ENFORCEMENT DECREE OF THE ACT ON PROMOTION OF INFORMATION AND COMMUNICATIONS NETWORK UTILIZATION AND INFORMATION PROTECTION
Wholly Amended by Presidential Decree No. 20668, Feb. 29, 2008
Amended by Presidential Decree No. 20756, Mar. 28, 2008
Presidential Decree No. 20896, Jul. 3, 2008
Presidential Decree No. 20947, Jul. 29, 2008
Presidential Decree No. 21278, Jan. 28, 2009
Presidential Decree No. 21692, Aug. 18, 2009
Presidential Decree No. 21719, Sep. 9, 2009
Presidential Decree No. 22003, Jan. 27, 2010
Presidential Decree No. 22151, May 4, 2010
Presidential Decree No. 22423, Oct. 1, 2010
Presidential Decree No. 22424, Oct. 1, 2010
Presidential Decree No. 22467, Nov. 2, 2010
Presidential Decree No. 22550, Dec. 27, 2010
Presidential Decree No. 22773, Mar. 29, 2011
Presidential Decree No. 23104, Aug. 29, 2011
Presidential Decree No. 23169, Sep. 29, 2011
Presidential Decree No. 23876, jun. 25, 2012
Presidential Decree No. 24047, Aug. 17, 2012
Presidential Decree No. 24076, Aug. 31, 2012
Presidential Decree No. 24102, Sep. 14, 2012
Presidential Decree No. 24445, Mar. 23, 2013
Presidential Decree No. 25050, Dec. 30, 2013
Presidential Decree No. 25532, Aug. 6, 2014
Presidential Decree No. 25751, Nov. 19, 2014
Presidential Decree No. 25789, Nov. 28, 2014
Presidential Decree No. 27188, May 31, 2016
Presidential Decree No. 27510, Sep. 22, 2016
Presidential Decree No. 27751, Dec. 30, 2016
Presidential Decree No. 27951, Mar. 22, 2017
Presidential Decree No. 28210, Jul. 26, 2017
Presidential Decree No. 28283, Sep. 5, 2017
Presidential Decree No. 28919, May 28, 2018
Presidential Decree No. 29053, Jul. 17, 2018
Presidential Decree No. 29192, Sep. 28, 2018
Presidential Decree No. 29339, Dec. 11, 2018
Presidential Decree No. 29633, Mar. 19, 2019
CHAPTER I GENERAL PROVISIONS
| Article 2 (Code of Ethics) |
| (2) | An association of users defined under Article 2 (1) 4 of the Act may establish and enforce a users’ code of ethics for the establishment of a sound information society. |
| (3) | The Government may provide assistance to activities for the establishment and enforcement of the code of ethics under paragraph (1) or (2). |
| Article 3 (Guidelines for Protection of Personal Information) |
| (1) | In order to protect users’ personal information pursuant to Article 4 of the Act, the Korea Communications Commission may formulate and provide a public notice of guidelines for the protection of personal information and may recommend providers of information and communications services to comply with such guidelines. <Amended by Presidential Decree No. 21278, Jan. 28, 2009; Presidential Decree No. 23169, Sep. 29, 2011> |
| (2) | When the Korea Communications Commission intends to formulate and provide a public notice of guidelines for the protection of personal information under paragraph (1), it shall collect opinions from related business circles, associations of users, etc. and shall consult with the heads of related central administrative agencies thereon. <Amended by Presidential Decree No. 23169, Sep. 29, 2011> |
CHAPTER II PROMOTION OF UTILIZATION OF INFORMATION AND COMMUNICATIONS NETWORKS
| Articles 4 and 5 Deleted. <by Presidential Decree No. 21692, Aug. 18, 2009> |
| Article 6 (Measures for Establishment of System for Sharing Information) |
| (1) | Pursuant to Article 12 of the Act, the head of a central administrative agency may formulate and provide a public notice of a plan for sharing information about matters under his or her jurisdiction. <Amended by Presidential Decree No. 22151, May 4, 2010> |
| (2) | If the head of a central administrative agency deems it necessary to efficiently implement a plan for sharing information pursuant to paragraph (1), he or she may assist a person in conducting the following business activities: |
| 1. | Selection of information to be shared, among the information possessed and managed; |
| 2. | Establishment and operation of a system for interconnecting different information and communications networks; |
| 3. | Adjustment of expenses allotted to each agency in connection with the interconnection of different information and communications networks; |
| 4. | Other activities necessary for the establishment of the system for sharing information. |
| Article 7 (Implementation of Projects for Promoting Utilization of Information and Communications Networks) |
Projects that the Minister of Science and Information Communications Technology (ICT) may implement pursuant to Article 13 (1) of the Act are as follows: <Amended by Presidential Decree No. 24445, Mar. 23, 2013; Presidential Decree No. 28210, Jul. 26, 2017> | 1. | Pilot projects for the establishment and operation of information and communications networks; |
| 2. | Pilot projects for the commercialization of new media; |
| 3. | Advanced application projects for nurturing the informatization industry and projects for supporting related research projects; |
| 4. | Projects to lay a foundation for the development of technologies for electronic transactions and the invigoration of electronic transactions; |
| 5. | Supportive projects for the improvement of statutes and systems for promoting the utilization of information and communications networks; |
| 6. | Other pilot projects for the efficient utilization and dissemination of technologies, equipment, and application services. |
CHAPTER III (Articles 8 and 9) Deleted.
CHAPTER IV PROTECTION OF PERSONAL INFORMATION
| Article 9-2 (Extent of Access Authority) |
| (1) | A case where a provider of information and communications services shall obtain consent from the users pursuant to Article 22-2 (1) of the Act means a case where such provider needs authority of access to the following information and functions (hereafter referred to as “access authority” in this Article) through the softwares of mobile devices: Provided That this shall not apply to the information and functions accessed by any software, which has been installed in mobile devices in the course of manufacturing and supplying them, to perform their intrinsic functions such as communications, photography, and audio and video replay: |
| 1. | Information stored by the users on their mobile devices such as contact points, schedules, videos, communications, biometric information (referring to information concerning physical or behavioral characteristics with which an individual can be identified, such as fingerprints, iris, voice, and handwriting; hereinafter the same shall apply); |
| 2. | Information automatically stored on mobile devices in the course of using them, such as location information, communication logs, authentication information, and physical activity records; |
| 4. | Input and output functions, such as photography, speech recognition, and biometric or health information detecting sensor. |
| (2) | A provider of information and communications services shall, in the course in which the users install or run a software of mobile devices, inform the users of the matters referred to in each subparagraph of Article 22-2 (1) of the Act in a manner displaying such matters on a software’s guidance information screen or other separate screen and shall obtain consent of the users according to the following classifications in the same manner: |
| 1. | Where the basic operating system of mobile devices (referring to the based environment in which the software can be executed in mobile devices; hereinafter referred to as “operating system”) is an operating system in which the users can individually choose whether to consent to the access authority: A method by which, after the provider of information and communications services informs the users about the both access authorities under Article 22-2 (1) 1 and 2 of the Act separately from each other, the users choose whether to consent when for the first time they access any information or function the access authority for which is set; |
| 2. | Where the operating system of mobile devices is one by which the users can not individually choose whether to consent to the access authority: A method by which, after the provider of information and communications services only sets the access authority under Article 22-2 (1) 1 and informs the users thereof, the users choose whether to consent to the access authority when they install the software; |
| 3. | Where the method referred to in subparagraph 1 or 2 is impossible though the operating system of mobile devices is one referred to in subparagraph 1 or 2: A method similar to one referred to in subparagraph 1 or 2, by which the provider of information and communications services informs the users of the content of consent so that they can definitely acknowledge such content and choose whether to give consent. |
| (3) | When determining whether a matter requiring the consent of the users pursuant to Article 22-2 (1) of the Act falls under any access authority under subparagraph 1 or 2 of that Article, the following shall be taken into consideration: the extent of information and communications services as disclosed through the terms and conditions on use, the policies on personal information management or any separate guidance; whether such information and communications services are actually provided; the users’ reasonable expectation for the relevant information and communications services; and technical relevance between the relevant information and communications services and the access authority. |
| (4) | Persons manufacturing and supplying the operating system of mobile devices, manufacturers of mobile devices, and persons manufacturing and supplying softwares of mobile devices shall take necessary measures according to the following classifications in order to protect information on the users referred to in Article 22-2 (3) of the Act: |
| 1. | Persons manufacturing and supplying the operating system of mobile devices: They shall manufacture and provide the operating system in which there are embedded functions by which the providers of information and communications services can obtain the consent of the users by the methods classified in the subparagraphs of paragraph (2) and the users can revokes their consent, and they also shall prepare and disclose operating standards for the access authority set in the operating system so that the persons manufacturing and supplying the softwares of mobile devices can easily understand such standards; |
| 2. | Manufacturers of mobile devices: They shall install on mobile devices the operating system in which functions to give and revoke the consent under subparagraph 1 are embedded; |
| 3. | Persons manufacturing and providing softwares of mobile devices: They shall embed in the softwares the operating system for which the measures under subparagraphs 1 and 2 are taken and the methods for giving and revoking consent which are suitable for mobile devices. |
[This Article Newly Inserted by Presidential Decree No. 27951, Mar. 22, 2017]
| Article 9-3 (Criteria for Standard Subject to Review) |
| (1) | Criteria for each standard subject to review under Article 23-3 (1) of the Act are as follows: <Amended by Presidential Decree No. 24047, Aug. 17, 2012> |
| 1. | A plan for physical/technological/administrative measures: A plan for measures concerning the following shall be formulated: |
| (a) | The management and operation of equipment for identification services under Article 23-3 (1) of the Act (hereinafter referred to as “identification services”); |
| (b) | The prevention of a breach on information and communications networks; |
| (c) | The operation, security, and management of systems and networks; |
| (d) | The protection of users and the settlement of complaints; |
| (e) | The response to urgency and emergency; |
| (f) | The formulation and enforcement of internal regulations on identification services; |
| (g) | The securement of safety of an alternative means under Article 23-2 (2) of the Act (hereinafter referred to as “alternative means”); |
| (h) | The prevention of fabrication and alteration of access records; |
| (i) | Other matters specified and publicly notified by the Korea Communications Commission for identification services; |
| 2. | Technological capability: An identification service agency shall have at least eight persons who meet any of the following requirements: |
| (a) | Each person shall hold a national technical qualification as an information and communications engineer, information processing engineer, or an engineer specializing in application of electronic computer systems or a qualification recognized by the Korea Communications Commission as equivalent to such qualification; |
| (b) | Each person shall have work experience of at least two years in a field specified and publicly notified by the Korea Communications Commission as related to the protection of information or the operation and management of information and communication systems; |
| 3. | Financial capability: An identification service agency’s equity capital shall be at least eight billion won (excluding state agencies and local governments); |
| 4. | Appropriateness of the scale of facilities: An identification service agency shall possess the following facilities in a scale necessary for the proper provision of identification services: |
| (a) | Facilities for the verification, management, and protection of users’ personal information; |
| (b) | Facilities for the generation, issuance, and management of alternative means; |
| (c) | Security facilities for controlling and restricting access; |
| (d) | Facilities for the protection of systems and networks; |
| (e) | Facilities for the prevention of fire, flood, power failure, and other disasters. |
| (2) | Matters necessary for guidelines and methods for the evaluation of criteria for each standard subject to the review under paragraph (1) shall be prescribed and publicly notified by the Korea Communications Commission. |
[This Article Newly Inserted by Presidential Decree No. 23104, Aug. 29, 2011]
| Article 9-4 (Procedures for Designation of Identification Service Agencies) |
| (1) | A person who intends to be designated as an identification service agency under Article 23-3 (1) of the Act shall file an application for the designation of an identification service agency (including in electronic form) with the Korea Communications Commission, along with the following documents (including electronic documents): |
| 1. | A business plan describing the current conditions of its organization, human resources, facilities, etc.; |
| 2. | Documents certifying that criteria for each standard subject to the review under Article 9-3 are satisfied; |
| 3. | Articles of incorporation or bylaws of organization (applicable only if an applicant is a legal person or organization); |
| 4. | Other documents specified and publicly notified by the Korea Communications Commission as documents necessary for ascertaining the expertise in providing identification services, the soundness of the financial structure, etc. |
| (2) | Upon receipt of an application for the designation of an identification service agency under paragraph (1), the Korea Communications Commission shall verify the relevant corporate registration (applicable only if an applicant is a corporation) by sharing administrative information under Article 36 (1) of the Electronic Government Act. |
| (3) | If the Korea Communications Commission deems it necessary to review an application under paragraph (1), it may request an applicant to submit data or may hear the applicant’s opinions. |
| (4) | Upon receipt of an application under paragraph (1), the Korea Communications Commission shall examine whether the application meets criteria for each standard subject to the review under Article 9-3 and shall notify the applicant of the outcomes of the review within 90 days from the date when such application is filed: Provided, That the period may be extended by up to 30 days in special circumstances by giving notice of the reasons therefor. |
| (5) | When the Korea Communications Commission designates an identification service agency based on the result of the review under paragraph (4), it shall issue a letter of designation of an identification service agency to an applicant and shall provide a public notice of the details of designation, including the name and location of the identification service agency and the date of designation, through the Official Gazette. |
| (6) | Matters necessary for procedures and methods for the application for designation and the review on the designation under the provisions of paragraphs (1) through (5) shall be prescribed and publicly notified by the Korea Communications Commission. |
[This Article Newly Inserted by Presidential Decree No. 23104, Aug. 29, 2011]
| Article 9-5 (Identification Service Agency’s Request for Verifying Electronic Data for Resident Registration) |
When a person designated as an identification service agency under Article 23-3 (1) of the Act (hereinafter referred to as "identification service agency") needs to verify the identities of a child under 14 years of age and the legal representative of the child, it may request the Minister of the Interior and Safety to verify relevant electronic data for resident registration under Article 30 (1) of the Resident Registration Act. [This Article Newly Inserted by Presidential Decree No. 29053, Jul. 17, 2018]
| Article 9-6 (Suspension or Discontinuation of Identification Services) |
| (1) | When an identification service agency intends to suspend or discontinue its services as referred to in Article 23-3 (2) or (3) of the Act, it shall notify users of the following matters: |
| 1. | The reasons for suspension or discontinuation; |
| 2. | The date and time of suspension or discontinuation (including the date and time of resumption of services in cases of suspension); |
| 3. | Restrictions on the use of alternative means and personal information (applicable only to suspension); |
