Data Transfers to Other Countries

Understand what a transfer of Personal Data can entail

In an interconnected world, we use global services on a daily basis. You may be wondering whether your data is stored and processed in other countries and if that impacts your privacy and the protection of your personal data.

Rakuten Group is a global business. As such, when necessary we may transfer personal data to other companies within our group or companies that provide a service for us in other countries.

This article explains why transferring your data is sometimes necessary and the mechanisms Rakuten uses to protect your data.

But what is data transfer? Let’s look at some examples:

  • ・When you use a travel website to book accommodation in a hotel located in a different country, information such as your name will be provided to the hotel to secure your booking. In this case, the personal data will be available in a different country.
  • ・Sometimes, we use external companies that help us provide the best service to you: For example, to host data or to provide a more secure environment for our operations. These companies might be located in other countries.

Why is transferring personal data considered a risk?

You may wonder if your personal data is still protected if stored in a different country. In simple terms – it is. The law under which your personal data is collected will always apply, even if this information is transferred to another country. However, some countries have only limited or fragmented privacy rules, or may lack a general privacy framework.

To ensure your data is protected, sometimes it is necessary to take additional measures. These measures aim to ensure that the same level of protection applied when your data was first collected is kept while it "travels to another destination." You can think about it like travel insurance: You buy it to ensure that your trip overseas is as safe as if you were at home.

As a company, we are responsible and accountable to our users and apply the highest standards and guarantees while your data is transferred internationally.

Rakuten Group Privacy Standards and Measures

Transfer of personal data in Rakuten Group

Rakuten adheres to a set of global privacy protection standards called Binding Corporate Rules (BCRs). These guidelines ensure data protection throughout the Rakuten Group and have been approved by the Data Protection Authorities of the European Union and the United Kingdom. The rules establish that even if personal data is transferred to a country that operates on a more lenient data protection regime, Rakuten will still apply its high global standards.

Rakuten Group’s BCRs were approved by the European Union Data Protection Authority in 2016 and the UK Data Protection Authority in May 2022. These approvals recognize that Rakuten upholds a high global standard in handling personal information, which protects its customers’ privacy and personal data.

The BCRs also require Rakuten to establish processes for law enforcement access requests that adhere to the laws of the data’s country of origin.

Transfer of personal data outside of Rakuten Group

When we share personal data with service providers outside of the Rakuten Group, we have contractual commitments that bind those companies to the exact legal requirements under which the data was collected. This includes strong security commitments, access control, and obligations to use data only for the purposes instructed by us.

For example, if you are in the European Union and use one of Rakuten’s services in the EU and that service has a service provider outside of the EU, we need to ensure that there is a contractual agreement. This contract will guarantee that the same data protection standards are applied, even if the data is not within the EU. If the service provider breaches those requirements, Rakuten will enforce the contract against it.

If the service provider grants access to any other party in their country without informing Rakuten, it would be a breach of contract and most likely the law under which the data was initially collected. The service provider should inform Rakuten, and in those cases, Rakuten’s privacy teams will carefully review the situation and assess the best approach considering your fundamental privacy rights.

Keep in mind that personal data transfer rules vary between countries. Check the privacy policy of the service you use if personal data is transferred and what additional measures apply. The privacy policy may also list the countries where your information is shared, in line with the applicable law.

For Japanese users, we provide a more detailed explanation of your data transfers here: https://corp.rakuten.co.jp/privacy/understand/data-transfers/

Page Top