LY Corporation's DPO
LY Corporation (the “Company”) appoints and designates a Data Protection Officer (DPO) to promote the appropriate utilization of data. The DPO provides independent advice and monitors the protection and management of data entrusted to use by the users.
Roles of LY Corporation's DPO
LY Corporation's DPO earnestly listens to the voices of users and the opinions from the Panel of Experts. It operates independently from those involved in determining the purposes and methods of data use at the Company. The DPO comprehensively monitors and evaluates the protection, management, and use of data from the users' perspective, and provides advice to management and decision-makers. Through the designation and activities of LY Corporation's DPO, the Company aims to create a world where users can confidently entrust their data to the Company and enjoy a wide range of conveniences.
As illustrated in the following diagram, LY Corporation's DPO operates independently from the Company's divisions in charge of businesses and services, privacy protection, and security protection as well as those responsible for these divisions. The DPO plays a role in comprehensively monitoring the appropriateness of data protection measures from the users' perspective and providing advice to management and decision-makers.
Illustration: Roles of LY Corporation's DPO
Duties, independence of, and support system for LY Corporation's DPO
The Company establishes its DPO system based on the EU's General Data Protection Regulation (GDPR) and DPO guidelines (EU regulations on data protection). EU regulations on data protection outline the following concepts regarding the roles, independence of, and support system for the DPOs. Using these concepts as a model, the Company has established the Basic Regulations on Data Protection as an internal regulation. By ensuring the independence of the DPO of LY Corporation and supporting its activities, the Company is committed to maintaining and strengthening a data protection system that prioritizes user privacy.
DPO's duties
According to EU guidelines , the duties of the DPO include the following.
1) Monitoring and advising on data processing
To safeguard user privacy, DPOs check how data is used and processed, advise on improvements, and request changes in handling practices if needed. In addition, DPOs judge the need for data protection impact assessments and provide advice on methods and risk management strategies.
2) Monitoring and advising on legal compliance
DPOs inform about legal obligations related to data protection, monitor their compliance, and provide necessary advice.
3) Incident response
In cases of personal data breach or privacy violation, DPOs monitor and advise on the response towards supervisory authorities.
4) Fostering of privacy awareness
DPOs conduct activities to raise the internal awareness on privacy protection.
5) Reporting to the Board of Directors, etc.
DPOs directly reports to the Board of Directors, etc. on legal compliance and the status of data handling.
DPO's independence
EU guidelines stipulate the following to ensure the DPO can perform their duties independently.
1) Avoidance of conflicts of interests
DPOs are appointed from individuals who are independent of those responsible for determining the purposes and methods of data use and DPOs do not bear the responsibility for these decisions, thus avoiding any conflicts of interest. The Chief Executive Officer (CEO) and other senior management members cannot concurrently serve as a DPO.
2) Prohibition of instructions
DPOs perform their duties without receiving instructions from the Company, making independent judgements and actions. It is prohibited for others to instruct the DPOs to adopt certain interpretations or viewpoints in the execution of DPO duties.
3) Prohibition of adverse treatment
In relation to the performance of their duties, DPOs will not face any adverse treatment, such as denial of promotion and prevention from career advancement. This ensures an environment where DPOs can confidently carry out their responsibilities.
4) Reporting to the Board of Directors, etc.
DPOs directly report and advise the CEO and the Board of Directors, which further enhances the independence of the DPO.
Support system for the DPO
EU guidelines stipulate the following support system provided by the Company to ensure that the DPOs can fully perform their roles.
1) Assistance
The Company will provide adequate and necessary support in terms of financial resources, infrastructure and staff to maintain and improve DPO's functions and expertise.
2) Provision of information
To ensure the DPO's access to any necessary information, DPOs are granted the authority to attend all meetings where privacy-related decisions are made and to request access to relevant materials. DPOs are permitted to attend and speak at key meetings such as the Board of Directors and management meetings. Furthermore, if decisions differ from a DPO's opinion, the reasons and deliberation process must be documented.
