Personal Information Protection Systems of Countries Receiving Information
Weverse Company Inc. (hereinafter “the company”) provides various services to its customers, and in the process, the company comes across many occasions in which the user’s personal information needs to be provided to companies located outside the country or region of the user’s residence, with the user’s consent. The company’s Privacy Policy describes that the company may provide the user’s personal information to companies outside the country.
This page describes the details of the company’s provision of user’s personal information to companies outside the country or region of the user’s residence, using the privacy regulations of other countries as reference.
The privacy regulations of various countries have been examined according to the below standards.
Existence of the data privacy regulations
This is an indication of whether the country has established data protection and privacy regulations, including a comprehensive regulation.
Reference for data privacy regulations
The following types of information are used as references for the standards of each country’s privacy regulations.
It will be indicated if the privacy regulations of the corresponding country/region is equivalent to those of Japan.
It will be indicated if the EU adequacy decision has been adopted in the corresponding country/region.
EU adequacy decision refers to the European Commission’s decision that indicates the corresponding country/region has secured an adequate level of data protection. If a country has adopted the EU adequacy decision, we can expect the same level of protection of personal information in the country/region as in Japan.
It will be indicated if the corresponding country/region is a participating country of the APEC CBPR system.
When the corresponding country/region is a participating country of the APEC CBPR system, we can expect the same level of protection of personal information in the country/region as in Japan, as it signifies that the laws of the corresponding country/region would be enforced in compliance with the APEC privacy framework and an enforcement office.
It will be indicated, as necessary, if the privacy regulation of the corresponding country/region includes rules that meet OECD’s Eight Principles.
OECD’s Eight Principles provides the basic principles to be referenced in performing international efforts for personal information protection, and they are considered to be the substantial global standards for each country’s establishment of the personal information protection system.
In this page, it will be indicated if the data privacy regulation of the corresponding country/region includes rules corresponding to OECD’s Eight Principles, according to the following legends for each of OECD’s Eight Principles.
Legends: ○ Rules are included in the comprehensive system; ∆ Certain rules are included in the comprehensive system/Rules are included in individual systems; — No rules could be found
OECD’s Eight Principles are as indicated in (1) to (8) below.
Personal data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.
Personal data should be relevant to the purposes for which they are to be used, and should be accurate, complete and kept up-to-date
The purposes for which personal data are collected should be specified, and the subsequent use limited to the fulfillment of those purposes.
Personal data should not be used for purposes other than those specified except with the consent of the data subject or by the authority of law.
Personal data should be protected by reasonable security safeguards against such risks as loss, destruction, use, modification or disclosure of data.
There should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available of establishing the existence of personal data, and the purposes of their use, as well as the data controller.
An individual should have the right to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him, and to challenge data relating to him.
A data controller should be accountable for complying with measures which give effect to the principles stated above.
Existence of system that may significantly affect the rights and interests of individuals
Information on whether there is a system that may significantly affect the rights and interests of individuals pursuant to the transfer of personal data to the corresponding country/region in comparison to Japan’s data privacy regulation is indicated.
Specifically, the following information which may significantly affect the rights and interests of individuals in the system of the corresponding country/region is indicated; namely, (1) existence of rules which directly obligate the recipient of personal information, which was collected within the corresponding country/region, to retain such personal information within the corresponding country/region, or obligates the recipient of personal information to substantially retain such personal information within the corresponding country/region by imposing restrictions on carrying such personal information outside the corresponding country/region (system related to data localization), and (2) existence of rules which allow the government to access the personal data retained by private businesses or obligate private businesses to provide personal data to the government under laws for the purpose of enforcement of criminal laws and/or national security safeguards (system related to government access).
Please note that the information may not be the latest at present, as each country periodically updates the information related to the data privacy regulation. Please review the information on the data privacy regulations of foreign countries provided by the Personal Information Protection Commission of Japan. (Source: Personal Information Protection Commission of Japan)
- Existence of the data privacy regulations
- Comprehensive system: Yes
- Reference for data privacy regulations
- EU adequacy decision: Adopted
- CBPR system: Participating
- Existence of system that will significantly affect the rights and interests of individuals
- Disclosure and notification of personal information of convicted sex offenders
- Existence of the data privacy regulations
- Comprehensive system: Yes
- Reference for data privacy regulations
- There is a data privacy regulation acknowledged as being the same level as in Japan.
- Existence of the data privacy regulations
- Comprehensive system: No
- System of individual sectors/regions: Yes
- Reference for data privacy regulations
- EU adequacy decision: Not adopted
- CBPR system: Participating
- Existence of system that will significantly affect the rights and interests of individuals
- None
- Existence of the data privacy regulations
- Comprehensive system: Yes
- Reference for data privacy regulations
- EU adequacy decision: Not adopted
- CBPR system: Participating
- Existence of system that will significantly affect the rights and interests of individuals
- There is a system related to government access that may significantly affect the rights and interests of individuals.
- Existence of the data privacy regulations
- Comprehensive system: Yes
- Reference for data privacy regulations
- There is a data privacy regulation acknowledged as being the same level as in Japan.
- Existence of the data privacy regulations
- Comprehensive system: Yes
- Reference for data privacy regulations
- EU adequacy decision: Adopted
- CBPR system: Participating
- Existence of system that will significantly affect the rights and interests of individuals
- None