| 4. | The destruction of alternative means and personal information (applicable only to discontinuation). |
| (2) | When an identification service agency reports the suspension or discontinuation of its identification services in accordance with Article 23-3 (2) or (3) of the Act, it shall file a report on the suspension or discontinuation of its identification services with the Korea Communications Commission, along with the following documents: |
| 1. | A notice of the matters under paragraph (1); |
| 2. | A document concerning a plan to restrict the use or to destroy alternative means and personal information; |
| 3. | A document concerning a plan for measures for the protection of users; |
| 4. | The letter of designation of an identification service agency (applicable only to discontinuation). |
| (3) | Details regarding the procedures, guidelines, methods, etc. for the notification and reporting of suspension or discontinuation under paragraph (1) or (2) shall be prescribed and publicly notified by the Korea Communications Commission. |
[This Article Newly Inserted by Presidential Decree No. 23104, Aug. 29, 2011]
| Article 9-7 (Suspension of Identification Services or Cancellation of Designation) |
| (1) | Standards for the suspension of identification services or the cancellation of designation under Article 23-4 (1) of the Act are as prescribed in attached Table 1. |
| (2) | When the Korea Communications Commission suspends identification services or cancels designation under paragraph (1), it shall publish notice thereof in the Official Gazette. |
[This Article Newly Inserted by Presidential Decree No. 23104, Aug. 29, 2011]
| Article 10 (Notification of Entrustment of Management of Personal Information) |
“Manner prescribed by Presidential Decree” in the former part of Article 25 (2) of the Act means electronic mail, writing, facsimile, telephone, or other similar means. <Amended by Presidential Decree No. 23169, Sep. 29, 2011>
| Article 11 (Notification upon Transfer of Personal Information Following Transfer of Business) |
| (1) | “Means specified by Presidential Decree” in Article 26 (1), with the exception of its subparagraphs, and in the main sentence of Article 26 (2) of the Act means electronic mail, writing, facsimile, telephone, or other similar means. <Amended by Presidential Decree No. 23169, Sep. 29, 2011> |
| (2) | If a provider of information and communications services or a business transferee does not get any information about how to contact a user without any fault on the part of the service provider or business transferee and so he or she is unable to give notice to the user by any means specified in paragraph (1), it shall publish the notice on its website for at least 30 days. <Amended by Presidential Decree No. 21278, Jan. 28, 2009> |
| (3) | If it is impracticable to post a public announcement on the website in accordance with paragraph (2) due to a natural disaster or any other justifiable cause, such notice may be substituted by public notice given at least once through two or more general daily newspapers circulated nationwide under the Act on the Promotion of Newspapers (or general daily newspapers circulated in a certain region, if most users reside in the region). <Amended by Presidential Decree No. 22003, Jan. 27, 2010> |
| Article 12 (Methods for Obtaining Consent) |
| (1) | Pursuant to Article 26-2 of the Act, a provider of information and communications services shall obtain consent by any of the following methods: In such cases, a provider of information and communications services shall state matters for which he or she shall obtain consent (hereinafter referred to as “matters subject to consent”) so that users can clearly recognize and check such matters: <Amended by Presidential Decree No. 21278, Jan. 28, 2009; Presidential Decree No. 28919, May 28, 2018> |
| 1. | Publishing matters subject to consent in his or her website and requesting each user to express whether he or she consents thereto; |
| 2. | Delivering a document containing matters subject to consent to each user in person or by mail or facsimile and requesting the user to return the document with his or her signature or seal affixed, if he or she consents thereto; |
| 3. | Sending a document containing matters subject to consent to each user by e-mail and requesting the user to return it with his or her consent expressed thereon by e-mail; |
| 4. | Informing each user of matters subject to consent by telephone and obtaining consent from the user or informing each user of a method by which the user can check the relevant Internet address and matters subject to consent and then calling the user again to obtain consent over the telephone; |
| 5. | Other methods equivalent to those prescribed in subparagraphs 1 through 4 for informing the matters subject to consent and ascertaining the manifestation of consent. |
| (2) | If it is impracticable for a provider of information and communications services to fully state matters subject to consent due to the characteristics of the medium for collecting personal information, he or she may inform each user of a method by which the user can check matters subject to consent (Internet address, telephone numbers of the place of business, etc.) to obtain consent from the user. <Amended by Presidential Decree No. 21278, Jan. 28, 2009> |
| Article 13 (Qualification Requirements for Persons Responsible for Protection of Personal Information) |
| (1) | In order for a person to be qualified as a person designated by a provider of information and communications services or by any person to whom a provider of information and communications services provides users’ personal information (hereinafter referred to as “provider of information and communications services”) as one responsible for the protection of personal information under the main sentence of Article 27 (1) of the Act, the person shall be in any of the following positions: <Amended by Presidential Decree No. 21278, Jan. 28, 2009; Presidential Decree No. 27510, Sep. 22, 2016> |
| 2. | The head of a department in charge of the settlement of users’ grievances concerning personal information. |
| (2) | “If the provider of information and communications services or similar falls under the criteria prescribed by Presidential Decree” in the proviso to Article 27 (1) of the Act means a provider of information and communications services who has less than five full-time employees: Provided, That if the main business of a provider of information and communications services is to provide information and communications service through the Internet, the number of full-time employees working for the provider shall be less than five persons and the average number of daily users shall not be more than 1,000 persons during three months immediately before the end of the preceding year. <Amended by Presidential Decree No. 21278, Jan. 28, 2009> |
| Article 14 (Methods for Public Disclosure of Policies on Handling of Personal Information) |
| (1) | Where a provider, etc. of information and communications services manages (referring to acts of collecting, creating, connecting, linking, recording, storing, holding, processing, editing, searching, printing, correcting, recovering, using, providing, disclosing, or destructing personal information or other similar acts; hereinafter the same shall apply in this Article, and Articles 15, 17 and 34) personal information, such provider shall, pursuant to Article 27-2 (1) of the Act, disclose his or her policy on management of personal information to the public under the title “policy on management of personal information” by any of the following methods, based upon the place, media, etc. from which personal information has been collected: <Amended by Presidential Decree No. 21278, Jan. 28, 2009; Presidential Decree No. 27510, Sep. 22, 2016> |
| 1. | Displaying the information about matters specified in Article 27-2 (2) of the Act on the front page of his or her website or a page linked to the front page to ensure that users can read the information. In such cases, the provider of information and communications services shall display the policy on management of personal information conspicuously by utilizing size, color, etc. of fonts to ensure readability; |
| 2. | Posting or keeping the information at a place where such information is easily noticeable in a shop or office; |
| 3. | Publishing the information in periodicals, newsletters, leaflets, or bills regularly issued and distributed to users at least twice a year under an identical title. |
| (2) | Pursuant to Article 27-2 (3) of the Act, reasons why a policy on management of personal information is revised and the details of such revision shall be publicly notified by at least one of the following methods: <Amended by Presidential Decree No. 21278, Jan. 28, 2009; Presidential Decree No. 27510, Sep. 22, 2016> |
| 1. | Posting public notice on a space for public notice in the front page of the website operated by the provider of information and communications services or on a separate page; |
| 2. | Giving notice to users by writing, facsimile, e-mail, or any similar means; |
| 3. | Posting or keeping public notice at a place where such notice is easily noticeable in a shop or office. |
| (3) | Deleted. <by Presidential Decree No. 25789, Nov. 28, 2014> |
| Article 14-2 (Notification and Reporting of Leakages of Personal Information) |
| (1) | When a provider of information and communications services becomes aware of the loss, theft, or leakage of personal information, he or she shall notify the relevant users of all matters specified in Article 27-3 (1) of the Act without delay in writing, by e-mail, facsimile, telephone, or any other similar means and shall report to the Korea Communications Commission and the Korea Internet and Security Agency. <Amended by Presidential Decree No. 25789, Nov. 28, 2014; Presidential Decree No. 27510, Sep. 22, 2016> |
| (2) | If any fact relevant to a matter specified in Article 27-3 (1) 1 or 2 of the Act has not been verified in detail when a provider of information and communications services intends to give notice and make a report pursuant to paragraph (1), he or she shall give notice and make a report first with respect to the facts verified to date and the matters specified in subparagraphs 3 through 5 and then shall give further notice and make additional reports with regard to the facts additionally verified. |
| (3) | If a provider of information and communications services has good cause referred to in the proviso to Article 27-3 (1), he or she may post the information about matters specified in Article 27-3 (1) of the Act on his or her website for at least 30 days, in lieu of notice under paragraph (1). |
| (4) | If it is impracticable to post notice on the website in accordance with paragraph (3) due to a natural disaster or any other good cause, such notice may be substituted by a public announcement made at least once through two or more general daily newspapers with nationwide circulation under the Act on the Promotion of Newspapers. |
| (5) | An information and communications service provider, etc. shall promptly explain his or her cause under the main sentence of and proviso to, excluding its subparagraphs, Article 27-3 (1) of the Act to the Korea Communications Commission in writing (including an electronic document). <Newly Inserted by Presidential Decree No. 25789, Nov. 28, 2014> |
[This Article Newly Inserted by Presidential Decree No. 24047, Aug. 17, 2012]
| Article 15 (Protective Measures for Personal Information) |
| (1) | Pursuant to Article 28 (1) 1 of the Act, a provider of information and communications services shall formulate and implement an internal control plan, covering the following matters, in order to ensure safety in managing personal information: <Amended by Presidential Decree No. 27510, Sep. 22, 2016> |
| 1. | Formation and operation of an organization protecting personal information, including the designation of a person responsible for the protection of personal information; |
| 2. | Matters concerning education on a person managing users’ personal information (hereafter referred to as “personal information manager” in this Article) under the command and supervision of the provider of information and communications services; |
| 3. | Details necessary for taking protective measures under paragraphs (2) through (5). |
| (2) | Each provider of information and communications services shall take the following measures to block illegal access to personal information pursuant to Article 28 (1) 2 of the Act: Provided, That a provider of information and communications services is obliged to take a measure under subparagraph 3, only if the number of users whose personal information has been stored and managed by the provider of information and communications services during three months immediately preceding the end of the previous year averages at least one million persons per day or the sales of information and communications services during the preceding year (referring to the preceding business year, if the service provider is a corporation) amount to at least ten billion won: <Amended by Presidential Decree No. 24047, Aug. 17, 2012> |
| 1. | Formulation and enforcement of the criteria for the grant, alteration, or cancellation of the authority to access a database system systematically constructed to process personal information (hereinafter referred to as “personal information processing system”); |
| 2. | Installation and operation of intrusion prevention and detection systems in the personal information processing system; |
| 3. | Blockade of external Internet networks to computers, etc. of persons accessing the personal information processing system while handling personal information; |
| 4. | Establishment and management of guidelines for the methods of creation of passwords, the interval of changing passwords, etc.; |
| 5. | Other measures necessary for controlling access to personal information. |
| (3) | Pursuant to Article 28 (1) 3 of the Act, a provider of information and communications services shall take the following measures to prevent the fabrication and alteration of access records: |
| 1. | Storing records of the date and time of access, the details of data processed, etc. and inspection and supervision thereof, where a person handling personal information processes personal information by accessing the personal information processing system; |
| 2. | Preserving backup files of records of access to the personal information processing system in a separate storage device. |
| (4) | Pursuant to Article 28 (1) 4 of the Act, a provider of information and communications services shall take the following security measures to ensure the safe storage and transmission of personal information: <Amended by Presidential Decree No. 25789, Nov. 28, 2014; Presidential Decree No. 27951, Mar. 22, 2017> |
| 1. | Storage of one-way encrypted passwords; |
| 2. | Storage of encrypted information determined and publicly notified by the Korea Communications Commission, including resident registration numbers, information about bank accounts and biometric information; |
| 3. | Installation of security servers while taking other necessary measures, where users’ personal information and authentication information are transmitted and received through information and communications networks; |
| 4. | Other security measures to be taken by applying encryption technologies. |
| (5) | Pursuant to Article 28 (1) 5 of the Act, a provider of information and communications services shall install anti-virus vaccine software in the personal information processing system and the information processing systems used by persons handling personal information so as to constantly monitor and block intrusions by malicious programs, such as computer viruses and spyware, and shall renew and inspect such anti-virus vaccine software periodically. |
| (6) | The Korea Communications Commission shall formulate and provide a public notice of detailed guidelines for matters under paragraphs (1) through (5) and other protective measures necessary for ensuring the safety of personal information under Article 28 (1) 6 of the Act. |
[This Article Wholly Amended by Presidential Decree No. 21278, Jan. 28, 2009]
| Article 16 (Destruction of Personal Information) |
| (1) | Deleted. <by Presidential Decree No. 27188, May 31, 2016> |
| (2) | If a user does not use information and communications services during a period specified in Article 29 (2) of the Act, the provider of information and communications services shall destroy the user’s personal information immediately after the lapse of the period or shall separate the user’s personal information from other users’ personal information for separate storage and management: Provided, That where the period referred to in the main sentence of Article 29 (2) of the Act (if the period is otherwise determined upon request of any user pursuant to the proviso to Article 29 (2) of the Act, referring to such otherwise determined period) has elapsed and the user’s personal information shall be required to be preserved under other statutes or regulations, the user’s personal information shall be stored and separately managed from other users’ personal information until the period referred to in the said statute or regulation elapses. <Amended by Presidential Decree No. 27188, May 31, 2016; Presidential Decree No. 27510, Sep. 22, 2016> |
| (3) | When a provider of information and communications services separately stores and manages personal information pursuant to paragraph (2), he or she shall not use or provide such personal information to any person, except otherwise expressly provided for in the Act or any other statute. |
