ENFORCEMENT DECREE OF THE ACT ON PROMOTION OF INFORMATION AND COMMUNICATIONS NETWORK UTILIZATION AND INFORMATION PROTECTION

Wholly Amended by Presidential Decree No. 20668, Feb. 29, 2008

Amended by Presidential Decree No. 20756, Mar. 28, 2008

Presidential Decree No. 20896, Jul. 3, 2008

Presidential Decree No. 20947, Jul. 29, 2008

Presidential Decree No. 21278, Jan. 28, 2009

Presidential Decree No. 21692, Aug. 18, 2009

Presidential Decree No. 21719, Sep. 9, 2009

Presidential Decree No. 22003, Jan. 27, 2010

Presidential Decree No. 22151, May 4, 2010

Presidential Decree No. 22423, Oct. 1, 2010

Presidential Decree No. 22424, Oct. 1, 2010

Presidential Decree No. 22467, Nov. 2, 2010

Presidential Decree No. 22550, Dec. 27, 2010

Presidential Decree No. 22773, Mar. 29, 2011

Presidential Decree No. 23104, Aug. 29, 2011

Presidential Decree No. 23169, Sep. 29, 2011

Presidential Decree No. 23876, Jun. 25, 2012

Presidential Decree No. 24047, Aug. 17, 2012

Presidential Decree No. 24076, Aug. 31, 2012

Presidential Decree No. 24102, Sep. 14, 2012

Presidential Decree No. 24445, Mar. 23, 2013

Presidential Decree No. 25050, Dec. 30, 2013

Presidential Decree No. 25532, Aug. 6, 2014

Presidential Decree No. 25751, Nov. 19, 2014

Presidential Decree No. 25789, Nov. 28, 2014

Presidential Decree No. 27188, May 31, 2016

Presidential Decree No. 27510, Sep. 22, 2016

Presidential Decree No. 27751, Dec. 30, 2016

Presidential Decree No. 27951, Mar. 22, 2017

Presidential Decree No. 28210, Jul. 26, 2017

Presidential Decree No. 28283, Sep. 5, 2017

Presidential Decree No. 28919, May 28, 2018

Presidential Decree No. 29053, Jul. 17, 2018

Presidential Decree No. 29192, Sep. 28, 2018

Presidential Decree No. 29339, Dec. 11, 2018

Presidential Decree No. 29633, Mar. 19, 2019

Presidential Decree No. 29852, Jun. 11, 2019

Presidential Decree No. 29886, Jun. 25, 2019

Presidential Decree No. 30509, Mar. 3, 2020

Presidential Decree No. 30691, May 19, 2020

Presidential Decree No. 30894, Aug. 4, 2020

Presidential Decree No. 31247, Dec. 8, 2020

Presidential Decree No. 31221, Dec. 8, 2020

Presidential Decree No. 31380, Jan. 5, 2021

Presidential Decree No. 31429, Feb. 2, 2021

Presidential Decree No. 32179, Dec. 7, 2021

CHAPTER I GENERAL PROVISIONS
 Article 1 (Purpose)
The purpose of this Decree is to provide for matters delegated by the Act on Promotion of Information and Communications Network Utilization and Information Protection and matters necessary for enforcing said Act.
 Article 2 (Code of Ethics)
(1) The providers of information and communications services, defined under Article 2 (1) 3 of the Act on Promotion of Information and Communications Network Utilization and Information Protection (hereinafter referred to as the “Act”), or an association of such providers may establish and enforce a code of ethics in order to protect users and to ensure soundness and safety in providing information and communications services. <Amended on Jan. 28, 2009; Aug. 4, 2020>
(2) An association of users defined under Article 2 (1) 4 of the Act may establish and enforce a users’ code of ethics for the establishment of a sound information society.
(3) The Government may provide assistance to activities for the establishment and enforcement of the code of ethics under paragraph (1) or (2).
 Article 3 Deleted. <Aug. 4, 2020>
CHAPTER II PROMOTION OF UTILIZATION OF INFORMATION AND COMMUNICATIONS NETWORKS
 Article 4 Deleted. <Aug. 18, 2009>
 Article 5 Deleted. <Aug. 18, 2009>
 Article 6 (Measures for Establishment of System for Sharing Information)
(1) Pursuant to Article 12 of the Act, the head of a central administrative agency may formulate and provide a public notice of a plan for sharing information about matters under his or her jurisdiction. <Amended on May 4, 2010>
(2) If the head of a central administrative agency deems it necessary to efficiently implement a plan for sharing information pursuant to paragraph (1), he or she may assist a person in conducting the following business activities:
1. Selection of information to be shared, among the information possessed and managed;
2. Establishment and operation of a system for interconnecting different information and communications networks;
3. Adjustment of expenses allotted to each agency in connection with the interconnection of different information and communications networks;
4. Other activities necessary for the establishment of the system for sharing information.
 Article 7 (Implementation of Projects for Promoting Utilization of Information and Communications Networks)
Projects that the Minister of Science and Information Communications Technology (ICT) may implement pursuant to Article 13 (1) of the Act are as follows: <Amended on Mar. 23, 2013; Jul. 26, 2017>
1. Pilot projects for the establishment and operation of information and communications networks;
2. Pilot projects for the commercialization of new media;
3. Advanced application projects for nurturing the informatization industry and projects for supporting related research projects;
4. Projects to lay a foundation for the development of technologies for electronic transactions and the invigoration of electronic transactions;
5. Supportive projects for the improvement of statutes and systems for promoting the utilization of information and communications networks;
6. Other pilot projects for the efficient utilization and dissemination of technologies, equipment, and application services.
CHAPTER III Deleted.
 Article 8 Deleted. <Dec. 22, 2015>
 Article 9 Deleted. <Dec. 22, 2015>
CHAPTER IV CREATION OF SAFE ENVIRONMENT FOR USE OF INFORMATION AND COMMUNICATIONS
 Article 9-2 (Extent of Access Authority)
(1) A case where a provider of information and communications services shall obtain consent from the users pursuant to Article 22-2 (1) of the Act means a case where such provider needs authority of access to the following information and functions (hereafter referred to as “access authority” in this Article) through the software of mobile devices: Provided, That this shall not apply to the information and functions accessed by any software, which has been installed in mobile devices in the course of manufacturing and supplying them, to perform their intrinsic functions such as communications, photography, and audio and video replay:
1. Information stored by the users on their mobile devices such as contact points, schedules, videos, communications, biometric information (referring to information concerning physical or behavioral characteristics with which an individual can be identified, such as fingerprints, iris, voice, and handwriting; hereinafter the same shall apply);
2. Information automatically stored on mobile devices in the course of using them, such as location information, communication logs, authentication information, and physical activity records;
3. Unique information assigned to identify mobile devices, including unique international identification number under Article 60-2 (1) of the Telecommunications Business Act;
4. Input and output functions, such as photography, speech recognition, and biometric or health information detecting sensor.
(2) A provider of information and communications services shall, in the course in which the users install or run a software of mobile devices, inform the users of the matters referred to in each subparagraph of Article 22-2 (1) of the Act in a manner displaying such matters on a software’s guidance information screen or other separate screen and shall obtain consent of the users according to the following classifications in the same manner:
1. Where the basic operating system of mobile devices (referring to the base environment in which the software can be executed in mobile devices; hereinafter referred to as “operating system”) is an operating system in which the users can individually choose whether to consent to the access authority: A method by which, after the provider of information and communications services informs the users about both access authorities under Article 22-2 (1) 1 and 2 of the Act separately from each other, the users choose whether to consent when they access for the first time any information or function for which the access authority is set;
2. Where the operating system of mobile devices is one by which the users cannot individually choose whether to consent to the access authority: A method by which, after the provider of information and communications services only sets the access authority under Article 22-2 (1) 1 of the Act and informs the users thereof, the users choose whether to consent to the access authority when they install the software;
3. Where the method referred to in subparagraph 1 or 2 is impossible though the operating system of mobile devices is one referred to in subparagraph 1 or 2: A method similar to one referred to in subparagraph 1 or 2, by which the provider of information and communications services informs the users of the content of consent so that they can definitely acknowledge such content and choose whether to give consent.
(3) When determining whether a matter requiring consent of the users pursuant to Article 22-2 (1) of the Act falls under any access authority under subparagraph 1 or 2 of that Article, the following shall be taken into consideration: The extent of information and communications services as disclosed through the terms of service, the privacy policy prescribed in Article 30 (1) of the Personal Information Protection Act, or any separate guidelines; whether such information and communications services are actually provided; the users’ reasonable foreseeability for the relevant information and communications services; and technical relevance between the relevant information and communications services and the access authority, and other factors. <Amended on Aug. 4, 2020>
(4) Persons manufacturing and supplying the operating system of mobile devices, manufacturers of mobile devices, and persons manufacturing and supplying software of mobile devices shall take necessary measures according to the following classifications in order to protect information on the users referred to in Article 22-2 (3) of the Act:
1. Persons manufacturing and supplying the operating system of mobile devices: They shall manufacture and provide the operating system in which there are embedded functions by which the providers of information and communications services can obtain the consent of the users by the methods classified in the subparagraphs of paragraph (2) and the users can revoke their consent, and they also shall prepare and disclose operating standards for the access authority set in the operating system so that the persons manufacturing and supplying the software of mobile devices can easily understand such standards;
2. Manufacturers of mobile devices: They shall install on mobile devices the operating system in which functions to give and revoke the consent under subparagraph 1 are embedded;
3. Persons manufacturing and providing software of mobile devices: They shall embed in the software the operating system for which the measures under subparagraphs 1 and 2 are taken and the methods for giving and revoking consent which are suitable for mobile devices.
[This Article Newly Inserted on Mar. 22, 2017]
 Article 9-3 (Criteria for Standard Subject to Review)
(1) Detailed examination criteria for each item of examination under Article 23-3 (1) of the Act shall be as follows: <Amended on Aug. 17, 2012; Aug. 4, 2020>
1. A plan for physical, technological, or administrative measures: A plan for measures concerning the following shall be formulated:
(a) The management and operation of equipment for identification services under Article 23-3 (1) of the Act (hereinafter referred to as “identification services”);
(b) The prevention of a breach on information and communications networks;
(c) The operation, security, and management of systems and networks;
(d) The protection of users and the settlement of complaints;
(e) The response to urgency and emergency;
(f) The formulation and enforcement of internal regulations on identification services;
(g) The securement of safety of an alternative means under Article 23-2 (2) of the Act (hereinafter referred to as “alternative means”);
(h) The prevention of fabrication and alteration of access records;
(i) Other matters specified and publicly notified by the Korea Communications Commission for identification services;
2. Technological capability: An identification service agency shall have at least eight persons who meet any of the following requirements:
(a) Each person shall hold a national technical qualification as an information and communications engineer, information processing engineer, or an engineer specializing in application of electronic computer systems or a qualification recognized by the Korea Communications Commission as equivalent to such qualification;
(b) Each person shall have work experience of at least two years in a field specified and publicly notified by the Korea Communications Commission as related to the protection of information or the operation and management of information and communication systems;
3. Financial capability: An identification service agency’s equity capital shall be at least eight billion won (excluding state agencies and local governments);
4. Appropriateness of the scale of facilities: An identification service agency shall possess the following facilities in a scale necessary for the proper provision of identification services:
(a) Facilities for the verification, management, and protection of users’ personal information (referring to personal information defined in subparagraph 1 of Article 2 of the Personal Information Protection Act; hereafter in Article 9-6 the same shall apply);
(b) Facilities for the generation, issuance, and management of alternative means;
(c) Security facilities for controlling and restricting access;
(d) Facilities for the protection of systems and networks;
(e) Facilities for the prevention of fire, flood, power failure, and other disasters.
(2) Matters necessary for guidelines and methods for the evaluation of criteria for each standard subject to the review under paragraph (1) shall be prescribed and publicly notified by the Korea Communications Commission.
[This Article Newly Inserted on Aug. 29, 2011]
 Article 9-4 (Procedures for Designation of Identification Service Agencies)
(1) A person who intends to be designated as an identification service agency under Article 23-3 (1) of the Act shall file an application for the designation of an identification service agency (including in electronic form) with the Korea Communications Commission, along with the following documents (including electronic documents):
1. A business plan describing the current conditions of its organization, human resources, facilities, etc.;
2. Documents certifying that criteria for each standard subject to the review under Article 9-3 are satisfied;
3. Articles of incorporation or bylaws of organization (applicable only if an applicant is a legal person or organization);
4. Other documents specified and publicly notified by the Korea Communications Commission as documents necessary for ascertaining the expertise in providing identification services, the soundness of the financial structure, etc.
(2) Upon receipt of an application for the designation of an identification service agency under paragraph (1), the Korea Communications Commission shall verify the relevant corporate registration (applicable only if an applicant is a corporation) by sharing administrative information under Article 36 (1) of the Electronic Government Act.
(3) If the Korea Communications Commission deems it necessary to review an application under paragraph (1), it may request an applicant to submit data or may hear the applicant’s opinions.
(4) Upon receipt of an application under paragraph (1), the Korea Communications Commission shall examine whether the application meets criteria for each standard subject to the review under Article 9-3 and shall notify the applicant of the outcomes of the review within 90 days from the date when such application is filed: Provided, That the period may be extended by up to 30 days in special circumstances by giving notice of the reasons therefor.
(5) When the Korea Communications Commission designates an identification service agency based on the result of the review under paragraph (4), it shall issue a letter of designation of an identification service agency to an applicant and shall provide a public notice of the details of designation, including the name and location of the identification service agency and the date of designation, through the Official Gazette.
(6) Matters necessary for procedures and methods for the application for designation and the review on the designation under the provisions of paragraphs (1) through (5) shall be prescribed and publicly notified by the Korea Communications Commission.
[This Article Newly Inserted on Aug. 29, 2011]
 Article 9-5 (Identification Service Agency’s Request for Verifying Electronic Data for Resident Registration)
