IIJ Group's Binding Corporate Rules Approved by European Regulatory Body

PDF [416KB] / Japanese

TOKYO-September 13, 2021-Internet Initiative Japan Inc. (TSE1: 3774), one of Japan's leading Internet access and comprehensive network solutions providers, today announced that the Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (LDI NRW)--the Data Protection Authority (DPA) for the German Federal State North Rhine-Westphalia--approved the IIJ Group's Binding Corporate Rules (BCRs) on August 5, 2021. The BCRs are documented internal rules that define the group's personal data protection policies, written in accordance with the EU's General Data Protection Regulation (GDPR(*)). After the European Data Protection Board (EDPB)--a statutory body consisting of representatives of the data protection authorities of all EU member states, responsible for advising the European Commission--scrutinized IIJ's BCRs and issued a positive official opinion, leading to its approval by the LDI NRW.

IIJ Group is the first global cloud computing service provider in the world, including in Japan, to obtain BCR approval after the GDPR came into effect.

Background

The GDPR, which lays down rules governing personal data protection in the EEA and came into effect in 2018, establishes legal requirements that apply to personal data processing and transfers to countries outside the EEA. It also makes any breaches of these regulations subject to fines of up to 20 million EUR or 4% of annual worldwide turnover for the entire group to which they belong, whichever is higher.

Japanese enterprises that have offices in the EEA or do business in European markets must comply with the GDPR. Therefore, notwithstanding the European Commission's decision of Japan’s adequate level of data protection, effective as of January 23, 2019, these companies are still obligated to continue to comply with the GDPR when it comes to personal data transfers to third countries outside the EEA other than Japan, as well as personal data processing within the EEA. Companies must use only those processors that comply with the GDPR, even when outsourcing the management of IT systems that handle personal data.

Benefits to customers

Now that the IIJ Group's BCRs have been approved, customers doing business in Europe can readily transfer personal data outside the EEA and re-transfer it to third countries using the group's services, including cloud and mail services, with no need to worry about GDPR violations.

Moreover, while customers are accountable for explaining their services--when asked by an EEA regulatory body to prove the GDPR compliance of any outsourced services--using IIJ Group services makes it easy for customers to demonstrate this compliance, significantly reducing their burden of proof.

In addition, the Act on the Protection of Personal Information of Japan also has legal requirements for allowing companies to provide personal data to foreign contractors. In this respect, the BCRs’ approval means that IIJ customers can attest to having certain standard-compliant systems that continually fulfill personal data handlers’ obligations per the Personal Data Protection Act.

• (*)General Data Protection Regulation (GDPR): lays down obligations and rules concerning personal data processing and transfers in the EEA*1. The regulation imposes strict requirements on nearly all commercial entities doing business in the EEA. For example, it requires data processing*2 to be conducted with transparency, fairness, and well-defined purposes, in addition to minimized data retention periods. It also demands security protections against processing-related risks. Furthermore, data transfers must be performed under guarantees that data protections equivalent to the GDPR are in place in the transfer destination countries when personal data is transferred across national boundaries from any of the 30 countries in the EEA.
  *1 European Economic Area (EEA): The 27 EU-member states and Iceland, Lichtenstein, and Norway
  *2 Processing: Covers all work related to the recording, storage, or use of personal data.

IIJ continues to support its customers in complying with privacy protection regulations in Japan and abroad.

The statements within this release contain forward-looking statements about our future plans that involve risk and uncertainty. These statements may differ materially from actual future events or results.

• (*) All company names and service names used in this press release are the trademarks or registered trademarks of their respective owners.