ENFORCEMENT DECREE OF THE PERSONAL INFORMATION PROTECTION ACT
Presidential Decree No. 23169, Sep. 29, 2011
Amended by Presidential Decree No. 24425, Mar. 23, 2013
Presidential Decree No. 25531, Aug. 6, 2014
Presidential Decree No. 25751, Nov. 19, 2014
Presidential Decree No. 25840, Dec. 9, 2014
Presidential Decree No. 26140, Mar. 11, 2015
Presidential Decree No. 26728, Dec. 22, 2015
Presidential Decree No. 26776, Dec. 30, 2015
Presidential Decree No. 27370, Jul. 22, 2016
Presidential Decree No. 27522, Sep. 29, 2016
Presidential Decree No. 28074, May 29, 2017
Presidential Decree No. 28150, Jun. 27, 2017
Presidential Decree No. 28211, Jul. 26, 2017
Presidential Decree No. 28355, Oct. 17, 2017
CHAPTER I GENERAL PROVISIONS
Article 2 (Scope of Public Institutions) |
3. | Local government-invested public corporations and local government public corporations established under the Local Public Enterprises Act; |
4. | Special corporations incorporated under any special Act; |
Article 3 (Scope of Visual Data Processing Devices) |
"Devices prescribed by Presidential Decree" in subparagraph 7 of Article 2 of the Act means the following:
1. | A closed-circuit television means any of the following devices: |
(a) | A device that shoots videos, etc. through a continuously installed camera at a certain place, or transmits such videos, etc. to the specified place via transmission channel of wired or wireless closed circuits, etc.; |
(b) | A device that can videotape or record the visual information filed or transmitted under item (a); |
2. | A network camera means a device with which its installer or operator may collect, store, or process visual information, filmed through a continuously installed device at a certain place, via the wired or wireless Internet at any place. |
CHAPTER II PERSONAL INFORMATION PROTECTION COMMISSION
Article 4 (Exclusion, Challenge, and Refrainment of Commissioner) |
(1) | Any Commissioner of the Personal Information Protection Commission (hereinafter referred to as the "Protection Commission") provided for in Article 7 (2) of the Act shall be excluded from participating in the deliberation or resolution on the following matters: |
1. | Any matter in which the Commissioner or his/her spouse, relatives within 4th degree, spouse’s relatives within 2nd degree, or an institution or organization to which such Commissioner belongs, has an interest; |
2. | Any matter to which the Commissioner has given any testimony or expert opinion, or was involved as an agent or representative; |
3. | Any matter in which a person has an interest, to whom the Commissioner or the public institution, corporation, or other organization to which the Commissioner belongs, has provided advice or assistance. |
(2) | When a person who has direct interests in any matter for deliberation and resolution by the Protection Commission finds the ground for exclusion referred to in paragraph (1) or deems it impracticable to expect a fair deliberation and resolution from the Commissioner, the person may file a challenge application with the Protection Commission, accompanied by a statement as to such ground. In this case, the Chairperson shall determine the challenge application. |
(3) | Any commissioner who falls under paragraph (1) or (2) may refrain from the deliberation and resolution on the relevant matter. |
Article 5 (Expert Committees) |
(1) | The Protection Commission may establish an expert committee by sector (hereinafter referred to as "expert committee") to review in advance the matters for deliberation and resolution subject to Article 8 (1) of the Act in a professional manner. |
(2) | The expert committee established under paragraph (1) shall be comprised of not more than ten members, including one chairperson, who are designated or commissioned by the Chairperson of the Protection Commission subject to the consent of the Protection Commission from among the following persons; and the chairperson of the expert committee shall be designated by the Chairperson of the Protection Commission from among the expert committee members: <Amended by Presidential Decree No. 27370, Jul. 22, 2016> |
1. | Commissioners of the Protection Commission; |
2. | Public officials engaged in the data protection-related job of a central administrative agency; |
3. | Persons with abundant expertise and experience in data protection; |
4. | Persons belonging to, or recommended by, data protection-related organizations or trade associations. |
(3) | Meetings of the expert committee shall commence with the attendance of a majority of all incumbent members, and resolutions shall be passed with the concurring vote of a majority of those present. |
Article 6 (Disclosure of Proceedings) |
Meetings of the Protection Commission shall be open to the public: Provided, That they may be closed, if deemed necessary by the Chairperson of the Protection Commission.
Article 7 (Dispatch of Public Officials, etc.) |
The Protection Commission may request a public institution to dispatch a public official, executive, or employee who works for the public institution, where the Protection Commission deems it necessary to conduct its functions.
Article 8 (Organizational Structure, Number of Staff Members, etc.) |
Except as otherwise expressly provided for in this Decree, necessary matters regarding the organizational structure and number of staff members of the Commission shall be separately stipulated by Presidential Decree.
Article 9 (Allowances for Attendance, etc.) |
A Commissioner who attends a meeting of the Protection Commission or the expert committee; or a person who attends a meeting of the Protection Commission or the expert committee pursuant to Article 8 (2) of the Act may be paid allowances, travel expenses, and other necessary costs within budgetary limits: Provided, That this shall not apply where any public official attends a meeting directly related with his/her own duties.
Article 9-2 (Procedures, etc. for Advising Improvement of Policies, Systems, and Statutes) |
(1) | The Protection Commission shall advise the improvement of policies, systems, and statutes to the relevant agency pursuant to Article 8 (4) of the Act, along with the details of and reasons for such improvement. |
(2) | The Protection Commission may request the relevant agency to submit materials about the results of the implementation of its advice in order to inspect whether such advice has been implemented pursuant to Article 8 (5) of the Act. |
[This Article Added by Presidential Decree No. 27370, Jul. 22, 2016]
Article 9-3 (Procedures, etc. for Assessment of Data Breach Incident Factors) |
(1) | The head of a central administrative agency who intends to request an assessment of data breach incident factors pursuant to Article 8-2 of the Act (hereinafter referred to as "assessment of data breach incident factors") shall submit to the Protection Commission a written request (or an electronic request form) for an assessment of data breach incident factors which contains the following matters: |
1. | The purposes and major contents of the policy and systems in need of personal information processing to be adopted or changed by the statutes (including the draft statutes); |
2. | Self-analysis of data breach incident factors with respect to the matters prescribed in paragraph (2) following the adoption and change of the policy and system in need of personal information processing; |
3. | Measures to protect personal information following the adoption and change of the policy and system in need of personal information processing. |
(2) | Upon receipt of a written request under paragraph (1), the Protection Commission shall assess data breach incident factors taking into account the following matters, and shall notify the result thereof to the head of the relevant central administrative agency: |
1. | Necessity for processing personal information; |
2. | Propriety of guaranteeing the rights of data subjects; |
3. | Safety in the management of personal information; |
4. | Other matters necessary to assess data breach incident factors. |
(3) | The head of a central administrative agency who has been advised as prescribed in Article 8-2 (2) of the Act shall endeavor to implement as advised, such as incorporating such advice in the relevant draft statute: Provided, That where it is impracticable to implement as advised by the Protection Commission, the reason therefor shall be notified to the Protection Commission. |
(4) | The Protection Commission may request materials necessary to assess data breach incident factors from the head of the relevant central administrative agency. |
(5) | The Protection Commission may establish guidelines necessary to assess data breach incident factors, including detailed criteria for, and methods of, the assessment of data breach incident factors; and shall notify the heads of central administrative agencies of the guidelines. |
(6) | The Protection Commission may seek counsel, etc. from relevant experts where necessary to assess data breach incident factors. |
[This Article Added by Presidential Decree No. 27370, Jul. 22, 2016]
Article 10 (Operational Rule of Protection Commission, etc.) |
Except as otherwise expressly prescribed in the Act and this Decree, the composition and operation of the Protection Commission and the expert committees, and other necessary matters, shall be stipulated by the Rule of the Protection Commission subject to the resolution of the Protection Commission.
