GDPR Information

What is GDPR?

The General Data Protection Regulation (GDPR) of the European Union (EU) is a data protection law at the EU level.

It was published in the EU Official Journal  dated May 4, 2016 and will enter into effect on May 24, 2016. The corresponding administrative penalty will be stipulated in May 25, 2018.

What kind of company needs to prepare?

Organizations that acquire personal data of residents of the European Economic Area (EEA) must comply with the GDPR, regardless of whether the organization is located inside or outside of the EEA. The EEA includes 28 EU members, Iceland, Liechtenstein, and Norway.

In terms of GDPR, what are the benefits of using Kii Cloud?

Kii takes responsibility to manage the server side as “Data Processor”. In collecting personal data of EEA residents using cloud services, customers need to select businesses that can do the following:

  • Data processing according to GDPR rules
  • Concluding a Controller-Processor contract as a “Data Processor”

Kii is an operator that meets these requirements.

What is “Data subject”, “Data Controller”, and “Data Processor” ?

In GDPR, “Data subject”, “Data Controller” and “Data Processor” are defined as follows:

Data Subject: a person whose personal data is processed by a controller or processor.

Data Controller: the entity that determines the purposes, conditions and means of the processing of personal data.

Data Processor: the entity that processes data on behalf of the Data Controller.

Kii Cloud users are “Data Controller” and Kii is “Data Processor”

Kii Cloud users who collect personal data of residents in the EEA are the “Data Controllers”. Kii is the “Data Processor” if the Data Controllers collect personal data through applications or IoT devices developed using Kii Cloud and save the data in Kii Cloud.

In addition, Kii becomes the “Data Controller” if a Kii Cloud user who resides in the EEA registers to Kii Cloud on Kii’s developer portal. In this case, a Kii Cloud user is a “Data Subject”.

What should Kii Cloud users do if they collect personal data of EEA residents?

Kii Cloud users need to fulfill their responsibility as a “Data Controller” defined in the GDPR. (Accountability and various rights guarantee of “Data Subject” etc.)

As part of their responsibility, they are obligated to supervise the “Data Processor” to ensure that the data is processed appropriately. To fulfill the obligation, they need to sign a “data controller-processor agreement” with Kii.

Transfer of personal data outside the EEA

Depending on how you use Kii Cloud, it may correspond to “Transfer of personal data out of the EEA area” due to the system configuration. You have to conclude a contract including “Standard Contract Clause (SCC)” in such cases.

What will happen if it does not correspond?

The following fine will be  imposed.

  • Up to EUR 10 million or 2% of the worldwide annual revenues in the previous fiscal year, whichever is higher
  • Up to EUR 20 million or 4% of the worldwide annual revenues in the previous fiscal year, whichever is higher

Contact information to make a data controller-processor agreement with Kii

For any inquiries, please contact

Disclaimer: The information contained within this portal does in no way constitute legal advice. Any person who intends to rely upon or use the information contained herein in any way is solely responsible for independently verifying the information and obtaining independent expert advice if required.