ENFORCEMENT DECREE OF THE PERSONAL INFORMATION PROTECTION ACT
Presidential Decree No. 23169, Sep. 29, 2011
Amended by Presidential Decree No. 24425, Mar. 23, 2013
Presidential Decree No. 25531, Aug. 6, 2014
Presidential Decree No. 25751, Nov. 19, 2014
Presidential Decree No. 25840, Dec. 9, 2014
Presidential Decree No. 26140, Mar. 11, 2015
Presidential Decree No. 26728, Dec. 22, 2015
Presidential Decree No. 26776, Dec. 30, 2015
Presidential Decree No. 27370, Jul. 22, 2016
Presidential Decree No. 27522, Sep. 29, 2016
Presidential Decree No. 28074, May 29, 2017
Presidential Decree No. 28150, jun. 27, 2017
Presidential Decree No. 28211, Jul. 26, 2017
Presidential Decree No. 28355, Oct. 17, 2017
Presidential Decree No. 29421, Dec. 24, 2018
Presidential Decree No. 30509, Mar. 3, 2020
Presidential Decree No. 30833, Jul. 14, 2020
Presidential Decree No. 30892, Aug. 4, 2020
Presidential Decree No. 31429, Feb. 2, 2021
Presidential Decree No. 32528, Mar. 8, 2022
Presidential Decree No. 32813, Jul. 19, 2022
CHAPTER I GENERAL PROVISIONS
| Article 2 (Scope of Public Institutions) |
| 3. | Local government-invested public corporations and local government public corporations established under the Local Public Enterprises Act; |
| 4. | Special corporations incorporated under any special Act; |
| Article 3 (Scope of Visual Data Processing Devices) |
“Devices prescribed by Presidential Decree” in subparagraph 7 of Article 2 of the Act means any of the following: | 1. | A closed-circuit television means any of the following devices: |
| (a) | A device that shoots videos, etc. through a permanently installed camera at a certain place, or transmits such videos, etc. to the specified place via transmission channel of wired or wireless closed circuits, etc.; |
| (b) | A device that can videotape or record the visual information filed or transmitted under item (a); |
| 2. | A network camera means a device with which its installer or operator may collect, store, or process visual information, filmed through a permanently installed device at a certain place, via the wired or wireless Internet at any place. |
CHAPTER II PERSONAL INFORMATION PROTECTION COMMISSION
| Article 4 Deleted. <Aug. 4, 2020> |
| Article 4-2 (Prohibition on For-Profit Activities) |
The Commissioners of the Personal Information Protection Commission (hereinafter referred to as the “Protection Commission”) provided for in Article 7 (1) of the Act shall not engage in any of the following activities in accordance with Article 7-6 (1) of the Act for the purpose of making profits: | 1. | Any activity related to the matters to be deliberated and resolved by the Protection Commission in accordance with Article 7-9 (1) of the Act; |
| 2. | Any activity related to the matters to be mediated by the Personal Information Dispute Mediation Committee referred to in Article 40 (1) of the Act (hereinafter referred to as the “Dispute Mediation Committee”). |
[This Article Newly Inserted on Aug. 4, 2020]
| Article 5 (Expert Committees) |
| (1) | The Protection Commission may establish an expert committee by sector (hereinafter referred to as “expert committee”) to review in advance the matters for deliberation and resolution subject to Article 7-9 (1) of the Act in a professional manner. <Amended on Aug. 4, 2020> |
| (2) | The expert committee established under paragraph (1) shall be comprised of not more than 20 members with gender equality being taken into consideration, including one chairperson, who are designated or commissioned by the Chairperson of the Protection Commission from among the following persons; and the chairperson of the expert committee shall be designated by the Chairperson of the Protection Commission from among the expert committee members: <Amended on Jul. 22, 2016; Aug. 4, 2020> |
| 1. | Commissioners of the Protection Commission; |
| 2. | Public officials of a central administrative agency who are responsible for personal information protection-related activities; |
| 3. | Persons with abundant expertise and experience in personal information protection; |
| 4. | Persons belonging to, or recommended by, personal information protection-related organizations or trade associations. |
| (3) | Deleted. <Aug. 4, 2020> |
| Article 5-2 (Personal Information Protection Policy Council) |
| (1) | For the consistent implementation of personal information protection policies, and to facilitate consultation among the related central administrative agencies with respect to matters related to the protection of personal information, the Personal Information Protection Policy Council (hereinafter referred to as the “Policy Council”) may be established within the Protection Commission. |
| (2) | The Policy Council shall discuss the following matters: |
| 2. | The enactment and amendment of major statutes or regulations related to the protection of personal information; |
| 3. | Cooperation and coordination of opinions on major personal information protection policies; |
| 4. | The prevention of and response to incidents of infringement with respect to personal information; |
| 5. | The development of technology and professional workforce for the protection of personal information; |
| 6. | Other matters requiring consultation among relevant central administrative agencies in connection with the protection of personal information. |
| (3) | The Policy Council shall be comprised of the Senior Executive Service members of the relevant central administrative agencies or equivalent public officials in charge of the activities related to personal information protection, and they shall be appointed by the head of the relevant central administrative agencies, but the chairperson of the Policy Council (hereinafter referred to as the “Chairperson” in this Article) shall be the Vice Chairperson of the Protection Commission. |
| (4) | If necessary to do the work, the Policy Council may have working-level councils or sector-specific councils. |
| (5) | The chairpersons of the sector-specific councils and working-level councils shall be the Protection Commission’s public officials designated by the Chairperson of the Protection Commission. |
| (6) | If necessary to do the work, the Policy Council, and working-level councils and sector-specific councils may request attendance, submission of materials or opinions, or other necessary cooperation from the related agency, organization, expert, etc. |
| (7) | Except as provided in paragraphs (1) through (6), matters necessary for the operation of the Policy Council shall be determined by the chairperson through a resolution of the Policy Council. |
[This Article Newly Inserted on Aug. 4, 2020]
| Article 5-3 (City/Provincial Inter-Agency Personal Information Protection Council) |
| (1) | In order to efficiently implement personal information protection policies and strengthen autonomous protection of personal information, each Special Metropolitan City, Metropolitan City, Special Self-Governing City, Do and Special Self-Governing Province (hereinafter collectively referred to as “City/ Do”) may have a City/Do inter-agency personal information protection council (hereinafter referred to as the “City/Do Council”). |
| (2) | The City/Do Councils shall discuss the following matters: |
| 1. | Personal information protection policies of the City/Do; |
| 2. | Collection and delivery of opinions from/to related agencies/organizations; |
| 3. | Sharing of best practices on protecting personal information; |
| 4. | Other matters requiring discussion at the City/Do Councils in relation to the protection of personal information. |
| (3) | Except as provided in paragraphs (1) and (2), matters necessary for the composition and operation of a City/Do Council shall be determined by the ordinance of City/Do. |
[This Article Newly Inserted on Aug. 4, 2020]
| Article 6 (Disclosure of Proceedings) |
Meetings of the Protection Commission shall be open to the public: Provided, that a meeting may be held as a closed session, if deemed necessary by the Chairperson of the Protection Commission.
| Article 7 (Dispatch of Public Officials) |
The Protection Commission may request a public institution to dispatch a public official, executive officer, or employee who works for the public institution, where it deems necessary to carry out its functions.
| Article 8 Deleted. <Aug. 4, 2020> |
| Article 9 (Allowances for Attendance) |
A Commissioner who attends a meeting of the Protection Commission, the expert committee, or the Policy Council; or a person who attends a meeting of the Protection Commission, the expert committee, or the Policy Council pursuant to Article 7-9 (2) of the Act may be paid allowances, travel expenses, and other necessary costs within budgetary limits: Provided, that this shall not apply where any public official attends a meeting directly related with his or her own duties. <Amended on Aug. 4, 2020>
| Article 9-2 (Procedures for Advising Improvement of Policies, Systems, Statutes, and Regulations) |
| (1) | The Protection Commission shall advise the improvement of policies, systems, statutes, and regulations to the relevant agency pursuant to Article 7-9 (4) of the Act, along with the details of and reasons for such improvement. <Amended on Aug. 4, 2020> |
| (2) | The Protection Commission may request the relevant agency to submit materials about the results of the implementation of its advice in order to examine whether such advice has been implemented pursuant to Article 7-9 (5) of the Act. <Amended on Aug. 4, 2020> |
[This Article Newly Inserted on Jul. 22, 2016]
| Article 9-3 (Procedures for Assessment of Data Breach Incident Factors) |
| (1) | The head of a central administrative agency who intends to request an assessment of data breach incident factors pursuant to Article 8-2 (1) of the Act (hereinafter referred to as “assessment of data breach incident factors”) shall submit to the Protection Commission a written request (or an electronic request form) for an assessment of data breach incident factors which contains the following matters: |
| 1. | The purposes and major contents of the policy and systems in need of personal information processing to be adopted or changed by the statutes or regulations (including the draft); |
| 2. | Self-analysis of data breach incident factors with respect to the matters prescribed in paragraph (2) following the adoption and change of the policy and system in need of personal information processing; |
| 3. | Measures to protect personal information following the adoption and change of the policy and system in need of personal information processing. |
| (2) | Upon receipt of a written request under paragraph (1), the Protection Commission shall assess data breach incident factors taking into account the following matters, and shall notify the result thereof to the head of the related central administrative agency: |
| 1. | Necessity for processing personal information; |
| 2. | Appropriateness of guarantees for the rights of data subjects; |
| 3. | Security in the management of personal information; |
| 4. | Other matters necessary to assess data breach incident factors. |
| (3) | The head of a central administrative agency who has been advised as prescribed in Article 8-2 (2) of the Act shall endeavor to implement as advised, such as incorporating such advice in the relevant draft statute or regulation: Provided, that where it is impracticable to implement as advised by the Protection Commission, the reason therefor shall be notified to the Protection Commission. |
| (4) | The Protection Commission may request materials necessary to assess data breach incident factors from the head of the related central administrative agency. |
| (5) | The Protection Commission may establish guidelines necessary to assess data breach incident factors, including detailed criteria for and methods of the assessment of data breach incident factors; and shall notify the heads of central administrative agencies of the guidelines. |
| (6) | The Protection Commission may seek counsel, etc. from relevant experts where necessary to assess data breach incident factors. |
[This Article Newly Inserted on Jul. 22, 2016]
| Article 10 Deleted. <Aug. 4, 2020> |
CHAPTER III PROCEDURES TO ESTABLISH MASTER PLANS AND IMPLEMENTATION PLANS
| Article 11 (Procedures to Establish Master Plans) |
| (1) | The Protection Commission shall establish a Master Plan to protect personal information under Article 9 of the Act (hereinafter referred to as “Master Plan”) every three years by no later than June 30 of the year preceding the start of the third-year plan. <Amended on Mar. 23, 2013; Nov. 19, 2014; Jul. 22, 2016; Aug. 4, 2020> |
| (2) | To establish the Master Plan pursuant to paragraph (1), the Protection Commission may receive sub-plans by sector, in which mid- and long-term plans, policies, etc. related to personal information protection are reflected, from the heads of the related central administrative agencies, and may reflect them in the Master Plan. In such cases, the Protection Commission shall consult with the heads of the related central administrative agencies about the goals of the Master Plan, intended directions, guidelines to prepare sub-plans by sector, and other relevant matters. <Amended on Mar. 23, 2013; Nov. 19, 2014; Jul. 22, 2016> |
| (3) | Upon finalizing the Master Plan, the Protection Commission shall notify the heads of the related central administrative agencies of the Master Plan without delay. <Amended on Mar. 23, 2013; Nov. 19, 2014; Jul. 22, 2016> |
| Article 12 (Procedures to Establish Implementation Plans) |
| (1) | The Protection Commission shall develop guidelines on how to establish implementation plans for the next year by no later than June 30 each year, and notify the heads of the related central administrative agencies of such guidelines. <Amended on Mar. 23, 2013; Nov. 19, 2014; Jul. 22, 2016; Aug. 4, 2020> |
| (2) | The head of a related central administrative agency shall establish the implementation plan for the sector under his or her jurisdiction, to be implemented during the following year based upon the Master Plan according to the guidelines notified under paragraph (1); and shall submit the same to the Protection Commission by no later than September 30 each year. <Amended on Aug. 4, 2020> |
| (3) | The Protection Commission shall deliberate and resolve on the implementation plans submitted pursuant to paragraph (2) by no later than December 31 of that year. <Amended on Aug. 4, 2020> |
| Article 13 (Scope of Materials Requested and Methods of Request) |
| (1) | The Protection Commission may request materials or opinions regarding the following from a personal information controller pursuant to Article 11 (1) of the Act: <Amended on Mar. 23, 2013; Nov. 19, 2014; Jul. 22, 2016> |
| 1. | Matters concerning the management of personal information and personal information files processed by the personal information controller and the installation and operation of visual data processing devices; |
| 3. | Matters concerning technical, managerial, and physical measures to ensure the security of personal information; |
| 4. | Matters concerning access by data subjects, requests for correction, deletion, suspension of personal information processing, and the status of measures taken; |
| 5. | Other matters necessary to establish and implement a Master Plan, such as compliance with the Act and this Decree. |
| (2) | When requesting materials, opinions, etc. pursuant to paragraph (1), the Protection Commission shall request the same to the minimum extent necessary to efficiently establish and implement the Master Plan. <Amended on Mar. 23, 2013; Nov. 19, 2014; Jul. 22, 2016> |
| (3) | Paragraphs (1) and (2) shall apply mutatis mutandis where the head of a central administrative agency requests materials, etc. from a personal information controller under his or her jurisdiction pursuant to Article 11 (3) of the Act. In such cases, the “Protection Commission” shall be construed as the “head of a central administrative agency”, and “Article 11 (1) of the Act” as “Article 11 (3) of the Act”, respectively. <Amended on Mar. 23, 2013; Nov. 19, 2014; Jul. 22, 2016> |
| Article 14 (Promotion and Support of Self-Regulation) |
The Protection Commission may provide necessary support to agencies and organizations related to the protection of personal information within budgetary limits to promote self-regulating data-protection activities of personal information controllers pursuant to subparagraph 2 of Article 13 of the Act. <Amended on Mar. 23, 2013; Nov. 19, 2014; Jul. 26, 2017; Aug. 4, 2020>
CHAPTER IV PROCESSING OF PERSONAL INFORMATION
| Article 14-2 (Standards on Additional Use and Provision of Personal Information) |
| (1) | If a personal information controller uses or provides personal information (hereinafter referred to as “additional use or provision of personal information”) without the consent of the data subject in accordance with Article 15 (3) or Article 17 (4) of the Act, the personal information controller shall consider the following matters: |
| 1. | Whether it is reasonably related to the original purpose for which the personal information was collected; |
| 2. | Whether additional use or provision of personal information is foreseeable in light of the circumstances under which the personal information was collected and processing practices; |
| 3. | Whether additional use or provision of personal information does not unfairly infringe on the interests of the data subject; |
