Japan: Issued Guidance on Handling of Personal Data for Docomo and Nexia

On 15 February 2024, the Japanese Personal Data Protection Commission (PPC) announced it had issued a guidance concerning NTT DoCoMo, Inc. (Docomo) outsourcing of information management services toNTT Nexia, Inc. (Nexia) under Article 147 of the Personal Data Protection Act. The PPC reviewed the companies' data security practices following an incident where a temporary employee of Nexia accessed a personal cloud service without authorisation or consent, potentially leaking the personal data of approximately 5.96 million people. Docomo and Nexia have been instructed to adopt necessary and appropriate security and technical measures to prevent data leakage. The companies are also required to train employees in data handling. Finally, they have been instructed to submit a report on the implementation of the measures to prevent recurrence by 15 March 2024.