がつ:month:N5}に[日本]{にほん:Japan:N5}とEUは[相互]{そうご:mutual:N3}に[十分]{じゅうぶん:adequate, sufficient:N5}な[保護]{ほご:protection:N1}[水準]{すいじゅん:level:N2}を[有する]{ゆうする:to have:N4}と[認]{みと:to recognize:N3}め[合った]{あった:mutually:N3}（[十分性]{じゅうぶんせい:adequacy:N3}[認定]{にんてい:decision, certification:N3}）。したがって、EU[域内]{いきない:within the region:N2}の[企業]{きぎょう:company:N1}への[提供]{ていきょう:provision:N1}はルート2（[同等]{どうとう:equivalent:N3}[水準]{すいじゅん:level:N2}の[国]{くに:country:N5}）に[該当]{がいとう:to apply:N1}し、ルート1の[同意]{どうい:consent:N4}は[不要]{ふよう:unnecessary:N3}である。[同様]{どうよう:similarly:N3}に、EU[側]{がわ:side:N3}からも[日本]{にほん:Japan:N5}は[十分性]{じゅうぶんせい:adequacy:N3}[認定]{にんてい:decision:N3}を[受けて]{うけて:received:N3}おり、GDPR[上]{じょう:under:N5}の[制限]{せいげん:restrictions:N3}なくデータを[移転]{いてん:transfer:N2}できる。[試験]{しけん:exam:N4}では「[相互]{そうご:mutual:N3}[認証]{にんしょう:certification:N1}」「[十分性]{じゅうぶんせい:adequacy:N3}[認定]{にんてい:decision:N3}」「2019[年]{ねん:year:N5}」のキーワードがよく[問われる]{とわれる:asked about:N4}。\n\n#en\nJapan-EU mutual recognition: In January 2019, Japan and the EU mutually recognized each other as having an adequate level of protection (adequacy decision). Therefore, provision to companies within the EU falls under Route 2 (country with equivalent level), and consent under Route 1 is not required. Similarly, Japan has received an adequacy decision from the EU side, allowing data transfer without restrictions under the GDPR. The exam frequently tests the keywords \"mutual recognition,\" \"adequacy decision,\" and \"2019.\"\n::\n\n::heading\nルート3：[体制]{たいせい:system:N3}を[整備]{せいび:establish:N1}した[外国]{がいこく:foreign:N5}[事業者]{じぎょうしゃ:operator:N4}\n\n#en\nRoute 3: Foreign operators with an established system\n::\n\n::para\nルート3：[体制]{たいせい:system, structure:N3}を[整備]{せいび:establish:N1}した[外国]{がいこく:foreign:N5}の[事業者]{じぎょうしゃ:business operator:N4}。[提供]{ていきょう:provision:N1}[先]{さき:destination:N5}の[外国]{がいこく:foreign:N5}[事業者]{じぎょうしゃ:operator:N4}が、[日本]{にほん:Japan:N5}の[個人情報]{こじんじょうほう:personal information:N2}[保護法]{ほごほう:protection law:N1}と[同等]{どうとう:equivalent:N3}の[措置]{そち:measures:N1}を[継続的]{けいぞくてき:continuously:N1}に[講じている]{こうじている:implementing:N2}[場合]{ばあい:case:N3}は、[本人]{ほんにん:individual:N5}の[同意]{どうい:consent:N4}なく[提供]{ていきょう:provide:N1}できる。[具体的]{ぐたいてき:specifically:N3}には、APEC・CBPRシステムの[認証]{にんしょう:certification:N1}を[取得]{しゅとく:obtain:N3}している[場合]{ばあい:case:N3}や、[提供]{ていきょう:provision:N1}[元]{もと:source:N4}との[間]{あいだ:between:N5}で[個人]{こじん:personal:N2}データの[取扱い]{とりあつかい:handling:N1}に[関する]{かんする:concerning:N3}[契約]{けいやく:contract:N1}を[締結]{ていけつ:conclusion (of a contract):N1}している[場合]{ばあい:case:N3}、グループ[企業]{きぎょう:company:N1}[内]{ない:within:N3}の[規程]{きてい:regulations:N3}（BCR: Binding Corporate Rules）を[策定]{さくてい:formulation:N1}している[場合]{ばあい:case:N3}などが[該当]{がいとう:applicable:N1}する。\n\n#en\nRoute 3: Foreign business operators with an established system. If the destination foreign operator continuously implements measures equivalent to Japan’s Act on the Protection of Personal Information, data may be provided without the individual’s consent. Specifically, this includes cases where the foreign party has obtained APEC CBPR system certification, has concluded a contract with the provider concerning the handling of personal data, or has formulated intra-group regulations (BCR: Binding Corporate Rules).\n::\n\n::para\nルート3を[利用]{りよう:use:N3}する[場合]{ばあい:case:N3}、[提供]{ていきょう:provision:N1}[元]{もと:source:N4}の[事業者]{じぎょうしゃ:operator:N4}には2つの[継続的]{けいぞくてき:ongoing:N1}[義務]{ぎむ:obligation:N1}が[課される]{かされる:imposed:N2}。[第]{だい:ordinal:N1}[一]{いち:one:N5}に、[提供]{ていきょう:provision:N1}[先]{さき:destination:N5}の[外国]{がいこく:foreign:N5}[事業者]{じぎょうしゃ:operator:N4}が[引き続き]{ひきつづき:continuously:N3}[適切]{てきせつ:appropriate:N3}な[措置]{そち:measures:N1}を[講じている]{こうじている:implementing:N2}かどうかを[定期的]{ていきてき:periodically:N3}に[確認]{かくにん:verify:N3}しなければならない。[第]{だい:ordinal:N1}[二]{に:two:N5}に、[本人]{ほんにん:the person themselves:N5}の[求め]{もとめ:request:N3}に[応じて]{おうじて:in response to:N1}、[提供]{ていきょう:provision:N1}[先]{さき:destination:N5}の[措置]{そち:measures:N1}の[実施]{じっし:implementation:N1}[状況]{じょうきょう:status:N2}に[関する]{かんする:concerning:N3}[情報]{じょうほう:information:N3}を[本人]{ほんにん:individual:N5}に[提供]{ていきょう:provide:N1}しなければならない。[問題]{もんだい:problem:N4}が[判明]{はんめい:found, revealed:N3}した[場合]{ばあい:case:N3}は、[提供]{ていきょう:provision:N1}の[停止]{ていし:suspension:N2}を[含む]{ふくむ:including:N2}[必要]{ひつよう:necessary:N3}な[措置]{そち:measures:N1}を[講じる]{こうじる:to take:N2}[義務]{ぎむ:obligation:N1}がある。