| 4. | Whether the measures required to ensure security such as pseudonymization or encryption have been taken. |
| (2) | The personal information controller shall disclose in advance the criteria for assessing the matters referred to in the subparagraphs of paragraph (1) in the Privacy Policy under Article 30 (1) of the Act, and the privacy officer under Article 31 (1) of the Act shall check whether the personal information controller is using or providing additional personal information in accordance with the relevant standards. |
[This Article Newly Inserted on Aug. 4, 2020]
| Article 15 (Control of Out-of-Purpose Use of Personal Information or Provision Thereof to Third Parties) |
Where a public institution uses personal information for other than the intended purpose, or provides it to a third party pursuant to Article 18 (2) of the Act, it shall record the following in the Register for Control of Out-of-Purpose Use or Provision of Personal Information in the form prescribed by Notification of the Protection Commission; and shall manage the Register: <Amended on Mar. 23, 2013; Nov. 19, 2014; Jul. 26, 2017; Aug. 4, 2020> | 1. | The name of the personal information or personal information file to be used or provided; |
| 2. | The name of the institution that uses, or is provided with, personal information; |
| 3. | The purpose of use or provision; |
| 4. | The statutory ground for such use or provision; |
| 5. | Particulars of personal information to be used or provided; |
| 6. | The date, frequency, or period for using or providing personal information; |
| 7. | Methods of use or provision of personal information; |
| 8. | Any limitation or necessary measure that the personal information controller has requested from the recipient pursuant to Article 18 (5) of the Act. |
| Article 15-2 (Matters subject to Notification, such as Sources of Personal Information Collected, and Methods of and Procedures for Notification) |
| (1) | “Personal information controller satisfying the criteria prescribed by Presidential Decree” in the main clause of Article 20 (2) of the Act means any of the following personal information controllers: |
| 1. | A person who processes sensitive information forest forth in Article 23 of the Act (hereinafter referred to as “sensitive information”) or personally identifiable information provided for in Article 24 (1) of the Act (hereinafter referred to as “personally identifiable information”) of at least fifty thousand data subjects; |
| 2. | A person who processes personal information of at least one million data subjects. |
| (2) | Any of the personal information controllers stated in paragraph (1) shall notify data subjects of the matters referred to in Article 20 (1) of the Act in a manner easily recognizable by the data subjects, such as in writing, or by telephone, text message or electronic mail, within three months from the date of being provided with their personal information: Provided, that where the personal information controller is regularly provided with and processes personal information at least twice a year to the extent the personal information controller has obtained consent from the data subjects prescribed in Article 17 (1) 1 of the Act about the matters prescribed in Article 17 (2) 1 through 4 of the Act, he or she shall notify the data subjects within three months from the date of being provided with their personal information, or at least once a year counting from the date of the consent. |
| (3) | Any of the personal information controllers stated in paragraph (1) who has notified under paragraph (2) shall retain and manage the following matters until the relevant personal information is destroyed pursuant to Article 21 or 37 (4) of the Act: |
| 1. | The fact that data subjects are notified; |
| 2. | When notification is made; |
| 3. | How notification is made. |
[This Article Newly Inserted on Sep. 29, 2016]
| Article 16 (Methods of Destroying Personal Information) |
| (1) | A personal information controller shall destroy personal information pursuant to Article 21 of the Act by the following methods: <Amended on Aug. 6, 2014; Jul. 19, 2022> |
| 1. | Personal information in electronic files shall be permanently deleted so that it cannot be restored: Provided, That where it is substantially impracticable to permanently delete the files due to technical characteristics, the personal information controller shall take measures to make it impossible to restore the information by treating it as information falling under Article 58-2 of the Act; |
| 2. | Other records, printouts, paper documents, and media containing personal information, other than those referred to in subparagraph 1, shall be shredded or incinerated. |
| (2) | Detailed matters concerning the safe destruction of personal information subject to paragraph (1) shall be prescribed by Notification of the Protection Commission. <Newly Inserted on Aug. 6, 2014; Nov. 19, 2014; Jul. 26, 2017; Sep. 29, 2016> |
| Article 17 (Methods of Obtaining Consent) |
| (1) | A personal information controller shall obtain consent from a data subject to the processing of his or her personal information pursuant to Article 22 of the Act by any of the following methods: |
| 1. | To issue a document stating the matters requiring consent, either in person or by mail or facsimile, to the data subject, and obtain a written consent on which the data subject has affixed his or her signature or seal; |
| 2. | To inform the data subject of the matters requiring consent, and confirm his or her intent of consent by telephone; |
| 3. | To inform the data subject of the matters requiring consent by telephone, have the data subject confirm the matters requiring his or her consent posted on a designated website, etc.; and reconfirm his or her intent of consent by telephone; |
| 4. | To post the matters requiring consent on a designated website, etc., and have the data subject express his or her consent thereto; |
| 5. | To send an electronic mail containing the matters requiring consent to the data subject, and receiving an e-mail indicating his or her consent thereto; |
| 6. | Other methods to inform the data subject of the matters requiring consent by a method similar to those referred to in subparagraphs 1 through 5 and confirm his or her intent of consent. |
| (2) | “Important matters prescribed by Presidential Decree” in Article 22 (2) of the Act means: <Newly Inserted on Oct. 17, 2017> |
| 1. | The fact that a data subject may be contacted to promote goods or services or solicit purchase thereof using the data subject’s personal information with respect to the purpose of collecting and using personal information; |
| 2. | The following matters with respect to the particulars of personal information to be processed: |
| (a) | Sensitive information as set forth in Article 18; |
| (b) | Passport numbers, driver’s license numbers, and alien registration numbers as set forth in subparagraphs 2 through 4 of Article 19; |
| 3. | The period for retaining and using personal information (in the case of provision, meaning the period for retaining and using personal information by the recipient); |
| 4. | The recipient of personal information and the purpose for which the recipient of the personal information uses such information. |
| (3) | Where a personal information controller intends to obtain consent from a data subject under Articles 18 (2) 1 and 22 (4) of the Act or consent to the matters for optional consent under Article 22 (3) of the Act, the personal information controller shall distinguish the matters for optional consent from the other matters so that the data subject may clearly recognize his or her right to such optional consent. <Newly Inserted on Dec. 30, 2015; Oct. 17, 2017> |
| (4) | To obtain consent from the legal representative of a child under 14 years of age pursuant to Article 22 (6) of the Act, a personal information controller may collect information on the name and contact information of the legal representative directly from such child. <Amended on Dec. 30, 2015; Oct. 17, 2017> |
| (5) | The head of a central administrative agency may, from the various methods of consent stated in paragraph (1), advise personal information controllers to obtain consent based on standards on the appropriate receipt of consent established through the personal information protection guidelines (hereinafter referred to as “personal information protection guidelines”) as set forth under Article 12 (2) of the Act in consideration of the activities of each personal information controller under his or her jurisdiction, the characteristics of their business, the number of data subjects, etc. <Newly Inserted on Dec. 30, 2015; Oct. 17, 2017> |
| Article 18 (Scope of Sensitive Information) |
“Information prescribed by Presidential Decree” in the main clause, with the exception of the subparagraphs, of Article 23 (1) of the Act means the following data or information: Provided, that where the public institutions process any of the following data or information pursuant to Article 18 (2) 5 through 9 of the Act, the said information shall be excluded herefrom: <Amended on Sep. 29, 2016; Aug. 4, 2020> | 1. | DNA information acquired from genetic testing, etc.; |
| 3. | Personal information resulting from specific technical processing of data relating to the physical, physiological or behavioral characteristics of an individual for the purpose of uniquely identifying that individual; |
| 4. | Personal information revealing racial or ethnic origin. |
| Article 19 (Scope of Personally Identifiable Information) |
“Information prescribed by Presidential Decree” in the provisions, with the exception of the subparagraphs, of Article 24 (1) of the Act means any of the following information: Provided, that such information does not include any of the following information processed by the public institutions pursuant to Article 18 (2) 5 through 9 of the Act: <Amended on Sep. 29, 2016; Jun. 27, 2017; Aug. 4, 2020>
| Article 20 Deleted. <Aug. 6, 2014> |
| Article 21 (Measures to Ensure Security of Personally Identifiable Information) |
| (2) | “Personal information controller meeting the criteria prescribed by Presidential Decree” in Article 24 (4) of the Act means any of the following personal information controllers: |
| 2. | A person who processes personally identifiable information of at least 50 thousand data subjects. |
| (3) | The Protection Commission shall inspect, at least once every two years, whether the personal information controllers provided for in paragraph (2) have taken necessary measures to ensure security pursuant to Article 24 (4) of the Act. <Amended on Jul. 26, 2017; Aug. 4, 2020> |
| (4) | The inspection referred to in paragraph (3) shall be conducted by requiring the personal information controllers provided for in paragraph (2) to submit necessary material online or in writing. |
| (5) | “Specialized institutions prescribed by Presidential Decree” in Article 24 (5) of the Act means any of the following institutions: <Amended on Jul. 26, 2017; Aug. 4, 2020> |
| 2. | A corporation, organization, or institution determined and prescribed by Notification of the Protection Commission as deemed to have technical and financial capacity and equipment to conduct the inspection pursuant to Article 24 (4) of the Act. |
[This Article Wholly Amended on Sep. 29, 2016]
| Article 21-2 (Persons Who Must Encrypt Resident Registration Numbers) |
| (1) | Any personal information controller who retains resident registration numbers by electronic means shall take encryption measures pursuant to Article 24-2 (2) of the Act. |
| (2) | The encryption of resident registration numbers by a personal information controller under paragraph (1) shall start from one of the following dates: |
| 1. | As to the personal information controllers who retain the resident registration numbers of less than one million data subjects: January 1, 2017; |
| 2. | As to the personal information controllers who retain the resident registration numbers of at least one million data subjects: January 1, 2018. |
| (3) | The Protection Commission may determine and publicly notify the detailed matters regarding encryption measures under paragraph (1), taking into account the technical and economic feasibility and other factors. <Amended on Jul. 26, 2017; Aug. 4, 2020> |
[This Article Newly Inserted on Dec. 30, 2015]
| Article 22 (Exception to Limitation to Installation and Operation of Visual Data Processing Devices) |
| (1) | “Facilities prescribed by Presidential Decree” in the proviso of Article 25 (2) of the Act means the following facilities: <Amended on May 29, 2017; Aug. 4, 2020> |
| 1. | Correctional facilities defined in subparagraph 1 of Article 2 of the Execution of Sentences and Treatment of Inmates; |
| (2) | The head of a central administrative agency may establish a Privacy Policy which includes the detailed matters necessary to minimize infringement of the privacy of data subjects; and may encourage the personal information controllers under his or her jurisdiction to comply with the Privacy Policy when they install and operate visual data processing devices at the facilities referred to in paragraph (1) pursuant to the proviso of Article 25 (2) of the Act. |
| Article 23 (Gathering Opinions on Installation of Visual Data Processing Devices) |
| (1) | The head of a public institution that intends to install and operate visual data processing devices pursuant to Article 25 (1) of the Act shall gather opinions from relevant experts and interested parties through any of the following procedures: |
| 2. | To hold an information session or to conduct a survey or polling with respect to the neighborhood residents, etc. directly affected by the installation of that visual data processing devices. |
| (2) | A person who intends to install and operate visual data processing devices at the facilities subject to the proviso of Article 25 (2) of the Act shall gather opinions from the following persons: |
| 2. | Persons working in the relevant facilities, persons detained or accommodated in the relevant facilities, or interested parties, including the guardians of such persons. |
| Article 24 (Posting of Notice on Signboard) |
| (1) | A person who installs and operates visual data processing devices pursuant to Article 25 (1) of the Act (hereinafter referred to as “VDPD operator”) shall post the matters referred to in Article 25 (4) of the Act on a signboard so that data subjects may recognize with ease that such devices are in operation: Provided, that a signboard, indicating the operation of visual data processing devices in the pertinent facilities and whole area, may be posted at the entry and other easily noticeable place where a multitude of visual data processing devices are installed in a building: <Amended on Sep. 29, 2016> |
| 1. | Deleted; <Sep. 29, 2016> |
| 2. | Deleted; <Sep. 29, 2016> |
| 3. | Deleted. <Sep. 29, 2016> |
| (2) | Notwithstanding paragraph (1), where any of the following applies to a visual data processing device installed and operated by a VDPD operator, the VDPD operator may post the matters referred to in Article 25 (4) of the Act on its website, instead of posting them on the signboard: <Amended on Sep. 29, 2016> |
| 1. | Where the visual data processing devices is installed by a public institution for the purpose of long range filming, over-speed and traffic signal violation enforcement service, or traffic flow survey and the possibility of infringement with respect to personal information is significantly low; |
| 2. | Where a signboard cannot be posted because of terrain characteristics or is not easily noticeable by data subjects even if posted, e.g., a visual data processing device installed for surveillance of mountain fire. |
| (3) | If the matters referred to in Article 25 (4) of the Act cannot be posted on a website under paragraph (2), a VDPD operator shall make public the said matters in one or more of the following manners: <Amended on Sep. 29, 2016; Aug. 2020> |
| 1. | Posting at easily noticeable places of the VDPD operator’s workplace, business premise, office, shop, etc. (hereinafter referred to as “workplace, etc.”); |
| 2. | Publishing them in the Official Gazette (only in case the VDPD operator is a public institution) or a general daily newspaper, weekly newspaper or online newspaper, as defined in subparagraphs 1 (a) and (c), or 2 of Article 2 of the Act on the Promotion of Newspapers circulating mainly over the Special Metropolitan City, Metropolitan City, Do, or Special Self-Governing Province (hereinafter referred to as “City/ Do”) where the VDPD operator’s workplace is located. |
| (4) | “Facilities prescribed by Presidential Decree” in the proviso, with the exception of the subparagraphs, of Article 25 (4) of the Act means the national security facilities provided for in Article 32 of the Regulations on Security Work. <Amended on Sep. 29, 2016> |
| Article 25 (Policy on Operation and Management of Visual Data Processing Devices) |
| (1) | Each VDPD operator shall establish a policy to operate and manage visual data processing devices including the following matters pursuant to Article 25 (7) of the Act: |
| 1. | The statutory ground and purpose to install the visual data processing devices; |
| 2. | The number of visual data processing devices installed, the locations of installation and the scope of filming; |
| 3. | The manager and department in charge, and the person who is entitled to access the visual information; |