| (4) | “Matters prescribed by Presidential Decree, such as the fact that the personal information will be destroyed, the expiration date of the period, and items of personal information subject to destruction” in Article 29 (3) of the Act means the following matters: <Amended by Presidential Decree No. 27188, May 31, 2016> |
| 1. | In the case of destroying any personal information: the fact that the personal information will be destroyed, the expiration date of the period, and the items of the personal information subject to destruction; |
| 2. | In the case of storing and managing any personal information separately with other users’ personal information: the fact that the personal information will be separately stored and managed, the expiration date of the period, and the items of the personal information subject to separate storage and management. |
| (5) | “Manner prescribed by Presidential Decree such as by e-mail” in Article 29 (3) of the Act means a manner such as by e-mail, writing, facsimile, telephone, or similar thereto. <Newly Inserted by Presidential Decree No. 27188, May 31, 2016> |
[This Article Newly Inserted by Presidential Decree No. 24047, Aug. 17, 2012]
| Article 17 (Notification of Details of Use of Personal Information) |
| (1) | “Provider of information and communications services or similar falling under the standards determined by Presidential Decree” in the main sentence of Article 30-2 (1) of the Act means a provider of information and communications services in whose case the number of users whose personal information has been stored and managed during three months immediately before the end of the preceding year is at least an average of one million persons per day or the sales of information and communications services during the preceding year (referring to the preceding business year, if the service provider is a corporation) amount to at least ten billion won. |
| (2) | The types of information which shall be notified to a user pursuant to Article 30-2 (1) of the Act are as follows: <Amended by Presidential Decree No. 27510, Sep. 22, 2016> |
| 1. | The purposes of collection and use of personal information and the items of information collected; |
| 3. | Any person to whom management of personal information is entrusted under Article 25 of the Act and the details of business affairs entrusted in managing personal information. |
| (3) | A notice under Article 30-2 (1) of the Act shall be given at least once a year by e-mail, writing, facsimile, telephone, or any similar means. |
[This Article Newly Inserted by Presidential Decree No. 24047, Aug. 17, 2012]
| Article 18 (Deadline for Filing Claim for Statutory Damages) |
| (1) | A user shall file a claim for damages under Article 32-2 (1) of the Act within three years from the date he or she becomes aware of loss, theft, leakage, forgery, alteration, or damage of personal information. <Amended by Presidential Decree No. 27510, Sep. 22, 2016> |
| (2) | No user shall file a claim for damages under Article 32-2 (1) if ten years has elapsed from the date loss, theft, leakage, forgery, alteration, or damage of personal information occurs. <Amended by Presidential Decree No. 27510, Sep. 22, 2016> |
[This Article Newly Inserted by Presidential Decree No. 25789, Nov. 28, 2014]
| Article 19 (Scope of Persons Required to Designate Domestic Agents) |
| (1) | "Person who meets the criteria prescribed by Presidential Decree" in Article 32-5 (1) of the Act means any of the following persons: |
| 1. | A person whose sales for the preceding year (if the person is a corporation, referring to the preceding business year) reach or exceed one trillion won; |
| 2. | A person whose sales from information and telecommunications services for the preceding year (if the person is a corporation, referring to the preceding business year) reach or exceed ten billion won; |
| 3. | A person who stored or maintained at least one million users’ personal information on an average daily basis over the three months immediately before the end of the preceding year; |
| 4. | A person who caused or is likely to cause an incident or accident involving a personal information breach in violation of this Act and consequently has been required by the Korea Communications Commission to submit relevant materials, documents, etc. under Article 64 (1) of the Act. |
| (2) | Sales referred to in paragraphs (1) 1 and 2 shall be based on the amount determined by converting sales into Korean won at the average foreign exchange rate for the preceding year (if the person is a corporation, referring to the preceding business year). |
[This Article Newly Inserted by Presidential Decree No. 29633, Mar. 19, 2019]
| Articles 20 through 22 Deleted. <by Presidential Decree No. 23169, Sep. 29, 2011> |
CHAPTER V PROTECTION OF USERS IN INFORMATION AND COMMUNICATIONS NETWORKS
| Article 23 (Policy on Protection of Youths) |
“Matters prescribed by Presidential Decree” in Article 41 (1) 4 of the Act mean the following measures: <Amended by Presidential Decree No. 21278, Jan. 28, 2009; Presidential Decree No. 23104, Aug. 29, 2011> | 1. | Promotion of the development and dissemination of information useful to youths; |
| 2. | Encouragement of and support for youths’ voluntary activities for protecting themselves from harmful information, such as information of obscenity or violence, circulated through information and communications networks; |
| 3. | Encouragement of and support for voluntary activities conducted by parents, teachers, or nongovernmental organizations for surveillance, counseling, and remedial measures for the protection of youths; |
| 4. | Assistance in the establishment of a system for the cooperation of providers of information and communications services for the protection of youths; |
| Article 24 (Labelling of Media Product Harmful to Youths) |
| (1) | A person who provides a media product harmful to youths, as defined under Article 42 of the Act, shall label it with an easily noticeable audio, text, or video warning stating that no person under 19 years shall use the same. |
| (2) | If a person who shall put a label required by paragraph (1) provides information through the Internet, he or she shall also put an electronic label warning that it is a media product harmful to youths with symbols, marks, letters, or numbers. |
| (3) | The Korea Communications Commission shall prescribe specific methods for labelling under paragraphs (1) and (2), taking into consideration the categories of information, etc., and shall publish notice of the methods in the Official Gazette. |
| Article 25 (Scope of Persons Obliged to Designate Persons Responsible for Protection of Youths) |
“Provider of information and communications services whose the average number of users per day, sales, and other related factors fall under the criteria prescribed by Presidential Decree” in Article 42-3 (1) of the Act means a person who meets all the following criteria: <Amended by Presidential Decree No. 23104, Aug. 29, 2011; Presidential Decree No. 24102, Sep. 14, 2012> | 1. | A person falling under either of the following: |
| (a) | A person in whose case the average number of users per day during three months immediately before the end of the immediately preceding year is at least 100,000 persons; |
| (b) | A person whose sales of information and communications services during the immediately preceding year (or the preceding business year, if the service provider is a corporation) is at least one billion won; |
| 2. | A person who provides a media product harmful to youths, as defined under subparagraph 3 of Article 2 of the Youth Protection Act or who acts as a broker or agent for a transaction of such medium. |
| Article 26 (Duties of Persons Responsible for Protection of Youths) |
A person responsible for protection of youths under Article 42-3 (1) of the Act shall perform the following duties in order to protect youths from information harmful to youths on information and communications networks (hereinafter referred to as “harmful information”): | 1. | Formulation of a plan for protection of youths from harmful information; |
| 2. | Measures for restricting or controlling youths’ access to harmful information; |
| 3. | Education of persons engaged in information and communications services for the protection of youths from harmful information; |
| 4. | Counseling on damage inflicted by harmful information and the settlement of grievances; |
| 5. | Other matters necessary to protect youths from harmful information. |
| Article 27 (Deadline for Designation of Persons Responsible for Protection of Youths) |
A person responsible for protection of youths under Article 42-3 (1) of the Act shall be designated by no later than the end of April each year.
| Article 28 (Preservation of Video or Audio Information) |
| (1) | “Information provider prescribed by Presidential Decree” in Article 43 (1) of the Act means a person who distributes information through telecommunications lines: Provided, That broadcasting business entities, CATV relay broadcasting business entities, and electronic signboard broadcasting business entities under subparagraphs 3, 6, and 12 of Article 2 of the Broadcasting Act, among persons who distribute information according to a certain program schedule, using the word “broadcasting”, “television” or “radio” in their names, shall be excluded herefrom. <Amended by Presidential Decree No. 23104, Aug. 29, 2011> |
| (2) | An information provider under Article 43 of the Act shall preserve relevant information for six months from the time when the information is provided for use. |
| Articles 29 and 30 Deleted. <by Presidential Decree No. 25789, Nov. 28, 2014> |
| Article 31 (Scope of User Information That May Be Requested) |
“Minimum information prescribed by Presidential Decree” in Article 44-6 (1) of the Act means the following information: <Amended by Presidential Decree No. 23104, Aug. 29, 2011> | 3. | Other information that the defamation dispute conciliation division under Article 44-10 of the Act (hereinafter referred to as “defamation dispute conciliation division”) deems necessary for filing a civil or criminal complaint, including the contact information of users involved. |
| Article 32 (Procedures for Requesting Provision of Information) |
| (1) | A person who intends to request the provision of the information of users involved pursuant to Article 44-6 (1) of the Act (hereinafter referred to as “claimant”) may file a claim with the defamation dispute conciliation division, stating the following matters therein, along with supporting materials: |
| 1. | The claimant’s name, address, and contact information (referring to telephone numbers, e-mail addresses, etc.); |
| 2. | The category of the lawsuit to be filed and remedies sought; |
| 3. | The type of violated rights and specific facts relevant to the violation of rights by users involved. |
| (2) | Where the defamation dispute conciliation division finds it necessary to make a decision on whether to provide information under Article 44-6 (2) of the Act, it may permit the claimant to present his or her arguments. |
| Article 33 (Procedures for Provision of Information) |
| (1) | Upon receipt of a request from a claimant to provide information, the defamation dispute conciliation division shall make a decision on whether to provide the information of users involved and shall notify the claimant of its decision. |
| (2) | When the defamation dispute conciliation division decides to provide information, it shall request the relevant provider of information and communications services to provide information under Article 31. In such cases, the provider of information and communications services shall comply with such request, except in extenuating circumstances. <Amended by Presidential Decree No. 21278, Jan. 28, 2009> |
| (3) | A provider of information and communications services shall notify the users involved of such provision of information under paragraph (2). <Amended by Presidential Decree No. 21278, Jan. 28, 2009> |
| (4) | The defamation dispute conciliation division shall keep documents relating to the provision of user information for five years. |
| Article 34 (Requests to Order Restrictions on Handling Unlawful Information) |
| (1) | When the head of a related central administrative agency intends to request the Korea Communications Commission pursuant to Article 44-7 (3) of the Act to order a provider of information and communications services or the manager or operator of a message board to refuse, suspend, or restrict the management of the information specified in Article 44-7 (1) 7 through 9 of the Act, he or she shall submit to the Korea Communications Commission a written request stating the following matters described therein, along with evidentiary materials: <Amended by Presidential Decree No. 21278, Jan. 28, 2009; Presidential Decree No. 27510, Sep. 22, 2016> |
| 1. | The purpose of and reasons for a request; |
| 2. | Relevant statutes or regulations and the details of violations; |
| 3. | A list of relevant information and a person by whom the relevant information is provided; |
| 4. | The titles or names and contact information, such as addresses, telephone numbers, and e-mail addresses, of the provider of information and communications services or the manager or operator of the message board and users involved. |
| (2) | If the Korea Communications Commission finds any defect in the documents submitted pursuant to paragraph (1), it may request the head of a related central administrative agency to rectify the defect immediately. In such cases, at least five more days shall be given for rectification. |
| (3) | If the head of a related central administrative agency fails to rectify a defect even until the end of a period given for the rectification requested under paragraph (2), the Korea Communications Commission may return the request and evidential materials submitted pursuant to paragraph (1) to the head of the related central administrative agency. |
| Article 35 (Grounds for Exception from Submission of Opinions) |
“Ground prescribed by Presidential Decree” in Article 44-7 (4) 2 of the Act means any of the following cases: <Amended by Presidential Decree No. 23104, Aug. 29, 2011> | 1. | Where a user involved is not identifiable (limited to the submission of a user’s opinion); |
| 2. | Where the facts relevant to an order have already been proved objective by a final judgment of a court or by other decisions and thus issuing the order to hear an opinion is unnecessary. |
| Article 36 (Establishment and Management of Defamation Dispute Conciliation Division, and Conciliation of Disputes) |
| (1) | A meeting of the defamation dispute conciliation division shall be convened by the head of the defamation dispute conciliation division. |
| (2) | When the head of the defamation dispute conciliation division intends to hold a meeting of the division, he or she shall determine the date, time, and place of meeting and items on the agenda and shall notify the conciliators thereof by no later than seven days before the opening of the meeting, except in unavoidable circumstances. |
| (3) | A majority of the conciliators of the defamation dispute conciliation division shall constitute a quorum, and any resolution thereof shall require the concurring votes of at least a majority of those present. |
| (5) | No meeting of the defamation dispute conciliation division shall be open to the public: Provided, That, if it is deemed necessary, the defamation dispute conciliation division may resolve to permit parties to a dispute or interested parties to sit in on a meeting. |
| (6) | Deleted. <by Presidential Decree No. 23169, Sep. 29, 2011> |
| (7) | Except as otherwise provided in this Decree, the establishment, organization, and management of the defamation dispute conciliation division and other matters necessary for the conciliation of disputes shall be determined by the resolution of the Korea Communications Standards Commission. |
CHAPTER VI SECURING OF STABILITY OF INFORMATION AND COMMUNICATIONS NETWORKS
| Article 36-2 (Preliminary Examination Standards on Protection of Information) |
Preliminary examination standards on the protection of information under Article 45-2 (2) of the Act shall be determined and publicly notified by the Minister of Science and ICT, taking the following matters into consideration: <Amended by Presidential Decree No. 24445, Mar. 23, 2013; Presidential Decree No. 28210, Jul. 26, 2017> | 1. | The structure of the system for establishing an information and communications network or for providing information and communications services and the operating environment of such system; |
| 2. | Identification of assets to be protected, such as hardware, programs, and content for the operation of the system under subparagraph 1 and hazards in the protection of such assets; |
| 3. | Current status of the establishment and implementation of protective measures. |
[This Article Newly Inserted by Presidential Decree No. 24047, Aug. 17, 2012]
| Article 36-3 (Business Subject to Recommendation of Preliminary Examination on Protection of Information) |
| (1) | “Information and communications services or telecommunications business determined by Presidential Decree” in Article 45-2 (2) 1 of the Act means the information and communications services or telecommunications businesses that require at least 500 million won (referring to an amount exclusive of costs incurred in merely purchasing hardware and software) for investment in information systems. |
| (2) | “Information and communications services or telecommunications business determined by Presidential Decree” in Article 45-2 (2) 2 of the Act means the information and communications services or the telecommunications businesses that the Minister of Science and ICT fully or partially subsidizes projects for searching for and nurturing new information and communications services or the telecommunications businesses. <Amended by Presidential Decree No. 24445, Mar. 23, 2013; Presidential Decree No. 28210, Jul. 26, 2017> |