CHAPTER III PROCEDURES TO ESTABLISH MASTER PLANS AND IMPLEMENTATION PLANS
Article 11 (Procedures, etc. to Establish Master Plans) |
(1) | The Protection Commission shall establish a Master Plan to protect personal information under Article 9 of the Act (hereinafter referred to as "Master Plan") every three years by no later than December 31, two years before the start of the third-year plan. <Amended by Presidential Decree No. 24425, Mar. 23, 2013; Presidential Decree No. 25751, Nov. 19, 2014; Presidential Decree No. 27370, Jul. 22, 2016> |
(2) | To establish the Master Plan pursuant to paragraph (1), the Protection Commission may receive the sub-plans by sector, in which mid- and long-term plans, policies, etc. related to personal information protection are reflected from the heads of the relevant central administrative agencies; and may reflect them in the Master Plan. In this case, the Protection Commission shall consult with the heads of the relevant central administrative agencies about the objectives of the Master Plan, direction of promotion, guidelines to prepare sub-plans by sector, and other relevant matters. <Amended by Presidential Decree No. 24425, Mar. 23, 2013; Presidential Decree No. 25751, Nov. 19, 2014; Presidential Decree No. 27370, Jul. 22, 2016> |
(3) | Upon finalizing the Master Plan, the Protection Commission shall notify the heads of the relevant central administrative agencies of the Master Plan without delay. <Amended by Presidential Decree No. 24425, Mar. 23, 2013; Presidential Decree No. 25751, Nov. 19, 2014; Presidential Decree No. 27370, Jul. 22, 2016> |
Article 12 (Procedures, etc. to Establish Implementation Plans) |
(1) | The Protection Commission shall develop guidelines on how to establish implementation plans for the third year by no later than December 31 each year, and notify the heads of the relevant central administrative agencies of such guidelines. <Amended by Presidential Decree No. 24425, Mar. 23, 2013; Presidential Decree No. 25751, Nov. 19, 2014; Presidential Decree No. 27370, Jul. 22, 2016> |
(2) | The head of a relevant central administrative agency shall establish the implementation plan under his/her jurisdiction, to be implemented during the following year based upon the Master Plan according to the guidelines notified under paragraph (1); and shall submit it to the Protection Commission by no later than the end of February each year. |
(3) | The Protection Commission shall deliberate and resolve on the implementation plans submitted pursuant to paragraph (2) by no later than April 30 of that year. |
Article 13 (Scope of Materials Requested and Methods of Request) |
(1) | The Protection Commission may request materials or opinions regarding the following from a personal information controller pursuant to Article 11 (1) of the Act: <Amended by Presidential Decree No. 24425, Mar. 23, 2013; Presidential Decree No. 25751, Nov. 19, 2014; Presidential Decree No. 27370, Jul. 22, 2016> |
1. | Matters concerning the management of personal information and personal information files processed by the personal information controller and the installation and operation of visual data processing devices; |
3. | Matters concerning the technical, managerial, and physical measures to ensure the safety of personal information; |
4. | Matters concerning access by data subjects, requests for correction, erasure, suspension of personal information processing, and the status of measures taken; |
5. | Other matters necessary to establish and implement a Master Plan, such as compliance with the Act and this Decree. |
(2) | Upon requesting materials, opinions, etc. pursuant to paragraph (1), the Protection Commission shall request them to the minimum extent necessary to establish and implement the Master Plan. <Amended by Presidential Decree No. 24425, Mar. 23, 2013; Presidential Decree No. 25751, Nov. 19, 2014; Presidential Decree No. 27370, Jul. 22, 2016> |
(3) | Paragraphs (1) and (2) shall apply mutatis mutandis where the head of a central administrative agency requests materials, etc. from the personal information controller under his/her jurisdiction pursuant to Article 11 (3) of the Act. In this case, the "Protection Commission" shall be construed as the "head of a central administrative agency", and "Article 11 (1) of the Act" as "Article 11 (3) of the Act", respectively. <Amended by Presidential Decree No. 24425, Mar. 23, 2013; Presidential Decree No. 25751, Nov. 19, 2014; Presidential Decree No. 27370, Jul. 22, 2016> |
Article 14 (Promotion and Support of Self-Regulation) |
The Minister of the Interior and Safety may provide necessary support to agencies and organizations related to the protection of personal information within budgetary limits to promote self-regulating data-protection activities of personal information controllers pursuant to subparagraph 2 of Article 13 of the Act. <Amended by Presidential Decree No. 24425, Mar. 23, 2013; Presidential Decree No. 25751, Nov. 19, 2014; Presidential Decree No. 28211, Jul. 26, 2017>
CHAPTER IV PROCESSING OF PERSONAL INFORMATION
Article 15 (Control of Out-of-Purpose Use of Personal Information or Provision of Information to Third Parties) |
Where a public institution uses personal information for other than the intended purpose, or provides it to a third party pursuant to Article 18 (2) of the Act, it shall record the following in the Register for Control of Out-of-Purpose Use or Provision of Personal Information in the form prescribed by the Minister of the Interior and Safety; and shall manage the Register: <Amended by Presidential Decree No. 24425, Mar. 23, 2013; Presidential Decree No. 25751, Nov. 19, 2014; Presidential Decree No. 28211, Jul. 26, 2017>
1. | The name of the personal information or personal information file to be used or provided; |
2. | The name of the institution that uses, or is provided with, personal information; |
3. | The purpose of use or being provided; |
4. | The statutory ground for such use or being provided; |
5. | Particulars of personal information to be used or provided; |
6. | The date, frequency, or period to use or provide personal information; |
7. | Methods of using or providing personal information; |
8. | Any limitation or necessary measure that the personal information controller has requested from the recipient pursuant to Article 18 (5) of the Act. |
Article 15-2 (Matters subject to Notification, such as Sources of Personal Information Collected, and Methods of and Procedures for Notification) |
(1) | "Personal information controller satisfying the criteria prescribed by Presidential Decree" in the main sentence of Article 20 (2) of the Act means any of the following personal information controllers: |
1. | A person who processes sensitive information provided for in Article 23 of the Act (hereinafter referred to as "sensitive information") or personally identifiable information provided for in Article 24 (1) of the Act (hereinafter referred to as "personally identifiable information") of at least fifty thousand data subjects; |
2. | A person who processes personal information of at least one million data subjects. |
(2) | Any of the personal information controllers stated in paragraph (1) shall notify data subjects of the matters referred to in Article 20 (1) of the Act in the manner easily recognizable by the data subjects, such as in writing, or by telephone, text message or electronic mail, within three months from the date of being provided with their personal information: Provided, That where the personal information controller is regularly provided with and processes personal information at least twice a year to the extent he/she has obtained consent from the data subjects prescribed in Article 17 (1) 1 of the Act about the matters prescribed in Article 17 (2) 1 through 4 of the Act, he/she shall notify the data subjects within three months from the date of being provided with their personal information, or at least once a year counting from the date of the consent. |
(3) | Any of the personal information controllers stated in paragraph (1) who has notified under paragraph (2) shall retain and manage the following matters until the relevant personal information is destroyed pursuant to Article 21 or 37 (4) of the Act: |
1. | The fact that data subjects are notified; |
2. | When notification is made; |
3. | How notification is made. |
[This Article Added by Presidential Decree No. 27522, Sep. 29, 2016]
Article 16 (Methods of Destroying Personal Information) |
(1) | A personal information controller shall destroy personal information pursuant to Article 21 of the Act by any of the following methods: <Amended by Presidential Decree No. 25531, Aug. 6, 2014> |
1. | Personal information in electronic files shall be permanently erased so that the data cannot be restored; |
2. | Other records, printouts, paper documents, and media containing personal information, other than those referred to in subparagraph 1, shall be shredded or incinerated. |
(2) | Detailed matters concerning the safe destruction of personal information subject to paragraph (1) shall be prescribed and publicly notified by the Minister of the Interior and Safety. <Added by Presidential Decree No. 25531, Aug. 6, 2014; Presidential Decree No. 25751, Nov. 19, 2014; Presidential Decree No. 28211, Jul. 26, 2017> |
Article 17 (Methods of Obtaining Consent) |
(1) | A personal information controller shall obtain consent from a data subject to the processing of his/her personal information pursuant to Article 22 of the Act by any of the following methods: |
1. | To issue a document stating the matters requiring consent, either in person or by mail or facsimile, to the data subject, and obtain a written consent on which the data subject has affixed his/her signature or seal; |
2. | To inform the data subject of the matters requiring consent, and confirm his/her intent of consent by telephone; |
3. | To inform the data subject of the matters requiring consent by telephone, let the data subject confirm the matters requiring his/her consent posted on the designated website, etc.; and reconfirm his/her intent of consent by telephone; |
4. | To post the matters requiring consent on the designated website, etc., and let the data subject express his/her consent to it; |
5. | To send an electronic mail containing the matters requiring consent to the data subject, and receive the return e-mail with his/her consent to it; |
6. | Other methods to inform the data subject of the matters requiring consent by a method similar to those referred to in subparagraphs 1 through 5, and confirm his/her intent of consent. |
(2) | "Significant matters prescribed by Presidential Decree" in Article 22 (2) of the Act means: <Added by Presidential Decree No. 28355, Oct. 17, 2017> |
1. | The fact that a data subject may be contacted to promote goods or services or solicit purchase thereof using the data subject’s personal information with respect to the purpose of collecting and using personal information; |
2. | The following matters with respect to the particulars of personal information to be processed: |
(a) | Sensitive information provided for in Article 18; |
(b) | Passport numbers, driver’s license numbers, and alien registration numbers referred to in subparagraphs 2 through 4 of Article 19; |
3. | The period for retaining and using personal information (in the case of provision, it means the period for retaining and using personal information by the recipient); |
4. | The recipient of personal information and the purpose for which the recipient of the personal information uses such information. |
(3) | Where a personal information controller intends to obtain consent from a data subject under Articles 18 (2) 1 and 22 (4) of the Act or consent to the matters eligible for selective consent under Article 22 (3) of the Act, the personal information controller shall distinguish the matters eligible for selective consent from the other matters so that the data subject may recognize explicitly his/her right to such selective consent. <Added by Presidential Decree No. 26776, Dec. 30, 2015; Presidential Decree No. 28355, Oct. 17, 2017> |
(4) | To obtain consent from the legal representative of a child under 14 years of age pursuant to Article 22 (6) of the Act, a personal information controller may collect information on the name and contact information of the legal representative directly from such child. <Amended by Presidential Decree No. 26776, Dec. 30, 2015; Presidential Decree No. 28355, Oct. 17, 2017> |
(5) | The head of a central administrative agency may, of various methods of consent stated in paragraph (1), advise personal information controllers to selectively obtain the appropriate consent based on the personal information protection guidelines (hereinafter referred to as “personal information protection guidelines”) established pursuant to Article 12 (2) of the Act in consideration of the duties of each personal information controller under his/her jurisdiction, the characteristics of business and the number of data subjects, etc. |
Article 18 (Scope of Sensitive Information) |