| 4. | The duration of filming, retention period, retention place and processing method of the visual information; |
| 5. | How and where the VDPD operator checks the visual information; |
| 6. | The measures taken to deal with the data subject’s request to access the visual information; |
| 7. | The technical, managerial and physical safeguards to protect the visual information; |
| 8. | Other matters necessary to install, operate, and manage the visual data processing devices. |
| (2) | Article 31 (2) and (3) shall apply mutatis mutandis to the disclosure of the policy to operate and manage visual data processing devices established pursuant to paragraph (1). In such cases, “personal information controller” shall be construed as “VDPD operator”, “Article 30 (2) of the Act” as “Article 25 (7) of the Act”, and “Privacy Policy” as “policy to operate and manage visual data processing devices”, respectively. <Amended on Sep. 29, 2016> |
| Article 26 (Outsourcing of Installation and Operation of Visual Data Processing Devices by Public Institutions) |
| (1) | Where a public institution outsources the installation and operation of visual data processing devices to a third party pursuant to the proviso of Article 25 (8) of the Act, it shall do so in writing stating the following: |
| 1. | The purpose and scope of outsourced work; |
| 2. | Matters concerning limitation to re-outsourcing; |
| 3. | Matters concerning the measures to ensure security, including limitation to access to visual data; |
| 4. | Matters concerning the inspection of the status of visual data retained; |
| 5. | Matters concerning damage liability in case of breach of contractual obligation on the part of the outsourcee. |
| (2) | Where work is outsourced pursuant to paragraph (1), the name and contact information of the outsourcee shall be posted on the signboard, etc. referred to in Article 24 (1) through (3). |
| Article 27 (Guidelines for Installing and Operating Visual Data Processing Devices) |
Except as provided in the Act and this Decree, the Protection Commission may establish the Standard Personal Information Protection Guidelines referred to in Article 12 (1) of the Act regarding the standards for installing and operating visual data processing devices or outsourcing their installation and operation; and may advise VDPD operators to comply with the Standard Guidelines. <Amended on Mar. 23, 2013; Nov. 19, 2014; Jul. 26, 2017; Aug. 4, 2020>
| Article 28 (Measures to be Taken when Outsourcing Personal Information Processing) |
| 1. | The purpose and scope of outsourced work; |
| 2. | Matters concerning limitation to re-outsourcing; |
| 3. | Matters concerning measures to ensure security, including limitation to access to personal information; |
| 4. | Matters concerning supervision and inspection of the status of management of personal information retained in relation to outsourced work; |
| 5. | Matters concerning liability, such as compensation for damages caused by a breach of contractual obligations on the part of an outsourcee under Article 26 (2) of the Act (hereinafter referred to as “outsourcee”). |
| (2) | “Manner prescribed by Presidential Decree” in Article 26 (2) of the Act means the method wherein a personal information controller that has outsourced personal information processing (hereinafter referred to as “outsourcer”) continuously posts details of the outsourced work and the outsourcee on its website. |
| (3) | Where it is impossible to post on the website as prescribed in paragraph (2), the outsourcer shall make public the outsourced work and the outsourcee in one or more of the following manners: |
| 1. | Posting at easily noticeable places of the outsourcer’s workplace, etc.; |
| 2. | Publishing in the Official Gazette (only where the outsourcer is a public institution) or a general daily newspaper, weekly newspaper, or online newspaper, as defined in subparagraphs 1 (a) and (c) and 2 of Article 2 of the Act on the Promotion of Newspapers which mainly covers the City/Do where the outsourcer’s workplace, etc. is located; |
| 3. | Publishing at a periodical, newsletter, PR magazine, or invoice to be published under the same title at least twice annually and distributed to data subjects on a continual basis; |
| 4. | Stipulating in an agreement, etc. for the supply of goods and services executed between the outsourcer and the data subjects and providing a copy of the same to the data subject. |
| (4) | “Manners prescribed by Presidential Decree” in the former part of Article 26 (3) of the Act means in writing, or by electronic mail, facsimile, telephone, or text message, or by other equivalent manners (hereinafter referred to as “in writing, etc.”). |
| (5) | Where an outsourcer is unable to inform the data subjects of the outsourced work and the outsourcee in the manner stated in paragraph (4) without its negligence, the outsourcer shall post the relevant matters on its website for at least 30 days: Provided, that an outsourcer who has no website shall post them at easily noticeable places of its workplace, etc. for at least 30 days. |
| (6) | Where an outsourcee processes personal information, the outsourcer shall supervise whether the outsourcee complies with the obligations of a personal information controller provided for in the Act and this Decree and the matters referred to in Article 26 (1) of the Act, pursuant to Article 26 (4) of the Act. |
| Article 29 (Notification of Transfer of Personal Information Following Business Transfer) |
| (2) | Where a person who intends to transfer personal information pursuant to Article 27 (1) of the Act (hereinafter referred to as “business transferor, etc.” in this Article) fails to inform the data subjects of the matters stated in Article 27 (1) of the Act in the manner stated in paragraph (1) without his or her negligence, the person shall post the relevant matters on the website for at least 30 days: Provided, that if there is a good reason for not being able to post the required information on its website, the business transferor, etc. may inform the data subjects of the matters stated in each subparagraph of Article 27 (1) of the Act through any of the following methods: <Amended on Aug. 4, 2020> |
| 1. | Posting the information at easily noticeable places of the workplace, etc. of the business transferor, etc. for at least 30 days; |
| 2. | Publishing the information in a general daily newspaper, weekly newspaper, or online newspaper, as defined in subparagraphs 1 (a) and (c) or 2 of Article 2 of the Act on the Promotion of Newspapers which mainly covers the City/Do where the business transferor, etc.’s workplace, etc. is located. |
CHAPTER IV-II SPECIAL CASES CONCERNING PROCESSING OF PSEUDONYMIZED INFORMATION
| Article 29-2 (Designation and Cancellation of Designation of Expert Data Combination Agency) |
| (1) | The standards for the designation of an expert agency (hereinafter referred to as “Expert Data Combination Agency”) pursuant to Article 28-3 (1) of the Act shall be as follows: |
| 1. | Under Notification prescribed by the Protection Commission, the agency shall have formed an organization responsible for the combination and release of pseudonymized information and employed at least three full-time personnel with qualifications or experience relating to personal information protection; |
| 2. | Under Notification prescribed by the Protection Commission, the agency shall have set up space, facilities and equipment necessary to combine pseudonymized information safely and prepared policies and procedures relating to the combination and release of pseudonymized information; |
| 3. | Under Notification prescribed by the Protection Commission, the agency shall have financial capabilities; |
| (2) | Any corporation, organization, or institution intending to be designated as an Expert Data Combination Agency pursuant to Article 28-3 (1) of the Act shall submit to the head of the Protection Commission or the related central administrative agency an application for the Designation of Expert Data Combination Agency prescribed by Notification of the Protection Commission with the following documents attached (including electronic documents; the same shall apply hereinafter): |
| 1. | Articles of incorporation or bylaws; |
| 2. | Documents prescribed and notified by the Protection Commission supporting that the agency satisfies the designation standards under paragraph (1). |
| (3) | The head of the Protection Commission or related central administrative agency may designate the corporation, organization, or institution which submitted the application for the Designation of Expert Data Combination Agency under paragraph (2) as an Expert Data Combination Agency if it satisfies the designation standards under paragraph (1). |
| (4) | Designation as an Expert Data Combination Agency shall be effective for three years from the date of designation, and if the Expert Data Combination Agency requests extension of the effective period, and such request satisfies the designation standards under paragraph (1), the head of the Protection Commission or the related central administrative agency may re-designate it as an Expert Data Combination Agency. |
| (5) | If the Expert Data Combination Agency falls under any of the following, the head of the Protection Commission or related central administrative agency may cancel the designation of the Expert Data Combination Agency: Provided, that in the cases of subparagraph 1 or 2, designation shall be canceled: |
| 1. | If the agency has received the designation by fraud or improper means; |
| 2. | If the agency voluntarily requests cancellation of its designation or discontinues its business; |
| 3. | If the agency becomes non-compliant with the standards for designation of an Expert Data Combination Agency under paragraph (1); |
| 4. | If an incident of infringement with respect to personal information, including divulgence of information, occurs in connection with data combination, release, etc.; |
| 5. | If the agency otherwise violates any obligation under the Act or this Decree. |
| (6) | The head of the Protection Commission or related central administrative agency shall hold a hearing when seeking to cancel the designation of an Expert Data Combination Agency in accordance with paragraph (5). |
| (7) | The head of the Protection Commission or related central administrative agency shall publicly announce any designation, re-designation or cancellation of designation of an Expert Data Combination Agency in the Official Gazette or the websites of the Protection Commission or related central administrative agency. In such cases, if the head of the related central administrative agency designated, re-designated, or canceled the designation of any Expert Data Combination Agency, the head of the central administrative agency shall notify the Protection Commission of the same. |
| (8) | Except as provided in paragraphs (1) through (7), matters necessary in connection with the designation, re-designation and cancellation of designation of an Expert Data Combination Agency shall be prescribed by Notification of the Protection Commission. |
[This Article Newly Inserted on Aug. 4, 2020]
| Article 29-3 (Combination and Release of Pseudonymized Information Processed by Different Personal Information Controllers) |
| (1) | Any personal information controller intending to request an Expert Data Combination Agency to combine pseudonymized information (hereinafter referred to as “Applicant”) shall submit the data combination request in the form prescribed by Notification of the Protection Commission, together with the following documents, to the relevant Expert Data Combination Agency: |
| 1. | Documents related to the Applicant such as business registration certificate, certified copy of register of corporation, etc.; |
| 2. | Documents related to the pseudonymized information for combination; |
| 3. | Documents proving the purpose of combination; |
| 4. | Other documents prescribed by Notification of the Protection Commission’s notification as necessary for combining and releasing pseudonymized information. |
| (2) | Any Expert Data Combination Agency intending to combine pseudonymized information under Article 28-3 (1) of the Act shall make sure that the combined information does not identify a particular individual. In such cases, the Protection Commission may make the Korea Internet and Security Agency or other agencies designated by Notification of the Protection Commission assist with relevant work necessary to make a particular individual unidentifiable. |
| (3) | The Applicant that intends to take the information which was combined by the Expert Data Combination Agency pursuant to Article 28-3 (2) of the Act out of the Expert Data Combination Agency shall pseudonymize or otherwise process the information combined pursuant to paragraph (2) as the information under Article 58-2 of the Act at a place which was established within the Expert Data Combination Agency and underwent the necessary technical, managerial and physical measures required to ensure security and receive permission therefor from the Expert Data Combination Agency. |
| (4) | The Expert Data Combination Agency shall permit the release pursuant to Article 28-3 (2), if each of the following standards are met. In such cases, the Expert Data Combination Agency shall form a Release Review Committee to grant permission for release of combined information: |
| 1. | There is a relationship between the purpose of combination and the released information; |
| 2. | It is not possible to identify any particular individual using such information; |
| 3. | A security plan is established with regard to the released information. |
| (5) | The Expert Data Combination Agency may charge the Applicant for the costs necessary for the combination, release, etc. of information. |
| (6) | Except as provided in paragraphs (1) through (5), the procedures and methods of combining pseudonymized information, release of combined information and permission therefor, shall be set forth in Notification of the Protection Commission. |
[This Article Newly Inserted on Aug. 4, 2020]
| Article 29-4 (Management, and Supervision of Expert Data Combination Agency) |
| (1) | Any head of the Protection Commission or related central administrative agency who has designated an Expert Data Combination Agency shall manage and supervise, among others, whether the Expert Data Combination Agency has maintained the work performance capacity, technologies and facilities required. |
| (2) | The Expert Data Combination Agency shall submit to the head of the Protection Commission or the related central administrative agency the following documents every year for the management and supervision pursuant to paragraph (1): |
| 1. | Report on the combination and release of pseudonymized information; |
| 2. | Documents supporting that the agency continues to meet the standards for designation as an Expert Data Combination Agency; |
| 3. | Documents prescribed by Notification of the Protection Commission supporting that the agency has taken measures to secure the security of pseudonymized information. |
| (3) | The Protection Commission shall manage/supervise the following matters: |
| 1. | The Expert Data Combination Agency’s violation of law in the process of approving the combination and release of pseudonymized information; |
| 2. | The Applicant’s processing status with respect to pseudonymized information; |
| 3. | Other necessary matters required for the safe processing of pseudonymized information prescribed by Notification of the Protection Commission. |
[This Article Newly Inserted on Aug. 4, 2020]
| Article 29-5 (Measures to Ensure Security of Pseudonymized Information) |
| (1) | A personal information controller shall implement the following security measures for pseudonymized information and additional information to restore pseudonymized information to the original state (hereinafter in this Article referred to as “additional information”) in accordance with Article 28-4 (1) of the Act: <Amended on Feb. 2, 2021> |
| 2. | Separate storage of pseudonymized information and additional information: Provided, That any unnecessary additional information shall be destroyed; |
| 3. | Separation of access rights to pseudonymized information and additional information: Provided, That if the personal information controller finds it difficult to separate access rights due to good reason such as the personal information controller being a micro enterprise defined in Article 2 of the Framework Act on Micro Enterprises which cannot afford an additional employee to handle pseudonymized information, it shall manage and control access rights by granting the minimum degree of access necessary to do the work and recording the status of access rights granted. |
| 1. | Purpose of processing pseudonymized information; |
| 2. | Items of pseudonymized personal information; |
| 3. | Use history of pseudonymized information; |
| 4. | Recipient of pseudonymized information provided by a third party; |
| 5. | Other matters prescribed by Notification of the Protection Commission as deemed necessary for the management of the processing of pseudonymized information. |
[This Article Newly Inserted on Aug. 4, 2020]
| Article 29-6 (Standards on Imposition of Penalty Surcharges with Respect to Processing of Pseudonymized Information) |