\n\n#en\nWhen using Route 3, two ongoing obligations are imposed on the providing operator. First, it must periodically verify whether the destination foreign operator continues to implement appropriate measures. Second, it must provide the individual, upon request, with information about the implementation status of the destination’s measures. If problems are discovered, the provider has an obligation to take necessary measures, including suspending the provision.\n::\n\n::callout\n「[外国]{がいこく:foreign country:N5}」の[定義]{ていぎ:definition:N1}に[注意]{ちゅうい:attention, caution:N4}が[必要]{ひつよう:necessary:N3}である。[法]{ほう:law:N3}28[条]{じょう:article:N1}の「[外国]{がいこく:foreign country:N5}」とは[日本]{にほん:Japan:N5}[以外]{いがい:other than:N4}の[国]{くに:country:N5}・[地域]{ちいき:region:N2}を[指す]{さす:to refer to:N3}。[外国]{がいこく:foreign:N5}[企業]{きぎょう:company:N1}であっても、[日本]{にほん:Japan:N5}[国内]{こくない:domestic:N3}に[所在]{しょざい:located:N3}する[事業所]{じぎょうしょ:office, establishment:N3}（[例]{れい:e.g.:N3}：[日本]{にほん:Japan:N5}[法人]{ほうじん:corporation:N3}である[子会社]{こがいしゃ:subsidiary:N4}）に[提供]{ていきょう:providing:N1}する[場合]{ばあい:case:N3}は、「[外国]{がいこく:foreign country:N5}にある[第三者]{だいさんしゃ:third party:N1}」には[該当]{がいとう:applicable:N1}しないため、[法]{ほう:law:N3}28[条]{じょう:article:N1}の[適用]{てきよう:application:N3}は[受けない]{うけない:does not receive:N3}。[逆]{ぎゃく:conversely:N2}に、[日本]{にほん:Japan:N5}[企業]{きぎょう:company:N1}の[海外]{かいがい:overseas:N4}[支店]{してん:branch:N3}に[提供]{ていきょう:providing:N1}する[場合]{ばあい:case:N3}は、[同一]{どういつ:same:N4}[法人]{ほうじん:corporation:N3}[内]{ない:within:N3}であっても[外国]{がいこく:foreign country:N5}にある[第三者]{だいさんしゃ:third party:N1}には[該当]{がいとう:applicable:N1}しない（[同一]{どういつ:same:N4}[法人]{ほうじん:corporation:N3}なので「[第三者]{だいさんしゃ:third party:N1}」ではない）。\n\n#en\nCaution is needed regarding the definition of \"foreign country.\" Under Article 28, \"foreign country\" refers to any country or region other than Japan. Even for a foreign company, if data is provided to its establishment located within Japan (e.g., a subsidiary that is a Japanese corporation), it does not constitute a \"third party in a foreign country,\" so Article 28 does not apply. Conversely, providing data to an overseas branch of a Japanese company does not constitute a \"third party in a foreign country\" either (because it is not a \"third party\" — it is the same legal entity).\n::\n\n::para\n[法]{ほう:law:N3}28[条]{じょう:article:N1}の[試験]{しけん:exam:N4}ポイントを[整理]{せいり:organize:N1}する。[第]{だい:ordinal:N1}[一]{いち:one:N5}に、3つのルートの[区別]{くべつ:distinction:N2}。[第]{だい:ordinal:N1}[二]{に:two:N5}に、2022[年]{ねん:year:N5}[改正]{かいせい:amendment:N2}で[追加]{ついか:added:N3}された[情報]{じょうほう:information:N3}[提供]{ていきょう:provision:N1}[義務]{ぎむ:obligation:N1}の[内容]{ないよう:content:N3}（a・b・c）。[第]{だい:ordinal:N1}[三]{さん:three:N5}に、ルート3の[場合]{ばあい:case:N3}の[継続的]{けいぞくてき:ongoing:N1}[確認]{かくにん:verification:N3}[義務]{ぎむ:obligation:N1}。[第]{だい:ordinal:N1}[四]{よん:four:N5}に、[日]{にち:Japan:N5}EU[相互]{そうご:mutual:N3}[認証]{にんしょう:certification:N1}はルート2に[該当]{がいとう:applicable:N1}するという[点]{てん:point:N3}。これらは[択一]{たくいつ:multiple choice:N1}[式]{しき:format:N3}の[問題]{もんだい:question:N4}で[頻出]{ひんしゅつ:frequently appearing:N1}する。\n\n#en\nLet us organize the exam points for Article 28. First, the distinction among the three routes. Second, the content of the information provision obligation added by the 2022 amendment (items a, b, c). Third, the ongoing verification obligation under Route 3. Fourth, the point that the Japan-EU mutual recognition falls under Route 2. These are frequently tested in multiple-choice questions.\n::\n\n::heading\n[記録]{きろく:record:N2}の[作成]{さくせい:creation:N3}[義務]{ぎむ:obligation:N1}（[法]{ほう:law:N3}[第]{だい:ordinal:N1}29[条]{じょう:article:N1}）\n\n#en\nObligation to Create Records (Article 29)\n::\n\n::para\n[法]{ほう:law:N3}[第]{だい:ordinal prefix:N1}29[条]{じょう:article:N1}は、[個人]{こじん:personal:N2}データを[第三者]{だいさんしゃ:third party:N1}に[提供]{ていきょう:provision:N1}した[場合]{ばあい:case:N3}に、[提供]{ていきょう:provision:N1}[側]{がわ:side:N3}の[事業者]{じぎょうしゃ:operator:N4}に[記録]{きろく:record:N2}の[作成]{さくせい:creation:N3}を[義務付けて]{ぎむづけて:to obligate:N1}いる。この[記録]{きろく:record:N2}[義務]{ぎむ:obligation:N1}は、[個人]{こじん:personal:N2}データが[誰]{だれ:who:N3}から[誰]{だれ:who:N3}に[渡った]{わたった:passed, transferred:N3}のかを[追跡]{ついせき:track, trace:N2}できるようにするトレーサビリティ[確保]{かくほ:ensuring:N1}の[一環]{いっかん:part:N1}である。