[This Article Newly Inserted by Presidential Decree No. 24047, Aug. 17, 2012]
| Article 36-4 (Methods and Procedures for Preliminary Examinations on Protection of Information) |
| (1) | The preliminary examination on the protection of information under Article 45-2 (2) of the Act shall be administered by a written examination, on-site examination, or remote examination (referring to an examination administered on matters related to security by accessing the system under subparagraph 1 of Article 36-2 from outside through an information and communications network). |
| (2) | The preliminary examination on the protection of information under Article 45-2 (2) of the Act shall be administered according to the following order: |
| 1. | Preparation for the preliminary examination; |
| 3. | Application of protective measures; |
| 4. | Inspection on the current status of implementation of protective measures; |
| 5. | Arrangement of results of the preliminary examination. |
| (3) | Upon recommendation from the Minister of Science and ICT under Article 45-2 (2) of the Act, a person may administer the preliminary examination on the protection of information by himself or herself or request the Korea Internet and Security Agency under Article 52 of the Act (hereinafter referred to as the “Korea Internet and Security Agency”) or a specialized external agency to administer the preliminary examination on his or her behalf. In such cases, only persons who meet the standards for the qualification as technicians for the protection of information under attached Table 2 may administer the preliminary examination on the protection of information. <Amended by Presidential Decree No. 24445, Mar. 23, 2013; Presidential Decree No. 28210, Jul. 26, 2017> |
| (4) | Except as otherwise provided in paragraphs (1) through (3), details regarding the methods and procedures for preliminary examination on the protection of information shall be determined and publicly notified by the Minister of Science and ICT. <Amended by Presidential Decree No. 24445, Mar. 23, 2013; Presidential Decree No. 28210, Jul. 26, 2017> |
[This Article Newly Inserted by Presidential Decree No. 24047, Aug. 17, 2012]
| Article 36-5 (Fees for Preliminary Examinations on Protection of Information) |
| (1) | When a person requests the Korea Internet and Security Agency or a external professional agency to administer the preliminary examination on the protection of information on his or her behalf, as recommended by the Minister of Science and ICT under Article 45-2 (2) of the Act, the person shall pay fees therefor to the Korea Internet and Security Agency or the specialized external agency. <Amended by Presidential Decree No. 24445, Mar. 23, 2013; Presidential Decree No. 28210, Jul. 26, 2017> |
| (2) | The Minister of Science and ICT shall determine and provide a public notice of guidelines for the determination of fees for the preliminary examination on the protection of information, taking the following factors into consideration: <Amended by Presidential Decree No. 24445, Mar. 23, 2013; Presidential Decree No. 28210, Jul. 26, 2017> |
| 1. | The scale of information and communications services or telecommunications businesses subject to the preliminary examination on the protection of information; |
| 2. | Expertise of persons participating in the preliminary examination on the protection of information; |
| 3. | The period required for the preliminary examination on the protection of information. |
[This Article Newly Inserted by Presidential Decree No. 24047, Aug. 17, 2012]
| Article 36-6 (Scope of Information and Communications Service Providers Subject to Reporting of Designation of Chief Information Security Officers) |
"Provider of information and communications services whose the number of employees, number of users, etc. meet the criteria prescribed by Presidential Decree" in the proviso to Article 45-3 (1) of the Act means any of the following persons, who is an information and communications service provider: | 2. | A person who should obtain certification of an Information Security Management System pursuant to Article 47 (2) of the Act; |
| 3. | A person who employs at least five full-time employees or whose average daily users for the immediately preceding three months as of the end of the preceding year are at least 1,000 persons, and who is a special type of online service provider under Article 104 (1) of the Copyright Act; |
| 4. | A person who employs at least five full-time employees, who is an online sales business operator (including an online sales broker) under subparagraph 3 of Article 2 of the Act on Consumer Protection in Electronic Commerce; |
| 6. | A person who employs at least 1,000 full-time employees. |
[This Article Newly Inserted by Presidential Decree No. 25789, Nov. 28, 2014]
| Article 36-7 (Methods and Procedures for Reporting on Chief Information Security Officers) |
Any information and communications service provider who intends to designate a chief information security officer and report thereon pursuant to the proviso to Article 45-3 (1) of the Act shall submit to the Minister of Science and ICT a report on the designation of the chief information security officer prescribed by Ordinance of the Ministry of Science and ICT within 90 days from the date he or she falls under any of the subparagraphs of Article 36-6. <Amended by Presidential Decree No. 28210, Jul. 26, 2017> [This Article Newly Inserted by Presidential Decree No. 25789, Nov. 28, 2014]
| Article 36-8 (Scope of Programs of Association of Chief Information Security Officers) |
“Joint programs prescribed by Presidential Decree” in Article 45-3 (4) of the Act means the following activities: <Amended by Presidential Decree No. 25789, Nov. 28, 2014> | 1. | Assistance in policy research, studies, and formulation to enable information and communications service providers to strengthen the protection of information; |
| 2. | Analysis on a computer security incident and the study of measures following the use of information and communications services; |
| 3. | Improvement of information and communications service providers' ability and expertise of the protection of information, including education of chief information security officers; |
| 4. | International exchange and cooperation in relation to information and communications services security; |
| 5. | Other programs necessary for the security of information and communications systems and the safe management of information. |
[This Article Newly Inserted by Presidential Decree No. 24047, Aug. 17, 2012]
| Article 37 (Protective Measures of Business Entities of Clustered Information and Communications Facilities) |
| (1) | Pursuant to Article 46 (1) of the Act, a business entity who operates and manages clustered information and communications facilities to render information and communications services on behalf of other persons (hereinafter referred to as "business entity of clustered information and communications facilities") shall take the following protective measures to ensure the stable operation of information and communications facilities: <Amended by Presidential Decree No. 21278, Jan. 28, 2009> |
| 1. | Technical and administrative measures for controlling and monitoring access by persons who have no authority to access information and communications facilities; |
| 2. | Physical and technical measures for uninterrupted and stable operation of information and communications facilities and for protecting information and communications facilities from various disasters and threats, such as fire, earthquake, flood, and terrorism; |
| 3. | Measures for selecting and placing personnel for the stable management of information and communications facilities; |
| 4. | Formulation and implementation of an internal control plan for the stable operation of information and communications facilities (including an emergency plan); |
| 5. | Preparation and implementation of technical and administrative measures to contain the spread of computer security incidents. |
| (2) | The Minister of Science and ICT shall collect opinions from related business entities and determine and publicly notify detailed guidelines for protective measures under paragraph (1). <Amended by Presidential Decree No. 24445, Mar. 23, 2013; Presidential Decree No. 28210, Jul. 26, 2017> |
| (3) | If any duty carried out by another agency is involved in the course of inspecting implementation of protective measures under paragraph (1), the Minister of Science and ICT shall consult with the relevant agency thereon in advance. <Amended by Presidential Decree No. 24445, Mar. 23, 2013; Presidential Decree No. 28210, Jul. 26, 2017> |
| (1) | Pursuant to Article 46 (2) of the Act, a business entities of clustered information and communications facilities shall buy a liability insurance policy simultaneously when he or she commences his or her business operation. |
| (2) | The minimum insurance coverage of the liability insurance policy that a business entity shall purchase under paragraph (1) is as specified in attached Table 1-2. <Amended by Presidential Decree No. 23104, Aug. 29, 2011> |
| Articles 39 through 46 Deleted. <by Presidential Decree No. 24047, Aug. 17, 2012> |
| Article 47 (Methods and Procedures for, and Scope of, Certification of Information Security Management Systems) |
| (1) | A person who intends to have his or her information security management system certified under Article 47 (1) or (2) shall file an application for the certification of the information security management system (or an application in an electronic form) with the Korea Internet and Security Agency, an institution designated pursuant to Article 47 (6) of the Act (hereinafter referred to as “certification body of information security management system”), or an institution designated pursuant to Article 47 (7) of the Act (hereinafter referred to as “examination institution for information security systems”), along with a statement of the information security management system (or a statement in an electronic format) containing explanations about the following matters: <Amended by Presidential Decree No. 24445, Mar. 23, 2013; Presidential Decree No. 27188, May 31, 2016> |
| 1. | The scope of the information security management system; |
| 2. | A list of major information and communications facilities included in the information security management system and the system diagram; |
| 3. | The method and procedure for the establishment and operation of the information security management system; |
| 4. | A list of major documents related to the information security management system; |
| 5. | Details of domestic and foreign certifications obtained for the quality management system in connection with the information security management system. |
| (2) | Where the Korea Internet and Security Agency, a certification body of information security systems, or an examination institution for information security systems in receipt of an application referred to in paragraph (1) conducts an certification examination referred to in Article 47 (6) 1 of the Act (hereinafter referred to as “certification examination”), it shall consult with the applicant about the scope, time schedule, etc. of certification on the basis of standards for certification, etc. determined and publicly notified by the Minister of Science and ICT for the certification of information security systems referred to in paragraph (4) of that Article (hereinafter referred to as “public notice of certification of security systems”), including countermeasures for managerial, technical and physical protection. <Amended by Presidential Decree No. 24445, Mar. 23, 2013; Presidential Decree No. 27188, May 31, 2016; Presidential Decree No. 28210, Jul. 26, 2017> |
| (3) | The Korea Internet and Security Agency, a certification institution for information protection and management systems, or an examination institution for information protection and management systems shall, in the case of conducting an certification examination, examine whether the information protection and management system established by the applicant for certification meets requirements for public notice of certification of management systems. In this case, an certification examination shall be conducted by means of a written examination or on-site examination. <Amended by Presidential Decree No. 27188, May 31, 2016> |
| (4) | A certification examination may be administered only by a certification examiner under Article 53 (1) 1. <Amended by Presidential Decree No. 27188, May 31, 2016> |
| (5) | An examination institution for information protection and management systems shall submit the result of an certification examination to a certification institution for information protection and management systems. <Newly Inserted by Presidential Decree No. 27188, May 31, 2016> |
| (6) | The Korea Internet and Security Agency or a certification institution for information protection and management systems shall establish and operate a certificate committee composed of members having abundant knowledge and experience in the information protection field to deliberate on the results of examinations of certification. <Amended by Presidential Decree No. 27188, May 31, 2016> |
| (7) | Where an information protection and management system is found to meet the requirements for public notification of certification of management systems as a result of the deliberation by the certificate committee, the Korea Internet and Security Agency or a certification institution for information protection and management systems shall issue a certificate of the information protection and management system. <Amended by Presidential Decree No. 27188, May 31, 2016> |
| (8) | In addition to the matters provided for in paragraphs (1) through (7), details regarding the application for certification, deliberation on certification, the establishment and operation of a certification committee, and the issuance of certificates shall be determined and publicly notified by the Minister of Science and ICT. <Amended by Presidential Decree No. 24445, Mar. 23, 2013; Presidential Decree No. 27188, May 31, 2016; Presidential Decree No. 28210, Jul. 26, 2017> |
[This Article Wholly Amended by Presidential Decree No. 24047, Aug. 17, 2012]
| Article 48 (Fees for Certification of Information Security Management Systems) |
| (1) | A person who intends to apply for certification pursuant to Article 47 (1) shall pay fees to the Korea Internet and Security Agency, a certification institution of information protection and management systems, or an examination institution for information protection and management systems. <Amended by Presidential Decree No. 27188, May 31, 2016> |
| (2) | The Minister of Science and ICT shall determine and give a public notice of detailed guidelines for the determination of fees for the certification of information security management systems, taking into consideration the number of certification examiners assigned to an certification examination, the number of days required for the certification examination, etc. <Amended by Presidential Decree No. 24445, Mar. 23, 2013; Presidential Decree No. 28210, Jul. 26, 2017> |
[This Article Newly Inserted by Presidential Decree No. 24047, Aug. 17, 2012]
| Article 49 (Scope of Persons Subject to Certification of Information Security Management Systems) |
| (1) | “Person who renders information and communications services, as prescribed by Presidential Decree” in Article 47 (2) 1 of the Act means a person who provides information and communications network services in Seoul Special Metropolitan City or any Metropolitan City. |
| (2) | “Person falling under the standards determined by Presidential Decree” in Article 47 (2) 3 of the Act means either of the following persons: <Amended by Presidential Decree No. 27188, May 31, 2016> |
| 1. | A person falling under any of the following items whose annual sales or revenues are at least 150 billion won: |
| (b) | A school pursuant to Article 2 of the Higher School Act, the number of the enrolled students of which is at least 1000 as of December 31, of the immediately preceding year; |
| 2. | A person whose sales of information and communication services during the preceding year (referring to the preceding business year, in the case of a corporation) are least ten billion won: excluding, however, a financial company under subparagraph 3 of Article 2 of the Electronic Financial Transactions Act; |
[This Article Newly Inserted by Presidential Decree No. 24047, Aug. 17, 2012]
| Article 50 Moved to Article 47. |
| Article 51 (Follow-Up Management of Certification) |
| (1) | Follow-up management under Article 47 (8) of the Act shall be conducted by means of written examination or on-site examination. <Amended by Presidential Decree No. 27188, May 31, 2016> |
| (2) | Where as a result of conducting follow-up management pursuant to Article 47 (8) of the Act, an examination institution for information protection and management systems finds there is a ground referred to in any subparagraph of paragraph (10) of the same Article, it shall immediately submit the result of the follow-up management so conducted to the Korea Internet and Security Agency or a certification institution for information protection and management systems. <Newly Inserted by Presidential Decree No. 27188, May 31, 2016> |
| (3) | In cases falling under any of the following subparagraphs, the Korea Internet and Security Agency or a certification institution for information protection and management systems shall, after undergoing deliberation by the certification committee referred to Article 47 (6), notify the results thereof to the Minister of Science and ICT: <Amended by Presidential Decree No. 27188, May 31, 2016; Presidential Decree No. 28210, Jul. 26, 2017> |