| (1) | The sales under Article 28-6 (1) of the Act shall refer to the relevant personal information controller’s annual average sales revenue over the previous three business years: Provided, That if three years have not passed since the commencement of business as of the first day of the relevant business year, the total sales shall be the amount calculated by converting the sales revenue from the commencement of business until the end of the immediately preceding business year into the annual average sales revenue, and if the personal information controller has commenced business during the business year in which the violation occurs, the total sales shall be the amount calculated by converting the sales revenue from the commencement date of business until the date of violation into annual sales revenue. |
| 1. | The personal information controller has no sales because it fails to commence, or suspended, etc. its business; |
| 2. | It is difficult to objectively calculate the sales revenue because the sales materials are lost or damaged due to a disaster, etc. |
| (3) | If the Protection Commission is in need of financial statements or other materials to calculate the sales revenue under paragraph (1), the Protection Commission may request the personal information controller to submit the relevant materials within a certain period not exceeding 20 days. |
| (4) | The standards and procedures for calculating the penalty surcharges under Article 28-6 (1) of the Act shall be specified in attached Table 1. |
[This Article Newly Inserted on Aug. 4, 2020]
CHAPTER V SAFEGUARD OF PERSONAL INFORMATION
| Article 30 (Measures to Ensure Security of Personal Information) |
| (1) | Each personal information controller shall take the following measures to ensure security pursuant to Article 29 of the Act: |
| 1. | To formulate and implement an internal management plan for the safe processing of personal information; |
| 2. | To control access to personal information and restrict the authority to access personal information; |
| 3. | To adopt encryption technology to safely store and transmit personal information and other equivalent measures; |
| 4. | To retain login records to respond to incidents of infringement with respect to personal information and to take measures to prevent the forgery and falsification thereof; |
| 5. | To install and upgrade security programs to protect personal information; |
| 6. | To take physical measures, such as a storage or locking system, to keep personal information safely. |
| (2) | The Protection Commission may provide necessary assistance, such as building a system with which personal information controllers can take the measures to ensure security pursuant to paragraph (1). <Amended on Mar. 23, 2013; Nov. 19, 2014; Jul. 26, 2017; Aug. 4. 2020> |
| (3) | Detailed standards for the measures to ensure security under paragraph (1) shall be prescribed by Notification of the Protection Commission. <Amended on Mar. 23, 2013; Nov. 19, 2014; Jul. 26, 2017; Aug. 4, 2020> |
| Article 31 (Details of Privacy Policy and Methods for Disclosure Thereof) |
| (1) | “Matters prescribed by Presidential Decree” in Article 30 (1) 8 of the Act means the following: <Amended on Sep. 29, 2016; Aug. 4, 2020> |
| 1. | Particulars of personal information to be processed; |
| 2. | Deleted; <Aug. 4, 2020> |
| 3. | Matters concerning measures to ensure the security of personal information subject to Article 30 or Article 48-2. |
| (2) | A personal information controller shall post continuously the Privacy Policy established or modified pursuant to Article 30 (2) of the Act on its website. |
| (3) | Where it is impossible to post the Privacy Policy on the website as prescribed in paragraph (2), the personal information controller shall make public the established or modified Privacy Policy in at least one of the following manners: |
| 1. | Posting at easily noticeable location of the personal information controller’s workplace, etc.; |
| 2. | Publishing in the Official Gazette (only in case the personal information controller is a public institution) or general daily newspaper, weekly newspaper, or online newspaper, as defined in subparagraphs 1 (a) and (c) and 2 of Article 2 of the Act on the Promotion of Newspapers circulating mainly over the City/Do where the personal information controller’s workplace, etc. is located; |
| 3. | Publishing at a periodical, newsletter, PR magazine, or invoice to be published under the same title at least twice a year and distributed to data subjects on a continual basis; |
| 4. | Stipulating in an agreement, etc. for the supply of goods and services executed between the personal information controller and the data subjects and providing a copy of the same to the data subject. |
| Article 32 (Function of Privacy Officer and Requirements for Designation) |
| 2. | To manage materials related to the protection of personal information; |
| 3. | To destroy personal information whose purpose of processing is attained or retention period expires. |
| (2) | A personal information controller shall designate a privacy officer pursuant to Article 31 (1) of the Act according to the following classifications: <Amended on Jul. 22, 2016> |
| 1. | Public institutions: Public officials, etc. who satisfy the below standards: |
| (a) | The administrative bodies of the National Assembly, the Court, the Constitutional Court, and the National Election Commission; and central administrative agencies: A member of the Senior Executive Service (hereinafter referred to as “senior executive”) or equivalent public official; |
| (b) | Other national agencies than item (a), headed by a public official in political service: A public official of Grade III or higher (including a senior executive) or equivalent thereto; |
| (c) | Other national agencies than items (a) and (b), headed by a senior executive, a Grade III or higher public official, or an equivalent public official: A public official of Grade IV or higher or equivalent thereto; |
| (d) | Other national agencies than items (a) through (c) (including their affiliated bodies): The head of a department in charge of the work related to personal information processing in the relevant agency; |
| (e) | City/Do, City/Do Offices of Education: A public official of Grade III or higher or equivalent thereto; |
| (f) | Si/Gun or autonomous Gu: A public official of Grade IV or equivalent thereto; |
| (g) | Schools of each level referred to in subparagraph 5 of Article 2: A person who takes overall control of the administrative affairs of the relevant school; |
| (h) | Other public institutions than items (a) through (g): The head of a department in charge of the work related to personal information processing in the relevant institution: Provided, That where the heads of at least two departments are in charge of the work related to personal information processing, the head of the relevant institution shall designate the privacy officer from among them; |
| 2. | An institution other than public institutions: Any of the following persons: |
| (a) | The business owner or representative; |
| (b) | An executive officer (or the head of a department in charge of the work related to personal information processing, if no executive officer exists). |
| (3) | Notwithstanding paragraph (2), if the personal information controller is a micro enterprise defined in Article 2 of the Framework Act on Micro Enterprises, it shall be deemed that the enterprise owner or representative has been designated as the privacy officer without separate designation: Provided, that this shall not apply if the personal information controller has separately designated a privacy officer. <Newly Inserted on Aug. 4, 2020; Feb. 2, 2021> |
| (4) | The Protection Commission may provide necessary assistance, such as developing and providing educational programs for privacy officers so that they may efficiently perform the functions provided for in Article 31 (2) of the Act. <Amended on Mar. 23, 2013; Nov. 19, 2014; Jul. 26, 2017; Aug. 4, 2020> |
| Article 33 (Registered Items of Personal Information Files) |
| 1. | The name of the public institution that operates personal information files; |
| 2. | The number of data subjects whose personal information is retained in personal information files; |
| 3. | The department in charge of the work related to personal information processing in the relevant public institution; |
| 4. | The department that receives and processes requests for access to personal information pursuant to Article 41; |
| 5. | The scope of personal information to which access can be limited or denied pursuant to Article 35 (4) of the Act, among personal information in personal information files, and the grounds for limitation or denial. |
| Article 34 (Registration, and Disclosure of Personal Information Files) |
| (1) | The head of a public institution that operates personal information files shall apply for registration of the matters provided for in Article 32 (1) of the Act and Article 33 of this Decree (hereinafter referred to as “registered matters”) to the Protection Commission within 60 days from the date it starts operating the personal information files, as prescribed by Notification of the Protection Commission. The same shall also apply to any modification of registered matters. <Amended on Mar. 23, 2013; Nov. 19, 2014; Jul. 26, 2017; Aug. 4, 2020> |
| (2) | The Protection Commission shall post the status of personal information files registered pursuant to Article 32 (4) of the Act on the Protection Commission’s website. <Amended on Mar. 23, 2013; Nov. 19, 2014; Jul. 26, 2017; Aug. 4, 2020> |
| (3) | The Protection Commission may build and operate a system so that the registration or modification of the registered matters, referred to in paragraph (1), of personal information files may be electronically processed. <Amended on Mar. 23, 2013; Nov. 19, 2014; Jul. 26, 2017; Aug. 4, 2020> |
| Article 34-2 (Criteria, Method, and Procedure for Certification of Personal Information Protection) |
| (1) | The Protection Commission shall determine and publicly notify the criteria for certification referred to in Article 32-2 (1) of the Act, including the establishment of managerial, technical, and physical safeguards to protect personal information, taking into account the matters provided for in Article 30 (1) and Article 48-2 (1). <Amended on Jul. 26, 2017; Aug. 4, 2020> |
| (2) | A person who intends to obtain certification of personal information protection pursuant to Article 32-2 (1) of the Act (hereafter in this Article and Article 34-3, referred to as “applicant”), shall submit an application (including an electronic application) for certification of personal information protection which includes the following matters to an institution specializing in the certification of personal information protection referred to in Article 34-6 (hereinafter referred to as “certification institution”): |
| 1. | A list of personal information processing systems subject to certification; |
| 2. | Methods and procedures for establishing and operating the personal information protection system; |
| 3. | A list of documents related to the personal information protection system and the implementation of safeguards. |
| (3) | Upon receipt of an application for certification pursuant to paragraph (2), a certification institution shall consult with the applicant regarding the scope, time schedule, etc. of certification. |
| (4) | An examination to certify personal information protection under Article 32-2 (1) of the Act shall be either a paper-based examination or an on-site examination conducted by the certification examiners for personal information protection subject to Article 34-8. |
| (5) | Each certification institution shall establish and operate a certification committee comprised of members with considerable knowledge and experience in information protection to deliberate on the results of examinations for certification conducted pursuant to paragraph (4). |
| (6) | Except as provided in paragraphs (1) through (5), detailed matters necessary for certification of personal information protection, including filing an application for certification, examination for certification, establishment and operation of the certification committee, and issuance of certificates, shall be prescribed by Notification of the Protection Commission. <Amended on Jul. 26, 2017; Aug. 4, 2020> |
[This Article Newly Inserted on Jul. 22, 2016]
| Article 34-3 (Fees for Certification of Personal Information Protection) |
| (1) | Each applicant shall pay a fee incurred in examining certification of personal information protection to the certification institution. |
| (2) | The Protection Commission shall provide Notification of the detailed standards for calculating fees referred to in paragraph (1), based upon the number of certification examiners required for examining certification of personal information protection, number of days necessary to examine certification, and other relevant matters. <Amended on Jul. 26, 2017; Aug. 4, 2020> |
[This Article Newly Inserted on Jul. 22, 2016]
| Article 34-4 (Revocation of Certification) |
| (1) | A certification institution that intends to revoke certification of personal information protection pursuant to Article 32-2 (3) of the Act shall submit the case for deliberation and resolution by the certification committee established under Article 34-2 (5). |
| (2) | Upon revoking certification pursuant to Article 32-2 (3) of the Act, the Protection Commission or the certification institution shall notify the affected party of such revocation; and shall publicly announce or post the same in the Official Gazette or on the certification institution’s website. <Amended on Jul. 26, 2017; Aug. 4, 2020> |
[This Article Newly Inserted on Jul. 22, 2016]
| Article 34-5 (Follow-up Management of Certification) |
| (1) | An examination for follow-up management subject to Article 32-2 (4) of the Act shall be either a paper-based examination or an on-site examination. |
| (2) | Where a certification institution discovers any of the causes provided for in Article 32-2 (3) of the Act through its follow-up management pursuant to paragraph (1), the certification institution shall submit the case for deliberation by the certification committee established under Article 34-2 (5) for deliberation; and shall notify the Protection Commission of the results of such deliberation. <Amended on Jul. 26, 2017; Aug. 4, 2020> |
[This Article Newly Inserted on Jul. 22, 2016]
| Article 34-6 (Institutions Specializing in Certifying Personal Information Protection) |
| (1) | “Specialized institutions prescribed by Presidential Decree” in Article 32-2 (5) of the Act means the following: <Amended on Sep. 29, 2016; Jul. 26, 2017; Aug. 4, 2020> |
| 1. | The Korea Internet and Security Agency; |
| 2. | A corporation or an organization or institution designated by Notification of the Protection Commission among the corporations, organizations or institutions that satisfy all of the following requirements: |
| (a) | To have at least five certification examiners for personal information protection referred to in Article 34-8; |
| (b) | To have been qualified by the Protection Commission through an examination of requirements and capacity for performing its work. |
| (2) | Detailed criteria, etc. necessary for designating a corporation, organization or institution referred to in paragraph (1) 2 and revocation of such designation shall be determined by Notification of the Protection Commission. <Amended on Jul. 26, 2017; Aug. 4, 2020> |
[This Article Newly Inserted on Jul. 22, 2016]
| Article 34-7 (Certification Mark and Promotion) |
Where a person who has obtained certification pursuant to Article 32-2 (6) of the Act intends to indicate or promote the certification, the person may use the personal information protection mark prescribed by Notification of the Protection Commission. In such cases, the person shall also indicate the scope and term of validity of the certification in the personal information protection mark. <Amended on Jul. 26, 2017; Aug. 4, 2020> [This Article Newly Inserted on Jul. 22, 2016]
| Article 34-8 (Qualifications for Certification Examiners for Personal Information Protection and Grounds for Disqualification) |
| (1) | A certification institution shall qualify persons with expertise in personal information protection, who pass an examination after having completed a specialized educational program necessary for certification examinations, as certification examiners for personal information protection (hereinafter referred to as “certification examiners”) pursuant to Article 32-2 (7) of the Act. |
| (2) | A certification institution may disqualify a certification examiner pursuant to Article 32-2 (7) of the Act in any of the following cases: Provided, that the certification examiner must be disqualified in cases falling under subparagraph 1: |
| 1. | Where the certification examiner has been qualified by fraud or other unjust means; |
| 2. | Where the certification examiner has received money, goods, or other profits in relation to the examination for certification of personal information protection; |
| 3. | Where the certification examiner has divulged any information acquired in the course of examining the certification of personal information protection, or has used such information for other than the purpose for work without good cause. |