\n\n#en\nArticle 29 obligates the providing business operator to create records when personal data is provided to a third party. This record-keeping obligation is part of ensuring traceability — the ability to track who personal data was transferred from and to.\n::\n\n::para\n[記録]{きろく:record:N2}すべき[事項]{じこう:matters:N1}は[以下]{いか:below:N4}のとおりである。（a）[個人]{こじん:personal:N2}データを[提供]{ていきょう:provided:N1}した[年月日]{ねんがっぴ:date:N5}。（b）[提供]{ていきょう:provision:N1}[先]{さき:destination:N5}の[第三者]{だいさんしゃ:third party:N1}の[氏名]{しめい:name:N1}または[名称]{めいしょう:title:N1}（[法人]{ほうじん:corporation:N3}の[場合]{ばあい:case:N3}は[代表者]{だいひょうしゃ:representative:N3}の[氏名]{しめい:name:N1}も[含む]{ふくむ:include:N2}）。（c）[提供]{ていきょう:provided:N1}した[個人]{こじん:personal:N2}データの[項目]{こうもく:items, categories:N1}。オプトアウト（[法]{ほう:law:N3}27[条]{じょう:article:N1}2[項]{こう:paragraph:N1}）に[基づく]{もとづく:based on:N1}[提供]{ていきょう:provision:N1}の[場合]{ばあい:case:N3}は、[上記]{じょうき:above:N3}に[加えて]{くわえて:in addition to:N3}「[法]{ほう:law:N3}27[条]{じょう:article:N1}の[規定]{きてい:provision:N3}による[旨]{むね:to the effect:N1}」および[本人]{ほんにん:individual:N5}の[氏名]{しめい:name:N1}も[記録]{きろく:record:N2}しなければならない。\n\n#en\nThe matters to be recorded are as follows. (a) The date on which the personal data was provided. (b) The name or title of the destination third party (for corporations, including the name of the representative). (c) The categories of personal data provided. In the case of provision based on the opt-out mechanism (Article 27, Paragraph 2), in addition to the above, \"to the effect that it is pursuant to Article 27\" and the individual’s name must also be recorded.\n::\n\n::para\n[記録]{きろく:record:N2}の[保存]{ほぞん:retention:N1}[期間]{きかん:period:N3}は[提供]{ていきょう:provision:N1}の[根拠]{こんきょ:basis:N1}や[方法]{ほうほう:method:N3}によって[異なる]{ことなる:to differ:N1}。[本人]{ほんにん:individual:N5}の[同意]{どうい:consent:N4}に[基づく]{もとづく:based on:N1}[提供]{ていきょう:provision:N1}：3[年]{ねん:year:N5}。オプトアウトに[基づく]{もとづく:based on:N1}[提供]{ていきょう:provision:N1}：3[年]{ねん:year:N5}。[契約書]{けいやくしょ:contract:N1}[等]{とう:etc.:N3}の[代替]{だいたい:substitute, alternative:N2}[記録]{きろく:record:N2}（[既存]{きそん:existing:N1}[書類]{しょるい:documents:N3}を[記録]{きろく:record:N2}に[代える]{かえる:to substitute:N4}[場合]{ばあい:case:N3}）：[最後]{さいご:last:N3}の[提供]{ていきょう:provision:N1}から3[年]{ねん:year:N5}。[一括]{いっかつ:batch:N1}[記録]{きろく:record:N2}（[同一]{どういつ:same:N4}の[第三者]{だいさんしゃ:third party:N1}に[反復]{はんぷく:repeatedly:N2}して[提供]{ていきょう:providing:N1}する[場合]{ばあい:case:N3}）：[最後]{さいご:last:N3}の[提供]{ていきょう:provision:N1}から3[年]{ねん:year:N5}。[試験]{しけん:exam:N4}では[保存]{ほぞん:retention:N1}[期間]{きかん:period:N3}の[数字]{すうじ:numbers:N3}がよく[問われる]{とわれる:asked about:N4}ので、[正確]{せいかく:accurate:N3}に[覚えて]{おぼえて:to memorize:N3}おくこと。\n\n#en\nThe retention period for records varies depending on the basis and method of provision. Provision based on the individual’s consent: 3 years. Provision based on opt-out: 3 years. Substitute records using contracts, etc. (when existing documents serve as the record): 3 years from the last provision. Batch records (when repeatedly providing to the same third party): 3 years from the last provision. The exam frequently tests these retention period figures, so they should be memorized precisely.\n::\n\n::para\n[記録]{きろく:record:N2}の[作成]{さくせい:creation:N3}[方法]{ほうほう:method:N3}は3つ[認められて]{みとめられて:permitted:N3}いる。[第]{だい:ordinal:N1}[一]{いち:one:N5}に、[文書]{ぶんしょ:document:N4}（[紙]{かみ:paper:N4}の[記録]{きろく:record:N2}）。[第]{だい:ordinal:N1}[二]{に:two:N5}に、[電磁的]{でんじてき:electronic:N1}[記録]{きろく:record:N2}（データベースやファイルなど）。[第]{だい:ordinal:N1}[三]{さん:three:N5}に、マイクロフィルム。また、[同一]{どういつ:same:N4}の[第三者]{だいさんしゃ:third party:N1}に[継続的]{けいぞくてき:continuously:N1}に[提供]{ていきょう:providing:N1}する[場合]{ばあい:case:N3}は、[提供]{ていきょう:provision:N1}のたびに[個別]{こべつ:individual:N2}の[記録]{きろく:record:N2}を[作成]{さくせい:create:N3}する[必要]{ひつよう:necessity:N3}はなく、[一括]{いっかつ:batch:N1}して[記録]{きろく:record:N2}を[作成]{さくせい:create:N3}できる。さらに、[契約書]{けいやくしょ:contract:N1}などの[既存]{きそん:existing:N1}[書類]{しょるい:documents:N3}に[必要]{ひつよう:necessary:N3}な[事項]{じこう:matters:N1}がすでに[記載]{きさい:stated:N1}されていれば、それを[記録]{きろく:record:N2}に[代える]{かえる:to substitute:N4}ことも[認められる]{みとめられる:permitted:N3}。