Top of Page
The group becomes the world's first cloud service provider to be approved to support the transfer and management of personal data in Europe
September 13, 2021
Internet Initiative Japan Inc.
TOKYO-September 13, 2021-Internet Initiative Japan Inc. (TSE1: 3774), one of Japan's leading Internet access and comprehensive network solutions providers, today announced that the Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (LDI NRW)--the Data Protection Authority (DPA) for the German Federal State North Rhine-Westphalia--approved the IIJ Group's Binding Corporate Rules (BCRs) on August 5, 2021. The BCRs are documented internal rules that define the group's personal data protection policies, written in accordance with the EU's General Data Protection Regulation (GDPR(*)). After the European Data Protection Board (EDPB)--a statutory body consisting of representatives of the data protection authorities of all EU member states, responsible for advising the European Commission--scrutinized IIJ's BCRs and issued a positive official opinion, leading to its approval by the LDI NRW.
IIJ Group is the first global cloud computing service provider in the world, including in Japan, to obtain BCR approval after the GDPR came into effect.
The GDPR, which lays down rules governing personal data protection in the EEA and came into effect in 2018, establishes legal requirements that apply to personal data processing and transfers to countries outside the EEA. It also makes any breaches of these regulations subject to fines of up to 20 million EUR or 4% of annual worldwide turnover for the entire group to which they belong, whichever is higher.
Japanese enterprises that have offices in the EEA or do business in European markets must comply with the GDPR. Therefore, notwithstanding the European Commission's decision of Japan’s adequate level of data protection, effective as of January 23, 2019, these companies are still obligated to continue to comply with the GDPR when it comes to personal data transfers to third countries outside the EEA other than Japan, as well as personal data processing within the EEA. Companies must use only those processors that comply with the GDPR, even when outsourcing the management of IT systems that handle personal data.
Now that the IIJ Group's BCRs have been approved, customers doing business in Europe can readily transfer personal data outside the EEA and re-transfer it to third countries using the group's services, including cloud and mail services, with no need to worry about GDPR violations.
Moreover, while customers are accountable for explaining their services--when asked by an EEA regulatory body to prove the GDPR compliance of any outsourced services--using IIJ Group services makes it easy for customers to demonstrate this compliance, significantly reducing their burden of proof.
In addition, the Act on the Protection of Personal Information of Japan also has legal requirements for allowing companies to provide personal data to foreign contractors. In this respect, the BCRs’ approval means that IIJ customers can attest to having certain standard-compliant systems that continually fulfill personal data handlers’ obligations per the Personal Data Protection Act.
IIJ continues to support its customers in complying with privacy protection regulations in Japan and abroad.
About IIJ
Founded in 1992, IIJ is one of Japan's leading Internet-access and comprehensive network solutions providers. IIJ and its group companies provide total network solutions that mainly cater to high-end corporate customers. IIJ's services include high-quality Internet connectivity services, systems integration, cloud computing services, security services and mobile services. Moreover, IIJ has built one of the largest Internet backbone networks in Japan that is connected to the United States, the United Kingdom and Asia. IIJ was listed on the First Section of the Tokyo Stock Exchange in 2006.
The statements within this release contain forward-looking statements about our future plans that involve risk and uncertainty. These statements may differ materially from actual future events or results.
End of the page.