| (3) | Detailed matters concerning completion of the specialized educational programs, qualification and disqualification as certification examiners, and other relevant matters under paragraphs (1) and (2) shall be prescribed by Notification the Protection Commission. <Amended on Jul. 26, 2017; Aug. 4, 2020> |
[This Article Newly Inserted on Jul. 22, 2016]
| Article 35 (Object of Privacy Impact Assessment) |
“Personal information files meeting the criteria prescribed by Presidential Decree” in Article 33 (1) of the Act means any of the following personal information files that can be processed electronically: <Amended on Sep. 29, 2016> | 1. | Personal information files that will be established, operated, or modified, and contain sensitive information or personally identifiable information of at least 50 thousand data subjects for processing; |
| 2. | Personal information files that is established and operated, and will be matched with other personal information files being established and operated inside or outside the relevant public institution, and, as a result of matching, will contain the personal information of at least 500 thousand data subjects; |
| 3. | Personal information files that will be established, operated, or modified, and contain the personal information of at least one million data subjects; |
| 4. | Personal information files whose operating system, including the data retrieval system, will be changed after the privacy impact assessment under Article 33 (1) of the Act (hereinafter referred to as “privacy impact assessment”). In such cases, the privacy impact assessment shall be limited to the changed system. |
| Article 36 (Consideration at the time of Privacy Impact Assessment) |
| 1. | Whether sensitive information or personally identifiable information will be processed; |
| 2. | The retention period of personal information. |
| Article 37 (Designation of PIA Institutions and Revocation of Designation) |
| (1) | The Protection Commission may designate a corporation that satisfies all of the following requirements as a privacy impact assessment institution (hereinafter referred to as “PIA institution”) pursuant to the latter part of Article 33 (1) of the Act: <Amended on Mar. 23, 2013; Nov. 19, 2014; Dec. 22, 2015; Jul. 26, 2017; Aug. 4, 2020> |
| 1. | A corporation whose total revenue derived from any of the following activities is 200 million won or more during the last five years: |
| (a) | Privacy impact assessments or activities similar thereto; |
| (b) | Data protection consulting (which means the analysis and assessment of information systems and the provision of corresponding countermeasures against electronic infringement incidents; hereinafter the same shall apply) among the activities related to establishing information systems, as defined in subparagraph 13 of Article 2 of the Electronic Government Act (including the information protection system); |
| (d) | Data protection consulting among the activities related to the information protection industry, as defined in subparagraph 2 of Article 2 of the Act on the Promotion of the Information Security Industry; |
| 2. | A corporation that employs at least 10 full-time experts specified in attached Table 1-2; |
| 3. | A corporation with the following offices and facilities: |
| (a) | An office with facilities for identification and access control; |
| (b) | Facilities for the safe management of records and materials. |
| (2) | A person who intends to be designated as a PIA institution shall file an application for designation as a PIA institution, in the form prescribed by Notification of the Protection Commission, with the Protection Commission, along with the following documents (including electronic documents; hereinafter the same shall apply): <Amended on Mar. 23, 2013; Nov. 19, 2014; Jul. 26, 2017; Oct. 17, 2017; Aug. 4, 2020> |
| 1. | The articles of incorporation; |
| 2. | The representative’s name; |
| 3. | Documents verifying the qualifications of the experts referred to in paragraph (1) 2; |
| 4. | Other documents prescribed by Notification of the Protection Commission. |
| (3) | Upon receipt of an application for designation as a PIA institution filed under paragraph (2), the Protection Commission shall verify the following documents through the sharing of administrative information pursuant to Article 36 (1) of the Electronic Government Act: Provided, That where the applicant does not give consent to the verification of subparagraph 2, the Protection Commission shall require the applicant to submit the relevant document: <Amended on Mar. 23, 2013; Nov. 19, 2014; Jul. 26, 2017; Aug. 4, 2020> |
| 1. | The corporation registration certificate; |
| (4) | Upon designating a PIA institution pursuant to paragraph (1), the Protection Commission shall, without delay, issue a written designation to the relevant applicant, and provide Notification thereof in the Official Gazette. The same shall also apply to any revision to the Notification: <Amended on Mar. 23, 2013; Nov. 19, 2014; Jul. 26, 2017; Aug. 4, 2020> |
| 1. | The name, address, and telephone number of the PIA institution, and the name of its representative; |
| 2. | Terms and conditions attached to the designation, if any. |
| (5) | The Protection Commission may revoke the designation of a PIA institution subject to paragraph (1) in any of the following cases: Provided, That the Protection Commission shall revoke the designation in cases falling under subparagraph 1 or 2: <Amended on Mar. 23, 2013; Nov. 19, 2014; Jul. 26, 2017; Aug. 4, 2020> |
| 1. | Where the PIA institution is designated by fraud or other improper means; |
| 2. | Where the PIA institution wants revocation of such designation or has closed its business; |
| 3. | Where the PIA institution fails to satisfy the requirements for designation provided for in paragraph (1); |
| 4. | Where the PIA institution fails to submit a report subject to paragraph (6); |
| 5. | Where the PIA institution unconscientiously conducts the privacy impact assessment either by intent or gross negligence, and is deemed incapable of duly conducting the privacy impact assessment; |
| 6. | Where the PIA institution breaches any of the duties provided for in the Act or this Decree. |
| (6) | A PIA institution designated under paragraph (1) shall, upon occurrence of any of the following events after designation, submit a report to the Protection Commission, as prescribed by Notification the Protection Commission, within 14 days from the date of occurrence: Provided, that it shall submit a report to the Protection Commission within 60 days from the date of occurrence in cases falling under subparagraph 3: <Amended on Mar. 23, 2013; Nov. 19, 2014; Jul. 26, 2017; Oct. 17, 2017; Aug. 4, 2020> |
| 1. | Where any matter referred to in paragraph (1) is changed; |
| 2. | Where any matter referred to in paragraph (4) 1 is changed; |
| 3. | Where the transfer, acquisition, or merger of the PIA institution, or similar event occurs. |
| (7) | Where intending to revoke the designation of a PIA institution pursuant to paragraph (5), the Protection Commission shall hold a hearing. <Amended on Mar. 23, 2013; Nov. 19, 2014; Jul. 26, 2017; Aug. 4, 2020> |
| Article 38 (Criteria for Privacy Impact Assessment) |
| (1) | Criteria for privacy impact assessments referred to in Article 33 (6) of the Act are as follows: <Amended on Jul. 22, 2016> |
| 1. | The type and nature of personal information contained in the relevant personal information files, the number of data subjects, and the possibility of subsequent infringement with respect to personal information; |
| 3. | Countermeasures against risk factors of infringement with respect to personal information, if any; |
| 4. | Other necessary measures subject to the Act or this Decree, or any factor affecting breach of duties. |
| (2) | A PIA institution in receipt of a request for a privacy impact assessment pursuant to Article 33 (1) of the Act shall analyze and assess the risk factors of infringement with respect to personal information arising out of the operation of personal information files according to the criteria for privacy impact assessments prescribed in paragraph (1); prepare a privacy impact assessment report containing the following matters; and submit the report to the head of the relevant public institution. The head of such public institution shall submit the report (including measures for improvement referred to in subparagraph 3, if any matter requiring improvement in such report) to the Protection Commission prior to building, operating, or changing personal information files provided for in Article 35: <Amended on Mar. 23, 2013; Nov. 19, 2014; Jul. 22, 2016; Jul. 26, 2017; Aug. 4, 2020> |
| 1. | Summary of the project related to, and the purpose of, the operation of personal information files; |
| 2. | General description of personal information files subject to the privacy impact assessment; |
| 3. | Analysis and assessment of risk factors of infringement with respect to personal information according to the criteria for privacy impact assessments, and matters requiring improvement; |
| 4. | Human resources and costs required to conduct the privacy impact assessment. |
| (3) | Except as provided in the Act and this Decree, the Protection Commission may prescribe and provide Notification of detailed standards for designating PIA institutions, procedures for privacy impact assessments, etc. <Amended on Mar. 23, 2013; Nov. 19, 2014; Jul. 26, 2017; Aug. 4, 2020> |
| Article 39 (Scope of Data Breach Notification and Where to Report) |
| (1) | “Personal information above the scale prescribed by Presidential Decree” in the former part of Article 34 (3) of the Act means personal information of at least one thousand data subjects. <Amended on Oct. 17, 2017> |
| (2) | “Specialized institution prescribed by Presidential Decree” in the former part and the latter part of Article 34 (3) of the Act means the Korea Internet and Security Agency. <Amended on Dec. 30, 2015; Jul. 22, 2016> |
| Article 40 (Method and Procedure for Data Breach Notification) |
| (1) | A personal information controller who becomes aware that personal information has been divulged shall, without delay, notify the aggrieved data subject of the matters prescribed in Article 34 (1) of the Act, in writing, etc.: Provided, That the personal information controller may without delay give notice to the data subjects, right after it has taken contingent measures, including shut-down of the access route, check-up of weak points and deletion of divulged personal information, necessary to prevent the dissemination of divulged personal information and additional divulgence. |
| (2) | Notwithstanding paragraph (1), where a personal information controller has become aware of personal information divulgence pursuant to the main clause of paragraph (1) or has taken contingent measures after awareness of the data breach pursuant to the proviso of paragraph (1), but cannot confirm details of personal information divulgence provided for in Article 34 (1) 1 or 2 of the Act, the personal information controller may first notify the aggrieved data subject of the fact of personal information divulgence and the information divulged, in writing, etc.; and then notify the details confirmed additionally. |
| (3) | Notwithstanding paragraphs (1) and (2), where personal information of at least one thousand data subjects has been divulged pursuant to Article 34 (3) of the Act and Article 39 (1) of this Decree, the relevant personal information controller shall notify the aggrieved data subjects of such divulgence in writing, etc. and post the matters provided for in Article 34 (1) of the Act on his or her website for at least seven days so that the data subjects may easily recognize them: Provided, that if a personal information controller has no website, the personal information controller shall provide notice of the divulgence of personal information in writing, etc. and post the matters provided for in Article 34 (1) of the Act at easily noticeable places of his or her workplace, etc. for at least seven days. <Amended on Oct. 17, 2017> |
| Article 40-2 (Criteria for Imposition of Penalty Surcharges) |
| (1) | Penalty surcharges provided for in Article 34-2 (1) of the Act shall be imposed in accordance with attached Table 1-3. <Amended on Aug. 4, 2020> |
| (2) | To impose a penalty surcharge pursuant to Article 34-2 (1) of the Act, the Protection Commission shall give a written notice stating the violation, amount of the penalty surcharge, and methods of, and period for filing an objection, to the violator. <Amended on Nov. 19, 2014; Jul. 26, 2017; Aug. 4, 2020> |
| (3) | A person in receipt of the written notice given under paragraph (2) shall pay a penalty surcharge to a collecting agency designated by the Protection Commission within 30 days from the receipt of such written notice: Provided, That, where the person cannot pay the penalty surcharge within such period due to a natural disaster or other unavoidable causes, he or she shall pay it within seven days from the date the relevant cause ceases to exist. <Amended on Nov. 19, 2014; Jul. 26, 2017; Aug. 4, 2020> |
| (4) | “Late-payment penalty prescribed by Presidential Decree” in the former part of Article 34-2 (3) of the Act means an amount calculated for the period from the day following the due date for payment until the day preceding the payment date of the penalty surcharge by adding the amount equivalent to 5/1,000 of the unpaid penalty surcharge for each month past due. |
[This Article Newly Inserted on Aug. 6, 2014]
CHAPTER VI GUARANTEE OF RIGHTS OF DATA SUBJECTS
| Article 41 (Procedures for Access to Personal Information) |
| (1) | A data subject who intends to request access to his or her own personal information processed by a personal information controller pursuant to Article 35 (1) of the Act shall submit a request, stating the information that he or she intends to access among the following information, in the manner and following the procedure determined by the personal information controller; <Amended on Mar. 23, 2013; Nov. 19, 2014; Jul. 26, 2017; Oct. 17, 2017> |
| 1. | Particulars and substance of personal information; |
| 2. | The purpose of collecting and using personal information; |
| 3. | The period for retaining and using personal information; |
| 4. | Status of personal information provided to a third party; |
| 5. | The fact that the data subject has given consent to the processing of his or her personal information and the content thereof. |
| (2) | To determine the manner and procedure for requesting access under paragraph (1), a personal information controller shall comply with the following to ensure that such manner and procedure are not more difficult than the manner and procedure that the personal information controller uses to collect the relevant personal information: <Newly Inserted on Oct. 17, 2017> |
| 1. | To provide the requested personal information in a data subject-friendly manner, such as in writing, by telephone or electronic mail, or via the Internet; |
| 2. | To allow data subjects to request access to their own personal information at least through the same window or in the same manner that the personal information controller uses to collect such personal information, unless just cause exists, such as difficulty in continuously operating such window; |
| 3. | To post on a website the manner and procedure for requesting access if the personal information controller operates the website. |
| (3) | A data subject who intends to request access to his or her own personal information via the Protection Commission pursuant to Article 35 (2) of the Act shall submit to the Protection Commission a Personal Information Access Request specifying the information to access among the information referred to in paragraph (1), as prescribed by Notification of the Protection Commission. In such cases, the Protection Commission shall forward the Personal Information Access Request to the relevant public institution without delay. <Amended on Mar. 23, 2013; Nov. 19, 2014; Jul. 26, 2017; Oct. 17, 2017; Aug. 4, 2020> |
| (4) | “Period prescribed by Presidential Decree” in the former part of Article 35 (3) of the Act means 10 days. <Amended on Oct. 17, 2017> |
| (5) | Where a personal information controller allows a data subject to access the relevant personal information within 10 days from the receipt of the Personal Information Access Request under paragraph (1) or (3), or limits access to the relevant person information under Article 42 (1), the personal information controller shall serve the data subject with the Access Notice, stating the accessible personal information, date and time, venue, etc. for access (in the case of partial access pursuant to Article 42 (1), the ground therefor and how to appeal shall be included), in the form prescribed by Notification of the Protection Commission: Provided, That where he or she allows immediate access, the Access Notice may be omitted. <Amended on Mar. 23, 2013; Nov. 19, 2014; Jul. 26, 2017; Oct. 17, 2017; Aug. 4, 2020> |
| Article 42 (Limitation to, and Postponement and Denial of, Access to Personal Information) |
| (1) | Where any information to which a personal information controller receives a request for access pursuant to Article 41 (1) falls under Article 35 (4) of the Act, the personal information controller may limit access to such information; and shall allow the data subject to access other personal information than the restricted part. |