\n\n#en\nThree methods of creating records are permitted. First, documents (paper records). Second, electronic records (databases, files, etc.). Third, microfilm. Additionally, when continuously providing data to the same third party, there is no need to create individual records for each provision — batch record-keeping is permitted. Furthermore, if existing documents such as contracts already contain the required matters, they may serve as a substitute for the record.\n::\n\n::para\n[重要]{じゅうよう:important:N3}な[例外]{れいがい:exception:N3}として、[委託]{いたく:outsourcing:N1}、[事業]{じぎょう:business:N4}[承継]{しょうけい:succession:N1}、[共同]{きょうどう:joint:N3}[利用]{りよう:use:N3}（[法]{ほう:law:N3}27[条]{じょう:article:N1}5[項]{こう:paragraph:N1}）による[提供]{ていきょう:provision:N1}の[場合]{ばあい:case:N3}は、[記録]{きろく:record:N2}の[作成]{さくせい:creation:N3}[義務]{ぎむ:obligation:N1}は[適用]{てきよう:application:N3}されない。これは、これらの[場合]{ばあい:case:N3}が[法律]{ほうりつ:law:N2}[上]{じょう:under:N5}「[第三者]{だいさんしゃ:third party:N1}[提供]{ていきょう:provision:N1}」に[該当]{がいとう:to constitute:N1}しないためである。したがって、[法]{ほう:law:N3}29[条]{じょう:article:N1}の[記録]{きろく:record:N2}[義務]{ぎむ:obligation:N1}が[発生]{はっせい:arise:N4}するのは、[本人]{ほんにん:individual:N5}の[同意]{どうい:consent:N4}またはオプトアウトに[基づいて]{もとづいて:based on:N1}[第三者]{だいさんしゃ:third party:N1}に[提供]{ていきょう:providing:N1}した[場合]{ばあい:case:N3}に[限られる]{かぎられる:limited to:N3}。\n\n#en\nAs an important exception, the record-keeping obligation does not apply when provision is based on outsourcing, business succession, or joint use (Article 27, Paragraph 5). This is because these cases do not legally constitute \"third-party provision.\" Therefore, the record-keeping obligation under Article 29 arises only when data is provided to a third party based on the individual’s consent or through the opt-out mechanism.\n::\n\n::para\n[法]{ほう:law:N3}29[条]{じょう:article:N1}の[試験]{しけん:exam:N4}ポイント：[記録]{きろく:record:N2}[事項]{じこう:matters:N1}の3つ（[年月日]{ねんがっぴ:date:N5}・[氏名]{しめい:name:N1}・[項目]{こうもく:categories:N1}）、オプトアウト[時]{じ:time, occasion:N5}の[追加]{ついか:additional:N3}[事項]{じこう:matters:N1}、[保存]{ほぞん:retention:N1}[期間]{きかん:period:N3}の[区分]{くぶん:classification:N2}、[記録]{きろく:record:N2}[方法]{ほうほう:method:N3}の3[種類]{しゅるい:types:N3}、そして[委託]{いたく:outsourcing:N1}・[事業]{じぎょう:business:N4}[承継]{しょうけい:succession:N1}・[共同]{きょうどう:joint:N3}[利用]{りよう:use:N3}は[記録]{きろく:record:N2}[不要]{ふよう:unnecessary:N3}であるという[例外]{れいがい:exception:N3}を[正確]{せいかく:accurately:N3}に[押さえる]{おさえる:to grasp:N3}こと。\n\n#en\nExam points for Article 29: the three record items (date, name, categories), the additional items required for opt-out, the classification of retention periods, the three methods of record-keeping, and the exception that outsourcing, business succession, and joint use do not require records. These must be grasped precisely.\n::\n\n::heading\n[第三者]{だいさんしゃ:third party:N1}[提供]{ていきょう:provision:N1}を[受ける]{うける:receive:N3}[際]{さい:occasion:N3}の[確認]{かくにん:confirmation:N3}[等]{とう:etc.:N3}（[法]{ほう:law:N3}[第]{だい:ordinal:N1}30[条]{じょう:article:N1}）\n\n#en\nConfirmation When Receiving Third-Party Provision (Article 30)\n::\n\n::para\n[法]{ほう:law:N3}[第]{だい:ordinal:N1}30[条]{じょう:article:N1}は、[第三者]{だいさんしゃ:third party:N1}から[個人]{こじん:personal:N2}データの[提供]{ていきょう:provision:N1}を[受ける]{うける:to receive:N3}[側]{がわ:side:N3}の[義務]{ぎむ:obligation:N1}を[規定]{きてい:stipulate:N3}している。[法]{ほう:law:N3}29[条]{じょう:article:N1}が[提供]{ていきょう:provision:N1}[側]{がわ:side:N3}の[義務]{ぎむ:obligation:N1}であるのに[対し]{たいし:in contrast:N3}、[法]{ほう:law:N3}30[条]{じょう:article:N1}は[受領]{じゅりょう:receipt:N2}[側]{がわ:side:N3}の[義務]{ぎむ:obligation:N1}であり、[両者]{りょうしゃ:both:N3}は[対]{つい:pair:N3}の[関係]{かんけい:relationship:N3}にある。この[二]{に:two:N5}つの[条文]{じょうぶん:provisions:N1}により、[個人]{こじん:personal:N2}データの[流通]{りゅうつう:circulation:N3}のトレーサビリティ（[追跡]{ついせき:tracking:N2}[可能性]{かのうせい:possibility:N3}）が[確保]{かくほ:ensured:N1}される。\n\n#en\nArticle 30 stipulates the obligations of the party receiving personal data from a third party. While Article 29 governs the provider’s obligations, Article 30 governs the recipient’s obligations — the two form a paired relationship. Together, these two provisions ensure the traceability (trackability) of personal data circulation.\n::\n\n::para\n[受領者]{じゅりょうしゃ:recipient:N2}がまず[行う]{おこなう:to perform:N5}べきなのは[確認]{かくにん:confirmation:N3}である。[確認]{かくにん:confirmation:N3}すべき[事項]{じこう:matters:N1}は2つある。（a）[提供者]{ていきょうしゃ:provider:N1}の[氏名]{しめい:name:N1}または[名称]{めいしょう:title:N1}および[住所]{じゅうしょ:address:N3}（[法人]{ほうじん:corporation:N3}の[場合]{ばあい:case:N3}は[代表者]{だいひょうしゃ:representative:N3}の[氏名]{しめい:name:N1}も[含む]{ふくむ:include:N2}）。