| 1. | Where follow-up management conducted pursuant to Article 47 (8) of the Act finds grounds referred to in any subparagraph of paragraph (10) of the same Article; |
| 2. | Where the Korea Internet and Security Agency or a certification institution for information protection and management systems receives the result of follow-up management from an examination institution for information protection and management systems pursuant to paragraph (2). |
[This Article Wholly Amended by Presidential Decree No. 24047, Aug. 17, 2012]
| Article 52 (Indication and Public Relation of Certification) |
A person who obtains certification of his or her information security management system pursuant to Article 47 (1) or (2) of the Act may use a certification mark determined and publicly notified by the Minister of Science and ICT for the information security management system, when he or she indicates or promotes the certification in a document, invoice, or advertisement in accordance with Article 47 (9) of the Act. In such cases, the scope of certification and the effective period shall be indicated together with the mark. <Amended by Presidential Decree No. 24445, Mar. 23, 2013; Presidential Decree No. 27188, May 31, 2016; Presidential Decree No. 28210, Jul. 26, 2017> [This Article Wholly Amended by Presidential Decree No. 24047, Aug. 17, 2012]
| Article 53 (Criteria for Designation of Certification Institution for Information Protection and Management Systems and Examination Institution for Information Protection and Management Systems) |
| (1) | The criteria for the designation of a certification institution for information protection and management systems and an examination institution for information protection and management systems shall be as follows: <Amended by Presidential Decree No. 24445, Mar. 23, 2013; Presidential Decree No. 27188, May 31, 2016; Presidential Decree No. 28210, Jul. 26, 2017> |
| 1. | A certification institution shall have at least five persons who meet the requirements for the qualification determined and publicly notified by the Minister of Science and ICT (hereinafter referred to as “certification examiners”); |
| 2. | A certification institution shall be approved as competent in an examination administered by the Minister of Science and ICT on the requirements and competence for the performance of the duties. |
| (2) | The Minister of Science and ICT shall determine and publicly notify detailed guidelines for the education of certification examiners, the management of qualification of certification examiners, and the examination on the requirements and competence for the performance of the duties under paragraph (1) 2. <Amended by Presidential Decree No. 24445, Mar. 23, 2013; Presidential Decree No. 28210, Jul. 26, 2017> |
[This Article Wholly Amended by Presidential Decree No. 24047, Aug. 17, 2012]
| Article 53-2 (Procedures for Designation of Certification Institution for Information Security Management Systems and Examination Institution for Information Protection and Management Systems) |
| (1) | A person who intends to have his or her business designated as a certification institution for information protection and management systems or an examination institution for information protection and management systems pursuant to Article 47 (6) or (7) of the Act shall file an application (including in electronic form) for the designation of a certification institution for information protection and management systems or an examination institution for information protection and management systems with the Minister of Science and ICT, along with the following documents (or electronic documents): <Amended by Presidential Decree No. 24047, Aug. 17, 2012; Presidential Decree No. 24445, Mar. 23, 2013; Presidential Decree No. 27188, May 31, 2016; Presidential Decree No. 28210, Jul. 26, 2017> |
| 1. | Articles of incorporation, or bylaws of an association; |
| 2. | A statement of the current status of certification examiners employed and a document certifying the current status; |
| 3. | Documents determined and publicly notified by the Minister of Science and ICT as those necessary for the examination on the requirements and competence for the performance of duties, including work experience in performing duties for the protection of information and the level of expertise. |
| (2) | Upon receipt of an application for the designation under paragraph (1), the Minister of Science and ICT shall verify the relevant corporate registration by sharing administrative information under Article 36 (1) of the Electronic Government Act, if the applicant is a corporation. <Amended by Presidential Decree No. 22151, May 4, 2010; Presidential Decree No. 22467, Nov. 2, 2010; Presidential Decree No. 24445, Mar. 23, 2013; Presidential Decree No. 28210, Jul. 26, 2017> |
| (3) | Upon receipt of an application for the designation under paragraph (1), the Minister of Science and ICT shall examine whether the application meets the criteria for the designation under Article 53 (1), notify the applicant of the results thereof within three months from the date when the application is filed, and issue a certificate of designation of a certification institution for information protection and management systems or a certificate of designation of an examination institution for information protection and management systems to the applicant, if the applicant is designated as a certification institution for information protection and management systems or an examination institution for information protection and management systems. <Amended by Presidential Decree No. 24047, Aug. 17, 2012; Presidential Decree No. 24445, Mar. 23, 2013; Presidential Decree No. 27188, May 31, 2016; Presidential Decree No. 28210, Jul. 26, 2017> |
| (4) | When the Minister of Science and ICT examines whether an application meets the criteria for the designation under paragraph (3), he or she may require the applicant to submit data or may conduct an on-site inspection. In such cases, a person who conducts an on-site inspection shall produce an identification badge certifying his or her authority to the applicant. <Amended by Presidential Decree No. 24047, Aug. 17, 2012; Presidential Decree No. 24445, Mar. 23, 2013; Presidential Decree No. 28210, Jul. 26, 2017> |
| (5) | Deleted. <by Presidential Decree No. 23876, Jun. 25, 2012> |
| Article 53-3 (Effective Period for Designation of Certification Institution for Information Protection and Management Systems and Examination Institution for Information Protection and Management Systems) |
| (1) | The effective period for the designation of a certification institution for information protection and management systems or an examination institution for information protection and management systems under Article 53-2 shall be three years. <Amended by Presidential Decree No. 24047, Aug. 17, 2012; Presidential Decree No. 27188, May 31, 2016> |
| (2) | A certification institution may file an application for re-designation during the period from six months before the end of the effective period until the expiry date. In such cases, the designation shall be deemed effective until the applicant for re-designation is notified of a decision on the application. |
| (3) | Articles 53 and 53-2, and paragraph (1) shall apply mutatis mutandis to the re-designation under paragraph (2). <Amended by Presidential Decree No. 24047, Aug. 17, 2012> |
| Article 53-4 (Follow-Up Management of Certification Institution for Information Protection and Management Systems and Examination Institution for Information Protection and Management Systems) |
| (1) | A certification institution for information protection and management systems and an examination institution for information protection and management systems shall submit a report according to the following classification for the preceding year to the Minister of Science and ICT by no later than January 31 each year: <Amended by Presidential Decree No. 27188, May 31, 2016; Presidential Decree No. 28210, Jul. 26, 2017> |
| 1. | A certification institution for information protection and management systems: a report on the performances of certification for the preceding year; |
| 2. | An examination institution for information protection and management systems: a report on the performances of certification examination for the preceding year. |
| (2) | If the Minister of Science and ICT deems it necessary to ascertain whether a certification institution for information protection and management systems or an examination institution for information protection and management systems falls under any subparagraph of Article 47-2 (1) of the Act, he or she may require the certification institution or the examination institution to submit data or may conduct an on-site inspection. <Amended by Presidential Decree No. 24445, Mar. 23, 2013; Presidential Decree No. 27188, May 31, 2016; Presidential Decree No. 28210, Jul. 26, 2017> |
[This Article Newly Inserted by Presidential Decree No. 24047, Aug. 17, 2012]
| Article 54 (Guidelines for Revocation of Designation) |
Guidelines for administrative dispositions rendered for the revocation of designation or the suspension of business under Article 47-2 of the Act are as prescribed in attached Table 4.
| Article 54-2 (Certification of Personal Information Management System) |
Articles 47, 48, 51 through 53, 53-2 through 53-4 and 54 shall apply mutatis mutandis to methods, procedures, scope, fee and follow-up management to certify personal information management system, and criteria, procedures, effective period and revocation of designation of a certification body under Article 47-3 of the Act. [This Article Newly Inserted by Presidential Decree No. 24047, Aug. 17, 2012]
| Article 55 (Standard Agreements on Requests to Users for Protective Measures) |
Matters that shall be stipulated in standard user agreements with respect to a request to users for protective measures are as follows: <Amended by Presidential Decree No. 24047, Aug. 17, 2012>
| 1. | Grounds for requesting users to take protective measures and a method of making such request; |
| 2. | Details of protective measures that users shall take; |
| 3. | The period during which access to an information and communications network is restricted, if a user fails to take protective measures; |
| 4. | Procedures for filing a user’s objection and for compensation therefor, if a user’ access is unreasonably restricted on the grounds of the user’s failure to take protective measures. |
| Article 55-2 (Criteria for Examination for Rating Management of Information Protection) |
| 1. | The scope of the system established for the management of information protection and the period of operation; |
| 2. | An organization exclusively dedicated to information protection and the budget therefor; |
| 3. | Activities for the management of information protection and the level of protective measures. |
| (2) | Matters necessary for the detailed criteria and methods for the evaluation according to the criteria for examination under paragraph (1) shall be determined and publicly notified by the Minister of Science and ICT. <Amended by Presidential Decree No. 24445, Mar. 23, 2013; Presidential Decree No. 28210, Jul. 26, 2017> |
[This Article Newly Inserted by Presidential Decree No. 24047, Aug. 17, 2012]
| Article 55-3 (Methods and Procedures for Rating Management of Information Protection) |
| (1) | A person who intends to be rated as qualified for the protection and management of information under Article 47-5 (1) of the Act shall file an application (including in electronic form) for rating the protection and management of information with the Korea Internet and Security Agency, along with a copy of the letter of certification of the information security management system. |
| (2) | A written examination or an on-site examination shall be administered for the examination for rating the protection and management of information. |
| (3) | Only certification examiners shall be able to conduct the examination under paragraph (2). |
| (4) | If the results of an examination administered under paragraph (2) meet the criteria for examination under Article 55-2, the Korea Internet and Security Agency shall issue a certificate of the rating for the protection and management of information to the applicant for the rating qualified for management. |
| (5) | Except as otherwise provided for in paragraphs (1) through (4), further details necessary for the application and examination for rating the management of information protection and the issuance of certificates of the rating for the management of information protection shall be determined and publicly notified by the Minister of Science and ICT. <Amended by Presidential Decree No. 24445, Mar. 23, 2013; Presidential Decree No. 28210, Jul. 26, 2017> |
[This Article Newly Inserted by Presidential Decree No. 24047, Aug. 17, 2012]
| Article 55-4 (Fees for Rating Management of Information Protection) |
Articles 46 and 52 shall apply mutatis mutandis to fees for rating for the management of information protection and indication and publicity thereof. [This Article Newly Inserted by Presidential Decree No. 24047, Aug. 17, 2012]
| Article 55-5 (Effective Period of Rating for Management of Information Protection) |
The effective period of the rating for the management of information protection under Article 55-3 shall be one year. [This Article Newly Inserted by Presidential Decree No. 24047, Aug. 17, 2012]
| Article 56 (Countermeasures against Computer Security Incidents) |
“Other countermeasures against computer security incidents prescribed by Presidential Decree” in Article 48-2 (1) 4 of the Act means the following measures: <Amended by Presidential Decree No. 21278, Jan. 28, 2009> | 1. | Requesting a major provider of information and telecommunications services or a business entity who operates and manages clustered information and telecommunications facilities for other persons to provide information and telecommunications services under Article 46 (1) of the Act to cut off access channels (limited to access channels that have been used, or are likely to be used, for spreading computer security incidents); |
| 2. | Requesting a software business entity, defined under subparagraph 4 of Article 2 of the Software Industry Promotion Act, who produced or distributed the software involved in a computer security incident, to produce and distribute a program by which the vulnerability in security of the software is cured and corrected (hereinafter referred to as “program for curing the vulnerability in security”) or requesting the provider of information and communications services to release the program for curing the vulnerability in security through information and communications networks; |
| 3. | Spreading forecasts and warnings of computer security incidents under Article 48-2 (1) 2 of the Act to mass media and providers of information and communications services; |
| 4. | Providing information about computer security incidents to the heads of related agencies, if necessary for the security of national information and communications networks. |
| Article 57 (Persons Providing Information about Computer Security Incidents) |
“Persons prescribed by Presidential Decree from among those who operate an information and communications network” in Article 48-2 (2) 3 of the Act means any of the following persons among those who operate an information and communications network: <Amended by Presidential Decree No. 20756, Mar. 28, 2008; Presidential Decree No. 21278, Jan. 28, 2009; Presidential Decree No. 22423, Oct. 1, 2010; Presidential Decree No. 23104, Aug. 29, 2011; Presidential Decree No. 24445, Mar. 23, 2013; Presidential Decree No. 28210, Jul. 26, 2017> | 2. | A person who observes the current status of operation of information and communications networks by providers of information and communications services and provides information on computer security incidents; |
| 3. | A person specified and publicly notified by the Minister of Science and ICT among private business entities who operate information and communications networks independently with Internet protocol addresses allocated by the Korea Internet and Security Agency under subparagraph 1 (a) of Article 2 of the Internet Address Resources Act; |
| 4. | A producer of antivirus software against computer viruses among persons who engage in the information protection industry. |
| Article 58 (Provision of Information on Computer Security Incidents) |
A person who provides information on computer security incidents under Article 48-2 (2) of the Act shall comply with the following subparagraphs in providing information on computer security incidents: <Amended by Presidential Decree No. 24445, Mar. 23, 2013; Presidential Decree No. 28210, Jul. 26, 2017> | 1. | A method which a person applies to providing such information shall conform to a method determined by the Minister of Science and ICT, taking into consideration characteristics of information and communications networks, trends in computer security incidents, etc.; |
| 2. | The person shall take measures to prevent the destruction, obliteration, and alteration of information on computer security incidents; |
| 3. | The person shall adopt encryption techniques determined by the Minister of Science and ICT; |
| 4. | The person shall comply with other methods and procedures determined and publicly notified by the Minister of Science and ICT. |
| Article 59 (Organization of Private-Public Joint Investigation Team) |
| (1) | The Minister of Science and ICT shall organize an investigation team with the following persons when he or she organizes a private-public joint investigation team pursuant to Article 48-4 (2) (hereinafter referred to as “investigation team”): <Amended by Presidential Decree No. 22423, Oct. 1, 2010; Presidential Decree No. 24445, Mar. 23, 2013; Presidential Decree No. 28210, Jul. 26, 2017> |