| (2) | Where a personal information controller intends to postpone a data subject’s access to his or her own personal information pursuant to the latter part of Article 35 (3) of the Act, or to deny the access pursuant to Article 35 (4) of the Act, the personal information controller shall serve the data subject with the Access Postponement or Denial Notice, stating the grounds for postponement or denial and how to appeal, in the form prescribed by Notification of the Protection Commission within 10 days from the receipt of the access request. <Amended on Mar. 23, 2013; Nov. 19, 2014; Jul. 26, 2017; Aug. 4, 2020> |
| Article 43 (Correction, and Erasure of Personal Information) |
| (1) | A data subject who intends to request a personal information controller to correct or erasure his or her own personal information pursuant to Article 36 (1) of the Act shall submit a request in the manner and following the procedure determined by the personal information controller. In such cases, Article 41 (2) shall apply mutatis mutandis where the personal information controller determines the manner and procedure for requesting the correction or erasure of personal information; and “access” shall be construed as “correction or erasure”. <Amended on Oct. 17, 2017> |
| (2) | Upon receipt of a request to correct or erasure personal information pursuant to Article 36 (1) of the Act, a personal information controller who processes personal information files provided by other personal information controller shall correct or erase the relevant personal information as requested; or shall, without delay, notify the personal information controller who has provided the relevant personal information of the request to correct or erasure the personal information, and take necessary measures based on the result of such processing. <Amended on Oct. 17, 2017> |
| (3) | A personal information controller shall inform the relevant data subject of the fact that he or she has duly corrected or erased the relevant personal information pursuant to Article 36 (2) of the Act within 10 days from the receipt of a request to correct or erasure personal information under paragraph (1) or (2); otherwise, if the erasure of personal information is denied because it falls under the proviso of Article 36 (1) of the Act, the personal information controller shall serve the data subject with the Personal Information Correction or erasure Outcome Notice, stating the fact and grounds for the denial and how to appeal, in the form determined and publicly notified by prescribed by Notification of the Protection Commission. <Amended on Mar. 23, 2013; Nov. 19, 2014; Jul. 26, 2017; Oct. 17, 2017; Aug. 4, 2020> |
| Article 44 (Suspension of Processing Personal Information) |
| (1) | A data subject who intends to request a personal information controller to suspend the processing of his or her own personal information pursuant to Article 37 (1) of the Act shall submit a request in the manner and following the procedure determined by the personal information controller. In such cases, Article 41 (2) shall apply mutatis mutandis where the personal information controller determines the manner and procedure for requesting the suspension of processing personal information; and “access” shall be construed as “suspension of processing”. <Amended on Oct. 17, 2017> |
| (2) | A personal information controller shall inform the relevant data subject of the fact that it has duly suspended the processing of personal information pursuant to the main clause of Article 37 (2) of the Act within 10 days from the receipt of a request to suspend the processing of personal information made under paragraph (1); otherwise, if the suspension of processing personal information is denied because it falls under the proviso of Article 37 (2) of the Act, the personal information controller shall serve the relevant data subject with the Personal Information Processing Suspension Outcome Notice, stating the fact and grounds for the denial and how to appeal, in the form prescribed by Notification of the Protection Commission. <Amended on Mar. 23, 2013; Nov. 19, 2014; Jul. 26, 2017; Oct. 17, 2017; Aug. 4, 2020> |
| Article 45 (Scope of Representative) |
| 1. | A legal representative of the data subject; |
| 2. | A person delegated by the data subject. |
| (2) | A representative referred to in paragraph (1), representing a data subject pursuant to Article 38 of the Act, shall submit a power of attorney of the data subject, in the form prescribed by Notification of the Protection Commission, to the personal information controller. <Amended on Mar. 23, 2013; Nov. 19, 2014; Jul. 26, 2017; Aug. 4, 2020> |
| Article 46 (Confirmation of Data Subjects or Representatives) |
| (1) | Upon receipt of request for access under Article 41 (1), correction or erasure of personal information under Article 43 (1), suspension of processing of personal information under Article 44 (1) or withdrawal of consent under Article 39-7 (1) of the Act (hereafter in this Article and Articles 47 and 48 referred to as “Access Request, etc.”), a personal information controller shall confirm whether the person who has submitted the Access Request, etc. is the principal or the duly authorized representative. <Amended on Aug. 4, 2020> |
| (2) | Any personal information controller, which is a public institution eligible for the sharing of administrative information pursuant to Article 36 (1) of the Electronic Government Act, shall confirm as provided in paragraph (1) through the sharing of administrative information: Provided, that this shall not apply where the public institution is unable to share administrative information or the data subject does not consent to such confirmation. |
| Article 47 (Amounts of Fees) |
| (1) | The amounts of fees and postage provided for in Article 38 (3) of the Act shall be determined by the relevant personal information controller within the actual expenses necessary for the processing of the Access Request, etc.: Provided, that where a personal information controller is a local government, they shall be prescribed by ordinance of the relevant local government. |
| (2) | A personal information controller shall not demand any fee or postage if the cause for submitting the Access Request, etc. lies with the personal information controller. |
| (3) | Any fee and postage provided for in Article 38 (3) of the Act shall be paid as follows: Provided, that a personal information controller, which is the National Assembly, the Court, the Constitutional Court, the National Election Commission, a central administrative agency, or its affiliated body (hereafter in this Article referred to as “national agency”) or a local government, may claim such fee and postage by the electronic payment means, as defined in subparagraph 11 of Article 2 of the Electronic Financial Transactions Act, or telecommunications billing services, as defined in subparagraph 10 of Article 2 of the Act on Promotion of Information and Communications Network Utilization and Information Protection: |
| 1. | Where the fee or postage is paid to a personal information controller that is a national agency: Revenue stamp; |
| 2. | Where the fee or postage is paid to a personal information controller that is a local government: Revenue certificate; |
| 3. | Where the fee and postage is paid to other personal information controller than a national agency or local government: In the manner determined by the relevant personal information controller. |
| Article 48 (Establishing Access Request Support System) |
| (1) | A personal information controller may establish and operate a support system that enables the Access Request, etc. to be processed and notified electronically, and determine other work procedures. |
| (2) | The Protection Commission may establish and operate a system to support the public institutions which are personal information controllers efficiently process the Access Request, etc. for personal information they possess and notify the results thereof. <Amended on Mar. 23, 2013; Nov. 19, 2014; Jul. 26, 2017; Aug. 4, 2020> |
CHAPTER VI-2 SPECIAL CASES CONCERNING PROCESSING OF PERSONAL INFORMATION BY INFORMATION AND COMMUNICATIONS SERVICE PROVIDERS
| Article 48-2 (Special Cases concerning Measures to Ensure Security of Personal Information) |
| (1) | Any information and communications service provider (as set forth in Article 2 (1) 3 of the Act on Promotion of Information and Telecommunications Network Utilization and Information Protection; hereinafter the same shall apply) and any third party who receives personal information of users (as set forth in Article 2 (1) 4 of the same Act; hereinafter the same shall apply) from the information and communications service provider in accordance with Article 17 (1) 1 of the Act (hereinafter collectively referred to as “Information and Communications Service Providers, etc.”) shall implement the following measures to ensure security when processing users’ personal information in accordance with Article 29 of the Act, notwithstanding Article 30: |
| 1. | Establishment and implementation of an internal management plan which includes each of the following for safe processing of personal information: |
| (a) | Matters concerning the structure and operation of the personal information protection organization, including the designation of a privacy officer; |
| (b) | Matters concerning training of the persons who process users’ personal information under the direction and supervision of Information and Communications Service Providers, etc. (hereinafter referred to as “personal information handlers” in this Article); |
| (c) | Detailed matters required for implementing measures under subparagraphs 2 through 6; |
| 2. | Each of the following measures for preventing illegal access to personal information: |
| (a) | Establishment and implementation of standards on granting, changing, canceling, etc. the access to the database system which was systematically configured to process personal information (hereinafter referred to as the “Personal Information Processing System” in this Article); |
| (b) | Establishment and operation of an intrusion prevention system and intrusion detection system for the Personal Information Processing System; |
| (c) | Blocking of external Internet access to the computers, etc. of personal information handlers connected to the Personal Information Processing System [only applicable to the Information and Communications Service Providers, etc. (as set forth in Article 2 (1) 2 of the Act on Promotion of Information and Telecommunications Network Utilization and Information Protection; hereinafter the same shall apply) who stores and manages personal information of one million users or more on average per day during the three-month period immediately preceding the end of the previous year, or who generates sales revenue of 10 billion won or more in the information and communications service sector during the previous year (previous business year for a corporation)]; |
| (d) | Establishment and implementation of the standards on the methods of creating passwords, password change interval, etc.; |
| (e) | Other measures necessary to control access to personal information; |
| 3. | Each of the following measures to prevent falsification and alteration of access records: |
| (a) | Storage, confirmation and monitoring of the dates on which the Personal Information Processing System was accessed, details of personal information processed, etc. if a personal information handler processes personal information by accessing the Personal Information Processing System; |
| (b) | Back-up storage of records on access to the Personal Information Processing System in a separate storage device; |
| 4. | Each of the following measures to ensure safe storage and transmission of personal information: |
| (a) | Storage of passwords in one-way encrypted format; |
| (b) | Encrypted storage of resident registration numbers, account information, information under subparagraph 3 of Article 18 and other information prescribed by Notification of the Protection Commission; |
| (c) | Establishment of secure server, etc. if user’s personal and authentication information is transmitted or received via telecommunications network; |
| (d) | Other security measures using encryption technology. |
| 5. | Installation, periodic update and inspection of vaccine software to detect and cure at all times any malicious program, including computer virus and spyware, which may intrude the Personal Information Processing System and other information appliance used by any personal information handler to process personal information; |
| 6. | Other measures necessary to ensure the security of personal information. |
| (2) | The Protection Commission may provide necessary assistance, such as building a system with which Information and Communications Service Providers, etc. can take the measures to ensure security pursuant to paragraph (1). |
| (3) | Detailed standards for the measures to ensure security under paragraph (1) shall be prescribed by Notification of the Protection Commission. |
[This Article Newly Inserted on Aug. 4, 2020]
[Previous Article 48-2 moved to Article 48-14 <Aug. 4, 2020>]
| Article 48-3 (Method of Confirming Legal Representative’s Consent) |
| (1) | In accordance with Article 39-3 (4) of the Act, an information and communications service provider shall confirm whether the legal representative has provided his or her consent through any of the following means: |
| 1. | Having the legal representative indicate whether he or she consents on the website that specifies the consent items, and informing the legal representative via mobile text message that the information and communications service provider confirmed the indication of consent; |
| 2. | Having the legal representative indicate whether he or she consents on the website that specifies the consent items, and receiving credit, debit, etc. card information of the legal representative’s; |
| 3. | Having the legal representative indicate whether he or she consents on the website that specifies the consent items, and verifying the identity of the legal representative via the identity verification process on the legal representative’s mobile phone, etc.; |
| 4. | Issuing or delivering the document that specifies the consent items to the legal representative directly or via mail or fax, and having the legal representative submit the document after signing and affixing seal on the document with respect to the consent items; |
| 5. | Sending an electronic email that specifies the consent items and having the legal representative send an e-mail with an indication of consent; |
| 6. | Informing the legal representative of the consent items and receiving the legal representative’s consent via phone call, or providing the legal representative with the means (e.g., web address) to confirm the consent items and obtaining the legal representative’s consent via a phone call; |
| 7. | Other method of informing the legal representative of the consent items and confirming the legal representative’s indication of consent in a comparable manner to subparagraphs 1 through 6. |
| (2) | If it is difficult for an Information and Communications Service Provider, etc. to indicate all the consent items due to the particular nature of the medium by which the personal information is collected, the information and communications service provider may provide the legal representative with the means to confirm the consent items (e.g., web address, telephone number of the workplace, etc.). |
[This Article Newly Inserted on Aug. 4, 2020]
| Article 48-4 (Special Cases concerning Notification and Report of Data Breach) |
| (2) | If an Information and Communications Service Provider, etc. becomes aware of any loss, theft or divulgence of personal information, the Information and Communications Service Provider, etc. shall inform the users of all information listed under Article 39-4 (1) of the Act in writing, etc. without delay, and report the loss, theft or divulgence to the Protection Commission or Korea Internet and Security Agency. |
| (3) | If an Information and Communications Service Provider, etc. has yet to ascertain the specifics of the information under Article 39-4 (1) 1 or 2 of the Act when filing the notification/report under paragraph (2), the Information and Communications Service Provider, etc. shall first notify/report the details ascertained up to date and the information under subparagraphs 3 through 5 of the same paragraph, and later notify and report any other information as soon as such information is confirmed. |
| (4) | If an Information and Communications Service Provider, etc. has a good reason under the proviso, with the exception of the subparagraphs, of Article 39-4 (1) of the Act, the Information and Communications Service Provider, etc. may publish matters prescribed in each subparagraph under Article 39-4 (1) of the Act on its website for at least 30 days in lieu of the notification under paragraph (2). |
| (5) | If it is difficult to publish on the website in accordance with paragraph (4) due to a force majeure event or another unavoidable cause, public announcement of the required information on two or more general daily nationwide newspapers under the Act on the Promotion of Newspapers on at least one occasion may be provided in lieu of the online disclosure under paragraph (4). |