"Information prescribed by Presidential Decree" in the main sentence of Article 23 (1) of the Act means the following data or information: Provided, That where the public institutions process any of the following data or information pursuant to Article 18 (2) 5 through 9 of the Act, the said information shall be excluded herefrom: <Amended by Presidential Decree No. 27522, Sep. 29, 2016>
1. | DNA information acquired from genetic testing, etc.; |
Article 19 (Scope of Personally Identifiable Information) |
"Information prescribed by Presidential Decree" in Article 24 (1) of the Act means any of the following information: Provided, That such information does not include any of the following information processed by the public institutions pursuant to Article 18 (2) 5 through 9 of the Act: <Amended by Presidential Decree No. 27522, Sep. 29, 2016; Presidential Decree No. 28150, Jun. 27, 2017>
Article 20 Deleted. <by Presidential Decree No. 25531, Aug. 6, 2014> |
Article 21 (Measures to Ensure Safety of Personally Identifiable Information) |
(2) | "Personal information controller meeting the criteria prescribed by Presidential Decree" in Article 24 (4) of the Act means any of the following personal information controllers: |
2. | A person who processes personally identifiable information of at least fifty thousand data subjects. |
(3) | The Minister of the Interior and Safety shall inspect, at least once every two years, whether the personal information controllers provided for in paragraph (2) have taken necessary measures to ensure safety pursuant to Article 24 (4) of the Act. <Amended by Presidential Decree No. 28211, Jul. 26, 2017> |
(4) | The inspection referred to in paragraph (3) shall be conducted by requiring the personal information controllers provided for in paragraph (2) to submit necessary material online or in writing. |
(5) | "Specialized institutions prescribed by Presidential Decree" in Article 24 (5) of the Act means any of the following institutions: <Amended by Presidential Decree No. 28211, Jul. 26, 2017> |
2. | A corporation, organization, or institution determined and publicly notified by the Minister of the Interior and Safety as deemed to have technical and financial capacity and equipment to conduct the inspection pursuant to Article 24 (4) of the Act. |
[This Article Wholly Amended by Presidential Decree No. 27522, Sep. 29, 2016]
Article 21-2 (Persons who must Encrypt Resident Registration Numbers) |
(1) | Any personal information controller who retains resident registration numbers by electronic means shall take encryption measures pursuant to Article 24-2 (2) of the Act. |
(2) | The encryption of resident registration numbers by a personal information controller shall start from one of the following dates: |
1. | As to the personal information controllers who retain the resident registration numbers of less than one million data subjects: January 1, 2017; |
2. | As to the personal information controllers who retain the resident registration numbers of at least one million data subjects: January 1, 2018. |
(3) | The Minister of the Interior and Safety may determine and publicly notify the detailed matters regarding encryption measures under paragraph (1), taking into account the technical and economic feasibility and other factors. <Amended by Presidential Decree No. 28211, Jul. 26, 2017> |
[This Article Added by Presidential Decree No. 26776, Dec. 30, 2015]
Article 22 (Exception to Limitation to Installation and Operation of Visual Data Processing Devices) |
(1) | "Facilities prescribed by Presidential Decree" in the proviso to Article 25 (2) of the Act means the following facilities: <Amended by Presidential Decree No. 28074, May 29, 2017> |
(2) | The head of a central administrative agency may establish a Privacy Policy which includes the detailed matters necessary to minimize infringement of the privacy of data subjects; and may encourage the personal information controllers under his/her jurisdiction to comply with the Privacy Policy where they install and operate the visual data processing devices at the facilities referred to in paragraph (1) pursuant to the proviso to Article 25 (2) of the Act. |
Article 23 (Gathering Opinions on Installation of Visual Data Processing Devices) |
(1) | The head of a public institution that intends to install and operate visual data processing devices pursuant to Article 25 (1) of the Act shall gather opinions from relevant experts and interested parties through any of the following formalities: |
2. | To hold an information session or to conduct a survey or polling for the neighborhood residents, etc. directly affected by the installation of those visual data processing devices. |
(2) | A person who intends to install and operate visual data processing devices at the facilities subject to the proviso to Article 25 (2) of the Act shall gather opinions from the following persons: |
2. | Anyone working in the relevant facilities, any person detained or accommodated in the relevant facilities, or interested parties, including the guardians of such persons. |
Article 24 (Posting of Notice, etc. on Signboard) |
(1) | A person who installs and operates visual data processing devices pursuant to Article 25 (1) of the Act (hereinafter referred to as "VDPD operator") shall post the matters referred to in Article 25 (4) of the Act on a signboard so that data subjects may recognize with ease that such devices are in operation: Provided, That a signboard, indicating the operation of visual data processing devices in the pertinent facilities and whole area, may be posted at the entry and other easily noticeable place where a multitude of visual data processing devices are installed in a building. <Amended by Presidential Decree No. 27522, Sep. 29, 2016> |
1. | through 3. Deleted. <by Presidential Decree No. 27522, Sep. 29, 2016> |
(2) | Notwithstanding paragraph (1), where any of the following applies to a visual data processing device installed and operated by a VDPD operator, the VDPD operator may post the matters referred to in Article 25 (4) of the Act on its website, instead of posting them on the signboard: <Amended by Presidential Decree No. 27522, Sep. 29, 2016> |
1. | Where the visual data processing devices are installed by a public institution for the purpose of long range filming, over-speed and traffic signal violation enforcement service, or traffic flow survey, and the possibility of data breach is significantly low; |
2. | Where a signboard can hardly be posted because of terrain characteristics or is not easily noticeable to data subjects, i.e., a visual data processing device installed for surveillance of mountain fire. |
(3) | Unless the matters referred to in Article 25 (4) of the Act can be posted on the website under paragraph (2), a VDPD operator shall make public the said matters in one or more of the following manners: <Amended by Presidential Decree No. 27522, Sep. 29, 2016> |
1. | Posting at easily noticeable places of the VDPD operator’s workplace, business premise, office, shop, etc. (hereinafter referred to as "workplace, etc."); |
2. | Publishing them in the Official Gazette (only in case the VDPD operator is a public institution) or a general daily newspaper, weekly newspaper, or online newspaper, as defined in subparagraphs 1 (a) and (c) and 2 of Article 2 of the Act on the Promotion of Newspapers, Etc. circulating mainly over the Special Metropolitan City, Metropolitan City, Do, or Special Self-Governing Province (hereinafter referred to as "City/Do") where the VDPD operator’s workplace is located. |
(4) | "Facilities prescribed by Presidential Decree" in the proviso to Article 25 (4) of the Act means the national security facilities provided for in Article 32 of the Regulations on Security Work. <Amended by Presidential Decree No. 27522, Sep. 29, 2016> |
Article 25 (Policy on Operation and Management of Visual Data Processing Devices) |
(1) | Each VDPD operator shall establish a policy to operate and manage visual data processing devices including the following matters pursuant to Article 25 (7) of the Act: |
1. | The statutory ground and purpose to install the visual data processing devices; |
2. | The number of visual data processing devices installed, the locations of installation and the scope of filming; |
3. | The manager and department in charge, and the person who is entitled to access the visual information; |
4. | The duration of filming, retention period, retention place and processing method of the visual information; |
5. | How and where the VDPD operator checks the visual information; |
6. | The measures taken to deal with the data subject’s request to access the visual information; |
7. | The technical, managerial and physical safeguards to protect the visual information; |
8. | Other matters necessary to install, operate, and manage the visual data processing devices. |
(2) | Article 31 (2) and (3) shall apply mutatis mutandis to the disclosure of the policy to operate and manage visual data processing devices established pursuant to paragraph (1). In this case, "personal information controller" shall be construed as "VDPD operator", "Article 30 (2) of the Act" as "Article 25 (7) of the Act", and "Privacy Policy" as "policy to operate and manage visual data processing devices", respectively. <Amended by Presidential Decree No. 27522, Sep. 29, 2016> |
Article 26 (Outsourcing of Installation and Operation of Visual Data Processing Devices by Public Institutions) |
(1) | Where a public institution outsources the installation and operation of visual data processing devices to a third party pursuant to the proviso to Article 25 (8) of the Act, it shall do so in writing stating the following: |
1. | The purpose and scope of outsourced work; |
2. | Matters concerning limitation to re-outsourcing; |
3. | Matters concerning the measures to ensure safety, including limitation to access to visual data; |
4. | Matters concerning the inspection of the status of visual data retained; |
5. | Matters concerning damage liability in case of breach of contractual obligation on the part of the outsourcee. |
(2) | Where work is outsourced pursuant to paragraph (1), the name and contact information of the outsourcee shall be posted on the signboard, etc. referred to in Article 24 (1) through (3). |
Article 27 (Guidelines for Installing and Operating Visual Data Processing Devices) |
Except as otherwise expressly provided for in the Act and this Decree, the Minister of the Interior and Safety may establish the Standard Personal Information Protection Guidelines referred to in Article 12 (1) of the Act regarding the standards for installing and operating visual data processing devices or outsourcing their installation and operation; and may encourage VDPD operators to comply with the Standard Guidelines. <Amended by Presidential Decree No. 24425, Mar. 23, 2013; Presidential Decree No. 25751, Nov. 19, 2014; Presidential Decree No. 28211, Jul. 26, 2017>
Article 28 (Measures to be Taken when Outsourcing Personal Information Processing) |
1. | The purpose and scope of outsourced work; |
2. | Matters concerning limitation to re-outsourcing; |
3. | Matters concerning measures to ensure safety, including limitation to access to personal information; |
4. | Matters concerning supervision and inspection of the status of management of personal information retained in relation to outsourcing; |
5. | Matters concerning liability, such as compensation for damages caused by a breach of contractual obligations on the part of an outsourcee under Article 26 (2) of the Act (hereinafter referred to as "outsourcee"). |
(2) | "Manner prescribed by Presidential Decree" in Article 26 (2) of the Act means the manner in which a personal information controller that has outsourced personal information processing (hereinafter referred to as "outsourcer") continuously posts details of the outsourced work and the outsourcee on its website. |
(3) | Where it is impossible to post on the website as prescribed in paragraph (2), the outsourcer shall make public the outsourced work and the outsourcee in one or more of the following manners: |
1. | Posting at easily noticeable places of the outsourcer’s workplace, etc.; |
2. | Publishing in the Official Gazette (only where the outsourcer is a public institution) or a general daily newspaper, weekly newspaper, or online newspaper, as defined in subparagraphs 1 (a) and (c) and 2 of Article 2 of the Act on the Promotion of Newspapers, Etc. which mainly covers the City/Do where the outsourcer’s workplace, etc. is located; |
3. | Publishing in a periodical, newsletter, PR magazine, or invoice to be published under the same title at least twice annually and distributed to data subjects on a continual basis; |
4. | Delivering to data subjects the paper-based agreement entered into between the outsourcer and the data subjects in order to supply goods or services. |
(4) | "Manners prescribed by Presidential Decree" in the former part of Article 26 (3) of the Act means in writing, or by electronic mail, facsimile, telephone, or text message, or by other equivalent manners (hereinafter referred to as "in writing, etc."). |