| 1. | Public officials in charge of investigation of computer security incidents; |
| 2. | Persons who have expertise and experience in investigating computer security incidents; |
| 3. | Employees of the Korea Internet and Security Agency; |
| 4. | Other persons deemed necessary for the analysis of causes of computer security incidents. |
| (2) | The organization of an investigation team under paragraph (1) may be adjusted according to the scale and type of each computer security incident. |
| Article 60 (Entry into Places of Business by Investigation Team) |
| (1) | When an investigation team enters a place of business of a person involved under Article 48-4 (4) of the Act, the team members shall present identification badges indicating their authority to a person involved. |
| (2) | The identification badges under paragraph (1) are as prescribed in attached Table 5. |
| Article 61 (Guidelines for Transmission of Advertising Information for Profit) |
| (1) | “Period prescribed by Presidential Decree” in Article 50 (1) 1 of the Act means six months from the date the trade of the relevant goods, etc. is concluded. <Amended by Presidential Decree No. 25789, Nov. 28, 2014> |
| (2) | “Media prescribed by Presidential Decree” in the proviso to Article 50 (3) of the Act means electronic mail. <Newly Inserted by Presidential Decree No. 25789, Nov. 28, 2014> |
| (3) | Matters that a person who transmits advertising information for profit, using an electronic transmission medium pursuant to Article 50 (4) of the Act shall clearly state in the relevant information, and methods therefor shall be as specified in attached Table 6. <Amended by Presidential Decree No. 25789, Nov. 28, 2014> |
| Article 62 (Provision of Free Telephone Services for Refusal of Reception or Withdrawal of Consent to Reception) |
A person who transmits advertising information for profit, using an electronic transmission medium shall clearly state information about free telephone services, etc. for the refusal of reception or for the withdrawal of consent to reception, as prescribed in attached Table 6, and shall provide such services to addressees in accordance with Article 50 (6) of the Act. <Amended by Presidential Decree No. 22773, Mar. 29, 2011; Presidential Decree No. 25789, Nov. 28, 2014>
| Article 62-2 (Notification of Results of Handling of Consent to Receive Messages) |
A person who intends to transmit advertising information for profit, using an electronic transmission medium pursuant to Article 50 (7) of the Act shall notify an addressee of the following matters within 14 days from the date the relevant addressee expresses his or her consent to receipt of messages, refusal to receive messages or withdrawal of his or her consent to receive messages: | 2. | Fact that the addressee has consented to receive messages, refused to receive messages, or withdrawn his or her consent to receive messages, and the date he or she expresses the relevant intent; |
| 3. | Results of the handling thereof. |
[This Article Newly Inserted by Presidential Decree No. 25789, Nov. 28,
2014]
| Article 62-3 (Verification of Addressees' Consents to Receive Messages) |
| (1) | A person who has obtained prior consent from an addressee pursuant to Article 50 (1) or (3) of the Act shall verify whether the relevant addressee gives consent to receive messages every two years from the date he or she obtains consent to receive messages from the addressee (referring to the day before every second year from the date he or she obtains consent to receive messages) pursuant to paragraph (8) of the aforesaid Article. |
| (2) | A person who intends to verify whether an addressee gives his or her consent to receive messages pursuant to paragraph (1) shall advise the addressee of the following matters: |
| 2. | Fact that the addressee gives consent to receive messages, and the date he or she gives consent to receive messages; |
| 3. | Methods for expressing his or her intent to maintain or withdraw his or her consent to receive messages. |
[This Article Newly Inserted by Presidential Decree No. 25789, Nov. 28,
2014]
| Article 63 (Devices for Restricting Installation of Advertising Programs for Profits) |
“Information processing device prescribed by Presidential Decree” in the former part of Article 50-5 of the Act means an information processing device with which information can be transmitted and received by connecting it to an information and communications network, such as mobile Internet and mobile telephones. <Amended by Presidential Decree No. 23104, Aug. 29, 2011>
| Article 64 (Subsidization for Development of Software Designed to Cut Off Transmission of Advertising Information for Profits) |
| (1) | Pursuant to Article 50-6 of the Act, the Korea Communications Commission may fully or partially subsidize a project of a public institution, corporation, or organization that develops and distributes a piece of software or a computer program for conveniently cutting off or reporting advertising information transmitted for profits in violation of Article 50 of the Act (hereinafter referred to as “software for cutting off or reporting advertisements”), within budgetary limits. |
| (2) | The Korea Communications Commission may recommend providers of information and communications services and users to use the software developed in accordance with paragraph (1) for cutting off or reporting advertisements. <Amended by Presidential Decree No. 21278, Jan. 28, 2009> |
| Article 65 (Operation of the Korea Internet and Security Agency) |
| (1) | The Minister of Science and ICT, the Minister of the Interior and Safety or the Korea Communications Commission may request the head of a related agency to dispatch public officials engaged in the business of the Korea Internet and Security Agency under Article 52 (3) of the Act to the relevant work. <Amended by Presidential Decree No. 22423, Oct. 1, 2010; Presidential Decree No. 24445, Mar. 23, 2013; Presidential Decree No. 25751, Nov. 19, 2014; Presidential Decree No. 28210, Jul. 26, 2017> |
| (2) | When the head of a related agency who dispatched a public official under paragraph (1) needs to have the public official returned during the period of dispatch service, he or she shall consult with the head of the agency that requested for such dispatch. |
| (3) | The head of the Korea Internet and Security Agency may authorize a research institute related to information and communications to conduct part of the business affairs specified in Article 52 (3) 4 of the Act, with approval therefor from the Minister of Science and ICT, the Minister of the Interior and Safety or the Korea Communications Commission. <Amended by Presidential Decree No. 22423, Oct. 1, 2010; Presidential Decree No. 24445, Mar. 23, 2013; Presidential Decree No. 25789, Nov. 28, 2014; Presidential Decree No. 28210, Jul. 26, 2017> |
| (4) | If a business affair that the head of the Korea Internet and Security Agency conducts in accordance with Article 52 (3) of the Act is related to the protection of a public institution’s information, he or she shall obtain approval therefor from the head of the related institution. <Amended by Presidential Decree No. 22423, Oct. 1, 2010> |
| Article 66 (Operation of the Privacy Call Center) |
| (1) | The privacy call center under Article 52 (3) 9 of the Act (hereinafter referred to as the “privacy call center”) shall conduct the following duties: <Amended by Presidential Decree No. 21278, Jan. 28, 2009> |
| 1. | Provision of technical advice under Article 64 (10) of the Act on the prevention of personal information breach, the protection of personal information and other necessary assistance; |
| 2. | Settlement of grievances relating to the personal information breach and the transmission of advertising information and counseling thereon; |
| 3. | Research on countermeasures against the personal information breach; |
| 4. | Education and public relations activities for the prevention of personal information; |
| 5. | Programs related to the duties under subparagraphs 1 through 4. |
| (2) | If the Korea Communications Commission deems it necessary for requiring providers of information and communications services, etc. to submit relevant goods, documents, etc. or for efficiently conducting inspections under Article 64 (1) or (3) of the Act, it may dispatch its public officials to the Korea Internet and Security Agency pursuant to Article 32-4 of the State Public Officials Act. <Amended by Presidential Decree No. 20756, Mar. 28, 2008; Presidential Decree No. 21278, Jan. 28, 2009; Presidential Decree No. 22423, Oct. 1, 2010; Presidential Decree No. 23169, Sep. 29, 2011> |
CHAPTER VI-2 TELECOMMUNICATIONS BILLING SERVICES
| Article 66-2 (Requirements for Registration) |
| (1) | A person who intends to be registered as a provider of telecommunications billing services shall meet all the following requirements: <Amended by Presidential Decree No. 24445, Mar. 23, 2013; Presidential Decree No. 28210, Jul. 26, 2017> |
| 1. | The ratio of the total liabilities to the equity capital, total contributions, or endowment shall not exceed a ratio determined and publicly notified by the Minister of Science and ICT, which shall not exceed 200%. If the majority stockholder is a company that belongs to a conglomerate, defined under subparagraph 2 of Article 2 of the Monopoly Regulation and Fair Trade Act, (excluding conglomerates defined under Article 17 (1) 1 and 2 of the Enforcement Decree of the aforesaid Act) in such cases, the calculation of such ratio shall be based on the conglomerate, but companies that engage in financial business or insurance business, from among companies that belong to the conglomerate, shall be excluded from the calculation; |
| 2. | The person shall be fully equipped with the following human resources and physical facilities with which the person can conduct the business: |
| (a) | At least five executive officers and employees who have work experience of at least two years in operating electronic computer systems; |
| (b) | Electronic computer systems and various computer programs necessary for smoothly providing telecommunications billing services; |
| 3. | The equity capital, total contributions, or endowment shall be at least an amount specified in paragraph (2). |
[This Article Newly Inserted by Presidential Decree No. 20756, Mar. 28, 2008]
| Article 66-3 (Procedures for Registration) |
| (1) | A person who intends to be registered as a provider of telecommunications billing services shall file an application for registration, describing the following matters, with the Minister of Science and ICT: <Amended by Presidential Decree No. 24445, Mar. 23, 2013; Presidential Decree No. 28210, Jul. 26, 2017> |
| 1. | Trade name and the principal place of business; |
| 2. | The representative’s name; |
| 3. | Equity capital, total contributions, or endowment; |
| 4. | The names or titles of contributors (excluding small contributors specified and publicly notified by the Minister of Science and ICT) and their shares. |
| (2) | An application for registration under paragraph (1) shall be accompanied by the following documents: |
| 1. | Articles of incorporation; |
| 2. | Documents proving that an applicant meets the requirements for registration under Article 66-2; |
| 3. | A business plan for three years after the commencement of business (including estimated financial statements and a statement of estimated revenues and expenditures); |
| 4. | A plan for the protection of users of telecommunications billing services (including matters under Articles 66-7 through 66-9). |
| (3) | Upon receipt of an application for registration under paragraph (1), the Minister of Science and ICT shall verify the relevant corporate registration by sharing administrative information under Article 36 (1) of the Electronic Government Act. <Amended by Presidential Decree No. 22151, May 4, 2010; Presidential Decree No. 22467, Nov. 2, 2010; Presidential Decree No. 24445, Mar. 23, 2013; Presidential Decree No. 28210, Jul. 26, 2017> |
| (4) | If the Minister of Science and ICT finds any defect in a document submitted pursuant to paragraph (1) or (2), he or she may request the applicant to supplement and submit the document within ten days from the date when such document is submitted. <Amended by Presidential Decree No. 24445, Mar. 23, 2013; Presidential Decree No. 28210, Jul. 26, 2017> |
| (5) | When the Minister of Science and ICT registers a provider of telecommunications billing services, he or she shall publish the details of the registration through in the Official Gazette and shall inform the general public thereof through the Internet, etc. <Amended by Presidential Decree No. 24445, Mar. 23, 2013; Presidential Decree No. 28210, Jul. 26, 2017> |
[This Article Newly Inserted by Presidential Decree No. 20756, Mar. 28, 2008]
| Article 66-4 (Grounds for Disqualification from Registration) |
“Investor prescribed by Presidential Decree” in subparagraph 1 of Article 54 of the Act means any of the following persons: <Amended by Presidential Decree No. 20947, Jul. 29, 2008; Presidential Decree No. 28283, Sep. 5, 2017> | 1. | The principal who holds the largest number of outstanding voting stocks of, or shares in contributions to, the relevant corporation (hereafter referred to as “stocks or the like” in this Article), when the stocks held by the principal and those held by persons related to the principal, as defined under any subparagraph of Article 3 (1) of the Enforcement Decree of the Act on Corporate Governance of Financial Companies, on their own accounts respectively in whosever name are aggregated; |
[This Article Newly Inserted by Presidential Decree No. 20756, Mar. 28, 2008]
| Article 66-5 (Administrative Dispositions) |
| (1) | Deleted. <by Presidential Decree No. 26757, Dec. 22, 2015> |
| (2) | When the Minister of Science and ICT intends to revoke the registration of a provider of telecommunications billing services under Article 55 of the Act, he or she shall hold a hearing. <Amended by Presidential Decree No. 24445, Mar. 23, 2013; Presidential Decree No. 28210, Jul. 26, 2017> |
| (3) | When the Minister of Science and ICT revokes the registration of a provider of telecommunications billing services under Article 55 of the Act, he or she shall publish the details thereof in the Official Gazette and shall notify the general public thereof through the Internet or by other means. <Amended by Presidential Decree No. 24445, Mar. 23, 2013; Presidential Decree No. 28210, Jul. 26, 2017> |
[This Article Newly Inserted by Presidential Decree No. 20756, Mar. 28, 2008]
| Article 66-6 (Measures Necessary for Securing Stability and Reliability of Telecommunications Billing Services) |
Administrative and technical measures that a provider of telecommunications billing services shall take in accordance with Article 57 (2) of the Act in order to secure the stability and reliability of transactions through telecommunications billing services are as prescribed in attached Table 7. [This Article Newly Inserted by Presidential Decree No. 20756, Mar. 28, 2008]
| Article 66-7 (Period for Preservation of Transaction Records and Methods for Changing Contractual Terms) |
| (1) | Pursuant to Article 58 (4) and (7) of the Act, a provider of telecommunications billing services shall preserve records of the following matters for one year from the date on which each transaction is conducted: Provided, That the records of a transaction, the amount of which exceeds 10,000 won, shall be preserved for five years: <Amended by Presidential Decree No. 23104, Aug. 29, 2011; Presidential Decree No. 24445, Mar. 23, 2013; Presidential Decree No. 25789, Nov. 28, 2014; Presidential Decree No. 28210, Jul. 26, 2017; Presidential Decree No. 29339, Dec. 11, 2018> |
| 1. | The type of a transaction conducted through telecommunications billing services; |
| 2. | The amount of a transaction; |
| 3. | The other party to a transaction of purchase or use through telecommunications billing services (referring to a person who sells goods or provides services in return for a price therefor through telecommunications billing services; hereinafter referred to as the “other party to a transaction”); |
| 4. | The date and time of a transaction; |
| 5. | The subscriber number of telecommunications services for which charges are billed and collected; |
| 6. | Matters regarding access to telecommunications services in connection with the relevant transaction; |
| 7. | Matters regarding an application for a transaction and amendment to terms and conditions; |
| 8. | Matters regarding approval for a transaction; |
| 9. | Other matters determined and publicly notified by the Minister of Science and ICT. |
| (2) | Transaction records under paragraph (1) shall be preserved in paper, microfilms, discs, magnetic tapes, or other electronic information processing systems: Provided, That where such records are preserved in discs, magnetic tapes, or other electronic information processing systems, the requirements under Article 5 (1) of the Framework Act on Electronic Documents and Transactions shall be fully met. <Amended by Presidential Decree No. 24076, Aug. 31, 2012> |
| (3) | When a provider of telecommunications billing services (limited to a person who provides services under Article (2) (1) 10 (a)) changes contractual terms pursuant to Article 58 (6) of the Act, he or she shall notify users of telecommunications billing services by any means of e-mail, writing, facsimile, telephone or other means similar thereto. <Newly Inserted by Presidential Decree No. 25789, Nov. 28, 2014> |
| (4) | A user of telecommunications billing services may raise an objection to the changed contractual terms from the date he or she receives notification under paragraph (3) until the business day before the effective date of the changed contractual terms. <Newly Inserted by Presidential Decree No. 25789, Nov. 28, 2014> |