When a person designated as an identification service agency under Article 23-3 (1) of the Act (hereinafter referred to as "identification service agency") needs to verify the identities of a child under 14 years of age and the legal representative of the child, it may request the Minister of the Interior and Safety to verify relevant electronic data for resident registration under Article 30 (1) of the Resident Registration Act.
[This Article Newly Inserted on Jul. 17, 2018]
[Previous Article 9-5 moved to Article 9-6 <Jul. 17, 2018>]
 Article 9-6 (Suspension or Discontinuation of Identification Services)
(1) When an identification service agency intends to suspend or discontinue its services as referred to in Article 23-3 (2) or (3) of the Act, it shall notify users of the following matters:
1. The reasons for suspension or discontinuation;
2. The date and time of suspension or discontinuation (including the date and time of resumption of services in cases of suspension);
3. Restrictions on the use of alternative means and personal information (applicable only to suspension);
4. The destruction of alternative means and personal information (applicable only to discontinuation).
(2) When an identification service agency reports the suspension or discontinuation of its identification services in accordance with Article 23-3 (2) or (3) of the Act, it shall file a report on the suspension or discontinuation of its identification services with the Korea Communications Commission, along with the following documents:
1. A notice of the matters under paragraph (1);
2. A document concerning a plan to restrict the use or to destroy alternative means and personal information;
3. A document concerning a plan for measures for the protection of users;
4. The letter of designation of an identification service agency (applicable only to discontinuation).
(3) Details regarding the procedures, guidelines, methods, etc. for the notification and reporting of suspension or discontinuation under paragraph (1) or (2) shall be prescribed and publicly notified by the Korea Communications Commission.
[This Article Newly Inserted on Aug. 29, 2011]
[Moved from Article 9-5; previous Article 9-6 is moved to Article 9-7 <Jul. 17, 2018>]
 Article 9-7 (Suspension of Identification Services or Cancellation of Designation)
(1) Standards for the suspension of identification services or the cancellation of designation under Article 23-4 (1) of the Act are as prescribed in attached Table 1.
(2) When the Korea Communications Commission suspends identification services or cancels designation under paragraph (1), it shall publish notice thereof in the Official Gazette.
[This Article Newly Inserted on Aug. 29, 2011]
[Moved from Article 9-6 <Jul. 17, 2018>]
 Article 10 Deleted. <Aug. 4, 2020>
 Article 11 Deleted. <Aug. 4, 2020>
 Article 12 Deleted. <Aug. 4, 2020>
 Article 13 Deleted. <Aug. 4, 2020>
 Article 14 Deleted. <Aug. 4, 2020>
 Article 14-2 Deleted. <Aug. 4, 2020>
 Article 15 Deleted. <Aug. 4, 2020>
 Article 16 Deleted. <Aug. 4, 2020>
 Article 16-2 Deleted. <Aug. 4, 2020>
 Article 17 Deleted. <Aug. 4, 2020>
 Article 17-2 Deleted. <Aug. 4, 2020>
 Article 18 Deleted. <Aug. 4, 2020>
 Article 18-2 Deleted. <Aug. 4, 2020>
 Article 19 (Scope of Persons Required to Designate Domestic Agents)
(1) "Person who meets the criteria prescribed by Presidential Decree" in Article 32-5 (1) of the Act means any of the following persons: <Amended on Aug. 4, 2020>
1. A person whose sales for the preceding year (if the person is a corporation, referring to the preceding business year) reach or exceed one trillion won;
2. A person whose sales from information and telecommunications services for the preceding year (if the person is a corporation, referring to the preceding business year) reach or exceed 10 billion won;
3. Deleted; <Aug. 4, 2020>
4. A person who caused or is likely to cause an incident or accident significantly undermining security in using information and communication services in violation of this Act and has been consequently required by the Korea Communications Commission to submit relevant articles, documents, etc. under Article 64 (1) of the Act.
(2) Sales referred to in paragraphs (1) 1 and 2 shall be based on the amount determined by converting sales into Korean won at the average foreign exchange rate for the preceding year (if the person is a corporation, referring to the preceding business year).
[This Article Newly Inserted on Mar. 19, 2019]
 Article 20 Deleted. <Sep. 29, 2011>
 Article 21 Deleted. <Sep. 29, 2011>
 Article 22 Deleted. <Sep. 29, 2011>
CHAPTER V PROTECTION OF USERS IN INFORMATION AND COMMUNICATIONS NETWORKS
 Article 23 (Policy on Protection of Youths)
“Matters prescribed by Presidential Decree” in Article 41 (1) 4 of the Act means the following measures: <Amended on Jan. 28, 2009; Aug. 29, 2011>
1. Promotion of the development and dissemination of information useful to youths;
2. Encouragement of and support for youths’ voluntary activities for protecting themselves from harmful information, such as information of obscenity or violence, circulated through information and communications networks;
3. Encouragement of and support for voluntary activities conducted by parents, teachers, or nongovernmental organizations for surveillance, counseling, and remedial measures for the protection of youths;
4. Assistance in the establishment of a system for the cooperation of providers of information and communications services for the protection of youths;
5. Other measures incidental to the implementation of policies under Article 41 (1) of the Act.
 Article 24 (Labeling of Media Product Harmful to Youths)
(1) A person who provides a media product harmful to youths, as defined under Article 42 of the Act, shall label it with an easily noticeable audio, text, or video warning stating that no person under 19 years shall use the same.
(2) If a person who shall put a label required by paragraph (1) provides information through the Internet, he or she shall also put an electronic label warning that it is a media product harmful to youths with symbols, marks, letters, or numbers.
(3) The Korea Communications Commission shall prescribe specific methods for labeling under paragraphs (1) and (2), taking into consideration the categories of information, etc., and shall publish notice of the methods in the Official Gazette.
 Article 25 (Scope of Persons Obliged to Designate Persons Responsible for Protection of Youths)
“Provider of information and communications services whose average number of users per day, sales, and other related factors fall under the criteria prescribed by Presidential Decree” in Article 42-3 (1) of the Act means a person who meets all the following criteria: <Amended on Aug. 29, 2011; Sep. 14, 2012>
1. A person falling under either of the following:
(a) A person in whose case the average number of users per day during three months immediately before the end of the immediately preceding year is at least 100,000 persons;
(b) A person whose sales of information and communications services during the immediately preceding year (or the preceding business year, if the service provider is a corporation) is at least one billion won;
2. A person who provides a media product harmful to youths, as defined under subparagraph 3 of Article 2 of the Youth Protection Act or who acts as a broker or agent for a transaction of such medium.
 Article 26 (Duties of Persons Responsible for Protection of Youths)
A person responsible for protection of youths under Article 42-3 (1) of the Act shall perform the following duties in order to protect youths from information harmful to youths on information and communications networks (hereinafter referred to as “harmful information”):
1. Formulation of a plan for protection of youths from harmful information;
2. Measures for restricting or controlling youths’ access to harmful information;
3. Education of persons engaged in information and communications services for the protection of youths from harmful information;
4. Counseling on damage inflicted by harmful information and the settlement of grievances;
5. Other matters necessary to protect youths from harmful information.
 Article 27 (Deadline for Designation of Persons Responsible for Protection of Youths)
A person responsible for protection of youths under Article 42-3 (1) of the Act shall be designated by no later than the end of April each year.
 Article 28 (Preservation of Video or Audio Information)
(1) “Information provider prescribed by Presidential Decree” in Article 43 (1) of the Act means a person who distributes information through telecommunications lines: Provided, That broadcasting business entities, CATV relay broadcasting business entities, and electronic signboard broadcasting business entities under subparagraphs 3, 6, and 12 of Article 2 of the Broadcasting Act, among persons who distribute information according to a certain program schedule, using the word “broadcasting”, “television” or “radio” in their names, shall be excluded herefrom. <Amended on Aug. 29, 2011>
(2) An information provider under Article 43 of the Act shall preserve relevant information for six months from the time when the information is provided for use.
 Article 29 Deleted. <Nov. 28, 2014>
 Article 30 Deleted. <Nov. 28, 2014>
 Article 31 (Scope of User Information That May Be Requested)
“Minimum information prescribed by Presidential Decree” in Article 44-6 (1) of the Act means the following information: <Amended on Aug. 29, 2011>
1. Name;
2. Address;
3. Other information that the defamation dispute conciliation division under Article 44-10 of the Act (hereinafter referred to as “defamation dispute conciliation division”) deems necessary for filing a civil or criminal complaint, including the contact information of users involved.
 Article 32 (Procedures for Requesting Provision of Information)
(1) A person who intends to request the provision of the information of users involved pursuant to Article 44-6 (1) of the Act (hereinafter referred to as “claimant”) may file a claim with the defamation dispute conciliation division, stating the following matters therein, along with supporting materials:
1. The claimant’s name, address, and contact information (referring to telephone numbers, e-mail addresses, etc.);
2. The category of the lawsuit to be filed and remedies sought;
3. The type of violated rights and specific facts relevant to the violation of rights by users involved.
(2) Where the defamation dispute conciliation division finds it necessary to make a decision on whether to provide information under Article 44-6 (2) of the Act, it may permit the claimant to present his or her arguments.
 Article 33 (Procedures for Provision of Information)
(1) Upon receipt of a request from a claimant to provide information, the defamation dispute conciliation division shall make a decision on whether to provide the information of users involved and shall notify the claimant of its decision.
(2) When the defamation dispute conciliation division decides to provide information, it shall request the relevant provider of information and communications services to provide information under Article 31. In such cases, the provider of information and communications services shall comply with such request, unless there is a compelling reason not to do so. <Amended on Jan. 28, 2009>
(3) A provider of information and communications services shall notify the users involved of such provision of information under paragraph (2). <Amended on Jan. 28, 2009>
(4) The defamation dispute conciliation division shall keep documents relating to the provision of user information for five years.
 Article 34 (Requests to Order Restrictions on Handling Unlawful Information)
(1) When the head of a related central administrative agency (including the head of an investigative agency with regard to a photograph or its duplicate (including duplicates of duplicates) under Article 14 of the Act on Special Cases concerning the Punishment of Sexual Crimes out of information provided in Article 44-7 (1) 9 of the Act; hereafter in this Article the same shall apply) intends to request the Korea Communications Commission pursuant to Article 44-7 (3) of the Act to order a provider of information and communications services or the manager or operator of a message board to refuse, suspend, or restrict the management of the information specified in Article 44-7 (1) 7 through 9 of the Act, he or she shall submit to the Korea Communications Commission a written request stating the following matters, along with evidentiary materials: <Amended on Jan. 28, 2009; Sep. 22, 2016; Jun. 11, 2019>
1. The purpose of and reasons for a request;
2. Relevant statutes or regulations and the details of violations;
3. A list of relevant information and a person by whom the relevant information is provided;
4. The titles or names and contact information, such as addresses, telephone numbers, and e-mail addresses, of the provider of information and communications services or the manager or operator of the message board and users involved.
(2) If the Korea Communications Commission finds any defect in the documents submitted pursuant to paragraph (1), it may request the head of a related central administrative agency to rectify the defect immediately. In such cases, at least five more days shall be given for rectification.
(3) If the head of a related central administrative agency fails to rectify a defect even until the end of a period given for the rectification requested under paragraph (2), the Korea Communications Commission may return the request and evidential materials submitted pursuant to paragraph (1) to the head of the related central administrative agency.
[Title Amended on Sep. 22, 2016]
 Article 35 (Grounds for Exception from Submission of Opinions)
“Ground prescribed by Presidential Decree” in Article 44-7 (4) 2 of the Act means any of the following cases: <Amended on Aug. 29, 2011>
1. Where a user involved is not identifiable (limited to the submission of a user’s opinion);
2. Where the facts relevant to an order have already been proved objective by a final judgment of a court or by other decisions and thus issuing the order to hear an opinion is unnecessary.
 Article 35-2 (Persons Responsible for Preventing Circulation of Illegally Filmed Materials)
(1) A provider of information and communications services obligated to designate a person responsible for preventing the circulation of illegally filmed materials, etc. pursuant to Article 44-9 (1) of the Act shall be the following persons:
1. A person who provides value-added telecommunications services defined in subparagraph 14 (a) of Article 2 of the Telecommunications Business Act among special value-added telecommunications business operators referred to in Article 22-3 (1) of that Act;
2. Any of the following persons, who has filed a report on the value-added telecommunications business under Article 22 (1) of the Telecommunications Business Act (including a person who falls under any of the subparagraphs of Article 22 (4) of that Act):
(a) A person who provides information and communication services under attached Table 1-2, posting at least 10 billion won in sales of information and communication services over the preceding year (referring to the preceding business year, in the case of a corporation);
(b) A person who has an average number of at least 100,000 users per day for three months immediately before the end of the preceding year and who provides information and telecommunications services specified in attached Table 1-2.
(2) A provider of information and communications services under the subparagraphs of paragraph (1) (hereinafter referred to as "person obligated to designate a person responsible for preventing the circulation of illegally filmed materials, etc.") shall designate at least one person responsible for preventing the circulation of illegally filmed materials (hereinafter referred to as "illegally filmed materials, etc.") under Article 44-9 (1) of the Act (hereinafter referred to as "person responsible for preventing the circulation of illegally filmed materials").
(3) Persons responsible for preventing the circulation of illegally filmed materials, etc. shall be any of the following persons:
1. Executive officers who belong to the person obligated to designate a person responsible for preventing the circulation of illegally filmed materials, etc.;
2. The head of a division responsible for preventing the circulation of illegally filmed materials, etc., who belongs to the person obligated to designate a person responsible for preventing the circulation of illegally filmed materials, etc.
(4) A person responsible for preventing the circulation of illegally filmed materials, etc. shall receive education (including remote education using information and communications networks) for at least two hours every year, including the following matters, which is delivered by the Korea Communications Commission in cooperation with relevant agencies and organizations:
1. Matters regarding systems and statutes and regulations relating to preventing the circulation of illegally filmed materials;
2. Matters regarding measures necessary to prevent circulation under Article 44-9 (2) of the Act;
3. Matters regarding the criteria for deliberation on illegally filmed materials, etc. by the Korea Communications Standards Commission under Article 18 of the Act on the Establishment and Operation of Korea Communications Commission (hereinafter referred to as the "Korea Communications Standards Commission");
4. Other matters deemed by the Korea Communications Commission as necessary for preventing the circulation of illegally filmed materials, etc.
[This Article Newly Inserted on Dec. 8, 2020]
 Article 36 (Establishment and Management of Defamation Dispute Conciliation Division, and Conciliation of Disputes)
(1) A meeting of the defamation dispute conciliation division shall be convened by the head of the defamation dispute conciliation division.
(2) When the head of the defamation dispute conciliation division intends to hold a meeting of the division, he or she shall determine the date, time, and place of meeting and items on the agenda and shall notify the conciliators thereof by no later than seven days before the opening of the meeting, except in unavoidable circumstances.
(3) A majority of the conciliators of the defamation dispute conciliation division shall constitute a quorum, and any resolution thereof shall require the concurring votes of at least a majority of those present.
(4) The head of the defamation dispute conciliation division shall be appointed by the Chairman of the Korea Communications Standards Commission, from among conciliators. <Amended on Dec. 8, 2020>
(5) No meeting of the defamation dispute conciliation division shall be open to the public: Provided, That, if it is deemed necessary, the defamation dispute conciliation division may resolve to permit parties to a dispute or interested parties to sit in on a meeting.
(6) Deleted. <Sep. 29, 2011>
(7) Except as provided in this Decree, the establishment, organization, and management of the defamation dispute conciliation division and other matters necessary for the conciliation of disputes shall be determined by the resolution of the Korea Communications Standards Commission.
CHAPTER VI SECURING OF STABILITY OF INFORMATION AND COMMUNICATIONS NETWORKS
 Article 36-2 (Scope of Equipment Connected to Information and Communications Networks)
"Devices, equipment, and facilities prescribed by Presidential Decree" in Article 45 (1) 2 of the Act means the following devices, equipment, and facilities (hereinafter referred to as "equipment connected to information and communications networks, etc.") in any field specified in attached Table 1-3:
1. Devices, equipment, and facilities that have caused or are likely to cause a computer security incident;
2. Devices, equipment, and facilities that pose a serious risk to ensuring the security of information and communications networks and the reliability of information, if a computer security accident occurs.
[This Article Newly Inserted on Dec. 8, 2020]
[Previous Article 36-2 moved to Article 36-3 <Dec. 8, 2020>]
 Article 36-3 (Preliminary Examination Standards on Protection of Information)
Preliminary examination standards on the protection of information under Article 45-2 (2) of the Act shall be determined and publicly notified by the Minister of Science and ICT, taking the following matters into consideration: <Amended on Mar. 23, 2013; Jul. 26, 2017>
1. The structure of the system for establishing an information and communications network or for providing information and communications services and the operating environment of such system;
2. Identification of assets to be protected, such as hardware, programs, and content for the operation of the system under subparagraph 1 and hazards in the protection of such assets;
3. Current status of the establishment and implementation of protective measures.
[This Article Newly Inserted on Aug. 17, 2012]
[Moved from Article 36-2; Previous Article 36-3 moved to Article 36-4 <Dec. 8, 2020>]
 Article 36-4 (Business Subject to Recommendation of Preliminary Examination on Protection of Information)
(1) “Information and communications services or telecommunications business determined by Presidential Decree” in Article 45-2 (2) 1 of the Act means the information and communications services or telecommunications businesses that require at least 500 million won (referring to an amount exclusive of costs incurred in merely purchasing hardware and software) for investment in information systems.
(2) “Information and communications services or telecommunications business determined by Presidential Decree” in Article 45-2 (2) 2 of the Act means the information and communications services or the telecommunications businesses for which the Minister of Science and ICT fully or partially subsidizes projects for searching for and nurturing new information and communications services or telecommunications businesses. <Amended on Mar. 23, 2013; Jul. 26, 2017>
[This Article Newly Inserted on Aug. 17, 2012]
[Moved from Article 36-3; previous Article 36-4 moved to Article 36-5 <Dec. 8, 2020>]
 Article 36-5 (Methods and Procedures for Preliminary Examinations on Protection of Information)
(1) The preliminary examination on the protection of information under Article 45-2 (2) of the Act shall be administered by a written examination, on-site examination, or remote examination (referring to an examination administered on matters related to security by accessing the system under subparagraph 1 of Article 36-3 from outside through an information and communications network). <Amended on Dec. 8, 2020>
(2) The preliminary examination on the protection of information under Article 45-2 (2) of the Act shall be administered according to the following order:
1. Preparation for the preliminary examination;
2. Review on designs;
3. Application of protective measures;
4. Inspection on the current status of implementation of protective measures;
5. Arrangement of results of the preliminary examination.
(3) Upon recommendation from the Minister of Science and ICT under Article 45-2 (2) of the Act, a person may administer the preliminary examination on the protection of information by himself or herself or request the Korea Internet and Security Agency under Article 52 of the Act (hereinafter referred to as the “Korea Internet and Security Agency”) or a specialized external agency to administer the preliminary examination on his or her behalf. In such cases, only persons who meet the standards for the qualification as technicians for the protection of information under attached Table 2 may administer the preliminary examination on the protection of information. <Amended on Mar. 23, 2013; Jul. 26, 2017>
(4) Except as provided in paragraphs (1) through (3), details regarding the methods and procedures for preliminary examination on the protection of information shall be determined and publicly notified by the Minister of Science and ICT. <Amended on Mar. 23, 2013; Jul. 26, 2017>
[This Article Newly Inserted on Aug. 17, 2012]
[Moved from Article 36-4; previous Article 36-5 moved to Article 36-6 <Dec. 8, 2020>]
 Article 36-6 (Fees for Preliminary Examinations on Protection of Information)
(1) When a person requests the Korea Internet and Security Agency or an external professional agency to administer the preliminary examination on the protection of information on his or her behalf, as recommended by the Minister of Science and ICT under Article 45-2 (2) of the Act, the person shall pay fees therefor to the Korea Internet and Security Agency or the specialized external agency. <Amended on Mar. 23, 2013; Jul. 26, 2017>
(2) The Minister of Science and ICT shall determine and provide a public notice of guidelines for the determination of fees for the preliminary examination on the protection of information, taking the following factors into consideration: <Amended on Mar. 23, 2013; Jul. 26, 2017>
1. The scale of information and communications services or telecommunications businesses subject to the preliminary examination on the protection of information;
2. Expertise of persons participating in the preliminary examination on the protection of information;
3. The period required for the preliminary examination on the protection of information.
[This Article Newly Inserted on Aug. 17, 2012]
[Moved from Article 36-5; previous Article 36-6 moved to Article 36-7 <Dec. 8, 2020>]
 Article 36-7 (Designation of Chief Information Security Officers and Prohibition on Dual Office Holding)
(1) "Executive officers and employees meeting the criteria prescribed by Presidential Decree" in the main clause of Article 45-3 (1) of the Act means persons categorized as follows: <Newly Inserted on Dec. 7, 2021>
1. Any of the following providers of information and telecommunications services: The business owner or its representative:
(a) A person whose capital does not exceed 100 million won;
(c) A medium enterprise defined in Article 2 (2) of the Framework Act on Small and Medium Enterprises, which does not fall under any of the following:
(i) A telecommunications business operator under the Telecommunications Business Act;
(ii) A person required to obtain certification of an information security management system pursuant to Article 47 (2) of the Act;
(iii) A personal information controller required to disclose its privacy policy under Article 30 (2) of the Personal Information Protection Act;
(iv) A mail order distributor required to file a report under Article 12 of the Act on the Consumer Protection in Electronic Commerce;
2. Any of the following providers of information and communications services: Directors (including persons under Article 401-2 (1) 3 of the Commercial Act and executive directors under Article 408-2 of that Act):
(a) A person whose total assets as of the end of the immediately preceding business year amount to at least five trillion won;
(b) A person whose total assets as of the end of the immediately preceding business year amount to at least 500 billion won, among those required to obtain certification of an information security management system under Article 47 (2) of the Act;
3. A provider of information and communications services who does not fall under subparagraph 1 or 2: Any of the following persons:
(a) The business owner or representative;
(b) Directors (including persons prescribed in Article 401-2 (1) 3 of the Commercial Act and executive directors prescribed in Article 408-2 of that Act);
(c) The head of a department that has general supervision and control of information security-related affairs.
(2) "Provider of information and communications services whose total assets, sales, and the like meet the criteria prescribed by Presidential Decree" in the proviso of Article 45-3 (1) of the Act means a person referred to in any item of paragraph (1) 1 as a provider of information and communications services. <Amended on Dec. 7, 2021>
(3) Where a person falling under the proviso of Article 45-3 (1) of the Act fails to report his or her chief information security officer, he or she shall be deemed to have designated the business owner or representative as the chief information security officer. <Newly Inserted on Dec. 7, 2021>
(4) A chief information security officer required to be designated and reported by a provider of information and communications services pursuant to Article 45-3 (1) and (7) of the Act shall have any of the following qualifications. In such cases, a degree in the field of information security or information technology refers to the completion of and graduation from courses offered by departments provided in the items of subparagraph 1 of the remarks of attached Table 1 of the Enforcement Decree of the Electronic Financial Transactions Act at schools referred to in the subparagraphs of Article 2 of the Higher Education Act or other degrees recognized as equivalent to or higher than aforementioned degrees under other relevant statutes or regulations: <Amended on Dec. 7, 2021>
1. A person who has obtained at least a master’s degree in the field of information security or information technology in Korea or abroad;
2. A person who has at least three years of work experience in the field of information protection or information technology, after obtaining a bachelor’s degree in the field of information security or information technology in Korea or abroad;
3. A person who has at least five years of work experience in the field of information security or information technology, after obtaining an associate degree in the field of information security or information technology in Korea or abroad;
4. A person who has at least 10 years of work experience in the field of information security or information technology;
5. A person who has obtained the qualification of a certification examiner of information security management systems under Article 47 (6) 5;
6. A person who has at least one year of work experience as the head of a department in charge of the information security-related affairs of the relevant provider of information and communications services.
(5) "Provider of information and communications services whose total assets, sales, and the like meet the criteria prescribed by Presidential Decree" in Article 45-3 (3) of the Act means a person who falls under any item of paragraph (1) 2 as a provider of information and communications services. <Amended on Dec. 7, 2021>
(6) The chief information security officer required to be designated and reported by a provider of information and communications services under paragraph (5) shall be a full-time worker with qualifications prescribed in paragraph (4) together with any of the following qualifications. In such cases, the affairs in the field of information security or information technology mean the affairs under subparagraphs 3 and 4 of the remarks of attached Table 1 of the Enforcement Decree of the Electronic Financial Transactions Act: <Amended on Dec. 7, 2021>
1. A person who has at least four years of work experience in the field of information security;
2. A person who has at least five years of total combined work experience in the field of information security and information technology (at least two years of that work experience shall be in the field of information security).
[This Article Wholly Amended on Jun. 11, 2019]
[Moved from Article 36-6; previous Article 36-7 moved to Article 36-8 <Dec. 8, 2020>]
 Article 36-8 (Methods and Procedures for Reporting on Chief Information Security Officers)
Any information and communications service provider obligated to designate and report a chief information security officer under the proviso of Article 45-3 (1) of the Act shall submit to the Minister of Science and ICT a report on the designation of the chief information security officer prescribed by Ordinance of the Ministry of Science and ICT within 180 days from the date he or she becomes obligated to report such officer. <Amended on Jul. 26, 2017; Jun. 11, 2019; Dec. 7, 2021>
[This Article Newly Inserted on Nov. 28, 2014]
[Moved from Article 36-7; previous Article 36-7 moved to Article 36-8 <Dec. 8, 2020>]
 Article 36-9 (Scope of Programs of Council of Chief Information Security Officers)
“Joint programs prescribed by Presidential Decree” in Article 45-3 (5) of the Act means the following programs: <Amended on Nov. 28, 2014; Jun. 11, 2019>
1. Assistance in policy research, studies, and formulation to enable information and communications service providers to strengthen the protection of information;
2. Analysis on a computer security incident and the study of measures following the use of information and communications services;
3. Improvement of information and communications service providers' ability and expertise in the protection of information, including education of chief information security officers;
4. International exchange and cooperation in relation to information and communications services security;
5. Other programs necessary for the security of information and communications systems and the safe management of information.
[This Article Newly Inserted on Aug. 17, 2012]
[Moved from Article 36-8 <Dec. 8, 2020>]
 Article 37 (Protective Measures of Business Entities of Clustered Information and Communications Facilities)
(1) Pursuant to Article 46 (1) of the Act, a provider of information and communications services who operates and manages clustered information and communications facilities to provide information and communications services of other persons (hereinafter referred to as "business entity of clustered information and communications facilities") shall take the following protective measures to ensure the stable operation of information and communications facilities: <Amended on Jan. 28, 2009; Jun. 11, 2019; Dec. 7, 2021>
1. Technical and administrative measures for controlling and monitoring access by persons who have no authority to access information and communications facilities;