（b）[提供者]{ていきょうしゃ:provider:N1}による[当該]{とうがい:relevant:N1}[個人]{こじん:personal:N2}データの[取得]{しゅとく:acquisition:N3}の[経緯]{けいい:circumstances, process:N1}。[特に]{とくに:especially:N4}（b）の[取得]{しゅとく:acquisition:N3}[経緯]{けいい:circumstances:N1}の[確認]{かくにん:confirmation:N3}は、[不正]{ふせい:illicit:N4}に[取得]{しゅとく:acquired:N3}されたデータが[流通]{りゅうつう:circulate:N3}するのを[防ぐ]{ふせぐ:to prevent:N2}ための[核心]{かくしん:core, essence:N1}[的]{てき:characteristic:N4}な[仕組み]{しくみ:mechanism:N3}である。\n\n#en\nThe first thing the recipient must do is carry out a confirmation. There are two matters to confirm. (a) The name or title and address of the provider (for corporations, including the name of the representative). (b) The circumstances under which the provider acquired the relevant personal data. Especially, the confirmation of (b) — the acquisition circumstances — is a core mechanism for preventing illicitly acquired data from entering circulation.\n::\n\n::para\n[確認]{かくにん:confirmation:N3}に[加えて]{くわえて:in addition to:N3}、[受領者]{じゅりょうしゃ:recipient:N2}は[記録]{きろく:record:N2}の[作成]{さくせい:creation:N3}・[保存]{ほぞん:retention:N1}[義務]{ぎむ:obligation:N1}も[負う]{おう:to bear:N3}。[記録]{きろく:record:N2}すべき[事項]{じこう:matters:N1}は[以下]{いか:below:N4}のとおりである。（a）[提供]{ていきょう:provision:N1}を[受けた]{うけた:received:N3}[年月日]{ねんがっぴ:date:N5}。（b）[確認]{かくにん:confirmed:N3}した[事項]{じこう:matters:N1}（[提供者]{ていきょうしゃ:provider:N1}の[情報]{じょうほう:information:N3}と[取得]{しゅとく:acquisition:N3}[経緯]{けいい:circumstances:N1}）。（c）[提供]{ていきょう:provided:N1}を[受けた]{うけた:received:N3}[個人]{こじん:personal:N2}データの[項目]{こうもく:items, categories:N1}。[保存]{ほぞん:retention:N1}[期間]{きかん:period:N3}は[法]{ほう:law:N3}29[条]{じょう:article:N1}と[同様]{どうよう:same:N3}の[基準]{きじゅん:standard:N1}が[適用]{てきよう:applied:N3}される。\n\n#en\nIn addition to the confirmation, the recipient also bears the obligation to create and retain records. The matters to be recorded are as follows. (a) The date on which the data was received. (b) The confirmed matters (provider information and acquisition circumstances). (c) The categories of personal data received. The same retention period standards as Article 29 apply.\n::\n\n::para\n[法]{ほう:law:N3}30[条]{じょう:article:N1}の[立法]{りっぽう:legislative:N3}[趣旨]{しゅし:purpose:N1}には[歴史的]{れきしてき:historical:N2}[背景]{はいけい:background:N3}がある。2015[年]{ねん:year:N5}[改正]{かいせい:amendment:N2}で[導入]{どうにゅう:introduction:N2}された[本]{ほん:this:N5}[条]{じょう:article:N1}は、いわゆる「[名簿]{めいぼ:list, directory:N1}[屋]{や:dealer:N4}」[問題]{もんだい:problem:N4}への[対策]{たいさく:countermeasure:N1}である。[名簿]{めいぼ:list:N1}[屋]{や:dealer:N4}とは、[個人]{こじん:personal:N2}データを[収集]{しゅうしゅう:collection:N3}・[販売]{はんばい:sale:N2}する[業者]{ぎょうしゃ:operator, dealer:N4}のことであり、[不正]{ふせい:illicit:N4}に[取得]{しゅとく:acquired:N3}された[個人]{こじん:personal:N2}データが[大量]{たいりょう:large quantities:N2}に[売買]{ばいばい:buying and selling:N4}されていた[実態]{じったい:actual conditions:N1}があった。[受領]{じゅりょう:receiving:N2}[側]{がわ:side:N3}にも[確認]{かくにん:confirmation:N3}[義務]{ぎむ:obligation:N1}を[課す]{かす:to impose:N2}ことで、[不正]{ふせい:illicit:N4}データの[流通]{りゅうつう:circulation:N3}を[抑止]{よくし:deterrence, suppression:N1}する[狙い]{ねらい:aim:N2}がある。\n\n#en\nThe legislative purpose of Article 30 has a historical background. Introduced by the 2015 amendment, this article was a countermeasure against the so-called \"list broker\" (meiboya) problem. List brokers are operators who collect and sell personal data, and the reality was that large quantities of illicitly acquired personal data were being bought and sold. By imposing a confirmation obligation on the receiving side as well, the aim is to deter the circulation of illicit data.\n::\n\n::callout\n[法]{ほう:law:N3}29[条]{じょう:article:N1}（[提供]{ていきょう:provision:N1}[側]{がわ:side:N3}の[記録]{きろく:record:N2}）と[法]{ほう:law:N3}30[条]{じょう:article:N1}（[受領]{じゅりょう:receipt:N2}[側]{がわ:side:N3}の[確認]{かくにん:confirmation:N3}・[記録]{きろく:record:N2}）は[常]{つね:always:N3}にセットで[出題]{しゅつだい:appearing in exams:N4}される。[提供]{ていきょう:provision:N1}[側]{がわ:side:N3}は「[記録]{きろく:record:N2}の[作成]{さくせい:creation:N3}」のみ、[受領]{じゅりょう:receipt:N2}[側]{がわ:side:N3}は「[確認]{かくにん:confirmation:N3}＋[記録]{きろく:record:N2}の[作成]{さくせい:creation:N3}」の[両方]{りょうほう:both:N3}が[必要]{ひつよう:necessary:N3}である[点]{てん:point:N3}に[注意]{ちゅうい:attention:N4}。[混同]{こんどう:confusion:N2}しやすいので、「29=[記録]{きろく:record:N2}、30=[確認]{かくにん:confirm:N3}＋[記録]{きろく:record:N2}」と[覚える]{おぼえる:to memorize:N3}こと。