課題Ⅰ 第６編 保有個人データに関する義務

Under the Act on the Protection of Personal Information, personal data held by a business operator for which the operator has the authority to respond to requests for disclosure, correction, deletion, etc. from the individual is called "retained personal data." Section 6 systematically sets out the obligations of business operators and the rights of individuals regarding this retained personal data, encompassing Articles 32 through 39. Disclosure requests and cessation-of-use requests appear especially frequently on the exam.

Article 32, Paragraph 1 imposes on business operators the obligation to make certain matters regarding retained personal data available to individuals. The specific items to be made known are: (a) the name, address, and representative's name of the business operator; (b) the purpose of use for ALL retained personal data; (c) procedures for requests such as disclosure; (d) the contact point for complaints; and (e) the name and complaint contact of any accredited personal information protection organization.

The 2022 amendment newly added (f) the content of security management measures to the list of items to be made known. In other words, business operators must publicly disclose what security management measures they have taken — for example, an outline of organizational, personnel-related, physical, and technical security management measures.

Acceptable methods for making information known include publication on the company website, posting at the office, and distributing pamphlets. The key point is that the information must be in a state where the individual can easily learn of it — merely storing it as an internal document is insufficient.

Under Article 32, Paragraph 2, individuals can request the business operator to notify them of the purpose of use of their retained personal data. The operator must notify the individual without delay upon receiving this request. "Without delay" means without unreasonable delay — the operator is required to respond within a reasonable period.

However, Article 32, Paragraph 3 provides exceptions where notification may be refused: (a) when the purpose of use has already been publicly announced; (b) when notification would risk harming the rights or interests of the individual or a third party; (c) when it would impede government agencies in carrying out duties prescribed by law. When the operator declines, the individual must be notified of that decision.

Article 33 establishes the individual's right to request disclosure of their retained personal data from the business operator. This is the most fundamental right among the individual's rights regarding retained personal data, and it is tested very frequently on the exam.

Before the 2022 amendment, disclosure was in principle limited to delivery in written form. However, after the amendment, individuals can now specify a method that includes provision via electromagnetic records (digital data) — for example, CSV files, email attachments, or web downloads. This is an important step toward realizing data portability.

In principle, the business operator must disclose via the method specified by the individual. However, if disclosure by that method would require excessive costs or is otherwise difficult, the operator may disclose by delivering a written document instead.

There are also legally prescribed grounds for refusing disclosure: (a) when it would risk harming the life, body, property, or other rights/interests of the individual or a third party; (b) when it would significantly impede the proper conduct of business operations; (c) when it would violate other laws or regulations. When the operator decides not to disclose, the individual must be notified without delay and given the reasons.

Article 34 provides the right for individuals to request correction, addition, or deletion when the content of retained personal data differs from the facts. An important point is that "differing from the facts" is a requirement — mere differences in evaluation or opinion do not qualify as grounds for a correction request.

Upon receiving a request, the business operator must promptly investigate within the scope necessary to achieve the purpose of use, and carry out correction etc. based on the results. The important point is the limitation "within the scope necessary for achieving the purpose of use." Whether or not correction is carried out, the individual must be notified without delay.

Article 35 governs the right to request cessation of use, etc. Under the old law before amendment, the right to request cessation was limited to specific cases — namely, violation of Article 18 (use beyond purpose) or violation of Article 20 (improper acquisition).

The 2022 amendment significantly expanded the right to request cessation of use. Three new grounds were added: (1) when the retained personal data is no longer needed; (2) when a breach as prescribed in Article 26, Paragraph 1 has occurred; (3) when the rights or legitimate interests of the individual may otherwise be harmed.

Furthermore, cessation of third-party provision can also be requested based on the same expanded grounds. In other words, individuals can also request that the provision of their retained personal data to third parties be stopped. When the operator finds the request to be justified, it must carry out cessation of use, etc. without delay.

When cessation of use would require excessive costs or is otherwise difficult, the business operator may respond by taking alternative measures to protect the rights and interests of the individual. For example, strengthening access restrictions on the relevant data may be considered.

Article 37 permits business operators to establish procedures for accepting requests such as disclosure. Specifically, they can prescribe: (a) where and how to submit requests; (b) documents necessary for identity verification (such as identification certificates); (c) information necessary to specify the retained personal data in question.

However, the established procedures must not impose an excessive burden on individuals. For example, only accepting requests at a specific distant counter, or requiring an unnecessarily large number of documents, is not permitted. Operators are required to create an environment where individuals can make requests easily and accurately.

Article 38 permits business operators to collect fees for requests such as disclosure. However, the fees must be within a range recognized as reasonable considering actual costs. Setting excessive fees that would de facto hinder the exercise of the individual's rights is not permitted.

Article 39 establishes the pre-litigation request system. Before an individual can file a lawsuit regarding disclosure, correction, or cessation of use, they must first make a request to the business operator. They cannot file directly with the court.

Specifically, the individual cannot file suit until 2 weeks have elapsed from the date of the request to the business operator. This 2-week period is intended to give the operator an opportunity to respond voluntarily. Of course, if the individual receives an unsatisfactory response, they can also file suit.

Organizing Section 6 as a whole: individual rights are exercised in the following flow. First, under Art. 32, request public notice and notification of purpose of use; under Art. 33, request disclosure; if the content has problems, request correction under Art. 34; if there is improper use, request cessation under Art. 35; and if the operator does not comply, file a lawsuit under Art. 39.