[This Article Newly Inserted by Presidential Decree No. 20756, Mar. 28, 2008]
[Moved from Article 66-8]
| Article 66-8 (Content of and Procedures for Requesting Information on Purchasers) |
| (1) | Where a user of telecommunications billing services requests the other party to a transaction pursuant to the former part of Article 58-2 (1) of the Act for information about the name and date of birth of a person who purchased or used goods or service (hereinafter referred to as "purchaser information"), he or she shall submit a written request (including an electronic document) for purchaser information, stating the following information: |
| 1. | Personal data of the user of telecommunications billing services: Name, date of birth, and contact information (referring to a telephone number, electronic mail address, etc.); |
| 2. | Requested details of payment: The telephone number used for payment and the date, time, and amount of payment; |
| 3. | The statement that purchaser information needs to be written separately for each type of goods or services. |
| (2) | Where any institution or organization authorized to mediate in and resolve disputes under Article 59 (2) of the Act requests for purchaser information on behalf of a user of telecommunications billing services, it shall submit a document (including an electronic document) confirming that the user of telecommunications billing services has given consent to requesting purchaser information on behalf of the user, along with the written request under paragraph (1). |
[This Article Newly Inserted by Presidential Decree No. 29339, Dec. 11, 2018]
[Previous Article 66-8 moved to Article 66-7]
| Article 66-9 (Procedures for Filing Objections and Redressing Violations of Rights) |
| (1) | A provider of telecommunications billing services shall designate a manager and an officer in charge of the protection of users of telecommunications billing services for filing objections and redressing violations of rights under Article 59 (3) of the Act and shall notify the contact information of such manager and officer (referring to telephone numbers, facsimile numbers, e-mail addresses, etc.) to users of telecommunications billing services through the Internet and by other means. <Amended by Presidential Decree No. 29339, Dec. 11, 2018> |
| (2) | A user of telecommunications billing services may file an objection with regard to telecommunications billing services to the relevant provider of telecommunications billing services in writing (or by an electronic document), telephone, facsimile, or other similar means. |
| (3) | Upon receipt of an objection under paragraph (2), the provider of telecommunications billing services shall notify the user of the results of the relevant investigation or decision within two weeks from the date when such objection is filed. |
[This Article Newly Inserted by Presidential Decree No. 20756, Mar. 28, 2008]
CHAPTER VI-3 INTERNATIONAL COOPERATION
| Article 67 (Protective Measures in Transferring Personal Information Abroad) |
| (1) | “Manner prescribed by Presidential Decree, including by e-mail” in the proviso to Article 63 (2) of the Act means any of e-mail, writing, facsimile, telephone, or any similar means. <Newly Inserted by Presidential Decree No. 27510, Sep. 22, 2016> |
| (2) | Protective measures to be taken in accordance with Article 63 (4) of the Act in the case of transferring personal information to overseas shall be as follows: <Amended by Presidential Decree No. 20756, Mar. 28, 2008> |
| 1. | Technical and administrative measures for protecting personal information under Article 15; |
| 2. | Measures for settling grievances and resolving disputes on the infringement of personal information; |
| 3. | Other measures necessary for protecting users’ personal information. |
| (3) | A provider, etc. of information and communications services shall, in advance, reach an agreement on measures specified in each subparagraph of paragraph (2) with a person to whom personal information is transferred overseas and shall reflect such agreement in the relevant contract. <Amended by Presidential Decree No. 21278, Jan. 28, 2009; Presidential Decree No. 27510, Sep. 22, 2016> |
CHAPTER VII SUPPLEMENTARY PROVISIONS
| Article 68 (Submission of Data) |
“Ground prescribed by Presidential Decree to believe that it is necessary for the protection of users” in Article 64 (1) 3 of the Act means either of the following cases: <Amended by Presidential Decree No. 20756, Mar. 28, 2008; Presidential Decree No. 23104, Aug. 29, 2011> | 2. | Where it is necessary to ascertain whether a person responsible for the protection of youths under Article 42-3 (3) of the Act performs the duty of protecting youths; |
| 3. | Deleted. <by Presidential Decree No. 24047, Aug. 17, 2012> |
| Article 68-2 (Methods for Publication of Order of Corrective Measures) |
| (1) | When the Minister of Science and ICT or the Korea Communications Commission orders a provider of information and communications services under Article 64 (4) of the Act to make a public publication of the fact that the service provider is ordered to take corrective measures, the Minister of Science and ICT or the Korea Communications Commission shall prescribe the details, number of times, and media of publication, the size of pages, etc. in issuing such order, taking the following factors into consideration: <Amended by Presidential Decree No. 23169, Sep. 29, 2011; Presidential Decree No. 24445, Mar. 23, 2013; Presidential Decree No. 28210, Jul. 26, 2017> |
| 1. | Details and severity of relevant violations; |
| 2. | The duration and number of times of relevant violations. |
| (2) | When the Minister of Science and ICT or the Korea Communications Commission orders a provider of information and communications services under paragraph (1) to make a publication of the fact that the service provider is ordered to take corrective measures, the Minister of Science and ICT or the Korea Communications Commission may consult on the text of the publication with the provider of information and communications services. <Amended by Presidential Decree No. 23169, Sep. 29, 2011; Presidential Decree No. 24445, Mar. 23, 2013; Presidential Decree No. 28210, Jul. 26, 2017> |
[This Article Newly Inserted by Presidential Decree No. 21278, Jan. 28, 2009]
| Article 69 (Disclosure of Order to Take Corrective Measures) |
| (1) | In either of the following cases, the fact that a provider of information and communications services is ordered to take corrective measures under Article 64 of the Act may be disclosed. In such cases, the Minister of Science and ICT or the Korea Communications Commission shall notify the relevant provider of information and communications services of the disclosure in advance: <Amended by Presidential Decree No. 20756, Mar. 28, 2008; Presidential Decree No. 21278, Jan. 28, 2009; Presidential Decree No. 23169, Sep. 29, 2011; Presidential Decree No. 24445, Mar. 23, 2013; Presidential Decree No. 28210, Jul. 26, 2017> |
| 1. | Where a provider of information and communications services is ordered to take corrective measures for an act specified in any provision of Articles 71 through 74 of the Act; |
| 2. | Where a provider of information and communications services has been ordered to take corrective measures at least twice a year. |
| (2) | The disclosure of an order to take corrective measures under paragraph (1) shall be made by publishing it on Internet websites or general daily newspapers circulated nationwide under the Act on the Promotion of Newspapers. <Amended by Presidential Decree No. 22003, Jan. 27, 2010> |
| Article 69-2 (Guidelines for Computation of Penalty Surcharges) |
| (1) | “Sales related to a violation” in the main sentence of Article 64-3 (1) of the Act means the average annual sales of information and communications services, related to a violation of the relevant service provider, of the three immediately preceding business years: Provided, That such sales mean an amount computed by converting sales from the commencement date of business until the end of the immediately preceding business year into average annual sales, if three years have not passed since the business commenced as of the beginning of the pertinent business year, or an amount computed by converting sales from the commencement date of business until the date of violation into annual sales, if the business commenced during the pertinent business year. <Amended by Presidential Decree No. 24047, Aug. 17, 2012> |
| 1. | Where a provider of information and communications services has not commenced business or discontinued business and so has no record of business performance; |
| 2. | Where data for the computation of sales has been obliterated or destroyed, making it impracticable to compute sales objectively. |
| (3) | If the Korea Communications Commission needs financial statements or other data for the computation of sales under paragraph (1), it may request the relevant provider of information and communications services to submit relevant data within a specified period of up to 20 days. <Amended by Presidential Decree No. 24047, Aug. 17, 2012> |
| (4) | Guidelines and procedures for calculating penalty surcharges under Article 64-3 (4) of the Act are as specified in attached Table 8. <Newly Inserted by Presidential Decree No. 22423, Oct. 1, 2010; Presidential Decree No. 25789, Nov. 28, 2014> |
[This Article Newly Inserted by Presidential Decree No. 21278, Jan. 28, 2009]
| Article 69-3 (Imposition and Payment of Penalty Surcharges) |
| (1) | When the Korea Communications Commission intends to impose a penalty surcharge upon a person under Article 64-3 of the Act, it shall investigate and ascertain the relevant violation and shall give a notice to a person subject to the imposition of the penalty surcharge to pay it, clearly stating the facts relevant to the violation, the amount imposed, the method for filing an objection, the period given for filing an objection, etc. in writing. |
| (2) | Upon receipt of a notice under paragraph (1), a person shall pay the penalty surcharge within 20 days from the date on which he or she receives the notice to a financial institution designated by the Korea Communications Commission: Provided, That if it is impossible to pay a penalty surcharge within a specified period due to a natural disaster or any other event beyond control, the penalty surcharge shall be paid within seven days from the date on which the event terminates. |
| (3) | A financial institution that receives a penalty surcharge under paragraph (2) shall issue a receipt to a person who pays the penalty surcharge. |
[This Article Newly Inserted by Presidential Decree No. 21278, Jan. 28, 2009]
| Article 70 (Delegation and Entrustment of Authority) |
| (1) | Pursuant to Article 65 (1) of the Act, Minister of Science and ICT shall delegate the authority to impose administrative fines under Article 76 of the Act upon the following persons and to collect administrative fines from them to the Director General of the Central Radio Management Service: <Amended by Presidential Decree No. 20756, Mar. 28, 2008; Presidential Decree No. 20896, Jul. 3, 2008; Presidential Decree No. 22424, Oct. 1, 2010; Presidential Decree No. 24445, Mar. 23, 2013; Presidential Decree No. 25789, Nov. 28, 2014; Presidential Decree No. 28210, Jul. 26, 2017; Presidential Decree No. 29192, Sep. 28, 2018> |
| 2. | A person required to designate and a chief information security officer, and report thereon pursuant to the proviso to Article 45-3 (1) of the Act; |
| (2) | and (3) Deleted. <by Presidential Decree No. 29192, Sep. 28, 2018> |
| (4) | Pursuant to Article 65 (3) of the Act, the Korea Communications Commission shall entrust the following duties to the head of the Korea Internet and Security Agency: <Amended by Presidential Decree No. 20756, Mar. 28, 2008; Presidential Decree No. 22423, Oct. 1, 2010; Presidential Decree No. 23169, Sep. 29, 2011; Presidential Decree No. 25789, Nov. 28, 2014> |
| 1. | Duties relating to a request for the submission of data and inspections under Article 64 (1) and (3) of the Act for ascertaining a violation of any provision of Articles 22 through 32 of the Act (limited to grievances filed with the Korea Internet and Security Agency for settlement or counseling in connection with the personal information breach); |
| (5) | The Minister of Science and ICT shall delegate the following authority to the Director General of the Central Radio Management Center pursuant to Article 65 (1) of the Act: <Newly Inserted by Presidential Decree No. 25789, Nov. 28, 2014; Amended by Presidential Decree No. 26757, Dec. 22, 2015; Presidential Decree No. 28210, Jul. 26, 2017> |
| 3. | Registration of changes in providers of telecommunications billing services, the transfer or acquisition of business, or the merger or inheritance of business, succession to business and reporting on the suspension, closure or dissolution of business under Article 53 (4) of the Act; |
| 5. | Reporting on contractual terms (including reporting on changes in contractual terms) on telecommunications billing services under Article 56 (1) of the Act; |
| 6. | Recommending a provider of telecommunications billing services to change contractual terms under Article 56 (2) of the Act; |
| 7. | Issuing orders to refuse, suspend, or restrict the provision of telecommunications billing services under Article 61 of the Act; |
| Article 70-2 (Processing of Personally Identifiable Information) |
Where it is inevitable to conduct the following duties, the Minister of Science and ICT or the Korea Communications Commission (including a person entrusted with the authority of the Korea Communications Commission pursuant to Article 70) may process resident registration numbers under subparagraph 1 of Article 19 of the Enforcement Decree of the Personal Information Protection Act, or foreigner registration numbers under subparagraph 4 of the aforesaid Article: <Amended by Presidential Decree No. 28210, Jul. 26, 2017> [This Article Newly Inserted by Presidential Decree No. 25532, Aug. 6, 2014]
| Article 71 (Re-Examination of Regulation) |
| (1) | The Minister of Science and ICT or the Korea Communications Commission shall examine the appropriateness of administrative fines every three years (referring to the period ending on the date immediately before every third anniversary from the base date), counting from the base date, January 1, 2017, and shall take measures, such as making improvements. <Amended by Presidential Decree No. 27751, Dec. 30, 2016; Presidential Decree No. 28210, Jul. 26, 2017> |
| (2) | The Minister of Science and ICT shall examine the appropriateness of the following matters every three years (referring to the period ending on the date preceding every third anniversary from the base date), counting from each base date specified in the following, and take measures, such as making improvements: <Amended by Presidential Decree No. 27751, Dec. 30, 2016; Presidential Decree No. 28210, Jul. 26, 2017; Presidential Decree No. 29339, Dec. 11, 2018> |
| 1. | Protective measures taken by business entities operating and managing clustered information and telecommunications facilities under Article 37: January 1, 2017; |
| 2. | Obligations to precure insurance and the minimum amount of insurance cover under Article 38: January 1, 2017; |
| 3. | Scope of persons subject to the certification of information protection and management systems under Article 49: January 1, 2014; |
| 4. | Follow-up management and notification on the certification of information protection and management systems under Article 51: January 1, 2017; |
| 5. | Guidelines for designating a certification institution for information protection and management systems under Article 53: January 1, 2017; |
| 6. | Procedures for designating a certification institution for information protection and management systems under Article 53-2: January 1, 2017; |
| 7. | Requirements for the registration of a provider of telecommunications billing services under Article 66-2: January 1, 2014; |
| 8. | Period and methods for preservation of transaction records under Article 66-7: January 1, 2014. |
| (3) | Deleted. <by Presidential Decree No. 27751, Dec. 30, 2016> |
| (4) | The Korea Communications Commission shall review the suitability of the following matters every three years (referring to the period ending on the date preceding every third anniversary from the base date), counting from each base date specified in the following, and take measures, such as making improvements: <Amended by Presidential Decree No. 25789, Nov. 28, 2014> |
| 1. | Methods for obtaining consent under Article 12: January 1, 2015; |
| 2. | Scope of persons required to give notice of the details of the use of personal information, types of information of which a person should give notice, and a frequency of and methods for giving notice under Article 17: January 1, 2015; |
| 3. | Scope of persons liable to designate a person responsible for the protection of youths under Article 25: January 1, 2015; |
| 4. | Deadline for designation of a person responsible for the protection of youths under Article 27: January 1, 2015; |
| 5. | Deleted. <by Presidential Decree No. 27751, Dec. 30, 2016> |
[This Article Newly Inserted by Presidential Decree No. 25050, Dec. 30, 2013]
| Article 72 Deleted. <by Presidential Decree No. 22550, Dec. 27, 2010> |
| Article 73 Deleted. <by Presidential Decree No. 21692, Aug. 18, 2009> |
| Article 74 (Guidelines for Imposition of Administrative Fines) |
[This Article Wholly Amended by Presidential Decree No. 22423, Oct. 1, 2010]
ADDENDA
Article 1 (Enforcement Date)
This Decree shall enter into force on the date of its promulgation.