2. Physical and technical measures for uninterrupted and stable operation of information and communications facilities and for protecting information and communications facilities from various disasters and threats, such as fire, earthquake, flood, and terrorism;
3. Measures for selecting and placing personnel for the stable management of information and communications facilities;
4. Formulation and implementation of an internal control plan for the stable operation of information and communications facilities (including an emergency plan);
5. Preparation and implementation of technical and administrative measures to contain the spread of computer security incidents.
(2) The Minister of Science and ICT shall collect opinions from related business entities and determine and publicly notify detailed guidelines for protective measures under paragraph (1). <Amended on Mar. 23, 2013; Jul. 26, 2017>
(3) If any duty carried out by another agency is involved in the course of inspecting implementation of protective measures under paragraph (1), the Minister of Science and ICT shall consult with the relevant agency thereon in advance. <Amended on Mar. 23, 2013; Jul. 26, 2017>
 Article 38 (Insurance)
(1) Pursuant to Article 46 (2) of the Act, a business entity of clustered information and communications facilities shall buy a liability insurance policy at the same time as he or she commences his or her business operation.
(2) The amount of liability insurance that a business entity is obligated to purchase under paragraph (1) shall be as specified in attached Table 3. <Amended on Aug. 29, 2011; Jun. 11, 2019; Dec. 8, 2020>
 Article 39 Deleted. <Aug. 17, 2012>
 Article 40 Deleted. <Aug. 17, 2012>
 Article 41 Deleted. <Aug. 17, 2012>
 Article 42 Deleted. <Aug. 17, 2012>
 Article 43 Deleted. <Aug. 17, 2012>
 Article 44 Deleted. <Aug. 17, 2012>
 Article 45 Deleted. <Aug. 17, 2012>
 Article 46 Deleted. <Aug. 17, 2012>
 Article 47 (Methods and Procedures for, and Scope of, Certification of Information Security Management Systems)
(1) A person who intends to have his or her information security management system certified under Article 47 (1) or (2) of the Act shall file an application for the certification of the information security management system (or an application in an electronic form) with the Korea Internet and Security Agency, an institution designated pursuant to Article 47 (6) of the Act (hereinafter referred to as “certification body of information security management system”), or an institution designated pursuant to Article 47 (7) of the Act (hereinafter referred to as “examination institution for information security systems”), along with a statement of the information security management system (or a statement in an electronic format) containing explanations about the following matters: <Amended on Mar. 23, 2013; May 31, 2016>
1. The scope of the information security management system;
2. A list of major information and communications facilities included in the information security management system and the system diagram;
3. The method and procedure for the establishment and operation of the information security management system;
4. A list of major documents related to the information security management system;
5. Details of domestic and foreign certifications obtained for the quality management system in connection with the information security management system.
(2) Where the Korea Internet and Security Agency, a certification body of information security systems, or an examination institution for information security systems in receipt of an application referred to in paragraph (1) conducts a certification examination referred to in Article 47 (6) 1 of the Act (hereinafter referred to as “certification examination”), it shall consult with the applicant about the scope, time schedule, etc. of certification on the basis of standards for certification, etc. determined and publicly notified by the Minister of Science and ICT for the certification of information security systems referred to in paragraph (4) of that Article (hereinafter referred to as “public notice of certification of security systems”), including countermeasures for managerial, technical and physical protection. <Amended on Mar. 23, 2013; May 31, 2016; Jul. 26, 2017>
(3) The Korea Internet and Security Agency, a certification institution for information protection and management systems, or an examination institution for information protection and management systems shall, in the case of conducting a certification examination, examine whether the information protection and management system established by the applicant for certification meets requirements for public notice of certification of management systems. In such cases, a certification examination shall be conducted by means of a written examination or on-site examination. <Amended on May 31, 2016>
(4) A certification examination may be administered only by a certification examiner under Article 53 (1) 1. <Amended on May 31, 2016>
(5) An examination institution for information protection and management systems shall submit the result of a certification examination to a certification institution for information protection and management systems. <Newly Inserted on May 31, 2016>
(6) The Korea Internet and Security Agency or a certification institution for information protection and management systems shall establish and operate a certificate committee composed of members having abundant knowledge and experience in the information protection field to deliberate on the results of examinations of certification. <Amended on May 31, 2016>
(7) Where an information protection and management system is found to meet the requirements for public notification of certification of management systems as a result of the deliberation by the certificate committee under paragraph (6), the Korea Internet and Security Agency or a certification institution for information protection and management systems shall issue a certificate of the information protection and management system. <Amended on May 31, 2016>
(8) Except as provided in paragraphs (1) through (7), details regarding the application for certification, deliberation on certification, the establishment and operation of a certification committee, and the issuance of certificates shall be determined and publicly notified by the Minister of Science and ICT. <Amended on Mar. 23, 2013; May 31, 2016; Jul. 26, 2017>
[This Article Wholly Amended on Aug. 17, 2012]
[Moved from Article 50; previous Article 47 moved to Article 53 <Aug. 17, 2012>]
 Article 48 (Fees for Certification of Information Security Management Systems)
(1) A person who intends to apply for certification pursuant to Article 47 (1) shall pay fees to the Korea Internet and Security Agency, a certification institution of information protection and management systems, or an examination institution for information protection and management systems. <Amended on May 31, 2016>
(2) The Minister of Science and ICT shall determine and give a public notice of detailed guidelines for the determination of fees for the certification of information security management systems, taking into consideration the number of certification examiners assigned to a certification examination, the number of days required for the certification examination, etc. <Amended on Mar. 23, 2013; Jul. 26, 2017>
[This Article Newly Inserted on Aug. 17, 2012]
[Previous Article 48 moved to Article 53-2 <Aug. 17, 2012>]
 Article 49 (Scope of Persons Subject to Certification of Information Security Management Systems)
(1) “Person who renders information and communications services, as prescribed by Presidential Decree” in Article 47 (2) 1 of the Act means a person who provides information and communications network services in Seoul Special Metropolitan City or any Metropolitan City.
(2) “Person falling under the standards determined by Presidential Decree” in Article 47 (2) 3 of the Act means either of the following persons: <Amended on May 31, 2016>
1. A person falling under any of the following items whose annual sales or revenues are at least 150 billion won:
(a) A superior general hospital under Article 3-4 of the Medical Service Act;
(b) A school pursuant to Article 2 of the Higher School Act, the number of the enrolled students of which is at least 10,000 as of December 31 of the immediately preceding year;
2. A person whose sales of information and communication services during the preceding year (referring to the preceding business year, in the case of a corporation) are at least 10 billion won: excluding, however, a financial company under subparagraph 3 of Article 2 of the Electronic Financial Transactions Act;
3. A person whose average daily number of users during three months immediately before the end of the preceding year is at least one million: Provided, That a financial company under subparagraph 3 of Article 2 of the Electronic Financial Transactions Act.
[This Article Newly Inserted on Aug. 17, 2012]
[Previous Article 49 moved to Article 53-3 <Aug. 17, 2012>]
 Article 50
[Moved to Article 47 <Aug. 17, 2012>]
 Article 51 (Follow-Up Management of Certification)
(1) Follow-up management under Article 47 (8) of the Act shall be conducted by means of written examination or on-site examination. <Amended on May 31, 2016>
(2) Where as a result of conducting follow-up management pursuant to Article 47 (8) of the Act, an examination institution for information protection and management systems finds there is a ground referred to in any subparagraph of paragraph (10) of that Article, it shall immediately submit the result of the follow-up management so conducted to the Korea Internet and Security Agency or a certification institution for information protection and management systems. <Newly Inserted on May 31, 2016>
(3) In cases falling under any of the following subparagraphs, the Korea Internet and Security Agency or a certification institution for information protection and management systems shall, after undergoing deliberation by the certification committee referred to in Article 47 (6), notify the results thereof to the Minister of Science and ICT: <Amended on May 31, 2016; Jul. 26, 2017>
1. Where follow-up management conducted pursuant to Article 47 (8) of the Act finds grounds referred to in any subparagraph of paragraph (10) of that Article;
2. Where the Korea Internet and Security Agency or a certification institution for information protection and management systems receives the result of follow-up management from an examination institution for information protection and management systems pursuant to paragraph (2).
[This Article Wholly Amended on Aug. 17, 2012]
[Moved from Article 52; Previous Article 51 Deleted]
 Article 52 (Indication and Public Relation of Certification)
A person who obtains certification of his or her information security management system pursuant to Article 47 (1) or (2) of the Act may use a certification mark determined and publicly notified by the Minister of Science and ICT for the information security management system, when he or she indicates or promotes the certification in a document, invoice, or advertisement in accordance with Article 47 (9) of the Act. In such cases, the scope of certification and the effective period shall be indicated together with the mark. <Amended on Mar. 23, 2013; May 31, 2016; Jul. 26, 2017>
[This Article Wholly Amended on Aug. 17, 2012]
[Moved from Article 53; previous Article 52 moved to Article 51 <Aug. 17, 2012>]
 Article 53 (Criteria for Designation of Certification Institution for Information Protection and Management Systems and Examination Institution for Information Protection and Management Systems)
(1) The criteria for the designation of a certification institution for information protection and management systems and an examination institution for information protection and management systems shall be as follows: <Amended on Mar. 23, 2013; May 31, 2016; Jul. 26, 2017>
1. A certification institution shall have at least five persons who meet the requirements for the qualification determined and publicly notified by the Minister of Science and ICT (hereinafter referred to as “certification examiners”);
2. A certification institution shall be approved as competent in an examination administered by the Minister of Science and ICT on the requirements and competence for the performance of the duties.
(2) The Minister of Science and ICT shall determine and publicly notify detailed guidelines for the education of certification examiners, the management of qualification of certification examiners, and the examination on the requirements and competence for the performance of the duties under paragraph (1) 2. <Amended on Mar. 23, 2013; Jul. 26, 2017>
[This Article Wholly Amended on Aug. 17, 2012]
[Title Amended on May 31, 2016]
[Moved from Article 47; previous Article 53 moved to Article 52 <Aug. 17, 2012>]
 Article 53-2 (Procedures for Designation of Certification Institution for Information Security Management Systems and Examination Institution for Information Protection and Management Systems)
(1) A person who intends to have his or her business designated as a certification institution for information protection and management systems or an examination institution for information protection and management systems pursuant to Article 47 (6) or (7) of the Act shall file an application (including in electronic form) for the designation of a certification institution for information protection and management systems or an examination institution for information protection and management systems with the Minister of Science and ICT, along with the following documents (or electronic documents): <Amended on Aug. 17, 2012; Mar. 23, 2013; May 31, 2016; Jul. 26, 2017>
1. Articles of incorporation, or bylaws of an association;
2. A statement of the current status of certification examiners employed and a document certifying the current status;
3. Documents determined and publicly notified by the Minister of Science and ICT as those necessary for the examination on the requirements and competence for the performance of duties, including work experience in performing duties for the protection of information and the level of expertise.
(2) Upon receipt of an application for the designation under paragraph (1), the Minister of Science and ICT shall verify the relevant corporate registration by sharing administrative information under Article 36 (1) of the Electronic Government Act, if the applicant is a corporation. <Amended on May 4, 2010; Nov. 2, 2010; Mar. 23, 2013; Jul. 26, 2017>
(3) Upon receipt of an application for the designation under paragraph (1), the Minister of Science and ICT shall examine whether the application meets the criteria for the designation under Article 53 (1), notify the applicant of the results thereof within three months from the date when the application is filed, and issue a certificate of designation of a certification institution for information protection and management systems or a certificate of designation of an examination institution for information protection and management systems to the applicant, if the applicant is designated as a certification institution for information protection and management systems or an examination institution for information protection and management systems. <Amended on Aug. 17, 2012; Mar. 23, 2013; May 31, 2016; Jul. 26, 2017>
(4) When the Minister of Science and ICT examines whether an application meets the criteria for the designation under paragraph (3), he or she may require the applicant to submit data or may conduct an on-site inspection. In such cases, a person who conducts an on-site inspection shall produce an identification badge certifying his or her authority to the applicant. <Amended on Aug. 17, 2012; Mar. 23, 2013; Jul. 26, 2017>
(5) Deleted. <Jun. 25, 2012>
[Title Amended on May 31, 2016]
[Moved from Article 48 <Aug. 17, 2012>]
 Article 53-3 (Effective Period for Designation of Certification Institution for Information Protection and Management Systems and Examination Institution for Information Protection and Management Systems)
(1) The effective period for the designation of a certification institution for information protection and management systems or an examination institution for information protection and management systems under Article 53-2 shall be three years. <Amended on Aug. 17, 2012; May 31, 2016>
(2) A certification institution may file an application for re-designation during the period from six months before the end of the effective period under paragraph (1) to the expiry date. In such cases, the designation shall be deemed effective until the applicant for re-designation is notified of a decision on the application.
(3) Articles 53 and 53-2, and paragraph (1) shall apply mutatis mutandis to the re-designation under paragraph (2). <Amended on Aug. 17, 2012>
[Title Amended on May 31, 2016]
[Moved from Article 49 <Aug. 17, 2012>]
 Article 53-4 (Follow-Up Management of Certification Institution for Information Protection and Management Systems and Examination Institution for Information Protection and Management Systems)