(5) | Where an outsourcer is unable to inform the data subjects of the outsourced work and the outsourcee in the manner stated in paragraph (4) without its negligence, the outsourcer shall post the relevant matters on its website for at least 30 days: Provided, That an outsourcer who has no website shall post them at easily noticeable places of its workplace, etc. for at least 30 days. |
(6) | Where an outsourcee processes personal information, the outsourcer shall supervise whether the outsourcee complies with the obligations of a personal information controller provided for in the Act and this Decree and the matters referred to in Article 26 (1) of the Act, pursuant to Article 26 (4) of the Act. |
Article 29 (Notification of Transfer of Personal Information Following Business Transfer, etc.) |
(2) | Where a person who intends to transfer personal information to a third party pursuant to Article 27 (1) of the Act fails to inform the data subjects of the matters stated in Article 27 (1) of the Act in the manner stated in paragraph (1) without his/her negligence, the person shall post the relevant matters on the website for at least 30 days: Provided, That a transferor, etc. who has no website shall post them at easily noticeable places of his/her workplace, etc. for at least 30 days. |
CHAPTER V SAFEGUARD OF PERSONAL INFORMATION
Article 30 (Measures to Ensure Safety of Personal Information) |
(1) | Each personal information controller shall take the following measures to ensure safety pursuant to Article 29 of the Act: |
1. | To formulate and implement an internal management plan for the safe processing of personal information; |
2. | To control access to personal information and restrict the authority to access personal information; |
3. | To adopt encryption technology to safely store and transmit personal information and other equivalent measures; |
4. | To retain login records to respond to data breach incidents and to take measures to prevent the forgery and falsification thereof; |
5. | To install and upgrade security programs to protect personal information; |
6. | To take physical measures, such as a storage to keep personal information safely or a locking system. |
(2) | The Minister of the Interior and Safety may provide necessary assistance, such as building a system with which personal information controllers can take the measures to ensure safety pursuant to paragraph (1). <Amended by Presidential Decree No. 24425, Mar. 23, 2013; Presidential Decree No. 25751, Nov. 19, 2014; Presidential Decree No. 28211, Jul. 26, 2017> |
(3) | Detailed standards for the measures to ensure safety under paragraph (1) shall be prescribed and publicly notified by the Minister of the Interior and Safety. <Amended by Presidential Decree No. 24425, Mar. 23, 2013; Presidential Decree No. 25751, Nov. 19, 2014; Presidential Decree No. 28211, Jul. 26, 2017> |
Article 31 (Details of Privacy Policy and Methods for Disclosure thereof, etc.) |
(1) | "Matters prescribed by Presidential Decree" in Article 30 (1) 8 of the Act means the following: <Amended by Presidential Decree No. 27522, Sep. 29, 2016> |
1. | Particulars of personal information to be processed; |
2. | Matters concerning destruction of personal information; |
3. | Matters concerning measures to ensure the safety of personal information subject to Article 30. |
(2) | A personal information controller shall post continuously the Privacy Policy established or modified pursuant to Article 30 (2) of the Act on its website. |
(3) | Where it is impossible to post the Privacy Policy on the website as prescribed in paragraph (2), the personal information controller shall make public the established or modified Privacy Policy in at least one of the following manners: |
1. | Posting at easily noticeable places of the personal information controller’s workplace, etc.; |
2. | Publishing in the Official Gazette (only in case the personal information controller is a public institution) or general daily newspaper, weekly newspaper, or online newspaper, as defined in subparagraphs 1 (a) and (c) and 2 of Article 2 of the Act on the Promotion of Newspapers, Etc. circulating mainly over the City/Do where the personal information controller’s workplace, etc. is located; |
3. | Publishing in a periodical, newsletter, PR magazine, or invoice to be published under the same title at least twice a year and distributed to data subjects on a continual basis; |
4. | Delivering to data subjects the paper-based agreement entered into between the personal information controller and the data subjects in order to supply goods or services. |
Article 32 (Functions of Privacy Officer and Requirements for Designation, etc.) |
2. | To manage materials related to the protection of personal information; |
3. | To destroy personal information whose purpose of processing is attained or retention period expires. |
(2) | A personal information controller shall designate a privacy officer pursuant to Article 31 (1) of the Act according to the following classifications: <Amended by Presidential Decree No. 27370, Jul. 22, 2016> |
1. | Public institutions: Public officials, etc. who satisfy the standards classified as follows: |
(a) | The administrative bodies of the National Assembly, the Court, the Constitutional Court, and the National Election Commission; and central administrative agencies: A member of the Senior Executive Service (hereinafter referred to as "senior executive") or equivalent public official; |
(b) | Other national agencies than item (a), headed by a public official in political service: A 3rd grade or higher public official (including a senior executive) or equivalent public official; |
(c) | Other national agencies than items (a) and (b), headed by a senior executive, a 3rd grade or higher public official, or an equivalent public official: A 4th grade or higher public official or equivalent public official; |
(d) | Other national agencies than items (a) through (c) (including their affiliated bodies): The head of a department in charge of personal information processing in the relevant agency; |
(e) | Cities/Dos, City/Do Offices of Education: A 3rd grade or higher public official or equivalent public official; |
(f) | Sis/Guns or autonomous Gus: A 4th grade public official or equivalent public official; |
(g) | Schools of each level referred to in subparagraph 5 of Article 2: A person who takes overall control of the administrative affairs of the relevant school; |
(h) | Other public institutions than items (a) through (g): The head of a department in charge of the affairs related to personal information processing in the relevant institution; provided, where the heads of at least two departments are in charge of the affairs related to personal information processing, the head of the relevant institution shall designate the privacy officer among them; |
2. | An institution other than public institutions: Any of the following persons: |
(a) | The business owner or representative; |
(b) | An executive officer (or the head of a department in charge of the affairs related to personal information processing, if no executive officer exists). |
(3) | The Minister of the Interior and Safety may provide necessary assistance, such as developing and providing educational programs for privacy officers so that they may efficiently perform the functions provided for in Article 31 (2) of the Act. <Amended by Presidential Decree No. 24425, Mar. 23, 2013; Presidential Decree No. 25751, Nov. 19, 2014; Presidential Decree No. 28211, Jul. 26, 2017> |
Article 33 (Registered Items of Personal Information Files) |
1. | The name of the public institution that operates personal information files; |
2. | The number of data subjects whose personal information is retained in personal information files; |
3. | The department in charge of affairs related to personal information processing in the relevant public institution; |
4. | The department that receives and processes requests for access to personal information pursuant to Article 41; |
5. | The scope of personal information to which access can be limited or denied pursuant to Article 35 (4) of the Act, among personal information in personal information files, and the grounds for limitation or denial. |
Article 34 (Registration, Disclosure, etc. of Personal Information Files) |
(1) | The head of a public institution that operates personal information files shall apply for registration of the matters provided for in Article 32 (1) of the Act and Article 33 of this Decree (hereinafter referred to as "registered matters") to the Minister of the Interior and Safety within 60 days from the date it starts operating the personal information files, as prescribed by Ministerial Decree of the Interior and Safety. The same shall also apply to any modification of registered matters. <Amended by Presidential Decree No. 24425, Mar. 23, 2013; Presidential Decree No. 25751, Nov. 19, 2014; Presidential Decree No. 28211, Jul. 26, 2017> |
(2) | The Minister of the Interior and Safety shall post the status of personal information files registered pursuant to Article 32 (4) of the Act on the Ministry’s website. <Amended by Presidential Decree No. 24425, Mar. 23, 2013; Presidential Decree No. 25751, Nov. 19, 2014; Presidential Decree No. 28211, Jul. 26, 2017> |
(3) | The Minister of the Interior and Safety may build and operate a system so that the registration of personal information files or modification of the registered matters may be electronically processed. <Amended by Presidential Decree No. 24425, Mar. 23, 2013; Presidential Decree No. 25751, Nov. 19, 2014; Presidential Decree No. 28211, Jul. 26, 2017> |
Article 34-2 (Criteria, Method, Procedure, etc. for Certification of Personal Information Protection) |
(1) | The Minister of the Interior and Safety shall determine and publicly notify the criteria for certification referred to in Article 32-2 (1) of the Act, including the establishment of managerial, technical, and physical safeguards to protect personal information, taking into account the matters provided for in Article 30 (1). <Amended by Presidential Decree No. 28211, Jul. 26, 2017> |
(2) | A person who intends to obtain certification of personal information protection pursuant to Article 32-2 (1) of the Act (hereafter referred to in this Article and Article 34-3, as "applicant"), shall submit an application (including an electronic application) for certification of personal information protection which includes the following matters to an institution specializing in the certification of personal information protection referred to in Article 34-6 (hereinafter referred to as "certification institution"): |
1. | A list of personal information processing systems subject to certification; |
2. | Methods and procedures for establishing and operating the personal information protection system; |
3. | A list of documents related to the personal information protection system and the implementation of safeguards. |
(3) | Upon receipt of an application for certification pursuant to paragraph (2), a certification institution shall consult with the applicant about the scope, time schedule, etc. of certification. |
(4) | An examination to certify personal information protection under Article 32-2 (1) of the Act shall be either a paper-based examination or an on-site examination conducted by the certification examiners for personal information protection subject to Article 34-8. |
(5) | Each certification institution shall establish and operate a certification committee comprised of members with considerable knowledge and experience in information protection to deliberate on the results of examinations for certification conducted pursuant to paragraph (4). |
(6) | Except as otherwise expressly provided for in paragraphs (1) through (5), detailed matters necessary for certification of personal information protection, including filing an application for certification, examination for certification, establishment and operation of the certification committee, and issuance of certificates, shall be determined and publicly notified by the Minister of the Interior and Safety. <Amended by Presidential Decree No. 28211, Jul. 26, 2017> |
[This Article Added by Presidential Decree No. 27370, Jul. 22, 2016]
Article 34-3 (Fees for Certification of Personal Information Protection) |
(1) | Each applicant shall pay a fee incurred in examining certification of personal information protection to the certification institution. |
(2) | The Minister of the Interior and Safety shall determine and publicly notify the detailed standards for calculating fees referred to in paragraph (1), based upon the number of certification examiners required for examining certification of personal information protection, number of days necessary to examine certification, and other relevant matters. <Amended by Presidential Decree No. 28211, Jul. 26, 2017> |
[This Article Added by Presidential Decree No. 27370, Jul. 22, 2016]
Article 34-4 (Revocation of Certification) |
(1) | A certification institution that intends to revoke certification pursuant to Article 32-2 (3) of the Act shall submit the case for deliberation and resolution by the certification committee established under Article 34-2 (5). |