| (6) | An Information and Communications Service Provider, etc. shall explain the good reason under the main clause or proviso, with the exception of the subparagraphs, of Article 39-4 (1) of the Act to the Protection Commission without delay in writing. |
[This Article Newly Inserted on Aug. 4, 2020]
| Article 48-5 (Special Cases concerning Destruction of Personal Information) |
| (1) | If any user of an information and communications service does not use the service for the period under Article 39-6 (1) of the Act, the Information and Communications Service Provider, etc. shall immediately destroy the user’s personal information, or store and manage such information separately from other users’ personal information after expiration of the period: Provided, That if retaining the user’s personal information is required by other statutes or regulations even after the expiration of the period under the main clause of Article 39-6 (1) of the Act (or any other period determined at the request of the user in accordance with the proviso of Article 39-6 (1) of the Act), the personal information of such user shall be stored and managed separately from other users’ personal information until the preservation period required by other statutes or regulation expires. |
| (2) | When storing and managing personal information in a segregated manner in accordance with paragraph (1), the Information and Communications Service Provider, etc. shall not use or provide the personal information, except as otherwise provided in the Act or other statutes or regulations. |
| (3) | “Matters prescribed by Presidential Decree such as the fact that their personal information will be destroyed, the expiration date, and the particulars of personal information to be destroyed” in Article 39-6 (2) of the Act means to the following: |
| 1. | If personal information will be destroyed: The fact that personal information will be destroyed, expiration date of the retention period and items of personal information to be destroyed; |
| 2. | If personal information is stored and managed separately from other users’ personal information: The fact that the storage and management of personal information is segregated, expiration date of the retention period and items of personal information that are separately stored and managed. |
[This Article Newly Inserted on Aug. 4, 2020]
| Article 48-6 (Notification of Details of Personal Information Usage) |
| (1) | The “information and communications service provider, etc. meeting standards prescribed by President Decree” in the main clause of Article 39-8 (1) of the Act means any of the following providers: |
| 1. | Any Information and Communications Service Provider, etc. who generated sales revenue of 10 billion won or more in the information and communications service sector during the previous year (previous business year for a corporation); |
| 2. | Any Information and Communications Service Provider, etc. who stored and managed personal information of one million users or more on average per day during the three-month period immediately preceding the end of the previous year. |
| 1. | Purpose of collecting and using personal information, and items of personal information collected; |
[This Article Newly Inserted on Aug. 4, 2020]
| Article 48-7 (Scope, and Standards of the Parties Required to Purchase an Insurance for Performance of Damage Compensation Responsibilities) |
| (1) | The Information and Communications Service Providers, etc. which meet all of the following requirements (hereafter in this Article referred to as the “Subject Personal Information Controllers”) shall purchase insurance, join a mutual aid organization or accumulate reserves in accordance with Article 39-9 (1) of the Act: |
| 1. | The Information and Communications Service Providers, etc. whose sales revenue for the previous business year (the previous business year for a corporation) was 50 million won or more; |
| 2. | The Information and Communications Service Providers, etc. who stored and managed personal information of one thousand users or more on average per day during the three-month period immediately preceding the end of the previous year. |
| (2) | The standards for the minimum insurance subscription amount (minimum reserve amount in case of accumulating reserves; hereafter in this Article the same shall apply) applicable to the Subject Personal Information Controllers in case of purchasing insurance, joining a mutual aid organization or accumulating reserves shall be as set forth in attached Table 1-4: Provided, that if any Subject Personal Information Controller purchases insurance or joins a mutual aid organization, and accumulates reserves at the same time, the sum of the insured or mutual aid amount and reserves should be equal to or exceed the minimum insurance subscription amount set forth in attached Table 1-4. |
| (3) | If a Subject Personal Information Controller purchases insurance, joins a mutual aid organization or accumulates reserves which guarantee the performance of the damage liabilities under Articles 39 and 39-2 of the Act in accordance with other statutes, the Subject Business Entity shall be deemed to have purchased insurance, joined a mutual aid organization or accumulated reserves pursuant to Article 39-9 (1) of the Act. |
[This Article Newly Inserted on Aug. 4, 2020]
| Article 48-8 (Institution Receiving Request for Deletion and Blocking of Exposed Personal Information) |
[This Article Newly Inserted on Aug. 4, 2020]
| Article 48-9 (Scope of Persons Required to Designate Local Representative) |
| (1) | “Information and communications service provider, etc. meeting the criteria prescribed by Presidential Decree” in the main clause, with the exception of the subparagraphs, of Article 39-11 (1) of the Act means any of the following providers: |
| 1. | Any provider whose sales revenue for the previous year (previous business year for a corporation) is one trillion won or more; |
| 2. | Any provider who generates sales revenue of 10 billion won or more in the information and communications service sector during the previous year (previous business year for a corporation); |
| 3. | Any provider who stores and manages personal information of one million users or more on average per day during the three-month period immediately preceding the end of the previous year; |
| 4. | Any provider who violates the Act and was requested to submit relevant materials, including articles and documents, in accordance with Article 63 (1) of the Act for having caused, or having the potential to cause a case or incident of infringement with respect to personal information. |
| (2) | The sales revenue under paragraph (1) 1 and 2 shall be based on the amount converted into Korean won at the average exchange rate of the previous year (previous business year for a corporation). |
[This Article Newly Inserted on Aug. 4, 2020]
| Article 48-10 (Safeguards in the Event of Overseas Transfer of Personal Information) |
| (1) | If any Information and Communications Service Provider, etc. intends to transfer personal information overseas in accordance with the main clause of Article 39-12 (2) of the Act, it shall implement the following safeguards according to paragraph (4) of the same Article: |
| 1. | Measures to ensure security for protection of personal information in accordance with Article 48-2 (1); |
| 2. | Matters concerning handling of complaints and dispute resolution concerning infringement with respect to personal information; |
| 3. | Other measures necessary to protect users’ personal information. |
| (2) | If any Information and Communications Service Provider, etc. intends to transfer personal information overseas in accordance with the main clause of Article 39-12 (2) of the Act, the Information and Communications Service Provider, etc. shall discuss each subparagraph of paragraph (1) with the recipient in advance and incorporate the same into the terms of the agreement. |
[This Article Newly Inserted on Aug. 4, 2020]
| Article 48-11 (Special Cases concerning the Calculation Standards of Penalty Surcharges) |
| (1) | The revenue pursuant to Article 39-15 (1) of the Act shall be the annual average sales revenue generated by the relevant Information and Communications Service Provider, etc. from the information and communications service related to the violation over the previous three business years: Provided, That if three years have not passed since the commencement of business as of the first day of the relevant business year, the total sales shall be the amount calculated by converting the sales revenue from the commencement of business until the end of the immediately preceding business year into the annual average sales revenue, and if the Information and Communications Service Provider, etc. commenced business during the business year in which the violation occurred, the total sales shall be the amount calculated by converting the sales revenue from the commencement date of business until the date of violation into annual sales revenue. |
| 1. | The personal information controller has no sales because it did not commence, or suspended, etc. its business; |
| 2. | It is difficult to objectively calculate the sales revenue because the sales materials were lost or damaged due to a disaster, etc. |
| (3) | If the Protection Commission is in need of financial statements or other materials to calculate the sales revenue under paragraph (1), the Protection Commission may request the Information and Communications Service Provider, etc. to submit the relevant materials within a period of no more than 20 days. |
| (4) | The standards and procedures for calculating the penalty surcharges under Article 39-15 (4) of the Act shall be as specified in attached Table 1-5. |
[This Article Newly Inserted on Aug. 4, 2020]
| Article 48-12 (Imposition and Payment of Penalty Surcharges) |
| (1) | If the Protection Commission intends to impose a penalty surcharge in accordance with Article 39-15 of the Act, the Protection Commission shall investigate and verify the violation, and then provide the imposed party with written notice specifying the violation, imposed amount, appealing procedures, deadline for filing an appeal, etc. |
| (2) | The violator who received the notice under paragraph (1) shall pay the penalty surcharge to a financial institution designated by the Protection Commission within 30 days from the date of receiving the notice: Provided, that if the violator is unable to pay the penalty surcharge within the deadline due to a natural disaster or other unavoidable cause, the violator shall pay the surcharge within seven days from the date on which such cause no longer exists. |
| (3) | The financial institution which received the penalty surcharge in accordance with paragraph (2) shall issue a receipt to the payer of penalty surcharge. |
[This Article Newly Inserted on Aug. 4, 2020]
| Article 48-13 (Interest Rate of Surcharge Refund) |
[This Article Newly Inserted on Aug. 4, 2020]
CHAPTER VIII PERSONAL INFORMATION DISPUTE MEDIATION
| Article 48-14 (Ex Officio Members) |
The ex officio members of the Dispute Mediation Committee shall be appointed by the Chairperson of the Protection Commission from among members in general service of the Senior Executive Service of the Protection Commission, who are in charge of the activities related to the protection of personal information. <Amended on Jul. 26, 2017; Aug. 4, 2020>
[This Article Newly Inserted on Jul. 22, 2016]
[Moved from Article 48-2 <Aug. 4, 2020>]
| Article 49 (Composition and Operation of Mediation Panels) |
| (1) | The mediation panel referred to in Article 40 (6) of the Act (hereinafter referred to as “mediation panel”) shall be comprised of not more than five members appointed by the chairperson of the Dispute Mediation Committee, and one of whom shall be a commissioner with an attorney-in-law license. <Amended on Jul. 22, 2016> |
| (2) | The chairperson of the Dispute Mediation Committee shall convene the meetings of the mediation panel. |
| (3) | The chairperson of the Dispute Mediation Committee shall notify each member of the mediation panel of the date, time, venue, and agenda no later than seven days prior to the meeting: Provided, That this shall not apply in case of emergency. |
| (4) | The presider of the mediation panel shall be elected by and from among its members. |
| (5) | Except as provided in paragraphs (1) through (4), matters necessary for the composition and operation of the mediation panel, and other necessary matters, shall be determined by the chairperson of the Dispute Mediation Committee subject to the resolution of the Dispute Mediation Committee. |
| (1) | The secretariat of the Protection Commission shall conduct administrative affairs necessary for dispute mediation, such as receiving dispute mediation cases and fact-finding pursuant to Article 40 (8) of the Act. <Amended on Aug. 4, 2020> |
| (2) | The secretariat may establish and operate a dispute mediation system in order to electronically process the affairs required for dispute mediation, including receiving dispute mediation requests, advancing the dispute mediation process and providing notifications to the parties. <Newly Inserted on Aug. 4, 2020> |
[This Article Wholly Amended on Jul. 22, 2016]
| Article 51 (Operation of Dispute Mediation Committee) |
| (1) | The chairperson of the Dispute Mediation Committee shall convene and preside over meetings of the Dispute Mediation Committee. |
| (2) | The chairperson of the Dispute Mediation Committee shall notify each member of the Dispute Mediation Committee of the date, time, venue, and agenda no later than seven days prior to the meeting: Provided, That this shall not apply in case of emergency. |
| (3) | The meetings of the Dispute Mediation Committee and the mediation panel shall not be open to the public: Provided, That attendance of the parties or interested parties is allowed by the resolution of the Dispute Mediation Committee, if deemed necessary. |
| Article 52 (Incidents Eligible for Collective Dispute Mediation) |
“Incident is prescribed by Presidential Decree” in Article 49 (1) of the Act means any incident that satisfies all of the following conditions: | 1. | The number of data subjects suffering from damage or infringement on their rights shall be not less than 50 persons, except the following: |
| (a) | Data subjects who have agreement with the personal information controller on the dispute settlement or compensation for damage; |
| (b) | Data subjects whose dispute is based on the same cause and is dealt with by a dispute mediation body established by other statutes or regulations; |
| (c) | Data subjects who have filed a lawsuit with a court regarding damages from the relevant infringement with respect to personal information; |
| 2. | Major issues of the incident are common factually or legally. |
| Article 53 (Commencement of Collective Dispute Mediation Proceedings) |
| (1) | “Period prescribed by Presidential Decree” in the latter part of Article 49 (2) of the Act means a period of at least 14 days. |
| (2) | Public announcement of commencing the collective dispute mediation proceedings referred to in the latter part of Article 49 (2) of the Act shall be posted on the website of the Dispute Mediation Committee or a general daily newspaper circulating nationwide under the Act on the Promotion of Newspapers. <Amended on Dec. 30, 2015> |
| Article 54 (Applications for Participation in Collective Dispute Mediation Proceedings) |
| (1) | A data subject or personal information controller, other than the parties to collective dispute mediation subject to Article 49 of the Act (hereinafter referred to as “collective dispute mediation”), who intends to participate in such collective dispute mediation additionally as a party pursuant to Article 49 (3) of the Act, shall file a written application during the notice period subject to the latter part of Article 49 (2) of the Act. |
| (2) | Upon receiving a written application for collective dispute mediation as a party pursuant to paragraph (1), the Dispute Mediation Committee shall inform the applicant of whether it has accepted his or her application within 10 days from the expiry of the application period referred to in paragraph (1). |
| Article 55 (Collective Dispute Mediation Proceedings) |
| (1) | After the collective dispute mediation proceedings commence, a data subject who falls under any of subparagraph 1 (a) through (c) of Article 52 shall be excluded from participation as a party. |
| (2) | Once the collective dispute mediation proceedings of the case which satisfies the conditions referred to in Article 52 commence, such proceedings shall not be suspended even if the conditions referred to in subparagraph 1 of Article 52 are not satisfied because a data subject falls under any of subparagraph 1 (a) through (c) of the same Article. |
| Article 56 (Allowances and Travel Expenses) |
Members, etc. who attend a meeting of the Dispute Mediation Committee or the mediation panel may be paid allowances and travel expenses within budgetary limits: Provided, that this shall not apply where a public official attends any meeting directly related with his or her own work.
| Article 57 (Dispute Mediation Rule) |
Except as provided in the Act and this Decree, matters necessary for the operation of the Dispute Mediation Committee and collective dispute mediation shall be determined by the chairperson subject to the resolution of the Dispute Mediation Committee.