(1) A certification institution for information protection and management systems and an examination institution for information protection and management systems shall submit a report according to the following classification for the preceding year to the Minister of Science and ICT by no later than January 31 each year: <Amended on May 31, 2016; Jul. 26, 2017>
1. A certification institution for information protection and management systems: a report on the performances of certification for the preceding year;
2. An examination institution for information protection and management systems: a report on the performances of certification examination for the preceding year.
(2) If the Minister of Science and ICT deems it necessary to ascertain whether a certification institution for information protection and management systems or an examination institution for information protection and management systems falls under any subparagraph of Article 47-2 (1) of the Act, he or she may require the certification institution or the examination institution to submit data or may conduct an on-site inspection. <Amended on Mar. 23, 2013; May 31, 2016; Jul. 26, 2017>
[This Article Newly Inserted on Aug. 17, 2012]
[Title Amended on May 31, 2016]
 Article 54 (Guidelines for Revocation of Designation)
Guidelines for administrative dispositions rendered for the revocation of designation or the suspension of business under Article 47-2 of the Act are as prescribed in attached Table 4.
 Article 54-2 (Measures to Prevent Computer Security Incidents and Preclude Dissemination Thereof)
(1) In order to prevent computer security incidents and preclude the spread thereof under Article 47-4 (1) of the Act, the Government may pay a monetary award to a person who reports a security vulnerability, within the budget.
(2) Standards, procedures, etc. for the payment of monetary awards under paragraph (1) shall be as listed in attached Table 4-2.
[This Article Newly Inserted on Dec. 8, 2020]
 Article 54-3 (Entrustment of Affairs regarding Measures to Prevent Intrusion Incidents and Preclude Spread Thereof)
(1) The head of a central administrative agency may entrust affairs regarding measures under Article 47-4 (1) of the Act to the Korea Internet and Security Agency or any specialized institution related to the protection of users’ information, as determined by the head of the relevant central administrative agency in consultation with the Minister of Science and ICT.
(2) Where the head of a central administrative agency designates an entrusting agency pursuant to paragraph (1), he or she shall publicly notify an agency entrusted with the affairs and the details of such affairs entrusted.
[This Article Newly Inserted on Dec. 8, 2020]
 Article 55 (Standard Agreements on Requests to Users for Protective Measures)
Matters that shall be stipulated in the terms of service with respect to a request to users for protective measures under Article 47-4 (3) of the Act shall be as follows: <Amended on Aug. 17, 2012; Dec. 8, 2020>
1. Grounds for requesting users to take protective measures and a method of making such request;
2. Details of protective measures that users shall take;
3. The period during which access to an information and communications network is restricted, if a user fails to take protective measures;
4. Procedures for filing a user’s objection and for compensation therefor, if a user’s access is unreasonably restricted on the grounds of the user’s failure to take protective measures.
 Article 55-2 (Criteria for Examination for Rating Management of Information Protection)
(1) The criteria for management rating of information protection under Article 47-5 (1) of the Act shall be as follows:
1. The scope of the system established for the management of information protection and the period of operation;
2. An organization exclusively dedicated to information protection and the budget therefor;
3. Activities for the management of information protection and the level of protective measures.
(2) Matters necessary for the detailed criteria and methods for the evaluation according to the criteria for examination under paragraph (1) shall be determined and publicly notified by the Minister of Science and ICT. <Amended on Mar. 23, 2013; Jul. 26, 2017>
[This Article Newly Inserted on Aug. 17, 2012]
 Article 55-3 (Methods and Procedures for Rating Management of Information Protection)
(1) A person who intends to be rated as qualified for the protection and management of information under Article 47-5 (1) of the Act shall file an application (including in electronic form) for rating the protection and management of information with the Korea Internet and Security Agency, along with a copy of the letter of certification of the information security management system.
(2) A written examination or an on-site examination shall be administered for the examination for rating the protection and management of information.
(3) Only certification examiners shall be able to conduct the examination under paragraph (2).
(4) If the results of an examination administered under paragraph (2) meet the criteria for examination under Article 55-2, the Korea Internet and Security Agency shall issue a certificate of the rating for the protection and management of information to the applicant for the rating qualified for management.
(5) Except as provided in paragraphs (1) through (4), further details necessary for the application and examination for rating the management of information protection and the issuance of certificates of the rating for the management of information protection shall be determined and publicly notified by the Minister of Science and ICT. <Amended on Mar. 23, 2013; Jul. 26, 2017>
[This Article Newly Inserted on Aug. 17, 2012]
 Article 55-4 (Fees for Rating Management of Information Protection)
Articles 48 and 52 shall apply mutatis mutandis to fees for rating for the management of information protection and indication and publicity thereof.
[This Article Newly Inserted on Aug. 17, 2012]
 Article 55-5 (Effective Period of Rating for Management of Information Protection)
The effective period of the rating for the management of information protection under Article 55-3 shall be one year.
[This Article Newly Inserted on Aug. 17, 2012]
 Article 56 (Countermeasures against Computer Security Incidents)
“Other countermeasures against computer security incidents prescribed by Presidential Decree” in Article 48-2 (1) 4 of the Act means the following measures: <Amended on Jan. 28, 2009; Dec. 8, 2020>
1. Requesting a major provider of information and telecommunications services or a business entity who operates and manages clustered information and telecommunications facilities for other persons to provide information and telecommunications services under Article 46 (1) of the Act to cut off access channels (limited to access channels that have been used, or are likely to be used, for spreading computer security incidents);
2. Requesting a software business entity, defined under subparagraph 4 of Article 2 of the Software Promotion Act, who produced or distributed the software involved in a computer security incident, to produce and distribute a program by which the vulnerability in security of the software is cured and corrected (hereinafter referred to as “program for curing the vulnerability in security”) or requesting the provider of information and communications services to release the program for curing the vulnerability in security through information and communications networks;
3. Spreading forecasts and warnings of computer security incidents under Article 48-2 (1) 2 of the Act to mass media and providers of information and communications services;
4. Providing information about computer security incidents to the heads of related agencies, if necessary for the security of national information and communications networks.
 Article 57 (Persons Providing Information about Computer Security Incidents)
“Persons prescribed by Presidential Decree from among those who operate an information and communications network” in Article 48-2 (2) 3 of the Act means any of the following persons among those who operate an information and communications network: <Amended on Mar. 28, 2008; Jan. 28, 2009; Oct. 1, 2010; Aug. 29, 2011; Mar. 23, 2013; Jul. 26, 2017>
1. An institution subject to a protection plan and protection guidelines on critical information and communications infrastructure, formulated and established by the Minister of Science and ICT pursuant to Articles 6 and 10 of the Act on the Protection of Information and Communications Infrastructure;
2. A person who observes the current status of operation of information and communications networks by providers of information and communications services and provides information on computer security incidents;
3. A person specified and publicly notified by the Minister of Science and ICT among private business entities who operate information and communications networks independently with Internet protocol addresses allocated by the Korea Internet and Security Agency under subparagraph 1 (a) of Article 2 of the Internet Address Resources Act;
4. A producer of antivirus software against computer viruses among persons who engage in the information protection industry.
 Article 58 (Provision of Information on Computer Security Incidents)
A person who provides information on computer security incidents under Article 48-2 (2) of the Act shall comply with the following subparagraphs in providing information on computer security incidents: <Amended on Mar. 23, 2013; Jul. 26, 2017>
1. A method which a person applies to providing such information shall conform to a method determined by the Minister of Science and ICT, taking into consideration characteristics of information and communications networks, trends in computer security incidents, etc.;
2. The person shall take measures to prevent the destruction, obliteration, and alteration of information on computer security incidents;
3. The person shall adopt encryption techniques determined by the Minister of Science and ICT;
4. The person shall comply with other methods and procedures determined and publicly notified by the Minister of Science and ICT.
 Article 59 (Organization of Private-Public Joint Investigation Team)
(1) The Minister of Science and ICT shall organize an investigation team with the following persons when he or she organizes a private-public joint investigation team pursuant to Article 48-4 (2) (hereinafter referred to as “investigation team”): <Amended on Oct. 1, 2010; Mar. 23, 2013; Jul. 26, 2017>
1. Public officials in charge of investigation of computer security incidents;
2. Persons who have expertise and experience in investigating computer security incidents;
3. Employees of the Korea Internet and Security Agency;
4. Other persons deemed necessary for the analysis of causes of computer security incidents.
(2) The organization of an investigation team under paragraph (1) may be adjusted according to the scale and type of each computer security incident.
 Article 60 (Entry into Places of Business by Investigation Team)
(1) When an investigation team enters a place of business of a person involved under Article 48-4 (4) of the Act, the team members shall present identification badges indicating their authority to a person involved.
(2) The identification badges under paragraph (1) are as prescribed in attached Table 5.
 Article 60-2 (Institutions Specialized in Countermeasures against Computer Security Incidents Related to Equipment Connected to Information and Communications Networks)
"Specialized institutions prescribed by Presidential Decree" in the provisions, with the exception of the subparagraphs, of Article 48-5 (4) of the Act means the following institutions:
1. The Korea Internet and Security Agency;
2. An institution determined through consultation between the Minister of Science and ICT and the heads of relevant central administrative agencies, which has expertise in dealing with computer security incidents related to equipment connected to information and communications networks, etc.
[This Article Newly Inserted on Dec. 8, 2020]
 Article 60-3 (Procedures for Information Security Certification)
(1) A person who intends to obtain information security certification under Article 48-6 (1) of the Act (hereinafter referred to as "information security certification") shall submit an application for information security certification prescribed by Ordinance of the Ministry of Science and ICT to the Minister of Science and ICT along with the following documents and shall produce equipment connected to information and communications networks, etc., subject to information security certification:
1. Documents proving that the certification standards under Article 48-6 (2) of the Act (hereinafter referred to as "information security certification standard") have been satisfied;
2. A user manual of equipment connected to information and communications networks, etc. subject to information security certification;
3. Other documents prescribed by Ordinance of the Ministry of Science and ICT as necessary for information security certification.
(2) Upon receipt of an application for information security certification pursuant to paragraph (1), the Minister of Science and ICT shall request a testing agency for certification designated pursuant to Article 48-6 (4) of the Act (hereinafter referred to as "testing agency for certification") to conduct a test to confirm compliance with the certification standards under paragraph (2) of that Article (hereinafter referred to as "information security certification test").
(3) Where necessary for conducting an information security certification test, a testing agency for certification may conduct a test on the site where the relevant equipment connected to information and communications networks, etc. are installed.
(4) A testing agency for certification shall submit a report on the results of information security certification tests to the Minister of Science and ICT.
(5) The Minister of Science and ICT shall examine a report on the results of information security certification tests submitted pursuant to paragraph (4); and where the equipment connected to information and communications networks, etc. meet the information security certification standards, he or she shall issue an information security certification prescribed by Ordinance of the Ministry of Science and ICT to a person who applies for information security certification pursuant to paragraph (1), and shall publicly announce such fact on the Ministry's website.
(6) The Minister of Science and ICT who has revoked information security certification pursuant to Article 48-6 (3) of the Act shall notify the relevant person of such fact and publicly announce it on the Ministry's website.
[This Article Newly Inserted on Dec. 8, 2020]
 Article 60-4 (Effective Period of Information Security Certification)
(1) The effective period of information security certification shall be three years and may be extended only once by up to two years.
(2) A person who intends to extend the effective period of information security certification pursuant to paragraph (1) shall file an application for an extension of the effective period of information security certification with the Minister of Science and ICT no later than six months before the expiration of the effective period, as prescribed by Ordinance of the Ministry of Science and ICT.
(3) Upon receipt of an application for extension of the effective period under paragraph (2), the Minister of Science and ICT may extend the effective period only where the sameness of the characteristics and configuration is recognized for the equipment connected to information and communications networks, etc. for which information security certification has been granted.
(4) The Minister of Science and ICT who extends the effective period under paragraph (3) shall issue information security certification reflecting the extended effective period as prescribed by Ordinance of the Ministry of Science and ICT to the applicant for extension of the effective period, and shall publicly announce such fact on the Ministry's website.
[This Article Newly Inserted on Dec. 8, 2020]
 Article 60-5 (Fees for Information Security Certification)
(1) A person who intends to apply for information security certification shall pay a fee.
(2) The criteria for calculating fees under paragraph (1) shall be determined and publicly notified by the Minister of Science and ICT.
[This Article Newly Inserted on Dec. 8, 2020]
 Article 60-6 (Follow-Up Management of Information Security Certification)
(1) Where equipment connected to information and communications networks, etc. for which information security certification has been granted fail to meet the standards for information security certification due to discovery of vulnerabilities, the Minister of Science and ICT may request a person who has obtained the relevant information security certification to fix such vulnerabilities for a specified period.