(2) | Upon revoking certification pursuant to Article 32-2 (3) of the Act, the Minister of the Interior and Safety or the certification institution shall notify the affected party of such revocation; and shall publicly announce or post it in the Official Gazette or on the certification institution’s website. <Amended by Presidential Decree No. 28211, Jul. 26, 2017> |
[This Article Added by Presidential Decree No. 27370, Jul. 22, 2016]
Article 34-5 (Follow-up Management of Certification) |
(1) | An examination for follow-up management subject to Article 32-2 (4) of the Act shall be either a paper-based examination or an on-site examination. |
(2) | Where a certification institution discovers any of the causes provided for in Article 32-2 (3) of the Act through its follow-up management pursuant to paragraph (1), the certification institution shall submit the case for deliberation by the certification committee established under Article 34-2 (5); and shall notify the Minister of the Interior and Safety of the results of such deliberation. <Amended by Presidential Decree No. 28211, Jul. 26, 2017> |
[This Article Added by Presidential Decree No. 27370, Jul. 22, 2016]
Article 34-6 (Institutions Specializing in Certifying Personal Information Protection) |
(1) | "Specialized institutions prescribed by Presidential Decree" in Article 32-2 (5) of the Act means the following: <Amended by Presidential Decree No. 27522, Sep. 29, 2016; Presidential Decree No. 28211, Jul. 26, 2017> |
1. | The Korea Internet and Security Agency; |
2. | A corporation or an organization or institution designated and publicly notified by the Minister of the Interior and Safety among the corporations, organizations or institutions that satisfy all of the following requirements: |
(a) | To have at least five certification examiners for personal information protection referred to in Article 34-8; |
(b) | To have been qualified by the Minister of the Interior and Safety through an examination of requirements and capacity for performing its functions. |
(2) | Detailed criteria, etc. necessary for designating a corporation, organization or institution stated in paragraph (1) 2 and revocation of such designation shall be determined and publicly notified by the Minister of the Interior and Safety. <Amended by Presidential Decree No. 28211, Jul. 26, 2017> |
[This Article Added by Presidential Decree No. 27370, Jul. 22, 2016]
Article 34-7 (Certification Mark and Promotion) |
Where a person who has obtained certification pursuant to Article 32-2 (6) of the Act intends to indicate or promote the certification, the person may use the personal information protection mark determined and publicly notified by the Minister of the Interior and Safety. In such cases, the person shall also indicate the scope and term of validity of the certification in the personal information protection mark. <Amended by Presidential Decree No. 28211, Jul. 26, 2017>
[This Article Added by Presidential Decree No. 27370, Jul. 22, 2016]
Article 34-8 (Qualifications for Certification Examiners for Personal Information Protection and Grounds for Disqualification) |
(1) | A certification institution shall qualify persons with expertise in personal information protection, who pass an examination after having completed a specialized educational program necessary for certification examinations, as certification examiners for personal information protection (hereinafter referred to as "certification examiners") pursuant to Article 32-2 (7) of the Act. |
(2) | A certification institution may disqualify a certification examiner pursuant to Article 32-2 (7) of the Act in any of the following cases: Provided, That the certification examiner must be disqualified in cases falling under subparagraph 1: |
1. | Where the certification examiner has been qualified by fraud or other unjust means; |
2. | Where the certification examiner has received money, goods, or other profits in relation to the examination for certification of personal information protection; |
3. | Where the certification examiner has divulged any information acquired in the course of examining the certification of personal information protection, or has used such information for other than the intended purpose without just cause. |
(3) | Detailed matters concerning completion of the specialized educational programs, qualification and disqualification as certification examiners, and other relevant matters, shall be determined and publicly notified by the Minister of the Interior and Safety. <Amended by Presidential Decree No. 28211, Jul. 26, 2017> |
[This Article Added by Presidential Decree No. 27370, Jul. 22, 2016]
Article 35 (Object of Privacy Impact Assessment) |
"Personal information files meeting the criteria prescribed by Presidential Decree" in Article 33 (1) of the Act means any of the following personal information files that can be processed electronically: <Amended by Presidential Decree No. 27522, Sep. 29, 2016>
1. | Personal information files that will be established, operated, or modified, and contain sensitive information or personally identifiable information of at least fifty thousand data subjects for processing; |
2. | Personal information files that are established and operated, and will be matched with other personal information files being established and operated inside or out of the relevant public institution, and, as a result of matching, will contain the personal information of at least fifty thousand data subjects; |
3. | Personal information files that will be established, operated, or modified, and contain the personal information of at least one million data subjects; |
4. | Personal information files whose operating system, including the data retrieval system, will be changed after the privacy impact assessment under Article 33 (1) of the Act (hereinafter referred to as "privacy impact assessment"). In this case, the privacy impact assessment shall be limited to the changed system. |
Article 36 (Consideration at the time of Privacy Impact Assessment) |
1. | Whether sensitive information or personally identifiable information will be processed; |
2. | The retention period of personal information. |
Article 37 (Designation of PIA Institutions and Revocation of Designation) |
(1) | The Minister of the Interior and Safety may designate a corporation that satisfies all of the following requirements as a privacy impact assessment institution (hereinafter referred to as "PIA institution") pursuant to the latter part of Article 33 (1) of the Act: <Amended by Presidential Decree No. 24425, Mar. 23, 2013; Presidential Decree No. 25751, Nov. 19, 2014; Presidential Decree No. 26728, Dec. 22, 2015; Presidential Decree No. 28211, Jul. 26, 2017> |
1. | A corporation whose total revenue derived from any of the following business activities exceeds 200 million won during the last five years: |
(a) | Privacy impact assessments or equivalent business activities; |
(b) | Data protection consulting (which means the analysis and assessment of information systems and the provision of corresponding countermeasures against electronic breach incidents; hereafter the same shall apply) among the business activities related to establishing information systems, as defined in subparagraph 13 of Article 2 of the Electronic Government Act (including the information protection system); |
(d) | Business activities prescribed in Article 23 (1) 1 and 2 of the Act on the Promotion of the Information Security Industry; |
2. | A corporation that employs at least ten full-time experts specified in Appendix 1; |
3. | A corporation with the following offices and facilities: |
(a) | An office with facilities for identification and access control; |
(b) | Facilities for the safe management of records and materials. |
(2) | A person who intends to be designated as a PIA institution shall file an application for designation as a PIA institution, in the form prescribed by Ministerial Decree of the Interior and Safety, with the Minister of the Interior and Safety, along with the following documents (including electronic documents; hereinafter the same shall apply): <Amended by Presidential Decree No. 24425, Mar. 23, 2013; Presidential Decree No. 25751, Nov. 19, 2014; Presidential Decree No. 28211, Jul. 26, 2017; Presidential Decree No. 28355, Oct. 17, 2017> |
1. | The articles of incorporation; |
2. | The representative’s name; |
3. | Documents verifying the qualifications of the experts referred to in paragraph (1) 2; |
4. | Other documents prescribed by Ministerial Decree of the Interior and Safety. |
(3) | Upon receipt of an application for designation as a PIA institution filed under paragraph (2), the Minister of the Interior and Safety shall verify the following documents through the sharing of administrative information pursuant to Article 36 (1) of the Electronic Government Act: Provided, That where the applicant would not give the consent to the verification of subparagraph 2, the Minister of the Interior and Safety shall require the applicant to submit the relevant document: <Amended by Presidential Decree No. 24425, Mar. 23, 2013; Presidential Decree No. 25751, Nov. 19, 2014; Presidential Decree No. 28211, Jul. 26, 2017> |
1. | The corporation registration certificate; |
(4) | Upon designating a PIA institution pursuant to paragraph (1), the Minister of the Interior and Safety shall, without delay, issue a written designation to the relevant applicant, and publish the following matters in the Official Gazette. The same shall also apply to any revision to the published matters: <Amended by Presidential Decree No. 24425, Mar. 23, 2013; Presidential Decree No. 25751, Nov. 19, 2014; Presidential Decree No. 28211, Jul. 26, 2017> |
1. | The name, address, and telephone number of the PIA institution, and the name of its representative; |
2. | Terms and conditions attached to the designation, if any. |
(5) | The Minister of the Interior and Safety may revoke the designation of a PIA institution subject to paragraph (1) in any of the following cases: Provided, That the Minister of the Interior and Safety shall revoke the designation in cases falling under subparagraph 1 or 2: <Amended by Presidential Decree No. 24425, Mar. 23, 2013; Presidential Decree No. 25751, Nov. 19, 2014; Presidential Decree No. 28211, Jul. 26, 2017> |
1. | Where the PIA institution is designated by fraud or other unjust means; |
2. | Where the PIA institution wants revocation of such designation or has closed its business; |
3. | Where the PIA institution fails to satisfy the requirements for designation provided for in paragraph (1); |
4. | Where the PIA institution fails to submit a report subject to paragraph (6); |
5. | Where the PIA institution unconscientiously conducts the privacy impact assessment either intentionally or by gross negligence, and is deemed incapable of duly conducting the privacy impact assessment; |
6. | Where the PIA institution breaches any of the duties provided for in the Act or this Decree. |
(6) | A PIA institution designated under paragraph (1) shall, upon occurrence of any of the following events after designation, submit a report to the Minister of the Interior and Safety, as prescribed by Ministerial Decree of the Interior and Safety, within 14 days from the date of occurrence: Provided, That it shall submit a report to the Minister of the Interior and Safety within 60 days from the date of occurrence in cases falling under subparagraph 3: <Amended by Presidential Decree No. 24425, Mar. 23, 2013; Presidential Decree No. 25751, Nov. 19, 2014; Presidential Decree No. 28211, Jul. 26, 2017; Presidential Decree No. 28355, Oct. 17, 2017> |
1. | Where any matter referred to in paragraph (1) is changed; |
2. | Where any matter referred to in paragraph (4) 1 is changed; |
3. | Where the transfer, acquisition, or merger of the PIA institution, or similar event occurs. |
(7) | Where intending to revoke the designation of a PIA institution pursuant to paragraph (5), the Minister of the Interior and Safety shall hold a hearing. <Amended by Presidential Decree No. 24425, Mar. 23, 2013; Presidential Decree No. 25751, Nov. 19, 2014; Presidential Decree No. 28211, Jul. 26, 2017> |
Article 38 (Criteria, etc. for Privacy Impact Assessment) |
(1) | Criteria for privacy impact assessments referred to in Article 33 (6) of the Act are as follows: <Amended by Presidential Decree No. 27370, Jul. 22, 2016> |
1. | The type and nature of personal information contained in the relevant personal information files, the number of data subjects, and the possibility of subsequent data breaches; |
3. | Countermeasures against data breach risk factors, if any; |
4. | Other necessary measures subject to the Act or this Decree, or any factor affecting breach of duties. |
(2) | A PIA institution in receipt of a request for a privacy impact assessment pursuant to Article 33 (1) of the Act shall analyze and assess the data breach risk factors arising out of the operation of personal information files according to the criteria for privacy impact assessments prescribed in paragraph (1); prepare a privacy impact assessment report containing the following matters; and submit the report to the head of the relevant public institution. The head of such public institution shall submit the report (including measures for improvement referred to in subparagraph 3, if such report contains any matter requiring improvement) to the Minister of the Interior and Safety prior to building, operating, or changing personal information files provided for in Article 35: <Amended by Presidential Decree No. 24425, Mar. 23, 2013; Presidential Decree No. 25751, Nov. 19, 2014; Presidential Decree No. 27370, Jul. 22, 2016; Presidential Decree No. 28211, Jul. 26, 2017> |