\n\n#en\nArticle 29 (provider-side records) and Article 30 (recipient-side confirmation and records) are always tested as a pair. Note that the providing side only needs to \"create records,\" while the receiving side needs both \"confirmation AND record creation.\" These are easily confused, so memorize: \"29 = record, 30 = confirm + record.\"\n::\n\n::para\n[法]{ほう:law:N3}30[条]{じょう:article:N1}の[試験]{しけん:exam:N4}ポイントを[整理]{せいり:organize:N1}する。[第]{だい:ordinal:N1}[一]{いち:one:N5}に、[確認]{かくにん:confirm:N3}すべき2つの[事項]{じこう:matters:N1}（[提供者]{ていきょうしゃ:provider:N1}の[氏名]{しめい:name:N1}・[住所]{じゅうしょ:address:N3}と[取得]{しゅとく:acquisition:N3}[経緯]{けいい:circumstances:N1}）。[第]{だい:ordinal:N1}[二]{に:two:N5}に、[記録]{きろく:record:N2}すべき3つの[事項]{じこう:matters:N1}（[年月日]{ねんがっぴ:date:N5}・[確認]{かくにん:confirmed:N3}[事項]{じこう:matters:N1}・データの[項目]{こうもく:categories:N1}）。[第]{だい:ordinal:N1}[三]{さん:three:N5}に、2015[年]{ねん:year:N5}[改正]{かいせい:amendment:N2}で[導入]{どうにゅう:introduced:N2}された[背景]{はいけい:background:N3}（[名簿]{めいぼ:list:N1}[屋]{や:dealer:N4}[対策]{たいさく:countermeasure:N1}）。[第]{だい:ordinal:N1}[四]{よん:four:N5}に、[法]{ほう:law:N3}29[条]{じょう:article:N1}との[対比]{たいひ:comparison:N2}（[提供]{ていきょう:provision:N1}[側]{がわ:side:N3}＝[記録]{きろく:record:N2}のみ、[受領]{じゅりょう:receipt:N2}[側]{がわ:side:N3}＝[確認]{かくにん:confirm:N3}＋[記録]{きろく:record:N2}）。\n\n#en\nLet us organize the exam points for Article 30. First, the two matters to confirm (provider’s name\u002Faddress and acquisition circumstances). Second, the three matters to record (date, confirmed matters, and data categories). Third, the background of its introduction in the 2015 amendment (list broker countermeasure). Fourth, the comparison with Article 29 (provider side = record only, recipient side = confirm + record).\n::\n",{"id":229,"title":235,"titleEn":236,"topicPath":237,"questions":238},"第４編 個人データに関する義務 確認テスト","Chapter 4: Obligations Regarding Personal Data — Practice Test","software\u002Fkojin-joho-hogo\u002Fkadai-1\u002Fhen-04-kojin-data-gimu",[239,267,291,316,339,361],{"id":240,"articleId":241,"question":242,"options":245,"correctLabel":255,"explanation":262,"tags":265},"kjh-k1-h04-q01","kjh-k1-h04-anzen-kanri",{"en":243,"jp":244},"Which of the following is NOT one of the four types of safety management measures?","[安全]{あんぜん:safety}[管理]{かんり:management}[措置]{そち:measures}の4[種類]{しゅるい:types}に[該当]{がいとう:applicable}しないものはどれか。",[246,250,254,258],{"label":247,"jp":248,"en":249},"ア","[組織的]{そしきてき:organizational}[安全]{あんぜん:safety}[管理]{かんり:management}[措置]{そち:measures}","Organizational safety management measures",{"label":251,"jp":252,"en":253},"イ","[人的]{じんてき:human}[安全]{あんぜん:safety}[管理]{かんり:management}[措置]{そち:measures}","Human safety management measures",{"label":255,"jp":256,"en":257},"ウ","[財務的]{ざいむてき:financial}[安全]{あんぜん:safety}[管理]{かんり:management}[措置]{そち:measures}","Financial safety management measures",{"label":259,"jp":260,"en":261},"エ","[技術的]{ぎじゅつてき:technical}[安全]{あんぜん:safety}[管理]{かんり:management}[措置]{そち:measures}","Technical safety management measures",{"en":263,"jp":264},"The four types of safety management measures are organizational, human, physical, and technical. \"Financial\" is not included.","[安全]{あんぜん:safety}[管理]{かんり:management}[措置]{そち:measures}は、[組織的]{そしきてき:organizational}、[人的]{じんてき:human}、[物理的]{ぶつりてき:physical}、[技術的]{ぎじゅつてき:technical}の4[種類]{しゅるい:types}である。「[財務的]{ざいむてき:financial}」は[含]{ふく:included}まれない。",[266],"安全管理措置",{"id":268,"articleId":241,"question":269,"options":272,"correctLabel":255,"explanation":285,"tags":288},"kjh-k1-h04-q02",{"en":270,"jp":271},"Which of the following is INCORRECT as a requirement for mandatory breach reporting (Article 26)?","[漏]{ろう:leak}えい[報告]{ほうこく:report}（[法]{ほう:law}[第]{だい:article}26[条]{じょう:article}）が[義務]{ぎむ:obligation}づけられる[要件]{ようけん:requirement}として[誤]{あやま:incorrect}っているものはどれか。",[273,276,279,282],{"label":247,"jp":274,"en":275},"[要]{よう:requiring}[配慮]{はいりょ:consideration}[個人]{こじん:personal}[情報]{じょうほう:information}の[漏]{ろう:leak}えい","Leakage of special care-required personal information",{"label":251,"jp":277,"en":278},"[不正]{ふせい:unauthorized}アクセスによる[漏]{ろう:leak}えいのおそれ","Risk of leakage due to unauthorized access",{"label":255,"jp":280,"en":281},"1[件]{けん:case}でも[漏]{ろう:leak}えいがあれば[必]{かなら:always}ず[報告]{ほうこく:report}が[必要]{ひつよう:necessary}","Reporting is always required even for a single case of