Employee Data Privacy

Japan - Cross-Border Data Transfer

 Download as a PDF

Are there any restrictions on transferring personal data and how can these be overcome?

Cross-border data transfers affect all organizations that engage online IT services, cloud-based services, remote access services and global HR databases. Understanding the applications of lawful data transfer mechanisms is essential to validate recipients located outside Japan.


In Japan, the Amended Act on the Protection of Personal Information outlines that personal data is allowed to be transferred outside Japan when:

  • consent is obtained in advance from the data subject (note: consent is not required in a few cases such as when the transfer is based on Japanese laws or regulations). The new law requires that data subjects are informed of the basic data privacy laws in the recipient country for consent to be valid. The Japanese government has published a summary of each country’s data privacy laws on: https://www.ppc.go.jp/personalinfo/legal/kaiseihogohou/ (in Japanese);
  • the Personal Information Protection Commission (PIPC) recognizes a foreign country as having at least equal protections as Japan; or,
  • a third party establishes a system that continually conforms to the standards prescribed by the Personal Information Protection Commission or, is certified under an international data protection regulation admitted by the PIPC such as APEC’s Cross Border Privacy Rules.

Before transferring sensitive personal information, described as “special care-required personal information” in the Act, to a third party inside or outside Japan, you must request consent with limited exceptions (such as when the data collection is required by law). For additional details, see the Employee Consent section.


My Number

The Japanese national identification number, My Number, should typically remain with the Japanese entity. Generally, the employer is prohibited from transferring employee (and other data subject’s) My Number data to third-parties, including group companies, even with employee consent. The exception to this is when a Japanese entity delegates the handling of My Number data to a vendor for the statutory purposes of tax, social insurance and assistance in natural disasters.


HR Best Practices: Update consent forms to include details about international data transfers, unless the foreign country has been recognized by the Commission as having equal protection of individual rights. Japan and the European Union have an agreement in place that allows most personal data transfers between Japan and EU member countries (i.e. these countries are considered as having “adequate” personal data protection regulations and practices). The UK is also recognized as having adequate protections in place.

Alternatively, consider establishing a personal data management process and security standard that meets the standards prescribed by the Commission. 


UKG's HR Compliance Assist team relies on a network of internal and external compliance experts and lawyers to provide clients with best practices and recommendations on topics such as HR document retention, employee data privacy, and HR electronic records. HR Compliance Assist also provides local compliance monitoring and alert services in select countries where UKG's customers have employees. HR Compliance Assist is a service exclusively available to UKG customers.

Share Your Feedback

Let's Talk