3) Incident reporting system
The Company will establish a system so that incidents such as leakage of personal information or privacy breaches will be promptly reported to the DPOs when they occur.
Activities of LY Corporation's DPO
Data Protection Officer‘s Voice
We are currently experiencing a significant period of transformation.
With the advent of AI and its widespread application, traditional methods of information gathering, decision-making, self-expression, and communication are undergoing substantial changes.
In this wave of major societal transformation, people are inevitably compelled to adapt to these changes, whether they welcome them or not. Businesses responsible for implementing new technologies and services in society are expected to demonstrate a commitment to making these changes beneficial for society, along with continuous efforts towards this end.
As society rapidly evolves towards greater sophistication and efficiency, it is natural for people to feel anxiety and concern. However, without embracing these changes, it is challenging for individuals to establish oneself and thrive in an evolving society. Businesses leading these changes must autonomously decide and implement the following: properly assess how their technologies and services may impact users and society, address concerns and anxieties, determine which values to prioritize, decide what actions to take or avoid in order to materialize these values, establish the governance structure needed to protect the values, and develop an approach to gain trust from users and society.
Businesses of this nature are required to maintain an objective perspective when making decisions and evaluating their actions. It is crucial to assess how their actions impact users and society, determine what needs protection, and ensure the appropriateness and proper implementation of safeguarding rules. Additionally, the adequacy of information disclosure, which serves as the basis of trust-building, must be evaluated. The Data Protection Officer (DPO) at LY Corporation will independently assess and provide feedback from the standpoints of users and society.
LY Corporation’s DPO works to ensure that the Company's technologies and services are accepted by users and society, enhancing daily life to be more convenient and richer than the day before.
- Akira Koyanagi, Data Protection Officer
- Joined Yahoo Japan Corporation in 2003. After working in the Legal Department and Corporate Policy Planning Division, joined Japan's Ministry of Economy, Trade and Industry in 2013 through the “Public-Private Personnel Exchange Program.” Engaged in the development and implementation of policies related to the promotion of data utilization, in anticipation of amendments to the Personal Information Protection Act. Rejoined Yahoo Japan Corporation in 2015 and was appointed as the company's DPO (Data Protection Officer) in May 2020. Appointed as Head of GDPO (Group DPO) Department at Z Holdings Corporation in October 2022, Head of Special Public Affairs Office of LY Corporation in April 2024, and assumed the current position in July 2025.
DPO designation at Major Group Companies
In furtherance of its management policy of "Privacy & security first," and based on the Basic Policy on Data Protection, LY Corporation requires the designation of a DPO at its major Group companies that handle user data, and also supports DPO activities at such Group companies. As of October 2023, 16 Group companies, including PayPay Corporation, ASKUL Corporation, and ZOZO, Inc., have designated DPOs who provide comprehensive monitoring and advice from the user's perspective on the appropriateness of data protection measures at respective Group companies.
Companies with DPOs
- ASKUL Corporation
- Ikyu Corporation (Japanese only)
- ZOZO, Inc.
- dely inc. (Japanese only)
- Demae-can Co., Ltd.
- ValueCommerce Co., Ltd.
- PayPay Corporation
- PayPay Card Corporation (Japanese only)
- PayPay Bank Corporation
- LINE Credit Corporation (Japanese only)
- LINE Securities Corporation (Japanese only)
- LINE Xenesis Corporation
- LINE Pay Corporation (Japanese only)
- LINE Healthcare Corporation (Japanese only)
- LINE MUSIC CORPORATION (Japanese only)
- LY Corporation
As of October 2023 (In Japanese syllabary order)
- Note: What Is a DPO?
- The General Data Protection Regulation (GDPR) was enacted to strengthen the protection of personal data within the European Economic Area (EEA) in the digital age. GDPR stipulates the role of Data Protection Officer (DPO) to monitor and evaluate the use, protection and management of user data collected by the company and to advise the company management and others on the relevant issues.
With the enforcement of the GDPR in 2018, many companies located in or doing business for the EEA have designated a DPO.