Has the data privacy authority issued any guidance on data privacy compliance in the context of transactional activity (including, but not limited to, share sales, asset sales, reorganizations or spinouts)?
Last review date: 17 January 2025
☒ Yes
If yes, please provide a link
The PPC has issued a brief alert regarding transactional activity.
https://www.ppc.go.jp/news/careful_information/gappei_soshikisaihen/ (in Japanese only)
In the context of an asset sale (the sale of a separate business unit as a going concern), does the acquiring entity inherit liability for pre-acquisition data privacy or cybersecurity breaches (connected with the assets that are the subject of the asset sale)?
Last review date: 17 January 2025
☒ No
In the context of a share sale (where the acquiring entity acquires 100% of the shares of a target company), does the acquiring entity inherit liability for pre-acquisition data privacy or cybersecurity breaches (connected with the target company)?
Last review date: 17 January 2025
☒ Unclear
There are no clear provisions and no helpful case studies. However, based on the Companies Act of Japan, we believe that the violating company itself, or the successor company that absorbs it, has the obligation to report to the PPC when a cybersecurity breach occurs.