1. | The summary of the project related to, and the purpose of, the operation of personal information files; |
2. | The outline of personal information files subject to the privacy impact assessment; |
3. | Analysis and assessment of data breach risk factors according to the criteria for privacy impact assessments, and matters requiring improvement; |
4. | Human resources and costs required to conduct the privacy impact assessment. |
(3) | Except as otherwise expressly prescribed in the Act and this Decree, the Minister of the Interior and Safety may establish and publicly notify detailed standards for designating PIA institutions, procedures for privacy impact assessments, etc. <Amended by Presidential Decree No. 24425, Mar. 23, 2013; Presidential Decree No. 25751, Nov. 19, 2014; Presidential Decree No. 28211, Jul. 26, 2017> |
Article 39 (Scope of Data Breach Notification and Where to Report) |
(1) | "Personal information above the scale prescribed by Presidential Decree" in the former part of Article 34 (3) of the Act means personal information of at least one thousand data subjects. <Amended by Presidential Decree No. 28355, Oct. 17, 2017> |
(2) | "Specialized institution prescribed by Presidential Decree" in the former part and the latter part of Article 34 (3) of the Act means the Korea Internet and Security Agency. <Amended by Presidential Decree No. 26776, Dec. 30, 2015; Presidential Decree No. 27370, Jul. 22, 2016> |
Article 40 (Method and Procedure for Data Breach Notification) |
(1) | A personal information controller who becomes aware that personal information has been divulged shall, without delay, notify the aggrieved data subject of the matters prescribed in Article 34 (1) of the Act, in writing, etc.: Provided, That the personal information controller may give notice to the data subjects, right after it has taken contingent measures, including shut-down of the access route, check-up of weak points and deletion of divulged personal information, necessary to prevent the dissemination of divulged personal information and additional divulgence. |
(2) | Notwithstanding paragraph (1), where a personal information controller has become aware of data divulgence pursuant to the main sentence of paragraph (1) or has taken contingent measures after awareness of the data breach pursuant to the proviso to paragraph (1), but cannot confirm detailed data divulgence provided for in Article 34 (1) 1 or 2 of the Act, the personal information controller may first notify the aggrieved data subject of the divulgence of personal information and the information divulged, in writing, etc.; and then notify the facts confirmed additionally. |
(3) | Notwithstanding paragraphs (1) and (2), where personal information of at least one thousand data subjects has been divulged pursuant to Article 34 (3) of the Act and Article 39 (1) of this Decree, the relevant personal information controller shall notify the aggrieved data subjects of such divulgence in writing, etc. and post the matters provided for in Article 34 (1) of the Act on his/her website for at least seven days so that the data subjects may easily recognize them: Provided, That if a personal information controller has no website, the personal information controller shall notify the divulgence of personal information in writing, etc. and post the matters provided for in Article 34 (1) of the Act at easily noticeable places of his/her workplace, etc. for at least seven days. <Amended by Presidential Decree No. 28355, Oct. 17, 2017> |
Article 40-2 (Criteria, etc. for Imposition of Penalty Surcharges) |
(2) | To impose a penalty surcharge pursuant to Article 34-2 (1) of the Act, the Minister of the Interior and Safety shall give a written notice stating the violation, amount of the penalty surcharge, and methods of, and period for filing an objection, to the violator. <Amended by Presidential Decree No. 25751, Nov. 19, 2014; Presidential Decree No. 28211, Jul. 26, 2017> |
(3) | A person in receipt of the written notice given under paragraph (2) shall pay a penalty surcharge to a collecting agency designated by the Minister of the Interior and Safety within 30 days from the receipt of such written notice: Provided, That where the person cannot pay the penalty surcharge within such period due to a natural disaster or other unavoidable causes, he/she shall pay it within seven days from the date the relevant cause ceases to exist. <Amended by Presidential Decree No. 25751, Nov. 19, 2014; Presidential Decree No. 28211, Jul. 26, 2017> |
(4) | "Late-payment penalty prescribed by Presidential Decree" in the former part of Article 34-2 (3) of the Act means an amount calculated for the period from the day following the due date for payment until the day preceding the payment date of the penalty surcharge, by adding an amount equivalent to 5/1,000 of the unpaid penalty surcharge per month past due. |
[This Article Added by Presidential Decree No. 25531, Aug. 6, 2014]
CHAPTER VI GUARANTEE OF RIGHTS OF DATA SUBJECTS
Article 41 (Procedures, etc. for Access to Personal Information) |
(1) | A data subject who intends to request access to his/her own personal information processed by a personal information controller pursuant to Article 35 (1) of the Act shall submit a request, stating the information that he/she intends to access among the following information, in the manner and following the procedure determined by the personal information controller. <Amended by Presidential Decree No. 24425, Mar. 23, 2013; Presidential Decree No. 25751, Nov. 19, 2014; Presidential Decree No. 28211, Jul. 26, 2017; Presidential Decree No. 28355, Oct. 17, 2017> |
1. | Particulars and substance of personal information; |
2. | The purpose of collecting and using personal information; |
3. | The period for retaining and using personal information; |
4. | Status of personal information provided to a third party; |
5. | The fact that the data subject has given consent to the processing of his/her own personal information and the content thereof. |
(2) | To determine the manner and procedure for requesting access under paragraph (1), a personal information controller shall comply with the following to ensure that such manner and procedure are not more difficult than the manner and procedure that the personal information controller uses to collect the relevant personal information: <Added by Presidential Decree No. 28355, Oct. 17, 2017> |
1. | To provide the requested personal information in a data subject-friendly manner, such as in writing, by telephone or electronic mail, or via the Internet; |
2. | To allow data subjects to request access to their own personal information at least through the same window or in the same manner that the personal information controller uses to collect such personal information, unless just cause exists, such as difficulty in continuously operating such window; |
3. | To post on a website the manner and procedure for requesting access if the personal information controller operates the website. |
(3) | A data subject who intends to request access to his/her own personal information via the Minister of the Interior and Safety pursuant to Article 35 (2) of the Act shall submit to the Minister of the Interior and Safety a Personal Information Access Request specifying the information to access among the information referred to in paragraph (1), as prescribed by Ministerial Decree of the Interior and Safety. In such cases, the Minister of the Interior and Safety shall forward the Personal Information Access Request to the relevant public institution without delay. <Amended by Presidential Decree No. 24425, Mar. 23, 2013; Presidential Decree No. 25751, Nov. 19, 2014; Presidential Decree No. 28211, Jul. 26, 2017; Presidential Decree No. 28355, Oct. 17, 2017> |
(5) | Where a personal information controller allows a data subject to access the relevant personal information within ten days from the receipt of the Personal Information Access Request under paragraph (1) or (3), or limits access to the relevant personal information under Article 42 (1), the personal information controller shall serve the data subject with the Access Notice, stating the accessible personal information, date and time, venue, etc. for access (in the case of partial access pursuant to Article 42 (1), the ground therefor and how to appeal shall be included), in the form prescribed by Ministerial Decree of the Interior and Safety: Provided, That where he/she allows immediate access, the Access Notice may be omitted. <Amended by Presidential Decree No. 24425, Mar. 23, 2013; Presidential Decree No. 25751, Nov. 19, 2014; Presidential Decree No. 28211, Jul. 26, 2017; Presidential Decree No. 28355, Oct. 17, 2017> |
Article 42 (Limitation to, and Postponement and Denial of, Access to Personal Information) |
(1) | Where any information to which a personal information controller receives a request for access pursuant to Article 41 (1) falls under Article 35 (4) of the Act, the personal information controller may limit access to such information; and shall allow the data subject to access personal information other than the limited part. |
(2) | Where a personal information controller intends to postpone a data subject’s access to his/her own personal information pursuant to the latter part of Article 35 (3) of the Act, or to deny the access pursuant to Article 35 (4) of the Act, the personal information controller shall serve the data subject with the Access Postponement or Denial Notice, stating the grounds for postponement or denial and how to appeal, in the form prescribed by Ministerial Decree of the Interior and Safety within ten days from the receipt of the access request. <Amended by Presidential Decree No. 24425, Mar. 23, 2013; Presidential Decree No. 25751, Nov. 19, 2014; Presidential Decree No. 28211, Jul. 26, 2017> |
Article 43 (Correction, Erasure, etc. of Personal Information) |
(1) | A data subject who intends to request a personal information controller to correct or erase his/her own personal information pursuant to Article 36 (1) of the Act shall submit a request in the manner and following the procedure determined by the personal information controller. In such cases, Article 41 (2) shall apply mutatis mutandis where the personal information controller determines the manner and procedure for requesting the correction or erasure of personal information; and "access" shall be construed as "correction or erasure". <Amended by Presidential Decree No. 28355, Oct. 17, 2017> |
(2) | Upon receipt of a request to correct or erase personal information pursuant to Article 36 (1) of the Act, a personal information controller who processes personal information files provided by another personal information controller shall correct or erase the relevant personal information as requested; or shall, without delay, notify the personal information controller who has provided the relevant personal information of the request to correct or erase the personal information, and take necessary measures based on the result of such processing. <Amended by Presidential Decree No. 28355, Oct. 17, 2017> |
(3) | A personal information controller shall inform the relevant data subject of the fact that he/she has duly corrected or erased the relevant personal information pursuant to Article 36 (2) of the Act within ten days from the receipt of a request to correct or erase personal information under paragraph (1) or (2); otherwise, if the erasure of personal information is denied because it falls under the proviso to Article 36 (1) of the Act, the personal information controller shall serve the data subject with the Personal Information Correction or Deletion Outcome Notice, stating the fact and grounds for the denial and how to appeal, in the form prescribed by Ministerial Decree of the Interior and Safety. <Amended by Presidential Decree No. 24425, Mar. 23, 2013; Presidential Decree No. 25751, Nov. 19, 2014; Presidential Decree No. 28211, Jul. 26, 2017; Presidential Decree No. 28355, Oct. 17, 2017> |
Article 44 (Suspension, etc. of Processing Personal Information) |
(1) | A data subject who intends to request a personal information controller to suspend the processing of his/her own personal information pursuant to Article 37 (1) of the Act shall submit a request in the manner and following the procedure determined by the personal information controller. In such cases, Article 41 (2) shall apply mutatis mutandis where the personal information controller determines the manner and procedure for requesting the suspension of processing personal information; and "access" shall be construed as "suspension of processing". <Amended by Presidential Decree No. 28355, Oct. 17, 2017> |
