
新GYOSEISHOSHI in Yotsuya, Shinjuku


Privacy Policy Drafting
Leave it to Our Firm


The EU General Data Protection Regulation (commonly known as GDPR), which became effective on May 25, 2018, applies to a wide range of businesses that collect information on individuals located in the European Economic Area (EEA) (including tourists and other temporary residents). Even if a business is not based in the EEA, if it collects cookie information or browsing information of individuals located in the EEA on its website, etc., it is subject to this regulation, so it is necessary to pay sufficient attention and take appropriate measures.

1. Main Features of the GDPR

(1) Broad scope of personal data

PC cookie information and browsing history are included in the scope of personal data.

(2) Broader scope of application

Businesses outside the European Economic Area (EEA) may also be covered.

(3) High fines for violating businesses

Up to 20 million euros or 4% of global sales, whichever is higher.

2. Major Enforcement Cases

(1) Marriott International

Marriott International, which operates a hotel business, was fined £99,200,396 (approximately 135 million yen) for leaking approximately 339 million records of personal information.

(2) British Airways

The airline British Airways was fined £183.39 million for a breach of the data of approximately 500,000 customers.

(3) Google

Google was fined 50 million euros (approximately 6.2 billion yen) for not clearly indicating the purpose of use of personal information and for obtaining users' consent in bulk.

Although the enforcement cases so far have involved only large companies, even small and medium-sized companies may be sanctioned if personal information is leaked, so it is imperative to take action. Our firm has extensive experience in drafting GDPR-compliant privacy policies, and we have been very successful in doing so.

If you are a business based in the EEA or an operator of an e-commerce site or other website that collects information (including cookie information, browsing information, etc.) on individuals located in the EEA, please contact us for a consultation.

Fee: $2,000 (excl. tax)

TEL: 090-7702-8565



1. Definition of Personal Information under the GDPR


GDPR Article 4(1):

‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

This is a difficult statement to understand, but the point is:

"Any information that can be used to identify an individual is personal information."

Therefore, in addition to names, addresses, and other information previously defined as personal information, cookie information, browsing information, and other information that can identify an individual is included within the scope of personal information.

2. Opt-in Consent

Under GDPR, the "consent" of the data subject is mandatory for the collection of personal information.


Under Japan's Personal Information Protection Law, notification of the purpose of use is sufficient at the time of collection, but the GDPR requires the "consent" of the data subject in addition to notification of the purpose of use.

Therefore, when a data subject accesses a website, he or she must be presented with the GDPR privacy policy, and his or her "consent" must be obtained before cookie information, etc. is acquired. This is the pop-up that appears when you visit a company's website these days. In rare cases, some websites set cookies automatically when an individual accesses the site and only afterwards explain how to opt out (withdraw consent); please note that this approach is not permitted under the GDPR.

In addition, if you deliver targeted advertising or use Google Analytics for access analysis, you must state this in your privacy policy and present it to the data subject before obtaining consent.
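The opt-in rule described above, as an added example that is not part of the original page: a small consent gate in which no non-essential cookie is set and no analytics script is loaded until the visitor has explicitly accepted, and in which withdrawing consent clears what was set. The cookie store and script loader are injected so it runs outside a browser; all names and the analytics URL are hypothetical placeholders.

```javascript
// Purposes a visitor can consent to; "essential" cookies need no consent.
const PURPOSES = ["analytics", "advertising"];
const ANALYTICS_SCRIPT_URL = "https://example.com/analytics.js"; // placeholder

function createConsentGate({ cookieJar, loadScript, now = () => Date.now() }) {
  // GDPR default: no consent record exists until the visitor opts in.
  let record = null;

  function hasConsent(purpose) {
    return record !== null && record.granted.includes(purpose);
  }

  // Called only from the banner's explicit "accept" action, never on page load.
  function grant(granted) {
    const unknown = granted.filter((p) => !PURPOSES.includes(p));
    if (unknown.length) throw new Error("unknown purpose: " + unknown.join(","));
    record = { granted: [...granted], timestamp: now() };
    // Analytics (e.g. Google Analytics) is loaded only after consent for it.
    if (hasConsent("analytics")) loadScript(ANALYTICS_SCRIPT_URL);
    return record;
  }

  // Withdrawal is as easy as consenting and removes already-set cookies.
  function withdraw() {
    record = null;
    cookieJar.clear();
    return record;
  }

  // Every non-essential cookie goes through this gate; returns false if blocked.
  function setCookie(purpose, name, value) {
    if (purpose !== "essential" && !hasConsent(purpose)) return false;
    cookieJar.set(name, value);
    return true;
  }

  return { hasConsent, grant, withdraw, setCookie, getRecord: () => record };
}
```

The opt-out pattern the text warns against corresponds to calling `cookieJar.set` directly on page load instead of through `setCookie`; the gate makes that path unavailable.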

3. Rights of the Data Subject

(1) Right to correction

Under Article 16 of the GDPR, if a business entity holds inaccurate personal data concerning a data subject, the data subject has the right to have the business entity correct it.

GDPR Article 16:

The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

(2) Right to be forgotten

Pursuant to Article 17 of the GDPR, data subjects have the right to have their personal data erased if the personal data collected falls under any of the following:

The data is no longer required to be stored by the business, for example because the legal retention period has expired

The data subject has withdrawn consent and there is no other legal basis for the processing

The personal data has been processed unlawfully, etc.

4. Transfer of Personal Data to Third Countries (transfer based on an adequacy decision)

In principle, the personal data of a data subject may not be transferred to a third country or international organization; it may be transferred only if the European Commission has decided, in accordance with Article 45(1) of the GDPR, that an adequate level of protection is ensured. Japan has been recognized by the European Commission as providing an adequate level of protection for personal data.

GDPR Article 45(1):

A transfer of personal data to a third country or an international organisation may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection. Such a transfer shall not require any specific authorisation.

5. Privacy of Children

Article 8(1) of the GDPR provides that the consent or authorization of the holder of parental responsibility is required when collecting the personal information of a child under 16 years of age; therefore, careful handling is required when collecting such information.

The original text of the GDPR can be found here.




Ogawa GYOSEISHOSHI JIMUSHO: 2-14-328 Saneicho Yotsuya, Shinjuku, Tokyo

Business hours: 9:00 am to 6:00 pm on weekdays