(2) Details necessary for a request to fix vulnerabilities under paragraph (1) shall be determined and publicly notified by the Minister of Science and ICT.
[This Article Newly Inserted on Dec. 8, 2020]
 Article 60-7 (Standards for Designating Testing Agencies for Certification)
(1) "Institution satisfying the designation standards prescribed by Presidential Decree" in Article 48-6 (4) of the Act means an institution meeting all of the following standards:
1. It shall be a corporation engaged in the affairs related to information security certification tests;
2. It shall have human resources (including two full-time workers) with technical capabilities, who are in charge of the affairs related to information security certification tests, and an organization dedicated to such affairs;
3. It shall have a test environment, such as facilities and laboratory spaces, to perform the affairs related to information security certification tests;
4. It shall have the operational ability to perform the affairs related to information security certification tests.
(2) A person seeking designation as a testing agency for certification shall file with the Minister of Science and ICT an application for such designation accompanied by documents evidencing that he or she meets the designation standards provided in paragraph (1).
(3) Upon receipt of an application under paragraph (2), the Minister of Science and ICT may designate a testing agency for certification after examining whether it satisfies the designation standards under paragraph (1).
(4) Upon designating a testing agency for certification under paragraph (3), the Minister of Science and ICT shall issue a certificate of designation prescribed by Ordinance of the Ministry of Science and ICT to the relevant applicant, and shall publicly announce such fact in the Official Gazette and on the Ministry's website.
(5) The effective period of designation under paragraph (3) shall be determined by the Minister of Science and ICT for up to three years; and where it is intended to continue to conduct the affairs of a testing agency for certification after the effective period expires, an application for re-designation shall be filed from six months before the expiration date of the effective period until the expiration date of the effective period.
(6) The designation shall be deemed valid until the applicant is notified of the results of the examination of the application for re-designation under paragraph (5).
(7) Details regarding designation standards, designation procedures, re-designation, etc. of testing agencies for certification under paragraphs (1) through (6) shall be determined and publicly notified by the Minister of Science and ICT.
[This Article Newly Inserted on Dec. 8, 2020]
 Article 60-8 (Follow-Up Management of Testing Agencies for Certification and Revocation of Designation)
(1) A testing agency for certification shall enter the results of certification tests for the preceding year in a report prescribed by Ordinance of the Ministry of Science and ICT and submit it to the Minister of Science and ICT by January 31 of each year.
(2) The Minister of Science and ICT may request a testing agency for certification to submit data or visit the site to ascertain whether the designation standards under Article 48-6 (4) of the Act are met or whether the agency gives rise to grounds for revocation of designation under the subparagraphs of paragraph (5) of that Article.
(3) Upon revoking a designation as a testing agency for certification under Article 48-6 (5) of the Act, the Minister of Science and ICT shall notify the relevant institution of the revocation and publicly announce such revocation in the Official Gazette and on the Ministry’s website.
[This Article Newly Inserted on Dec. 8, 2020]
 Article 60-9 (Entrustment of Information Security Certification Affairs)
Pursuant to Article 48-6 (6) of the Act, the Minister of Science and ICT shall entrust the following affairs to the Korea Internet and Security Agency:
1. Receiving applications for information security certification, requesting the implementation of information security certification tests, receiving reports on the results of information security certification tests, issuing information security certificates, and publicly announcing information security certification and revocation thereof, under Articles 60-3 (1), (2), and (4) through (6);
2. Receiving applications for extension of the effective period of information security certification, issuing an information security certificate, and publicly announcing information security certification pursuant to Article 60-4 (2) and (4);
3. Reviewing the fix of vulnerabilities of information security certification and supporting the delivery of requests to fix vulnerabilities under Article 60-6.
[This Article Newly Inserted on Dec. 8, 2020]
 Article 61 (Guidelines for Transmission of Advertising Information for Profit)
(1) “Period prescribed by Presidential Decree” in Article 50 (1) 1 of the Act means six months from the date the trade of the relevant goods, etc. is concluded. <Amended on Nov. 28, 2014>
(2) “Media prescribed by Presidential Decree” in the proviso of Article 50 (3) of the Act means electronic mail. <Newly Inserted on Nov. 28, 2014>
(3) Matters that a person who transmits advertising information for profit, using an electronic transmission medium pursuant to Article 50 (4) of the Act shall clearly state in the relevant information, and methods therefor shall be as specified in attached Table 6. <Amended on Nov. 28, 2014>
 Article 62 (Provision of Free Telephone Services for Refusal of Reception or Withdrawal of Consent to Reception)
A person who transmits advertising information for profit, using an electronic transmission medium shall clearly state information about free telephone services, etc. for the refusal of reception or for the withdrawal of consent to reception, as prescribed in attached Table 6, and shall provide such services to addressees in accordance with Article 50 (6) of the Act. <Amended on Mar. 29, 2011; Nov. 28, 2014>
 Article 62-2 (Notification of Results of Handling of Consent to Receive Messages)
A person who intends to transmit advertising information for profit, using an electronic transmission medium pursuant to Article 50 (7) of the Act shall notify an addressee of the following matters within 14 days from the date the relevant addressee expresses his or her consent to receipt of messages, refusal to receive messages or withdrawal of his or her consent to receive messages:
1. Name of a sender;
2. Fact that the addressee has consented to receive messages, refused to receive messages, or withdrawn his or her consent to receive messages, and the date he or she expresses the relevant intent;
3. Results of the handling thereof.
[This Article Newly Inserted on Nov. 28, 2014]
 Article 62-3 (Verification of Addressees' Consents to Receive Messages)
(1) A person who has obtained prior consent from an addressee pursuant to Article 50 (1) or (3) of the Act shall verify whether the relevant addressee gives consent to receive messages every two years from the date he or she obtains consent to receive messages from the addressee (referring to the day before every second year from the date he or she obtains consent to receive messages) pursuant to paragraph (8) of the aforesaid Article.
(2) A person who intends to verify whether an addressee gives his or her consent to receive messages pursuant to paragraph (1) shall advise the addressee of the following matters:
1. Name of a sender;
2. Fact that the addressee gives consent to receive messages, and the date he or she gives consent to receive messages;
3. Methods for expressing his or her intent to maintain or withdraw his or her consent to receive messages.
[This Article Newly Inserted on Nov. 28, 2014]
 Article 63 (Devices for Restricting Installation of Advertising Programs for Profits)
“Information processing device prescribed by Presidential Decree” in the former part of Article 50-5 of the Act means an information processing device with which information can be transmitted and received by connecting it to an information and communications network, such as mobile Internet and mobile telephones. <Amended on Aug. 29, 2011>
 Article 64 (Subsidization for Development of Software Designed to Cut Off Transmission of Advertising Information for Profits)
(1) Pursuant to Article 50-6 of the Act, the Korea Communications Commission may fully or partially subsidize a project of a public institution, corporation, or organization that develops and distributes a piece of software or a computer program for conveniently blocking or reporting advertising information transmitted for profits in violation of Article 50 of the Act (hereinafter referred to as “software for blocking or reporting advertisements”), within the budget.
(2) The Korea Communications Commission may recommend providers of information and communications services and users to use the software for blocking or reporting advertisements developed in accordance with paragraph (1). <Amended on Jan. 28, 2009; Aug. 4, 2020>
 Article 65 (Operation of the Korea Internet and Security Agency)
(1) The Minister of Science and ICT, the Minister of the Interior and Safety, the Korea Communications Commission, or the Personal Information Protection Commission may request the head of a related agency to dispatch public officials related to the affairs of the Korea Internet and Security Agency under the subparagraphs of Article 52 (3) of the Act. <Amended on Oct. 1, 2010; Mar. 23, 2013; Nov. 19, 2014; Jul. 26, 2017; Aug. 4, 2020>
(2) When the head of a related agency who dispatched a public official under paragraph (1) needs to have the public official returned during the period of dispatch service, he or she shall consult with the head of the agency that requested such dispatch.
(3) The head of the Korea Internet and Security Agency may authorize a research institute related to information and communications to conduct part of the business affairs specified in Article 52 (3) 4 of the Act, with approval therefor from the Minister of Science and ICT, the Minister of the Interior and Safety or the Korea Communications Commission. <Amended on Oct. 1, 2010; Mar. 23, 2013; Nov. 28, 2014; Jul. 26, 2017>
(4) If a business affair that the head of the Korea Internet and Security Agency conducts in accordance with Article 52 (3) of the Act is related to the protection of a public institution’s information, he or she shall obtain approval therefor from the head of the related institution. <Amended on Oct. 1, 2010>
(5) The Korea Internet and Security Agency shall perform the following affairs to promote programs for transmitting advertising information under Article 52 (3) 10 and 21 of the Act: <Newly Inserted on Aug. 4, 2020>
1. Settlement of grievances relating to the transmission of advertising information and counseling thereon;
2. Provision of technical advice under Article 64 (10) of the Act related to the transmission of advertising information and other necessary assistance;
3. Research on measures to prevent illegal transmission of advertising information;
4. Education and publicity for the prevention of illegal transmission of advertising information;
5. Affairs related to the duties under subparagraphs 1 through 4.
(6) If deemed necessary for requiring providers of information and communications services to submit relevant articles, documents, etc. or for efficiently conducting inspections under Article 64 (1) or (3) of the Act related to the transmission of advertising information, the Korea Communications Commission may dispatch its public officials to the Korea Internet and Security Agency pursuant to Article 32-4 of the State Public Officials Act. <Newly Inserted on Aug. 4, 2020>
[Title Amended on Oct. 1, 2010]
 Article 66 Deleted. <Aug. 4, 2020>
CHAPTER VI-2 TELECOMMUNICATIONS BILLING SERVICES
 Article 66-2 (Requirements for Registration)
(1) A person who intends to be registered as a provider of telecommunications billing services under Article 53 of the Act shall meet all the following requirements: <Amended on Mar. 23, 2013; Jul. 26, 2017>
1. The ratio of the total liabilities to the equity capital, total contributions, or endowment shall not exceed a ratio determined and publicly notified by the Minister of Science and ICT, which shall not exceed 200/100. If the majority stockholder is a company that belongs to a conglomerate defined under subparagraph 2 of Article 2 of the Monopoly Regulation and Fair Trade Act (excluding conglomerates defined under Article 17 (1) 1 and 2 of the Enforcement Decree of the aforesaid Act), the calculation of such ratio shall be based on the conglomerate, but companies that engage in financial business or insurance business, from among companies that belong to the conglomerate, shall be excluded from the calculation;
2. The person shall be fully equipped with the following human resources and physical facilities with which the person can conduct the business:
(a) At least five executive officers and employees who have work experience of at least two years in operating electronic computer systems;
(b) Electronic computer systems and various computer programs necessary for smoothly providing telecommunications billing services;
(c) An information protection system under Article 57 (2) of the Act;
3. The equity capital, total contributions, or endowment shall be at least an amount specified in paragraph (2).
(2) “Amount prescribed by Presidential Decree” in Article 53 (2) of the Act means one billion won.
[This Article Newly Inserted on Mar. 28, 2008]
 Article 66-3 (Procedures for Registration)
(1) A person who intends to be registered as a provider of telecommunications billing services under Article 53 of the Act shall file an application for registration, describing the following matters, with the Minister of Science and ICT: <Amended on Mar. 23, 2013; Jul. 26, 2017>
1. Trade name and the principal place of business;
2. The representative’s name;
3. Equity capital, total contributions, or endowment;
4. The names or titles of contributors (excluding small contributors specified and publicly notified by the Minister of Science and ICT) and their shares.
(2) An application for registration under paragraph (1) shall be accompanied by the following documents:
1. Articles of incorporation;
2. Documents proving that an applicant meets the requirements for registration under Article 66-2;
3. A business plan for three years after the commencement of business (including estimated financial statements and a statement of estimated revenues and expenditures);
4. A plan for the protection of users of telecommunications billing services (including matters under Articles 66-7 through 66-9).
(3) Upon receipt of an application for registration under paragraph (1), the Minister of Science and ICT shall verify the relevant corporate registration by sharing administrative information under Article 36 (1) of the Electronic Government Act. <Amended on May 4, 2010; Nov. 2, 2010; Mar. 23, 2013; Jul. 26, 2017>
(4) If the Minister of Science and ICT finds any defect in a document submitted pursuant to paragraph (1) or (2), he or she may request the applicant to supplement and submit the document within 10 days from the date when such document is submitted. <Amended on Mar. 23, 2013; Jul. 26, 2017>
(5) When the Minister of Science and ICT registers a provider of telecommunications billing services, he or she shall publish the details of the registration in the Official Gazette and shall inform the general public thereof through the Internet, etc. <Amended on Mar. 23, 2013; Jul. 26, 2017>
[This Article Newly Inserted on Mar. 28, 2008]
 Article 66-4 (Grounds for Disqualification from Registration)
“Investor prescribed by Presidential Decree” in subparagraph 1 of Article 54 of the Act means any of the following persons: <Amended on Jul. 29, 2008; Sep. 5, 2017>
1. The principal who holds the largest number of outstanding voting stocks of, or shares in contributions to, the relevant corporation (hereafter referred to as “stocks or the like” in this Article), when the stocks held by the principal and those held by persons related to the principal, as defined under any subparagraph of Article 3 (1) of the Enforcement Decree of the Act on Corporate Governance of Financial Companies, on their own accounts respectively in whosever name are aggregated;
2. A person who holds at least 10/100 of stocks or the like of the relevant corporation on his or her account in whosever name or a stockholder who exercises the de facto control over important matters relating to the management of the corporation through appointment and dismissal of executive officers or by other means, who is a related person defined under any subparagraph of Article 3 (1) of the Enforcement Decree of the Act on Corporate Governance of Financial Companies.
[This Article Newly Inserted on Mar. 28, 2008]
 Article 66-5 (Administrative Dispositions)
(1) Deleted. <Dec. 22, 2015>