leakage",{"label":259,"jp":283,"en":284},"[財産的]{ざいさんてき:financial}[被害]{ひがい:damage}が[生]{しょう:occur}じるおそれがある[漏]{ろう:leak}えい","Leakage where financial damage may occur",{"en":286,"jp":287},"Mandatory breach reporting applies to four categories: leakage of special care-required information, unauthorized access, risk of financial damage, and leakage exceeding 1,000 persons. A single case of leakage does not always trigger reporting obligations.","[漏]{ろう:leak}えい[報告]{ほうこく:report}が[義務]{ぎむ:obligation}づけられるのは、[要]{よう:requiring}[配慮]{はいりょ:consideration}[個人]{こじん:personal}[情報]{じょうほう:information}の[漏]{ろう:leak}えい、[不正]{ふせい:unauthorized}アクセス、[財産的]{ざいさんてき:financial}[被害]{ひがい:damage}のおそれ、1,000[人]{にん:persons}[超]{ちょう:exceeding}の[漏]{ろう:leak}えいの4[類型]{るいけい:types}である。1[件]{けん:case}の[漏]{ろう:leak}えいでも[必]{かなら:always}ず[報告]{ほうこく:report}[義務]{ぎむ:obligation}が[生]{しょう:occur}じるわけではない。",[289,290],"漏えい報告","26条",{"id":292,"articleId":293,"question":294,"options":297,"correctLabel":255,"explanation":310,"tags":313},"kjh-k1-h04-q03","kjh-k1-h04-daisan-sha-teikyou",{"en":295,"jp":296},"Which of the following is NOT an exception allowing third-party provision without the individual's consent?","[第三者]{だいさんしゃ:third party}[提供]{ていきょう:provision}の[例外]{れいがい:exception}（[本人]{ほんにん:individual}の[同意]{どうい:consent}なく[提供]{ていきょう:provision}できる[場合]{ばあい:case}）に[該当]{がいとう:applicable}しないものはどれか。",[298,301,304,307],{"label":247,"jp":299,"en":300},"[法令]{ほうれい:laws}に[基]{もと:based}づく[場合]{ばあい:case}","Cases based on laws and regulations",{"label":251,"jp":302,"en":303},"[委託]{いたく:entrustment}に[伴]{ともな:accompanying}う[提供]{ていきょう:provision}","Provision accompanying entrustment",{"label":255,"jp":305,"en":306},"グループ[会社]{がいしゃ:company}[間]{かん:between}の[情報]{じょうほう:information}[共有]{きょうゆう:sharing}","Information sharing between group companies",{"label":259,"jp":308,"en":309},"[事業]{じぎょう:business}[承継]{しょうけい:succession}に[伴]{ともな:accompanying}う[提供]{ていきょう:provision}","Provision accompanying business succession",{"en":311,"jp":312},"Entrustment, business succession, and joint use are stipulated as cases not constituting third-party provision. Merely being between group companies does not create an exception — the requirements for joint use must be satisfied.","[委託]{いたく:entrustment}、[事業]{じぎょう:business}[承継]{しょうけい:succession}、[共同]{きょうどう:joint}[利用]{りよう:use}は[第三者]{だいさんしゃ:third party}に[該当]{がいとう:applicable}しない[場合]{ばあい:case}として[規定]{きてい:stipulated}されている。グループ[会社]{がいしゃ:company}[間]{かん:between}というだけでは[例外]{れいがい:exception}にならず、[共同]{きょうどう:joint}[利用]{りよう:use}の[要件]{ようけん:requirements}を[満]{み:satisfy}たす[必要]{ひつよう:necessary}がある。",[314,315],"第三者提供","例外",{"id":317,"articleId":293,"question":318,"options":321,"correctLabel":255,"explanation":334,"tags":337},"kjh-k1-h04-q04",{"en":319,"jp":320},"Which of the following is correct about third-party provision through opt-out?","オプトアウトによる[第三者]{だいさんしゃ:third party}[提供]{ていきょう:provision}について[正]{ただ:correct}しいものはどれか。",[322,325,328,331],{"label":247,"jp":323,"en":324},"[要]{よう:requiring}[配慮]{はいりょ:consideration}[個人]{こじん:personal}[情報]{じょうほう:information}もオプトアウトで[提供]{ていきょう:provision}できる","Special care-required personal information can also be provided through opt-out",{"label":251,"jp":326,"en":327},"[個人]{こじん:personal}[情報]{じょうほう:information}[保護]{ほご:protection}[委員会]{いいんかい:commission}への[届出]{とどけで:notification}は[不要]{ふよう:unnecessary}である","Notification to the PPC is unnecessary",{"label":255,"jp":329,"en":330},"オプトアウトには[個人]{こじん:personal}[情報]{じょうほう:information}[保護]{ほご:protection}[委員会]{いいんかい:commission}への[届出]{とどけで:notification}が[必要]{ひつよう:necessary}である","Opt-out requires notification to the PPC",{"label":259,"jp":332,"en":333},"[不正]{ふせい:illegally}に[取得]{しゅとく:acquired}した[個人]{こじん:personal}データもオプトアウトで[提供]{ていきょう:provision}できる","Illegally acquired personal data can also be provided through opt-out",{"en":335,"jp":336},"Third-party provision through opt-out requires notification to the PPC. The 2020 amendment prohibited opt-out provision of special care-required information, illegally acquired data, and data obtained through opt-out.","オプトアウトによる[第三者]{だいさんしゃ:third party}[提供]{ていきょう:provision}にはPPCへの[届出]{とどけで:notification}が[必要]{ひつよう:necessary}。