(2) | A personal information controller shall inform the relevant data subject of the fact that it has duly suspended the processing of personal information pursuant to the main sentence of Article 37 (2) of the Act within ten days from the receipt of a request to suspend the processing of personal information made under paragraph (1); otherwise, if the suspension of processing personal information is denied because it falls under the proviso to Article 37 (2) of the Act, the personal information controller shall serve the relevant data subject with the Personal Information Processing Suspension Outcome Notice, stating the fact and grounds for the denial and how to appeal, in the form prescribed by Ministerial Decree of the Interior and Safety. <Amended by Presidential Decree No. 24425, Mar. 23, 2013; Presidential Decree No. 25751, Nov. 19, 2014; Presidential Decree No. 28211, Jul. 26, 2017; Presidential Decree No. 28355, Oct. 17, 2017> |
Article 45 (Scope, etc. of Representative) |
1. | A legal representative of the data subject; |
2. | A person delegated by the data subject. |
(2) | A representative referred to in paragraph (1), representing a data subject pursuant to Article 38 of the Act, shall submit the power of attorney of the data subject, in the form prescribed by Ministerial Decree of the Interior and Safety, to the personal information controller. <Amended by Presidential Decree No. 24425, Mar. 23, 2013; Presidential Decree No. 25751, Nov. 19, 2014; Presidential Decree No. 28211, Jul. 26, 2017> |
Article 46 (Confirmation of Data Subjects or Representatives) |
(1) | Upon receipt of the Access Request under Article 41 (1), the Personal Information Correction or Erasure Request under Article 43 (1), or the Personal Information Processing Suspension Request under Article 44 (1) (hereafter referred to as "Access Request, etc." in this Article, and Articles 47 and 48), a personal information controller shall confirm whether the person who has submitted the Access Request, etc. is the principal or the duly authorized representative. |
(2) | Any personal information controller, which is a public institution eligible for the sharing of administrative information pursuant to Article 36 (1) of the Electronic Government Act, shall confirm as provided in paragraph (1) through the sharing of administrative information: Provided, That this shall not apply where the public institution is unable to share administrative information or the data subject does not provide consent to such confirmation. |
Article 47 (Amounts of Fees, etc.) |
(1) | The amounts of fees and postage provided for in Article 38 (3) of the Act shall be determined by the relevant personal information controller within the actual expenses necessary for the processing of the Access Request, etc.: Provided, That where a personal information controller is a local government, they shall be prescribed by municipal ordinance of the relevant local government. |
(2) | A personal information controller shall not demand any fee or postage if the cause for submitting the Access Request, etc. lies with the personal information controller. |
(3) | Any fee and postage provided for in Article 38 (3) of the Act shall be paid as follows: Provided, That a personal information controller, which is the National Assembly, the Court, the Constitutional Court, the National Election Commission, a central administrative agency, or its affiliated body (hereafter referred to as "national agency" in this Article) or a local government, may claim such fee and postage by the electronic payment means, as defined in subparagraph 11 of Article 2 of the Electronic Financial Transactions Act, or telecommunications billing services, as defined in subparagraph 10 of Article 2 of the Act on Promotion of Information and Communications Network Utilization and Information Protection, Etc.: |
1. | Where the fee or postage is paid to a personal information controller that is a national agency: Revenue stamp; |
2. | Where the fee or postage is paid to a personal information controller that is a local government: Revenue certificate; |
3. | Where the fee and postage are paid to a personal information controller other than a national agency or local government: In the manner determined by the relevant personal information controller. |
Article 48 (Establishing, etc. Access Request Support System) |
(1) | A personal information controller may establish and operate a support system that enables the Access Request, etc. to be processed and notified electronically, and determine other work procedures. |
(2) | The Minister of the Interior and Safety may establish and operate a support system so that the public institutions which possess personal information efficiently process the Access Request, etc. and notify the results of such processing. <Amended by Presidential Decree No. 24425, Mar. 23, 2013; Presidential Decree No. 25751, Nov. 19, 2014; Presidential Decree No. 28211, Jul. 26, 2017> |
CHAPTER VII PERSONAL INFORMATION DISPUTE MEDIATION
Article 48-2 (Ex Officio Members) |
Ex officio members of the Personal Information Dispute Mediation Committee established under Article 40 (1) of the Act (hereinafter referred to as the "Dispute Mediation Committee") shall be appointed by the heads of the institutions to which they belong from among members in general service of the Senior Executive Service of the Ministry of the Interior and Safety, the Korea Communications Commission, the Financial Services Commission, and the Protection Commission, who are in charge of the affairs related to the protection of personal information. <Amended by Presidential Decree No. 28211, Jul. 26, 2017>
[This Article Added by Presidential Decree No. 27370, Jul. 22, 2016]
Article 49 (Composition and Operation of Mediation Panels) |
(1) | The mediation panel referred to in Article 40 (6) of the Act (hereinafter referred to as “mediation panel”) shall be comprised of not more than five members appointed by the chairperson of the Dispute Mediation Committee, one of whom shall be a commissioner with an attorney-at-law license. <Amended by Presidential Decree No. 27370, Jul. 22, 2016> |
(2) | The chairperson of the Dispute Mediation Committee shall convene the meetings of the mediation panel. |
(3) | The chairperson of the Dispute Mediation Committee shall notify each member of the mediation panel of the date, time, venue, and agenda no later than seven days prior to the meeting: Provided, That this shall not apply in case of emergency. |
(4) | The presider of the mediation panel shall be elected by and from among its members. |
(5) | Except as otherwise expressly prescribed in paragraphs (1) through (4), matters necessary for the composition and operation of the mediation panel, and other necessary matters, shall be determined by the chairperson of the Dispute Mediation Committee subject to the resolution of the Dispute Mediation Committee. |
The secretariat of the Protection Commission shall conduct administrative affairs necessary for dispute mediation, such as receiving dispute mediation cases and fact-finding pursuant to Article 40 (8) of the Act.
[This Article Wholly Amended by Presidential Decree No. 27370, Jul. 22, 2016]
Article 51 (Operation of Dispute Mediation Committee, etc.) |
(1) | The chairperson of the Dispute Mediation Committee shall convene and preside over meetings of the Dispute Mediation Committee. |
(2) | The chairperson of the Dispute Mediation Committee shall notify each member of the Dispute Mediation Committee of the date, time, venue, and agenda no later than seven days prior to the meeting: Provided, That this shall not apply in case of emergency. |
(3) | The meetings of the Dispute Mediation Committee and the mediation panel shall not be open to the public: Provided, That attendance of the parties or interested parties is allowed by the resolution of the Dispute Mediation Committee, if deemed necessary. |
Article 52 (Incidents Eligible for Collective Dispute Mediation) |
"Incident prescribed by Presidential Decree" in Article 49 (1) of the Act means any incident that satisfies all of the following conditions:
1. | The number of data subjects suffering from damage or infringement on their rights shall be not less than 50 persons, except the following: |
(a) | Data subjects who have agreement with the personal information controller on the dispute settlement or compensation for damage; |
(b) | Data subjects whose dispute based on the same cause is dealt with by the dispute mediation body established by other statutes; |
(c) | Data subjects who have filed a lawsuit with a court against the relevant data breach incident; |
2. | Major issues of the incident are common in fact or in law. |
Article 53 (Commencement of Collective Dispute Mediation Proceedings) |
(1) | "Period prescribed by Presidential Decree" in the latter part of Article 49 (2) of the Act means a period of at least 14 days. |
(2) | Notification of commencing the collective dispute mediation proceedings referred to in the latter part of Article 49 (2) of the Act shall be posted on the website of the Dispute Mediation Committee or a general daily newspaper circulating nationwide under the Act on the Promotion of Newspapers, Etc. <Amended by Presidential Decree No. 26776, Dec. 30, 2015> |
Article 54 (Applications for Participation in Collective Dispute Mediation Proceedings) |
(1) | A data subject or personal information controller, other than the parties to collective dispute mediation subject to Article 49 of the Act (hereinafter referred to as “collective dispute mediation”), who intends to participate in such collective dispute mediation additionally as a party pursuant to Article 49 (3) of the Act, shall file a written application during the notice period subject to the latter part of Article 49 (2) of the Act. |
(2) | Upon receiving a written application for collective dispute mediation as a party pursuant to paragraph (1), the Dispute Mediation Committee shall inform the applicant of whether it has accepted his/her application within ten days from the expiry of the application period referred to in paragraph (1). |
Article 55 (Collective Dispute Mediation Proceedings) |
(1) | After the collective dispute mediation proceedings commence, a data subject who falls under any of subparagraph 1 (a) through (c) of Article 52 shall be excluded from the parties. |
(2) | Once the collective dispute mediation proceedings of the case which satisfies the conditions referred to in Article 52 commence, such proceedings shall not be suspended even if the conditions referred to in subparagraph 1 of Article 52 are not satisfied because a data subject falls under any of subparagraph 1 (a) through (c) of the same Article. |
Article 56 (Allowances and Travel Expenses) |
Members, etc. who attend a meeting of the Dispute Mediation Committee or the mediation panel may be paid allowances and travel expenses within budgetary limits: Provided, That this shall not apply where a public official attends any meeting directly related with his/her duties.
Article 57 (Dispute Mediation Rule) |
Except as otherwise expressly prescribed by the Act and this Decree, matters necessary for the operation of the Dispute Mediation Committee and collective dispute mediation shall be determined by the chairperson subject to the resolution of the Dispute Mediation Committee.
CHAPTER VIII SUPPLEMENTARY PROVISIONS AND PENALTY PROVISIONS
Article 58 (Advice for Improvements and Disciplinary Action) |
(2) | A person who has received advice under paragraph (1) shall take necessary measures as advised, and notify the Minister of the Interior and Safety or the head of the relevant central administrative agency of the outcome in writing: Provided, That special circumstances, in which it is deemed impracticable to take measures as advised, shall be explained to the addressee. <Amended by Presidential Decree No. 24425, Mar. 23, 2013; Presidential Decree No. 25751, Nov. 19, 2014; Presidential Decree No. 28211, Jul. 26, 2017> |
Article 59 (Reporting on Infringements, etc.) |
The Minister of the Interior and Safety shall designate the Korea Internet and Security Agency as a specialized institution to efficiently receive and handle the claim reports on infringements on personal information-related rights or interests pursuant to Article 62 (2) of the Act. <Amended by Presidential Decree No. 24425, Mar. 23, 2013; Presidential Decree No. 25751, Nov. 19, 2014; Presidential Decree No. 28211, Jul. 26, 2017>
Article 60 (Requests for Materials and Inspections) |
(1) | "Circumstances prescribed by Presidential Decree" in Article 63 (1) 3 of the Act means circumstances in which a data subject’s right or interest has been infringed on, or is likely to be infringed on, such as a personal data breach. |
(2) | The Minister of the Interior and Safety may request the head of the Korea Internet and Security Agency to provide necessary assistance, including technical advice, in order to request materials and to conduct inspections, etc. pursuant to Article 63 (1) and (2) of the Act. <Amended by Presidential Decree No. 24425, Mar. 23, 2013; Presidential Decree No. 25751, Nov. 19, 2014; Presidential Decree No. 26776, Dec. 30, 2015; Presidential Decree No. 28211, Jul. 26, 2017> |