CHAPTER IX SUPPLEMENTARY PROVISIONS AND PENALTY PROVISIONS
| Article 58 (Recommendation for Improvements and Disciplinary Action) |
| (2) | A person who has received an advice under paragraph (1) shall take necessary measures as advised, and notify the Protection Commission or the head of the related central administrative agency of the outcome in writing: Provided, That special circumstances, in which it is deemed impracticable to take measures as advised, shall be explained in the notice. <Amended on Mar. 23, 2013; Nov. 19, 2014; Jul. 26, 2017: Aug. 4, 2020> |
| Article 59 (Reporting on Infringements) |
The Protection Commission shall designate the Korea Internet and Security Agency as a specialized institution to efficiently receive and handle the claim reports on infringements on personal information-related rights or interests pursuant to Article 62 (2) of the Act. <Amended on Mar. 23, 2013; Nov. 19, 2014; Jul. 26, 2017; Aug. 4, 2020>
| Article 60 (Requests for Materials and Inspections) |
| (1) | “Cases prescribed by Presidential Decree” in Article 63 (1) 3 of the Act means circumstances in which a case or incident which infringes on data subject’s right or interest related to personal information, such as a divulgence of personal information, has occurred or is likely to occur. |
| (2) | The Protection Commission may request the head of the Korea Internet and Security Agency to provide necessary assistance, including technical advice, in order to request materials and to conduct inspections, etc. pursuant to Article 63 (1) and (2) of the Act. <Amended on Mar. 23, 2013; Nov. 19, 2014; Dec. 30, 2015; Jul. 26, 2017; Aug. 4, 2020> |
| (3) | The Protection Commission may request the head of the related central administrative agency (or a corporation that has the authority to perform an inspection under the direction and supervision of the head of the central administrative agency; hereafter in this Article the same shall apply) to inspect a personal information controller by specifying the subject of and reason for inspection in accordance with the former part of Article 63 (4) of the Act, and if necessary, request that a public official from the Protection Commission jointly participate in the inspection by specifying the relevant public official. <Newly Inserted on Aug. 4, 2020> |
| (4) | After receiving the request under paragraph (3), the head of the related central administrative agency shall establish an inspection plan, which includes the schedule, scope, method, etc. of inspection, and notify the Protection Commission of the same within 15 days from receiving the request. <Newly Inserted on Aug. 4, 2020> |
| (5) | The head of the related central administrative agency shall complete the inspection and notify the Protection Commission of the results of inspection within 60 days from notifying the inspection plan under paragraph (4): Provided, That the inspection period may be extended by up to 30 days through consultation with the Protection Commission. <Newly Inserted on Aug. 4, 2020> |
| (6) | If the head of the related central administrative agency receives any request for corrective measures or opinion on dispositions, etc. against a personal information controller in accordance with Article 63 (5) of the Act, the head of the related central administrative agency shall endeavor to implement the request or opinion. <Newly Inserted on Aug. 4, 2020> |
| (7) | If it is necessary to prevent or effectively respond to incidents of infringement with respect to personal information in accordance with Article 63 (7) of the Act, the Protection Commission may request the head of the related central administrative agency to undertake joint action as prescribed by the Protection Commission. <Newly Inserted on Aug. 4, 2020> |
| Article 61 (Disclosure of Results) |
| (1) | The Protection Commission or the head of a related central administrative agency may make public the following matters pursuant to Article 66 (1) or (2) of the Act by posting them on the website of the Protection Commission or the relevant agency or in a general daily nationwide newspaper under the Act on the Promotion of Newspapers: <Amended on Mar. 23, 2013; Nov. 19, 2014; Jul. 26, 2017; Aug. 4, 2020> |
| 1. | The substance of violations; |
| 3. | The advice for improvement, corrective measures, accusation, and advice for disciplinary action, and imposition of administrative fines, and the outcomes thereof. |
| (2) | To make public the matters prescribed in paragraph (1) pursuant to Article 66 (1) or (2) of the Act, the Protection Commission or the head of a related central administrative agency shall take into account the substance and severity of violations, the period and frequency of violations, the scope of damage caused by the relevant violations, and the outcomes thereof. <Amended on Mar. 23, 2013; Nov. 19, 2014; Jul. 26, 2017; Aug. 4, 2020> |
| (3) | At the time of the following, the Protection Commission and head of the related central administrative agency shall inform the affected person that the person is subject to public disclosure prior to the deliberation and resolution of the Protection Commission, and give him or her the opportunity to submit evidentiary materials or opinion. <Amended on Mar. 23, 2013; Nov. 19, 2014; Jul. 26, 2017; Aug. 4, 2020> |
| Article 62 (Entrustment of Affairs) |
| (1) | Deleted. <Dec. 30, 2015> |
| (2) | The Protection Commission may entrust the affairs to support the provision of alternative sign-up tool subject to Article 24-2 (4) of the Act to the following institutions under Article 68 (1) of the Act: <Amended on Mar. 23, 2013; Nov. 19, 2014; Dec. 30, 2015; Jul. 26, 2017; Aug. 4, 2020; Jul. 19, 2022> |
| 2. | The Korea Internet and Security Agency; |
| 3. | A corporation, institution, or organization prescribed by Notification of the Protection Commission after being recognized as having technical and financial capacity and facilities to develop, provide, and manage the alternative sign-up tool safely. |
| (3) | The Protection Commission shall entrust the following affairs to an institution provided in paragraph (4), under Article 68 (1) of the Act: <Amended on Mar. 23, 2013; Nov. 19, 2014; Dec. 30, 2015; Jul. 26, 2017; Aug. 4, 2020; Jul. 19, 2022> |
| 1. | Exchange and cooperation with international organizations and foreign personal information protection agencies for the protection of personal information under subparagraph 5 of Article 7-8 of the Act; |
| 2. | Surveys and research on statutes and regulations, policies, systems, actual conditions, etc. related to the protection of personal information under subparagraph 6 of Article 7-8 of the Act; |
| 3. | Support for and dissemination of technology development for the protection of personal information under subparagraph 7 of Article 7-8 of the Act; |
| 4. | Education and public relations regarding the protection of personal information under subparagraph 1 of Article 13 of the Act; |
| 5. | Promotion of and support for agencies and organizations related to the protection of personal information under subparagraph 2 of Article 13 of the Act; |
| 6. | Training of relevant specialists and development of criteria for privacy impact assessments under Article 33 (5) of the Act; |
| 9. | Receipt of applications for designating a PIA institution under Article 37 (2) and receipt of reports under Article 37 (6). |
| (4) | The institutions to which the Protection Commission may entrust its affairs regarding the matters specified in the subparagraphs of paragraph (3) shall be as follows: <Newly Inserted on Jul. 19, 2022> |
| 1. | The Korea Internet and Security Agency; |
| 2. | A corporation, institution, or organization determined and publicly notified by the Protection Commission as having expertise in the field of personal information protection. |
| (5) | Where the Protection Commission entrusts its affairs pursuant to paragraphs (2) through (4), it shall publicly announce the institutions to be entrusted with the affairs and details of the entrusted affairs in the Official Gazette or on its website. <Amended on Jul. 19, 2022> |
[Title Amended on Jul. 19, 2022]
| Article 62-2 (Processing of Sensitive Information and Personally Identifiable Information) |
| (1) | The Protection Commission (including persons entrusted with the authority of the Protection Commission under Article 62 (3)) may process sensitive information under Article 23 of the Act and data that contain resident registration numbers, passport numbers, driver’s license numbers or alien registration numbers referred to in Article 19 if inevitable to perform affairs of the following: <Amended on Aug. 4, 2020> |
| 2. | Preparing for and supporting the establishment of systems providing alternative sign-up tools pursuant to Article 24-2 (4) of the Act; |
| (2) | The Dispute Mediation Committee may process the data that contains resident registration numbers, passport numbers, driver’s license numbers or alien registration numbers referred to in Article 19, and sensitive information referred to in Article 23 of the Act if inevitable to perform the affairs related to personal information dispute mediation under Articles 45 and 47 of the Act. <Amended on Aug. 4, 2020> |
[This Article Newly Inserted on Aug. 6, 2014]
[Title Amended on Aug. 4, 2020]
| Article 62-3 (Re-Examination of Regulation) |
| (1) | The Protection Commission shall examine the appropriateness of the following matters every three years, counting from each base date specified in the following (referring to the period that ends on the day before the base date of every third year), and shall take measures, such as making improvements: <Newly Inserted on Aug. 4, 2020; Mar. 8, 2022> |
| 1. | Those eligible to be designated as PIA institutions, requirements for revocation of designation, and grounds for reporting changes under Article 37: January 1, 2022; |
| 2. | Scope of the persons required to be notified of the details of personal information usage, types of information required to be notified, frequency and method of notification under Article 48-6: August 5, 2020; |
| 3. | Scope and standards of the parties required to purchase an insurance, etc. for performance of damage compensation responsibilities under Article 48-7: August 5, 2020. |
| (2) | The Protection Commission shall examine the appropriateness of the following matters every two years, counting from each base date specified in the following (referring to the period that ends on the day before the base date of every second year), and shall take measures, such as making improvements: <Amended on Dec. 30, 2015; Jul. 26, 2017; Aug. 4, 2020; Mar. 8, 2022> |
| 1. | Combination of pseudonymized information processed by different personal information controllers under Article 29-3: January 1, 2022; |
| 2. | Details, and method of disclosure, of the Privacy Policy under Article 31: January 1, 2015; |
| 2-2. | Deleted; <Mar. 8, 2022> |
| 3. | Deleted; <Dec. 24, 2018> |
| 4. | Deleted; <Dec. 24, 2018> |
| 5. | Deleted. <Dec. 24, 2018> |
| (3) | Deleted. <Mar. 8, 2022> |
[This Article Wholly Amended on Dec. 9, 2014]
| Article 63 (Criteria for Imposition of Administrative Fines) |
ADDENDA <Presidential Decree No. 23169, Sep. 29, 2011>
Article 1 (Enforcement Date)
This Decree shall enter into force on September 30, 2011: Provided, That Article 20 and subparagraph 2 (i) of attached Table 2 shall enter into force on March 30, 2012. Article 2 (Repeal of other Acts)
Article 3 (Transitional Measures concerning Establishment of Master Plans and Implementation Plans)
| (1) | Notwithstanding Article 11, the Minister of Public Administration and Security shall establish the Master Plan for the period from 2012 to 2014 by December 31, 2011 subject to the deliberation and resolution of the Protection Commission. |
| (2) | Notwithstanding Article 12, the head of a central administrative agency shall submit the implementation plan for the period from 2012 and 2013 according to the relevant Master Plan established under paragraph (1) and submit it to the Protection Commission by February 28, 2012 and establish it by April 30, 2012 subject to the deliberation and resolution of the Protection Commission. |
Article 4 (Transitional Measures concerning Encryption of Personal Information Collected and Retained by Personal Information Controllers)
Personal information controllers who have collected and retained personal information as at the time this Decree enters into force shall complete the encryption of the personal information stored in electronic media (including the encryption of personally identifiable information to which Article 21 shall apply mutatis mutandis) pursuant to Article 30 (1) 3 by no later than December 31, 2012. Article 5 (Transitional Measures concerning Registration of Personal Information Files)
The head of a public institution that operates personal information files as at the time this Decree enters into force (excluding institutions that have already registered personal information files before this Decree enters into force) shall apply for the registration thereof to the Minister of Public Administration and Security pursuant to Article 34 within 60 days from the date this Decree enters into force. Article 6 (Transitional Measures concerning Privacy Impact Assessment)
The head of a public institution operating, or building up to operate, personal information files prescribed in the subparagraphs of Article 35 as at the time this Act enters into force shall conduct a privacy impact assessment of such personal information and submit the result thereof to the Minister of Public Administration and Security within five years from the date this Decree enters into force. Article 7 Omitted.
Article 8 (Relationship with Other Statutes or Regulations)
ADDENDA <Presidential Decree No. 24425, Mar. 23, 2013>
Article 1 (Enforcement Date)
This Decree shall enter into force on the date of its promulgation: Provided, That any amendment made by Presidential Decree promulgated before this Act enters into force, but the dates on which such amendment enters into force has yet arrived among the Presidential Decrees amended pursuant to Article 6 of the Addenda shall respectively enter into force on the date such Presidential Decree enters into force. Articles 2 through 6 Omitted.
ADDENDUM <Presidential Decree No. 25531, Aug. 6, 2014>
This Decree shall enter into force on August 7, 2014.
ADDENDA <Presidential Decree No. 25751, Nov. 19, 2014>
Article 1 (Enforcement Date)
This Decree shall enter into force on the date of its promulgation: Provided, That any amendment made by Presidential Decree promulgated before this Act enters into force, but the dates on which such amendment enters into force has yet arrived among the Presidential Decrees amended pursuant to Article 5 of the Addenda shall respectively enter into force on the date such Presidential Decree enters into force. Articles 2 through 5 Omitted.
ADDENDA <Presidential Decree No. 25840, Dec. 9, 2014>
Article 1 (Enforcement Date)
This Decree shall enter into force on January 1, 2015.
Articles 2 through 16 Omitted.
ADDENDA <Presidential Decree No. 26140, Mar. 11, 2015>
Article 1 (Enforcement Date)
This Decree shall enter into force on the date of its promulgation.
Articles 2 and 3 Omitted.
ADDENDA <Presidential Decree No. 26728, Dec. 22, 2015>
Article 1 (Enforcement Date)
This Decree shall enter into force on December 23, 2015.
Articles 2 and 3 Omitted.
ADDENDUM <Presidential Decree No. 26776, Dec. 30, 2015>
This Decree shall enter into force on the date of its promulgation: Provided, That the amended provisions of Articles 21-2, 62 (2), 62-2 (1) 1, and attached Table 2 shall enter into force on January 1, 2016.
ADDENDA <Presidential Decree No. 27370, Jul. 22, 2016>
Article 1 (Enforcement Date)
This Decree shall enter into force on July 25, 2016.
Article 2 (Transitional Measures concerning Establishment of Master Plans and Implementation Plans)
| (1) | The Master Plan for 2015 to 2017 established pursuant to the former provisions of Article 11 shall be deemed the Master Plan established pursuant to the amended provisions of Article 11. |
| (2) | The implementation plans for 2016 and 2017 established pursuant to the former provisions of Article 12 shall be deemed the implementation plans established pursuant to the amended provisions of Article 12, respectively. |
ADDENDUM <Presidential Decree No. 27522, Sep. 29, 2016>
This Decree shall enter into force on September 30, 2016.
ADDENDA <Presidential Decree No. 28074, May 29, 2017>
Article 1 (Enforcement Date)
This Decree shall enter into force on May 30, 2017.
Articles 2 through 4 Omitted.
ADDENDA <Presidential Decree No. 28150, Jun. 27, 2017>
Article 1 (Enforcement Date)
This Decree shall enter into force on July 1, 2017: Provided, That the amended provisions of Article 3 of this Addenda shall enter into force on the date of its promulgation. Articles 2 and 3 Omitted.
ADDENDA <Presidential Decree No. 28211, Jul. 26, 2017>
Article 1 (Enforcement Date)
This Decree shall enter into force on the date of its promulgation: Provided, That any amendment of the Presidential Decrees made pursuant to Article 8 of this Addenda, which were promulgated before this Decree comes into force, but the enforcement date of which has yet to arrive, shall enter into force on the date the corresponding Presidential Decree takes effect. Articles 2 through 8 Omitted.
ADDENDA <Presidential Decree No. 28355, Oct. 17, 2017>
Article 1 (Enforcement Date)
This Decree shall enter into force on October 19, 2017.
Article 2 (Applicability to Reporting on Data Breach Notification)
The amended provisions of Articles 39 (1) and 40 (3) shall begin to apply from the first divulgence of any personal information after this Decree enters into force. Article 3 (Transitional Measures concerning Request for Access, etc. to Personal Information)
Notwithstanding the amended provisions of Articles 41 (1), 43 (1), and 44 (1), a person who has requested access to, correction or erasure, or suspension of processing of, his/her personal information before this Decree enters into force shall be governed by the former provisions.
ADDENDUM <Presidential Decree No. 29421, Dec. 24, 2018>
This Decree shall enter into force on January 1, 2019.
ADDENDUM <Presidential Decree No. 30509, Mar. 3, 2020>
This Decree shall enter into force on the date of its promulgation.
ADDENDUM <Presidential Decree No. 30833, Jul. 14, 2020>
This Decree shall enter into force on July 15, 2020.
ADDENDA <Presidential Decree No. 30892, Aug. 4, 2020. >
Article 1 (Date of Enforcement)
This Decree shall enter into force on August 5, 2020: Provided, That the amended provisions of Article 5-3 shall enter into force six months after the date of its promulgation. Article 2 (General Transitional Measures)
Article 3 (Transitional Measures on Processing Sensitive Information)
Personal information that has been lawfully processed pursuant to this Decree or other statutes or regulations before this Decree enters into force and falls under the amended provisions of subparagraphs 3 and 4 of Article 18 shall be deemed to have been processed in accordance with this Decree or other statutes and regulations. Article 4 (Transitional Measures on Calculating Penalty Surcharge)
Article 5 (Transitional Measures on Imposing Penalty Surcharge)
Penalty surcharges imposed pursuant to the Act on Promotion of Information and Communication Network Utilization and Information Protection, Etc. or the previous provisions for violations prior to the enforcement of this Decree shall be included in the calculation of the number of violations stipulated in the amended provisions of attached Table 2.
Article 6 Omitted
Article 7 (Relationship to Other Statutes or Regulations)
Upon the enforcement of this Decree, if other statutes and regulations in relation to the protection of personal information refer to the Enforcement Decree of the Act on Promotion of Information and Communication Network Utilization and Information Protection, Etc. or its provisions, and if there are concerning regulations, it shall be deemed that this Decree or the relevant regulations of this Decree was referred in place of the previous regulations.
ADDENDA <Presidential Decree No. 31429, Feb. 2, 2021>
Article 1 (Enforcement Date)
This Decree shall enter into force on February 5, 2021.
Articles 2 and 3 Omitted.
ADDENDUM <Presidential Decree No. 32528, Mar. 8, 2022>
This Decree shall enter into force on the date of its promulgation.
ADDENDA <Presidential Decree No. 32813, Jul. 19, 2022>
Article 1 (Enforcement Date)
This Decree shall enter into force three months after the date of its promulgation: Provided, That the amended provisions of Articles 16 (1) and 62 shall enter into force on the date of the promulgation. Article 2 (Applicability to Standards for Calculation of Penalty Surcharge)
The amended provisions of attached Tables 1, 1-3 and 1-5 shall also apply to violations committed before this Decree enters into force.