2020[年]{ねん:year}[改正]{かいせい:amendment}で、[要]{よう:requiring}[配慮]{はいりょ:consideration}[個人]{こじん:personal}[情報]{じょうほう:information}や[不正]{ふせい:illegally}[取得]{しゅとく:acquired}データ、オプトアウトで[取得]{しゅとく:acquired}したデータはオプトアウト[提供]{ていきょう:provision}が[禁止]{きんし:prohibited}された。",[338],"オプトアウト",{"id":340,"articleId":293,"question":341,"options":344,"correctLabel":251,"explanation":357,"tags":360},"kjh-k1-h04-q05",{"en":342,"jp":343},"Which of the following is correct about joint use?","[共同]{きょうどう:joint}[利用]{りよう:use}について[正]{ただ:correct}しいものはどれか。",[345,348,351,354],{"label":247,"jp":346,"en":347},"[共同]{きょうどう:joint}[利用]{りよう:use}[者]{しゃ:user}の[範囲]{はんい:scope}を[本人]{ほんにん:individual}に[通知]{つうち:notify}する[必要]{ひつよう:necessary}はない","There is no need to notify the individual of the scope of joint users",{"label":251,"jp":349,"en":350},"[共同]{きょうどう:joint}[利用]{りよう:use}[者]{しゃ:user}の[範囲]{はんい:scope}、[利用]{りよう:use}[目的]{もくてき:purpose}、[管理]{かんり:management}[責任者]{せきにんしゃ:responsible person}を[本人]{ほんにん:individual}に[通知]{つうち:notify}または[公表]{こうひょう:publicize}する[必要]{ひつよう:necessary}がある","The scope of joint users, purpose of use, and responsible manager must be notified or publicized to the individual",{"label":255,"jp":352,"en":353},"[共同]{きょうどう:joint}[利用]{りよう:use}はPPCへの[届出]{とどけで:notification}が[必要]{ひつよう:necessary}","Joint use requires notification to the PPC",{"label":259,"jp":355,"en":356},"[共同]{きょうどう:joint}[利用]{りよう:use}では[安全]{あんぜん:safety}[管理]{かんり:management}[措置]{そち:measures}の[義務]{ぎむ:obligation}は[免除]{めんじょ:exempt}される","Joint use exempts the obligation for safety management measures",{"en":358,"jp":359},"Joint use requires notifying or publicizing the scope of joint users, purpose of use, data items, and the name\u002Ftitle of the responsible manager. Notification to the PPC is not required.","[共同]{きょうどう:joint}[利用]{りよう:use}には、[共同]{きょうどう:joint}[利用]{りよう:use}[者]{しゃ:user}の[範囲]{はんい:scope}、[利用]{りよう:use}[目的]{もくてき:purpose}、データ[項目]{こうもく:items}、[管理]{かんり:management}[責任者]{せきにんしゃ:responsible person}の[氏名]{しめい:name}・[名称]{めいしょう:title}を[本人]{ほんにん:individual}に[通知]{つうち:notify}または[公表]{こうひょう:publicize}する[必要]{ひつよう:necessary}がある。PPCへの[届出]{とどけで:notification}は[不要]{ふよう:unnecessary}。",[198],{"id":362,"articleId":363,"question":364,"options":367,"correctLabel":255,"explanation":380,"tags":383},"kjh-k1-h04-q06","kjh-k1-h01-hotaikei",{"en":365,"jp":366},"Which of the following is correct about provision to third parties in foreign countries?","[外国]{がいこく:foreign}にある[第三者]{だいさんしゃ:third party}への[提供]{ていきょう:provision}について[正]{ただ:correct}しいものはどれか。",[368,371,374,377],{"label":247,"jp":369,"en":370},"[本人]{ほんにん:individual}の[同意]{どうい:consent}[取得]{しゅとく:acquisition}[時]{じ:time}に[外国]{がいこく:foreign}の[個人]{こじん:personal}[情報]{じょうほう:information}[保護]{ほご:protection}[制度]{せいど:system}に[関]{かん:related}する[情報]{じょうほう:information}[提供]{ていきょう:provision}は[不要]{ふよう:unnecessary}","Information about the foreign country's personal information protection system is unnecessary when obtaining consent",{"label":251,"jp":372,"en":373},"EU[加盟国]{かめいこく:member states}への[提供]{ていきょう:provision}は[常]{つね:always}に[同意]{どうい:consent}が[必要]{ひつよう:necessary}","Provision to EU member states always requires consent",{"label":255,"jp":375,"en":376},"2020[年]{ねん:year}[改正]{かいせい:amendment}で[本人]{ほんにん:individual}への[情報]{じょうほう:information}[提供]{ていきょう:provision}[義務]{ぎむ:obligation}が[強化]{きょうか:strengthened}された","The 2020 amendment strengthened the obligation to provide information to the individual",{"label":259,"jp":378,"en":379},"[外国]{がいこく:foreign}への[提供]{ていきょう:provision}は[一律]{いちりつ:uniformly}[禁止]{きんし:prohibited}されている","Provision to foreign countries is uniformly prohibited",{"en":381,"jp":382},"The 2020 amendment mandated providing information about the destination country's system when obtaining consent for foreign third-party provision. EU member states and the UK are PPC-approved countries, enabling provision without consent.","2020[年]{ねん:year}[改正]{かいせい:amendment}により、[外国]{がいこく:foreign}[第三者]{だいさんしゃ:third party}[提供]{ていきょう:provision}の[同意]{どうい:consent}[取得]{しゅとく:acquisition}[時]{じ:time}に[移転先]{いてんさき:transfer destination}[国]{くに:country}の[制度]{せいど:system}[情報]{じょうほう:information}[提供]{ていきょう:provision}が[義務化]{ぎむか:mandatory}された。EU[加盟国]{かめいこく:member states}や[英国]{えいこく:UK}はPPCが[認定]{にんてい:approved}した[国]{くに:country}であり、[同意]{どうい:consent}なしでの[提供]{ていきょう:provision}が[可能]{かのう:possible}。",[384],"外国第三者提供"]