(2) When the Minister of Science and ICT intends to revoke the registration of a provider of telecommunications billing services under Article 55 of the Act, he or she shall hold a hearing. <Amended on Mar. 23, 2013; Jul. 26, 2017>
(3) When the Minister of Science and ICT revokes the registration of a provider of telecommunications billing services under Article 55 of the Act, he or she shall publish the details thereof in the Official Gazette and shall notify the general public thereof through the Internet or by other means. <Amended on Mar. 23, 2013; Jul. 26, 2017>
[This Article Newly Inserted on Mar. 28, 2008]
 Article 66-6 (Measures Necessary for Securing Stability and Reliability of Telecommunications Billing Services)
Administrative and technical measures that a provider of telecommunications billing services shall take in accordance with Article 57 (2) of the Act in order to secure the stability and reliability of transactions through telecommunications billing services are as prescribed in attached Table 7.
[This Article Newly Inserted on Mar. 28, 2008]
 Article 66-7 (Period for Retention of Transaction Records and Methods for Changing Contractual Terms)
(1) Pursuant to Article 58 (4) and (7) of the Act, a provider of telecommunications billing services shall preserve records of the following matters for one year from the date on which each transaction is conducted: Provided, That the records of a transaction, the amount of which exceeds 10,000 won, shall be preserved for five years: <Amended on Aug. 29, 2011; Mar. 23, 2013; Nov. 28, 2014; Jul. 26, 2017; Dec. 11, 2018>
1. The type of a transaction conducted through telecommunications billing services;
2. The amount of a transaction;
3. The other party to a transaction of purchase or use through telecommunications billing services (referring to a person who sells goods or provides services in return for a price therefor through telecommunications billing services; hereinafter referred to as the “other party to a transaction”);
4. The date and time of a transaction;
5. The subscriber number of telecommunications services for which charges are billed and collected;
6. Matters regarding access to telecommunications services in connection with the relevant transaction;
7. Matters regarding an application for a transaction and amendment to terms and conditions;
8. Matters regarding approval for a transaction;
9. Other matters determined and publicly notified by the Minister of Science and ICT.
(2) Transaction records under paragraph (1) shall be preserved in paper, microfilms, discs, magnetic tapes, or other electronic information processing systems: Provided, That where such records are preserved in discs, magnetic tapes, or other electronic information processing systems, the requirements under Article 5 (1) of the Framework Act on Electronic Documents and Transactions shall be fully met. <Amended on Aug. 31, 2012>
(3) When a provider of telecommunications billing services (limited to a person who provides services under Article (2) (1) 10 (a)) changes contractual terms pursuant to Article 58 (6) of the Act, he or she shall notify users of telecommunications billing services by any means of e-mail, writing, facsimile, telephone or other means similar thereto. <Newly Inserted on Nov. 28, 2014; Jan. 5, 2021>
(4) A user of telecommunications billing services may raise an objection to the changed contractual terms from the date he or she receives notification under paragraph (3) until the business day before the effective date of the changed contractual terms. <Newly Inserted on Nov. 28, 2014>
[This Article Newly Inserted on Mar. 28, 2008]
[Title Amended on Nov. 28, 2014]
[Moved from Article 66-8 <Dec. 11, 2018>]
 Article 66-8 (Content of and Procedures for Requesting Information on Purchasers)
(1) Where a user of telecommunications billing services requests the other party to a transaction pursuant to the former part of Article 58-2 (1) of the Act for information about the name and date of birth of a person who purchased or used goods or service (hereinafter referred to as "purchaser information"), he or she shall submit a written request (including an electronic document) for purchaser information, stating the following information:
1. Personal data of the user of telecommunications billing services: Name, date of birth, and contact information (referring to a telephone number, electronic mail address, etc.);
2. Requested details of payment: The telephone number used for payment and the date, time, and amount of payment;
3. The statement that purchaser information needs to be written separately for each type of goods or services.
(2) Where any institution or organization authorized to mediate in and resolve disputes under Article 59 (2) of the Act requests purchaser information on behalf of a user of telecommunications billing services, it shall submit a document (including an electronic document) confirming that the user of telecommunications billing services has given consent to requesting purchaser information on behalf of the user, along with the written request under paragraph (1).
[This Article Newly Inserted on Dec. 11, 2018]
[Previous Article 66-8 moved to Article 66-7 <Dec. 11, 2018>]
 Article 66-9 (Procedures for Filing Objections and Redressing Violations of Rights)
(1) A provider of telecommunications billing services shall designate a manager and an officer in charge of the protection of users of telecommunications billing services for filing objections and redressing violations of rights under Article 59 (3) of the Act and shall notify the contact information of such manager and officer (referring to telephone numbers, facsimile numbers, e-mail addresses, etc.) to users of telecommunications billing services through the Internet and by other means. <Amended on Dec. 11, 2018; Jan. 5, 2021>
(2) A user of telecommunications billing services may file an objection with regard to telecommunications billing services to the relevant provider of telecommunications billing services in writing (or by an electronic document), telephone, facsimile, or other similar means. <Amended on Jan. 5, 2021>
(3) Upon receipt of an objection under paragraph (2), the provider of telecommunications billing services shall notify the user of the results of the relevant investigation or decision within two weeks from the date when such objection is filed.
[This Article Newly Inserted on Mar. 28, 2008]
CHAPTER VI-3 INTERNATIONAL COOPERATION
 Article 67 Deleted. <Aug. 4, 2020>
CHAPTER VII SUPPLEMENTARY PROVISIONS
 Article 68 (Submission of Data)
“Ground prescribed by Presidential Decree to believe that it is necessary for the protection of users” in Article 64 (1) 3 of the Act means either of the following cases: <Amended on Mar. 28, 2008; Aug. 29, 2011>
1. Where it is necessary to prepare measures for the protection of youths under Article 41 (1) of the Act;
2. Where it is necessary to ascertain whether a person responsible for the protection of youths under Article 42-3 (3) of the Act performs the duty of protecting youths;
3. Deleted. <Aug. 17, 2012>
 Article 68-2 (Methods for Publication of Order of Corrective Measures)
(1) When the Minister of Science and ICT or the Korea Communications Commission orders a provider of information and communications services under Article 64 (4) of the Act to make a public publication of the fact that the service provider is ordered to take corrective measures, the Minister of Science and ICT or the Korea Communications Commission shall prescribe the details, number of times, and media of publication, the size of pages, etc. in issuing such order, taking the following factors into consideration: <Amended on Sep. 29, 2011; Mar. 23, 2013; Jul. 26, 2017; Aug. 4, 2020>
1. Details and severity of relevant violations;
2. The duration and number of times of relevant violations.
(2) When the Minister of Science and ICT or the Korea Communications Commission orders a provider of information and communications services under paragraph (1) to make a publication of the fact that the service provider is ordered to take corrective measures, the Minister of Science and ICT or the Korea Communications Commission may consult on the text of the publication with the provider of information and communications services. <Amended on Sep. 29, 2011; Mar. 23, 2013; Jul. 26, 2017; Aug. 4, 2020>
[This Article Newly Inserted on Jan. 28, 2009]
 Article 69 (Disclosure of Order to Take Corrective Measures)
(1) In either of the following cases, the fact that a provider of information and communications services is ordered to take corrective measures under Article 64 of the Act may be disclosed. In such cases, the Minister of Science and ICT or the Korea Communications Commission shall notify the relevant provider of information and communications services of the disclosure in advance: <Amended on Mar. 28, 2008; Jan. 28, 2009; Sep. 29, 2011; Mar. 23, 2013; Jul. 26, 2017; Aug. 4, 2020>
1. Where a provider of information and communications services is ordered to take corrective measures for an act specified in any provision of Articles 71 through 74 of the Act;
2. Where a provider of information and communications services has been ordered to take corrective measures at least twice a year.
(2) The disclosure of an order to take corrective measures under paragraph (1) shall be made by publishing it on Internet websites or general daily newspapers circulated nationwide under the Act on the Promotion of Newspapers. <Amended on Jan. 27, 2010>
 Article 69-2 (Scope of Persons Required to Submit Transparency Reports)
"Person who meets the standards prescribed by Presidential Decree" in the provisions, with the exception of the subparagraphs, of Article 64-5 (1) of the Act means a person obligated to designate a person responsible for preventing the circulation of illegally filmed materials, etc.
[This Article Newly Inserted on Dec. 8, 2020]
 Article 69-3 Deleted. <Aug. 4, 2020>
 Article 69-4 Deleted. <Aug. 4, 2020>
 Article 70 (Delegation of Authority and Entrustment of Affairs)
(1) Pursuant to Article 65 (1) of the Act, the Minister of Science and ICT shall delegate the authority to impose administrative fines under Article 76 of the Act upon the following persons and to collect administrative fines from them to the Director General of the Central Radio Management Service: <Amended on Mar. 28, 2008; Jul. 3, 2008; Oct. 1, 2010; Mar. 23, 2013; Nov. 28, 2014; Jul. 26, 2017; Sep. 28, 2018; Jun. 11, 2019; Jun. 25, 2019>
1. A business operator not possessing line equipment under Article 22 (2) 2 of the Enforcement Decree of the Telecommunications Business Act;
2. A person required to designate a chief information security officer and report thereon pursuant to the proviso of Article 45-3 (1) of the Act;
2-2. A person required to ensure that the chief information security officer may not concurrently hold another office, other than the one performing duties prescribed in Article 45-3 (4) of the Act pursuant to Article 45-3 (3) of the Act;
3. A person who has registered as a provider of telecommunications billing services pursuant to Article 53 (1) of the Act.
(2) The Minister of Science and ICT shall delegate the following authority to the President of the Central Radio Management Service pursuant to Article 65 (1) of the Act: <Newly Inserted on Aug. 4, 2020; Dec. 7, 2021>
1. Reporting on the designation of a chief information security officer under Article 45-3 (1) of the Act;
2. Registration of providers of telecommunications billing services under Article 53 (1) of the Act;
3. Registration of changes in providers of telecommunications billing services, the transfer or acquisition of business, or the merger or inheritance of business, succession to business and reporting on the suspension, closure or dissolution of business under Article 53 (4) of the Act;
4. Revocation of the registration of a provider of telecommunications billing services under Article 55 (1) of the Act;
5. Reporting on contractual terms (including reporting on changes in contractual terms) on telecommunications billing services under Article 56 (1) of the Act;
6. Recommending a provider of telecommunications billing services to change contractual terms under Article 56 (2) of the Act;
7. Issuing orders to refuse, suspend, or restrict the provision of telecommunications billing services under Article 61 of the Act;
8. Requesting the submission of data and conducting inspections under Article 64 (1) and (3) of the Act to verify facts of violations of Articles 45-3 and 53 through 61 of the Act;
9. Issuing an order to a person who has obtained registration as a provider of telecommunications billing services pursuant to Article 53 (1) of the Act to take corrective measures under Article 64 (4) of the Act.
(3) The Korea Communications Commission shall delegate the following authority to the President of the Broadcasting and Communications Office under Article 65 (1) of the Act: <Newly Inserted on Aug. 4, 2020>
1. Issuance of orders to take corrective measures and orders for making a public announcement under Article 64 (4) of the Act for a person who has violated Articles 50, 50-3 (1), 50-4, 50-5, 50-7 and 50-8 of the Act;
2. Imposition and collection of administrative fines under Article 76 of the Act on and from persons who violate Articles 50, 50-4 (4), 50-5, and 50-7 (1) and (2) of the Act.
(4) Pursuant to Article 65 (3) of the Act, the Korea Communications Commission shall entrust the following affairs to the head of the Korea Internet and Security Agency: <Amended on Mar. 28, 2008; Oct. 1, 2010; Sep. 29, 2011; Nov. 28, 2014; Aug. 4, 2020>
1. Affairs relating to a request for the submission of data and inspections under Article 64 (1) and (3) of the Act (limited to grievances and counseling items filed with the Korea Internet and Security Agency for the protection of users) to verify whether a person violates Article 22-2, 23-2, or 23-3 of the Act or falls under any subparagraph of Article 23-4 (1);
2. Duties relating to a request for the submission of data and inspections under Article 64 (1) through (3) of the Act for ascertaining a violation of any provision of Articles 50, 50-3 through 50-5, 50-7, and 50-8 of the Act (limited to grievances filed with the Korea Internet and Security Agency for settlement or counseling in connection with the transmission of advertising information).
(5) Deleted. <Aug. 4, 2020>
[Title Amended on Dec. 7, 2021]
 Article 70-2 (Processing of Personally Identifiable Information)
Where it is inevitable to conduct affairs regarding request for submission, perusal, inspection of data, etc. under Article 64 (1) through (3) of the Act, the Minister of Science and ICT or the Korea Communications Commission (including a person entrusted with the authority of the Korea Communications Commission pursuant to Article 70) may process resident registration numbers or foreigner registration numbers under subparagraph 1 or 4 of Article 19 of the Enforcement Decree of the Personal Information Protection Act: <Amended on Jul. 26, 2017; Aug. 4, 2020>
1. Deleted; <Aug. 4, 2020>
2. Deleted. <Aug. 4, 2020>
[This Article Newly Inserted on Aug. 6, 2014]
 Article 71 (Re-Examination of Regulation)
(1) Deleted. <Mar. 3, 2020>
(2) The Minister of Science and ICT shall examine the appropriateness of the following matters every three years (referring to the period ending on the date preceding every third anniversary from the base date), counting from each base date specified in the following, and take measures, such as making improvements: <Amended on Dec. 30, 2016; Jul. 26, 2017; Dec. 11, 2018; Jun. 11, 2019; Dec. 8, 2020; Dec. 7, 2021>
1. Qualifications of chief information security officers under Article 36-7 (4) and (6) and the scope of providers of information and communications services under paragraph (5) of that Article: January 1, 2020;
2. Protective measures taken by business entities operating and managing clustered information and telecommunications facilities under Article 37: January 1, 2017;
3. Obligations to purchase an insurance policy and the minimum amount of insurance coverage under Article 38: January 1, 2017;
4. Scope of persons subject to the certification of information protection and management systems under Article 49: January 1, 2014;
5. Follow-up management and notification on the certification of information protection and management systems under Article 51: January 1, 2017;
6. Guidelines for designating a certification institution for information protection and management systems under Article 53: January 1, 2017;
7. Procedures for designating a certification institution for information protection and management systems under Article 53-2: January 1, 2017;
8. Requirements for the registration of a provider of telecommunications billing services under Article 66-2: January 1, 2014;
9. Period and methods for preservation of transaction records under Article 66-7: January 1, 2014.
(3) Deleted. <Dec. 30, 2016>
(4) The Korea Communications Commission shall review the suitability of the following matters every three years (referring to the period ending on the date preceding every third anniversary from the base date), counting from each base date specified in the following, and take measures, such as making improvements: <Amended on Nov. 28, 2014; Dec. 30, 2016; Jun. 11, 2019>
