's response to EU "GDPR" and revision of privacy policy

update Last updated: September 11, 2023 at 9:43 PM

We have entered into a contract with Google and have incorporated it into our system in order to generate server operating costs for our website ( Google AdSense * , we have made it compatible with GDPR, which came into effect in the EU on May 25, 2018.
In conjunction with this, we have also revised our website's privacy policy.

* It is an advertising service provided by Google and implements the WordPress plugin “Site Kit by Google”

GDPR (General Data Protection Regulation) is a privacy policy imposed on all publishers who serve ads to users in the European Economic Area (EEA) or the United Kingdom (UK). If it is from Japan, it is basically unnecessary.
However, if the site is accessed from the European region, the GDPR will apply. In that case, you will need to display a GDPR message to the target users.

Please note that in the event of a violation of the GDPR, sanctions such as fines may be imposed on the business operator, so it is better to take precautions as much as possible, even when operating within Japan.

Based on this law, has clarified its policy regarding the handling of personal data and revised its privacy policy. complies with the obligations set out in the GDPR to ensure the appropriate protection of your personal data.

You can set the display of the GDPR message by logging into Google AdSense and selecting "Privacy and Messages." The following alert is currently displayed on the Google AdSense home screen after logging in.

Starting January 16, 2024, all publishers serving ads to users in the European Economic Area (EEA) or the United Kingdom (UK) will be required to use a consent management platform (CMP) certified by Google. It will be required. When serving ads in the European Economic Area and the UK, you can rely on his CMP, certified by Google, which includes Google's own consent management solution. If you're interested in Google's consent management solution, start by setting up your GDPR message.

Create a GDPR message – Google AdSense Help

Google AdSense , by using the Consent Management Platform (CMP) mentioned in the alert above, you can easily create a GDPR message by following the steps below.

  1. GDPR details
  2. Create a GDPR message
  3. Add privacy policy URL to your site
  4. Select Consent Options to Include
  5. Check your GDPR account settings
  6. Publish GDPR message
    (To change published messages, go to Privacy & Messages)

The gallery below is an example of how to create a GDPR message on this site. Additionally, AdSense's "Privacy and Messages" settings also support the display of CPRA (California Privacy Rights Act) messages.

As of September 9, 2023, the traffic status from the EEA and the UK is as follows.

GDPR details (quoted from other sites & re-edited)

GDPR (General Data Protection Regulation) is a "regulation for the protection of personal information" in the EU, and it came into effect on May 25, 2018, in line with the recent growing trend towards privacy protection.
GDPR is a regulation regarding the handling of personal information within the EU (including Iceland, Norway, and Liechtenstein), but it may actually apply to companies all over the world, and Japanese companies are no exception.

Definition of “personal information processing” under GDPR

Let's take a look at the key points of GDPR. First, let’s take a closer look at “personal information” and “processing” under the GDPR.

Targets “any data that can identify or identify an individual”

The GDPR stipulates that all data that can identify and identify individuals within the EU, such as names and addresses, are defined as "personal data (personal information)." The relevant article (GDPR Article 4, Item 1) and a trial translation by the Personal Information Protection Commission are as follows.

(1) “personal data” means information relating to an identified or identifiable natural person (“data subject”); An identifiable natural person is, in particular, by reference to an identifier such as a name, an identification number, location data, an online identifier, or a physical, physiological, genetic, mental, economic or cultural A person who can be identified, directly or indirectly, by reference to one or more elements that indicate a social or social identity.

Personal Data Protection Commission, 27 April 2016 of the European Parliament and of the Council on the protection of natural persons in connection with the processing of personal data and on the free transfer of such data and repealing Directive 95/46/EC Regulation (EU) 2016/679 (General Data Protection Regulation)

In areas familiar to us, the following information is considered to be personal data.

  • identity
  • Identification number (My number)
  • Location data
  • Credit Card Number
  • passport number
  • Online identifier (IP address/Cookie)

Also includes cookies and IP addresses

It is important to note that even online identifiers such as IP addresses and cookie information, which are not considered personal information by themselves under Japanese law, are also subject to personal data.
GDPR must be taken seriously. For example, even casually using an online identifier to collect information on an official website could violate the GDPR.

Any processing, such as collection, compilation, disclosure by transmission, etc., is considered "processing"

“Processing” under the GDPR refers to all actions such as collecting, storing, editing, and disclosing the personal data listed above. It is safe to note that any handling of information regarding individuals within the EU may be subject to the GDPR. For example, there is a court precedent that states that the act of mechanically measuring the body temperature of people entering and leaving a building using a thermal imaging camera is considered "processing" of personal information and is subject to the GDPR. (Conseil d’État, 26 juin 2020, Caméras thermiques à Lisse)
From Japan's personal information protection legal thinking, it may be a decision to shake your head. However, any handling of personal information in this way falls under “processing” of personal information.

What happens if GDPR is violated?

According to Articles 83(4) and 83(5) of the GDPR, a violation of the GDPR:

  • A fine of not more than 10 million euros (approximately 1.2 billion yen), or not more than 2% of the total worldwide sales in the immediately preceding fiscal year, or whichever is greater.
  • A fine of no more than 20 million euros (approximately 2.3 billion yen), or an amount of no more than 2% of the total worldwide sales in the immediately preceding fiscal year, or whichever is greater.

The above fines are imposed on businesses, etc. depending on the case of violation of obligations.

Update privacy policy

Based on the above, we have revised the privacy policy of this site in conjunction with creating a GDPR message for Google AdSense.
The privacy policy page is available at the link below and is bilingual in Japanese and English.

Access status to this site from overseas

For your reference, the gallery below shows the total access to this site by country. Each is statistical information from Google Analytics 4 and server logs.
In the past, our servers were located in the United States, and we received a lot of access from overseas, but now that we are based in Japan, we can see that there are fewer accesses from overseas.

2023.09.11 Added

If Google AdSense is not installed

WordPress において、Google AdSense が導入されていない環境で GDPR メッセージを表示させたい場合は、以下のプラグイン「Cookie Notice & Compliance for GDPR / CCPA」をインストールします。

Add this entry to the hasebookmark
X (post)

Leave a Reply