Article 2 (Relationship to Other Statutes or Regulations)
A citation of the previous Enforcement Decree of the Act on Promotion of Information and Communications Network Utilization and Information Protection, the Enforcement Rule of the Act on Promotion of Information and Communications Network Utilization and Information Protection, or a provision of either of them by any other statutes or regulations in force as at the time this Decree enters into force shall be deemed a citation of this Decree or the relevant provision of this Decree in lieu of the previous provision, if this Decree prescribes such relevant provision.
ADDENDUM <Presidential Decree No. 20756, Mar. 28, 2008>
This Decree shall enter into force on the date of its promulgation.
ADDENDA <Presidential Decree No. 20896, Jul. 3, 2008>
Article 1 (Enforcement Date)
This Decree shall enter into force on the date of its promulgation.
Article 2 Omitted.
ADDENDA <Presidential Decree No. 20947, Jul. 29, 2008>
Article 1 (Enforcement Date)
This Decree shall enter into force on February 4, 2009. (Proviso Omitted.)
Articles 2 through 28 Omitted.
ADDENDA <Presidential Decree No. 21278, Jan. 28, 2009>
Article 1 (Enforcement Date)
This Decree shall enter into force on the date of its promulgation: Provided, That the amended provisions of Article 15 (4) 2 and 4 shall enter into force one year after the date of its promulgation. Article 2 (Preparation for Public Notice)
Notwithstanding the proviso to Article 1 of the Addenda, the public notice under the amended provisions of Article 15 (6) may include the public notice of guidelines under the amended provisions of Article 15 (4) 2 and 4.
ADDENDA <Presidential Decree No. 21692, Aug. 18, 2009>
Article 1 (Enforcement Date)
This Decree shall enter into force on August 23, 2009.
Articles 2 through 6 Omitted.
ADDENDA <Presidential Decree No. 21719, Sep. 9, 2009>
Article 1 (Enforcement Date)
This Decree shall enter into force on September 10, 2009.
Articles 2 and 3 Omitted.
ADDENDA <Presidential Decree No. 22003, Jan. 27, 2010>
Article 1 (Enforcement Date)
This Decree shall enter into force on February 1, 2010.
Articles 2 through 5 Omitted.
ADDENDA <Presidential Decree No. 22151, May 4, 2010>
Article 1 (Enforcement Date)
This Decree shall enter into force on May 5, 2010.
Articles 2 through 4 Omitted.
ADDENDA <Presidential Decree No. 22423, Oct. 1, 2010>
Article 1 (Enforcement Date)
This Decree shall enter into force on the date of its promulgation.
Article 2 (Transitional Measures concerning Guidelines for Administrative Dispositions)
| (1) | Notwithstanding the amended provisions of attached Tables 4 and 8, the previous provisions shall apply to the application of guidelines for administrative dispositions (including guidelines for the imposition of penalty surcharges) against violations committed before this Decree enters into force. |
| (2) | Administrative dispositions imposed for violations committed before this Decree enters into force shall be included in the computation of the number of violations under the amended provisions of attached Table 4. |
Article 3 (Transitional Measures concerning Administrative Fines)
| (1) | Notwithstanding the amended provisions of attached Table 9, the previous practices shall apply to the imposition of administrative fines for violations committed before this Decree enters into force. |
| (2) | Administrative fines imposed for violations committed before this Decree enters into force shall be included in the computation of the number of violations under the amended provisions of attached Table 9. |
ADDENDA <Presidential Decree No. 22424, Oct. 1, 2010>
Article 1 (Enforcement Date)
This Decree shall enter into force on the date of its promulgation.
Articles 2 through 10 Omitted.
ADDENDUM <Presidential Decree No. 22467, Nov. 2, 2010>
This Decree shall enter into force on the date of its promulgation.
ADDENDA <Presidential Decree No. 22550, Dec. 27, 2010>
Article 1 (Enforcement Date)
This Decree shall enter into force on the date of its promulgation. (Proviso Omitted.)
Articles 2 through 6 Omitted.
ADDENDUM <Presidential Decree No. 22773, Mar. 29, 2011>
This Decree shall enter into force on the date of its promulgation.
ADDENDUM <Presidential Decree No. 23104, Aug. 29, 2011>
This Decree shall enter into force on the date of its promulgation.
ADDENDA <Presidential Decree No. 23169, Sep. 29, 2011>
Article 1 (Enforcement Date)
This Decree shall enter into force on September 30, 2011. (Proviso Omitted.)
Articles 2 through 8 Omitted.
ADDENDUM <Presidential Decree No. 23876, Jun. 25, 2012>
This Decree shall enter into force on the date of its promulgation.
ADDENDA <Presidential Decree No. 24047, Aug. 17, 2012>
Article 1 (Enforcement Date)
This Decree shall enter into force on August 18, 2012: Provided, That the amended provisions of Articles 15 (2), 36-2 through 36-6, 39 through 49, 51 through 53, 53-2 through 53-4, 54-2, 55-2 through 55-5, attached Table 2, attached Table 3, paragraph 2 (v) and (w) of attached Table 9, and Article 3 of Addenda shall enter into force on February 18, 2013. Article 2 (Applicability to Counting of Unused Period)
Counting a period under the amended provisions of Article 16 (1) shall begin where information and communications services are not used on and after August 18, 2012. Article 3 Omitted.
ADDENDA <Presidential Decree No. 24076, Aug. 31, 2012>
Article 1 (Enforcement Date)
This Decree shall enter into force on September 2, 2012. (Proviso Omitted.)
Articles 2 through 4 Omitted.
ADDENDA <Presidential Decree No. 24102, Sep. 14, 2012>
Article 1 (Enforcement Date)
This Decree shall enter into force on September 16, 2012. (Proviso Omitted.)
Articles 2 through 4 Omitted.
ADDENDA <Presidential Decree No. 24445, Mar. 23, 2013>
Article 1 (Enforcement Date)
This Decree shall enter into force on the date of its promulgation.
Articles 2 through 4 Omitted.
ADDENDUM <Presidential Decree No. 25050, Dec. 30, 2013>
This Decree shall enter into force on January 1, 2014. (Proviso Omitted.)
ADDENDUM <Presidential Decree No. 25532, Aug. 6, 2014>
This Decree shall enter into force on August 7, 2014.
ADDENDA <Presidential Decree No. 25751, Nov. 19, 2014>
Article 1 (Enforcement Date)
This Decree shall enter into force on the date of its promulgation. (Proviso Omitted.)
Articles 2 through 5 Omitted.
ADDENDA <Presidential Decree No. 25789, Nov. 28, 2014>
Article 1 (Enforcement Date)
This Decree shall enter into force on November 29, 2014: Provided, That the
amended provision of the main sentence of Article 16 (1) shall enter into force on August 18, 2015. Article 2 (Applicability to Destruction of Personal Information)
The amended provision of the main sentence of Article 16 (1) shall also apply to personal information collected or provided before August 18, 2015. Article 3 (Applicability to Notification of Results of Handling of Consent to Receive Messages)
The amended provisions of Article 62-2 shall begin to apply to cases where an addressee expresses his or her consent to receive messages, refuse to receive messages or withdraw his or her consent to receive messages after this Decree enters into force. Article 4 (Special Cases concerning Reporting on Chief Information Security Officers)
Notwithstanding the amended provisions of Article 36-7, an information and telecommunications service provider falling under any of the subparagraphs of the amended provisions of Article 36-6 as at the time this Decree enters into force shall submit a report on the designation of a chief information security officer to the Minister of Science, ICT and Future Planning within 90 days from the date this Decree enters into force. Article 5 (Special Cases on Guidelines for Transmitting Advertising Information for Purposes of Generating Profits)
Where the amended provision of Article 61 (1) applies to cases where the sale of goods, etc. is concluded before this Decree enters into force, the enforcement date of this Decree shall be deemed the date the sale of the relevant goods, etc. is concluded. Article 6 (Special Cases concerning Verification as to Whether Addressee Has Consented to Receive Messages)
Where the amended provisions of Article 62-3 (1) applies to cases where a person has obtained consent to receive messages from an addressee before this Decree enters into force, he or she shall be deemed to have obtained the relevant consent to receive messages on the date this Decree enters into force. Article 7 (Transitional Measures concerning Measures to Protect Personal Information)
Where an information and telecommunications service provider has taken security measures under the previous provisions of Article 15 (4) 1 and 2 before this Decree enters into force, the previous provisions shall apply, notwithstanding the amended provisions of Article 15 (4) 1 and 2. Article 8 (Transitional Measures concerning Guidelines for Calculating Penalty Surcharges)
When a penalty surcharge is imposed on any offense committed before this
Decree enters into force, notwithstanding the amended provisions of attached
Table 8, the previous provisions thereof shall apply.
Article 9 (Transitional Measures concerning Administrative Fines)
| (1) | When guidelines for imposing administrative fines apply to offenses committed before this Decree enters into force, notwithstanding the amended provisions of attached Table 9, the previous provisions thereof shall apply. |
| (2) | A disposition of the imposition of an administrative fine due to an offense committed before this Act enters into force shall be included in the calculation of the number of times of offenses under the amended provisions of attached Table 9. |
ADDENDA <Presidential Decree No. 26757, Dec. 22, 2015>
Article 1 (Enforcement Date)
This Decree shall enter into force on December 23, 2015.
Article 2 (Transitional Measures concerning Administrative Fines)
Administrative fines, imposed pursuant to the previous provisions of subparagraph 2 (n) of attached Table 9, for violations committed before this Decree enters into force, shall not be included in the count of violations under the amended provisions of subparagraph 2 (f) of attached Table 9.
ADDENDUM <Presidential Decree No. 27188, May 31, 2016>
This Decree shall enter into force on June 2, 2016: Provided, That the amended provisions of Article 16 shall enter into force on the date of its promulgation.
ADDENDA <Presidential Decree No. 27510, Sep. 22, 2016>
Article 1 (Enforcement Date)
This Decree shall enter into force on September 23, 2016: Provided, That the amended provisions of the proviso to Article 16 (2) shall enter into force one year after this Decree enters into force. Article 2 (Applicability to Separate Storage and Management of Personal Information)
The amended provisions of the proviso to Article 16 (2) shall also apply to the personal information collected or provided before the enforcement date referred to in the proviso to Article 1 of Addenda.
ADDENDA <Presidential Decree No. 27751, Dec. 30, 2016>
Article 1 (Enforcement Date)
This Decree shall enter into force on January 1, 2017. (Proviso Omitted.)
Articles 2 through 12 Omitted.
ADDENDA <Presidential Decree No. 27951, Mar. 22, 2017>
Article 1 (Enforcement Date)
This Decree shall enter into force on March 23, 2017.
Article 2 (Applicability to Consent to Access Authority)
The amended provisions of Article 9-2 (1) through (3) shall begin to apply from the first case where a provider of information and communications services needs access authority to provide the relevant services through such softwares (including softwares which have been manufactured before this Decree enters into force, but are provided thereafter, and softwares which have been provided before this Decree enters into force, but are supplied thereafter) of mobile devices as are supplied after this Decree enters into force. Article 3 (Applicability to Measures Necessary for Protecting Information on Users)
The amended provisions of Article 9-2 (4) shall begin to apply from the first case of providing the operating system or softwares of mobile devices after this Decree enters into force (including a case of having manufactured the operating system or software before this Decree enters, but providing it thereafter and a case of having provided the operating system or softwares before this Decree enters into force, but upgrading either thereafter) and the first case of manufacturing mobile devices after this Decree enters into force (excluding a case where mobile devices are being manufactured as at the time this Decree enters into force, but the operating system has been installed in them therebefore).
ADDENDA <Presidential Decree No. 28210, Jul. 26, 2017>
Article 1 (Enforcement Date)
This Decree shall enter into force on the date of its promulgation.
Articles 2 through 6 Omitted.
ADDENDA <Presidential Decree No. 28283, Sep. 5, 2017>
Article 1 (Enforcement Date)
This Decree shall enter into force three months after the date of its promulgation: Provided, That ... <omitted> ... Article 6 of the Addenda shall enter into force on the date of its promulgation.
Articles 2 through 6 Omitted.
ADDENDUM <Presidential Decree No. 28919, May 28, 2018>
This Decree shall enter into force on the date of its promulgation. (Proviso Omitted.)
ADDENDUM <Presidential Decree No. 29053, Jul. 17, 2018>
This Decree shall enter into force on the date of its promulgation.
ADDENDA <Presidential Decree No. 29192, Sep. 28, 2018>
Article 1 (Enforcement Date)
This Decree shall enter into force on the date of its promulgation.
Articles 2 and 3 Omitted.
ADDENDUM <Presidential Decree No. 29339, Dec. 11, 2018>
This Decree shall enter into force on December 13, 2018.
ADDENDUM <Presidential Decree No. 29633, Mar. 19, 2019>
This Decree shall enter into force on March 19, 2019.