1. Deleted; <Aug. 4, 2020>
2. Deleted; <Aug. 4, 2020>
3. Deleted; <Aug. 4, 2020>
4. Scope of persons liable to designate a person responsible for the protection of youths under Article 25: January 1, 2015;
5. Deadline for designation of a person responsible for the protection of youths under Article 27: January 1, 2015.
[This Article Newly Inserted on Dec. 30, 2013]
 Article 72 Deleted. <Dec. 27, 2010>
 Article 73 Deleted. <Aug. 18, 2009>
 Article 74 (Guidelines for Imposition of Administrative Fines)
Guidelines for the imposition of administrative fines under the provisions of Article 76 (1) through (3) of the Act are as prescribed in attached Table 9.
[This Article Wholly Amended on Oct. 1, 2010]
ADDENDA <Presidential Decree No. 20668, Feb. 29, 2008>
Article 1 (Enforcement Date)
This Decree shall enter into force on the date of its promulgation.
Article 2 (Relationship to Other Statutes or Regulations)
A citation of the previous Enforcement Decree of the Act on Promotion of Information and Communications Network Utilization and Information Protection, the Enforcement Rule of the Act on Promotion of Information and Communications Network Utilization and Information Protection, or a provision of either of them by any other statutes or regulations in force as at the time this Decree enters into force shall be deemed a citation of this Decree or the relevant provision of this Decree in lieu of the previous provision, if this Decree prescribes such relevant provision.
ADDENDUM <Presidential Decree No. 20756, Mar. 28, 2008>
This Decree shall enter into force on the date of its promulgation.
ADDENDA <Presidential Decree No. 20896, Jul. 3, 2008>
Article 1 (Enforcement Date)
This Decree shall enter into force on the date of its promulgation.
Article 2 Omitted.
ADDENDA <Presidential Decree No. 20947, Jul. 29, 2008>
Article 1 (Enforcement Date)
This Decree shall enter into force on February 4, 2009. (Proviso Omitted.)
Articles 2 through 28 Omitted.
ADDENDA <Presidential Decree No. 21278, Jan. 28, 2009>
Article 1 (Enforcement Date)
This Decree shall enter into force on the date of its promulgation: Provided, That the amended provisions of Article 15 (4) 2 and 4 shall enter into force one year after the date of its promulgation.
Article 2 (Preparation for Public Notice)
Notwithstanding the proviso to Article 1 of the Addenda, the public notice under the amended provisions of Article 15 (6) may include the public notice of guidelines under the amended provisions of Article 15 (4) 2 and 4.
ADDENDA <Presidential Decree No. 21692, Aug. 18, 2009>
Article 1 (Enforcement Date)
This Decree shall enter into force on August 23, 2009.
Articles 2 through 6 Omitted.
ADDENDA <Presidential Decree No. 21719, Sep. 9, 2009>
Article 1 (Enforcement Date)
This Decree shall enter into force on September 10, 2009.
Articles 2 and 3 Omitted.
ADDENDA <Presidential Decree No. 22003, Jan. 27, 2010>
Article 1 (Enforcement Date)
This Decree shall enter into force on February 1, 2010.
Articles 2 through 5 Omitted.
ADDENDA <Presidential Decree No. 22151, May 4, 2010>
Article 1 (Enforcement Date)
This Decree shall enter into force on May 5, 2010.
Articles 2 through 4 Omitted.
ADDENDA <Presidential Decree No. 22423, Oct. 1, 2010>
Article 1 (Enforcement Date)
This Decree shall enter into force on the date of its promulgation.
Article 2 (Transitional Measures concerning Guidelines for Administrative Dispositions)
(1) Notwithstanding the amended provisions of attached Tables 4 and 8, the previous provisions shall apply to the application of guidelines for administrative dispositions (including guidelines for the imposition of penalty surcharges) against violations committed before this Decree enters into force.
(2) Administrative dispositions imposed for violations committed before this Decree enters into force shall be included in the computation of the number of violations under the amended provisions of attached Table 4.
Article 3 (Transitional Measures concerning Administrative Fines)
(1) Notwithstanding the amended provisions of attached Table 9, the previous practices shall apply to the imposition of administrative fines for violations committed before this Decree enters into force.
(2) Administrative fines imposed for violations committed before this Decree enters into force shall be included in the computation of the number of violations under the amended provisions of attached Table 9.
ADDENDA <Presidential Decree No. 22424, Oct. 1, 2010>
Article 1 (Enforcement Date)
This Decree shall enter into force on the date of its promulgation.
Articles 2 through 10 Omitted.
ADDENDUM <Presidential Decree No. 22467, Nov. 2, 2010>
This Decree shall enter into force on the date of its promulgation.
ADDENDA <Presidential Decree No. 22550, Dec. 27, 2010>
Article 1 (Enforcement Date)
This Decree shall enter into force on the date of its promulgation. (Proviso Omitted.)
Articles 2 through 6 Omitted.
ADDENDUM <Presidential Decree No. 22773, Mar. 29, 2011>
This Decree shall enter into force on the date of its promulgation.
ADDENDUM <Presidential Decree No. 23104, Aug. 29, 2011>
This Decree shall enter into force on the date of its promulgation.
ADDENDA <Presidential Decree No. 23169, Sep. 29, 2011>
Article 1 (Enforcement Date)
This Decree shall enter into force on September 30, 2011. (Proviso Omitted.)
Articles 2 through 8 Omitted.
ADDENDUM <Presidential Decree No. 23876, Jun. 25, 2012>
This Decree shall enter into force on the date of its promulgation.
ADDENDA <Presidential Decree No. 24047, Aug. 17, 2012>
Article 1 (Enforcement Date)
This Decree shall enter into force on August 18, 2012: Provided, That the amended provisions of Articles 15 (2), 36-2 through 36-6, 39 through 49, 51 through 53, 53-2 through 53-4, 54-2, 55-2 through 55-5, attached Table 2, attached Table 3, paragraph 2 (v) and (w) of attached Table 9, and Article 3 of Addenda shall enter into force on February 18, 2013.
Article 2 (Applicability to Counting of Unused Period)
Counting a period under the amended provisions of Article 16 (1) shall begin where information and communications services are not used on and after August 18, 2012.
Article 3 Omitted.
ADDENDA <Presidential Decree No. 24076, Aug. 31, 2012>
Article 1 (Enforcement Date)
This Decree shall enter into force on September 2, 2012. (Proviso Omitted.)
Articles 2 through 4 Omitted.
ADDENDA <Presidential Decree No. 24102, Sep. 14, 2012>
Article 1 (Enforcement Date)
This Decree shall enter into force on September 16, 2012. (Proviso Omitted.)
Articles 2 through 4 Omitted.
ADDENDA <Presidential Decree No. 24445, Mar. 23, 2013>
Article 1 (Enforcement Date)
This Decree shall enter into force on the date of its promulgation.
Articles 2 through 4 Omitted.
ADDENDUM <Presidential Decree No. 25050, Dec. 30, 2013>
This Decree shall enter into force on January 1, 2014. (Proviso Omitted.)
ADDENDUM <Presidential Decree No. 25532, Aug. 6, 2014>
This Decree shall enter into force on August 7, 2014.
ADDENDA <Presidential Decree No. 25751, Nov. 19, 2014>
Article 1 (Enforcement Date)
This Decree shall enter into force on the date of its promulgation. (Proviso Omitted.)
Articles 2 through 5 Omitted.
ADDENDA <Presidential Decree No. 25789, Nov. 28, 2014>
Article 1 (Enforcement Date)
This Decree shall enter into force on November 29, 2014: Provided, That the amended provision of the main sentence of Article 16 (1) shall enter into force on August 18, 2015.
Article 2 (Applicability to Destruction of Personal Information)
The amended provision of the main sentence of Article 16 (1) shall also apply to personal information collected or provided before August 18, 2015.
Article 3 (Applicability to Notification of Results of Handling of Consent to Receive Messages)
The amended provisions of Article 62-2 shall begin to apply to cases where an addressee expresses his or her consent to receive messages, refuses to receive messages, or withdraws his or her consent to receive messages after this Decree enters into force.
Article 4 (Special Cases concerning Reporting on Chief Information Security Officers)
Notwithstanding the amended provisions of Article 36-7, an information and telecommunications service provider falling under any of the subparagraphs of the amended provisions of Article 36-6 as at the time this Decree enters into force shall submit a report on the designation of a chief information security officer to the Minister of Science, ICT and Future Planning within 90 days from the date this Decree enters into force.
Article 5 (Special Cases on Guidelines for Transmitting Advertising Information for Purposes of Generating Profits)
Where the amended provision of Article 61 (1) applies to cases where the sale of goods, etc. is concluded before this Decree enters into force, the enforcement date of this Decree shall be deemed the date the sale of the relevant goods, etc. is concluded.
Article 6 (Special Cases concerning Verification as to Whether Addressee Has Consented to Receive Messages)
Where the amended provisions of Article 62-3 (1) apply to cases where a person has obtained consent to receive messages from an addressee before this Decree enters into force, he or she shall be deemed to have obtained the relevant consent to receive messages on the date this Decree enters into force.
Article 7 (Transitional Measures concerning Measures to Protect Personal Information)
Where an information and telecommunications service provider has taken security measures under the previous provisions of Article 15 (4) 1 and 2 before this Decree enters into force, the previous provisions shall apply, notwithstanding the amended provisions of Article 15 (4) 1 and 2.
Article 8 (Transitional Measures concerning Guidelines for Calculating Penalty Surcharges)
When a penalty surcharge is imposed on any offense committed before this Decree enters into force, notwithstanding the amended provisions of attached Table 8, the previous provisions thereof shall apply.
Article 9 (Transitional Measures concerning Administrative Fines)
(1) When guidelines for imposing administrative fines apply to offenses committed before this Decree enters into force, notwithstanding the amended provisions of attached Table 9, the previous provisions thereof shall apply.
(2) A disposition of the imposition of an administrative fine due to an offense committed before this Act enters into force shall be included in the calculation of the number of times of offenses under the amended provisions of attached Table 9.
ADDENDA <Presidential Decree No. 26757, Dec. 22, 2015>
Article 1 (Enforcement Date)
This Decree shall enter into force on December 23, 2015.
Article 2 (Transitional Measures concerning Administrative Fines)
Administrative fines, imposed pursuant to the previous provisions of subparagraph 2 (n) of attached Table 9, for violations committed before this Decree enters into force, shall not be included in the count of violations under the amended provisions of subparagraph 2 (f) of attached Table 9.
ADDENDUM <Presidential Decree No. 27188, May 31, 2016>
This Decree shall enter into force on June 2, 2016: Provided, That the amended provisions of Article 16 shall enter into force on the date of its promulgation.
ADDENDA <Presidential Decree No. 27510, Sep. 22, 2016>
Article 1 (Enforcement Date)
This Decree shall enter into force on September 23, 2016: Provided, That the amended provisions of the proviso to Article 16 (2) shall enter into force one year after this Decree enters into force.
Article 2 (Applicability to Separate Storage and Management of Personal Information)
The amended provisions of the proviso to Article 16 (2) shall also apply to the personal information collected or provided before the enforcement date referred to in the proviso to Article 1 of Addenda.
ADDENDA <Presidential Decree No. 27751, Dec. 30, 2016>
Article 1 (Enforcement Date)
This Decree shall enter into force on January 1, 2017. (Proviso Omitted.)
Articles 2 through 12 Omitted.
ADDENDA <Presidential Decree No. 27951, Mar. 22, 2017>
Article 1 (Enforcement Date)
This Decree shall enter into force on March 23, 2017.
Article 2 (Applicability to Consent to Access Authority)
The amended provisions of Article 9-2 (1) through (3) shall begin to apply from the first case where a provider of information and communications services needs access authority to provide the relevant services through such software (including software which have been manufactured before this Decree enters into force, but are provided thereafter, and software which have been provided before this Decree enters into force, but are supplied thereafter) of mobile devices as are supplied after this Decree enters into force.
Article 3 (Applicability to Measures Necessary for Protecting Information on Users)
The amended provisions of Article 9-2 (4) shall begin to apply from the first case of providing the operating system or software of mobile devices after this Decree enters into force (including a case of having manufactured the operating system or software before this Decree enters into force, but providing it thereafter and a case of having provided the operating system or software before this Decree enters into force, but upgrading either thereafter) and the first case of manufacturing mobile devices after this Decree enters into force (excluding a case where mobile devices are being manufactured as at the time this Decree enters into force, but the operating system has been installed in them therebefore).
ADDENDA <Presidential Decree No. 28210, Jul. 26, 2017>
Article 1 (Enforcement Date)
This Decree shall enter into force on the date of its promulgation.
Articles 2 through 6 Omitted.
ADDENDA <Presidential Decree No. 28283, Sep. 5, 2017>
Article 1 (Enforcement Date)
This Decree shall enter into force three months after the date of its promulgation: Provided, That ... <omitted> ... Article 6 of the Addenda shall enter into force on the date of its promulgation.
Articles 2 through 6 Omitted.
ADDENDUM <Presidential Decree No. 28919, May 28, 2018>
This Decree shall enter into force on the date of its promulgation. (Proviso Omitted.)
ADDENDUM <Presidential Decree No. 29053, Jul. 17, 2018>
This Decree shall enter into force on the date of its promulgation.
ADDENDA <Presidential Decree No. 29192, Sep. 28, 2018>
Article 1 (Enforcement Date)
This Decree shall enter into force on the date of its promulgation.
Articles 2 and 3 Omitted.
ADDENDUM <Presidential Decree No. 29339, Dec. 11, 2018>
This Decree shall enter into force on December 13, 2018.
ADDENDUM <Presidential Decree No. 29633, Mar. 19, 2019>
This Decree shall enter into force on March 19, 2019.
ADDENDA <Presidential Decree No. 29852, Jun. 11, 2019>
Article 1 (Enforcement Date)
This Act shall enter into force on June 13, 2019: Provided, That the amended provisions of Article 34 (1) shall enter into force on the date of its promulgation, and the amended provisions of Articles 16-2 and 17-2 shall enter into force on June 25, 2019.
Article 2 (Applicability to Qualifications of Chief Information Security Officers)
The amended provisions of Article 36-6 (2) and (4) shall begin to apply to chief information security officers designated and reported after this Act enters into force.
Article 3 (Special Cases concerning Methods and Procedures for Reporting on Chief Information Security Officers)
Where a provider of information and communications services becomes obligated to report his or her chief information security officer pursuant to Article 45-3 (1) of the Act as at the time this Decree enters into force, the deadline for reporting on the chief information security officer under the amended provisions of Article 36-7 shall be counted from the date this Decree enters into force.
ADDENDA <Presidential Decree No. 29886, Jun. 25, 2019>
Article 1 (Enforcement Date)
This Decree shall enter into force on June 25, 2019.
Article 2 Omitted.
ADDENDUM <Presidential Decree No. 30509, Mar. 3, 2020>
This Decree shall enter into force on the date of its promulgation.
ADDENDUM <Presidential Decree No. 30691, May 19, 2020>
This Decree shall enter into force on June 11, 2020.
ADDENDUM <Presidential Decree No. 30894, Aug. 4, 2020>
This Decree shall enter into force on August 5, 2020.
ADDENDA <Presidential Decree No. 31221, Dec. 8, 2020>
Article 1 (Enforcement Date)
This Decree shall enter into force on December 10, 2020.
Articles 2 through 9 Omitted.
ADDENDUM <Presidential Decree No. 31247, Dec. 8, 2020>
This Decree shall enter into force on December 10, 2020: Provided, That the amended provisions of Article 35-2 (4) shall enter into force on January 1, 2021.
ADDENDUM <Presidential Decree No. 31380, Jan. 5, 2021>
This Decree shall enter into force on the date of its promulgation. (Proviso Omitted.)
ADDENDA <Presidential Decree No. 31429, Feb. 2, 2021>
Article 1 (Enforcement Date)
This Decree shall enter into force on February 5, 2021.
Articles 2 and 3 Omitted.
ADDENDUM <Presidential Decree No. 32179, Dec. 7, 2021>
This Decree shall enter into force on December 9, 2021.