Article 61 (Disclosure of Results) |
(1) | The Minister of the Interior and Safety or the head of a relevant central administrative agency may make public the following matters pursuant to Article 66 (1) or (2) of the Act by posting them on the website of the Ministry or the relevant agency or in a general daily nationwide newspaper under the Act on the Promotion of Newspapers, Etc.: <Amended by Presidential Decree No. 24425, Mar. 23, 2013; Presidential Decree No. 25751, Nov. 19, 2014; Presidential Decree No. 28211, Jul. 26, 2017> |
1. | The substance of violations; |
3. | The advice for improvement, corrective measures, accusation, and advice for disciplinary action, and imposition of administrative fines, and the outcomes thereof. |
(2) | To make public the matters prescribed in paragraph (1) pursuant to Article 66 (1) or (2) of the Act, the Minister of the Interior and Safety or the head of a relevant central administrative agency shall take into account the substance and severity of violations, the period and frequency of violations, the scope of damage caused by the relevant violations, and the outcomes thereof. <Amended by Presidential Decree No. 24425, Mar. 23, 2013; Presidential Decree No. 25751, Nov. 19, 2014; Presidential Decree No. 28211, Jul. 26, 2017> |
(3) | Prior to submitting a case for deliberation or resolution to the Protection Commission under Article 66 (1) of the Act, the Minister of the Interior and Safety or the head of a relevant central administrative agency shall inform the person affected by the disclosure of such fact and give him/her an opportunity to submit evidentiary materials or defensive opinion. <Amended by Presidential Decree No. 24425, Mar. 23, 2013; Presidential Decree No. 25751, Nov. 19, 2014; Presidential Decree No. 28211, Jul. 26, 2017> |
Article 62 (Entrustment of Authority) |
(1) | Deleted. <by Presidential Decree No. 26776, Dec. 30, 2015> |
(2) | The Minister of the Interior and Safety may entrust the authority to support the provision of alternative sign-up tool subject to Article 24-2 (4) of the Act to any of the following institutions: <Amended by Presidential Decree No. 24425, Mar. 23, 2013; Presidential Decree No. 25751, Nov. 19, 2014; Presidential Decree No. 26776, Dec. 30, 2015; Presidential Decree No. 28211, Jul. 26, 2017> |
2. | The Korea Internet and Security Agency; |
3. | A corporation, institution, or organization publicly notified by the Minister of the Interior and Safety after being recognized as having technical and financial capacity and facilities to develop, provide, and manage the alternative sign-up tool safely. |
(3) | The Minister of the Interior and Safety shall entrust the following authority to the Korea Internet and Security Agency: <Amended by Presidential Decree No. 24425, Mar. 23, 2013; Presidential Decree No. 25751, Nov. 19, 2014; Presidential Decree No. 26776, Dec. 30, 2015; Presidential Decree No. 28211, Jul. 26, 2017> |
1. | Education and public relations concerning the protection of personal information under subparagraph 1 of Article 13 of the Act; |
2. | Training of relevant specialists and development of criteria for privacy impact assessments under Article 33 (5) of the Act; |
5. | Receipt of applications for designating a PIA institution under Article 37 (2) and receipt of reports under Article 37 (6). |
(4) | Where the Minister of the Interior and Safety entrusts the authority pursuant to paragraph (2), he/she shall publicly notify the entrusted institutions and the entrusted affairs. <Added by Presidential Decree No. 26776, Dec. 30, 2015; Presidential Decree No. 28211, Jul. 26, 2017> |
Article 62-2 (Processing of Personally Identifiable Information) |
(1) | The Minister of the Interior and Safety (including persons entrusted with the authority of the Minister of the Interior and Safety under Article 62 (3)) may process the data that contains resident registration numbers, passport numbers, driver’s license numbers, or alien registration numbers referred to in Article 19, if inevitable to perform the following: <Amended by Presidential Decree No. 25751, Nov. 19, 2014; Presidential Decree No. 26776, Dec. 30, 2015; Presidential Decree No. 28211, Jul. 26, 2017> |
1. | Preparing for and supporting the establishment of systems providing alternative sign-up tools pursuant to Article 24-2 (4) of the Act; |
(2) | The Dispute Mediation Committee may process the data that contains resident registration numbers, passport numbers, driver’s license numbers, or alien registration numbers referred to in Article 19, if inevitable to perform the affairs related to personal information dispute mediation under Articles 45 and 47 of the Act. |
[This Article Added by Presidential Decree No. 25531, Aug. 6, 2014]
Article 62-3 (Review of Regulation) |
(1) | The Minister of the Interior and Safety shall review the appropriateness of the criteria for imposing penalty surcharges under Article 40-2 and Appendix 1-2 every three years, counting from January 1, 2014 (being any date before January 1 of every third anniversary), and shall take measures, such as making improvements. <Amended by Presidential Decree No. 28211, Jul. 26, 2017> |
(2) | The Minister of the Interior and Safety shall review the appropriateness of the following matters every two years, counting from the following base dates (being any date before the base date of every second anniversary), and shall take measures, such as making improvements: <Amended by Presidential Decree No. 26776, Dec. 30, 2015; Presidential Decree No. 28211, Jul. 26, 2017> |
1. | Gathering opinions when installing visual data processing devices under Article 23: January 1, 2015; |
2. | Details, and method of disclosure, of the Privacy Policy under Article 31: January 1, 2015; |
2-2. | Requirements for designating PIA institutions and for revoking such designation under Article 37: January 1, 2016; |
3. | Procedures, etc. for access to personal information under Article 41: January 1, 2015; |
4. | Incidents eligible for collective dispute mediation under Article 52: January 1, 2015; |
5. | Criteria for imposing administrative fines under Article 63 and Appendix 2: January 1, 2015. |
[This Article Wholly Amended by Presidential Decree No. 25840, Dec. 9, 2014]
Article 63 (Criteria for Imposition of Administrative Fines) |
ADDENDA
Article 1 (Enforcement Date)
This Decree shall enter into force on September 30, 2011: Provided, That Article 20 and subparagraph 2 (i) of Appendix 2 shall enter into force on March 30, 2012.
Article 2 (Repeal of other Acts)
Article 3 (Transitional Measures concerning Establishment of Master Plans and Implementation Plans)
(1) | Notwithstanding Article 11, the Minister of Public Administration and Security shall establish the Master Plan for the period from 2012 to 2014 by December 31, 2011 subject to the deliberation and resolution of the Protection Commission. |
(2) | Notwithstanding Article 12, the head of a central administrative agency shall submit the implementation plan for the period from 2012 to 2013 according to the relevant Master Plan established under paragraph (1) and submit it to the Protection Commission by February 28, 2012 and establish it by April 30, 2012 subject to the deliberation and resolution of the Protection Commission. |
Article 4 (Transitional Measures concerning Encryption of Personal Information Collected and Retained by Personal Information Controllers)
Personal information controllers who have collected and retained personal information as at the time this Decree enters into force shall complete the encryption of the personal information stored in electronic media (including the encryption of personally identifiable information to which Article 21 shall apply mutatis mutandis) pursuant to Article 30 (1) 3 by no later than December 31, 2012.
Article 5 (Transitional Measures concerning Registration of Personal Information Files)
The head of a public institution that operates personal information files as at the time this Decree enters into force (excluding institutions that have already registered personal information files before this Decree enters into force) shall apply for the registration thereof to the Minister of Public Administration and Security pursuant to Article 34 within 60 days from the date this Decree enters into force.
Article 6 (Transitional Measures concerning Privacy Impact Assessment)
The head of a public institution operating, or building up to operate, personal information files prescribed in the subparagraphs of Article 35 as at the time this Act enters into force shall conduct a privacy impact assessment of such personal information and submit the result thereof to the Minister of Public Administration and Security within five years from the date this Decree enters into force.
Article 7 Omitted.
Article 8 (Relationship with other Acts and Subordinate Statutes)
ADDENDA <Presidential Decree No. 24425, Mar. 23, 2013>
Article 1 (Enforcement Date)
This Decree shall enter into force on the date of its promulgation: Provided, That any amendment made by Presidential Decree promulgated before this Act enters into force, but the date on which such amendment enters into force has yet to arrive, among the Presidential Decrees amended pursuant to Article 6 of the Addenda shall respectively enter into force on the date such Presidential Decree enters into force.
Articles 2 through 6 Omitted.
ADDENDUM <Presidential Decree No. 25531, Aug. 6, 2014>
This Decree shall enter into force on August 7, 2014.
ADDENDA <Presidential Decree No. 25751, Nov. 19, 2014>
Article 1 (Enforcement Date)
This Decree shall enter into force on the date of its promulgation: Provided, That any amendment made by Presidential Decree promulgated before this Act enters into force, but the date on which such amendment enters into force has yet to arrive, among the Presidential Decrees amended pursuant to Article 5 of the Addenda shall respectively enter into force on the date such Presidential Decree enters into force.
Articles 2 through 5 Omitted.
ADDENDA <Presidential Decree No. 25840, Dec. 9, 2014>
Article 1 (Enforcement Date)
This Decree shall enter into force on January 1, 2015.
Articles 2 through 16 Omitted.
ADDENDA <Presidential Decree No. 26140, Mar. 11, 2015>
Article 1 (Enforcement Date)
This Decree shall enter into force on the date of its promulgation.
Articles 2 and 3 Omitted.
ADDENDA <Presidential Decree No. 26728, Dec. 22, 2015>
Article 1 (Enforcement Date)
This Decree shall enter into force on December 23, 2015.
Articles 2 and 3 Omitted.
ADDENDUM <Presidential Decree No. 26776, Dec. 30, 2015>
This Decree shall enter into force on the date of its promulgation: Provided, That the amended provisions of Articles 21-2, 62 (2), 62-2 (1) 1, and Appendix 2 shall enter into force on January 1, 2016.
ADDENDA <Presidential Decree No. 27370, Jul. 22, 2016>
Article 1 (Enforcement Date)
This Decree shall enter into force on July 25, 2016.
Article 2 (Transitional Measures concerning Establishment of Master Plans and Implementation Plans)
(1) | The Master Plan for 2015 to 2017 established pursuant to the former provisions of Article 11 shall be deemed the Master Plan established pursuant to the amended provisions of Article 11. |
(2) | The implementation plans for 2016 and 2017 established pursuant to the former provisions of Article 12 shall be deemed the implementation plans established pursuant to the amended provisions of Article 12, respectively. |
ADDENDUM <Presidential Decree No. 27522, Sep. 29, 2016>
This Decree shall enter into force on September 30, 2016.
ADDENDA <Presidential Decree No. 28074, May 29, 2017>
Article 1 (Enforcement Date)
This Decree shall enter into force on May 30, 2017.
Articles 2 through 4 Omitted.
ADDENDA <Presidential Decree No. 28150, Jun. 27, 2017>
Article 1 (Enforcement Date)
This Decree shall enter into force on July 1, 2017: Provided, That the amended provisions of Article 3 of this Addenda shall enter into force on the date of its promulgation.
Articles 2 and 3 Omitted.
ADDENDA <Presidential Decree No. 28211, Jul. 26, 2017>
Article 1 (Enforcement Date)
This Decree shall enter into force on the date of its promulgation: Provided, That any amendment of the Presidential Decrees made pursuant to Article 8 of this Addenda, which were promulgated before this Decree comes into force, but the enforcement date of which has yet to arrive, shall enter into force on the date the corresponding Presidential Decree takes effect.
Articles 2 through 8 Omitted.
ADDENDA <Presidential Decree No. 28355, Oct. 17, 2017>
Article 1 (Enforcement Date)
This Decree shall enter into force on October 19, 2017.
Article 2 (Applicability to Reporting, etc. on Data Breach Notification)
The amended provisions of Articles 39 (1) and 40 (3) shall begin to apply from the first divulgence of any personal information after this Decree enters into force.
Article 3 (Transitional Measures concerning Request for Access, etc. to Personal Information)
Notwithstanding the amended provisions of Articles 41 (1), 43 (1), and 44 (1), a person who has requested access to, correction or erasure, or suspension of processing of, his/her personal information before this Decree enters into force shall be governed by the former provisions.