법령조회

뒤로가기 메인화면

ENFORCEMENT DECREE OF THE ACT ON PROMOTION OF INFORMATION AND COMMUNICATIONS NETWORK UTILIZATION AND INFORMATION PROTECTION, ETC.

Wholly Amended by Presidential Decree No. 20668, Feb. 29, 2008

Amended by Presidential Decree No. 20756, Mar. 28, 2008

Presidential Decree No. 20896, Jul. 3, 2008

Presidential Decree No. 20947, Jul. 29, 2008

Presidential Decree No. 21278, Jan. 28, 2009

Presidential Decree No. 21692, Aug. 18, 2009

Presidential Decree No. 21719, Sep. 9, 2009

Presidential Decree No. 22003, Jan. 27, 2010

Presidential Decree No. 22151, May 4, 2010

Presidential Decree No. 22423, Oct. 1, 2010

Presidential Decree No. 22424, Oct. 1, 2010

Presidential Decree No. 22467, Nov. 2, 2010

Presidential Decree No. 22550, Dec. 27, 2010

Presidential Decree No. 22773, Mar. 29, 2011

Presidential Decree No. 23104, Aug. 29, 2011

Presidential Decree No. 23169, Sep. 29, 2011

Presidential Decree No. 23876, jun. 25, 2012

Presidential Decree No. 24047, Aug. 17, 2012

Presidential Decree No. 24076, Aug. 31, 2012

Presidential Decree No. 24102, Sep. 14, 2012

Presidential Decree No. 24445, Mar. 23, 2013

Presidential Decree No. 25050, Dec. 30, 2013

Presidential Decree No. 25532, Aug. 6, 2014

Presidential Decree No. 25751, Nov. 19, 2014

Presidential Decree No. 25789, Nov. 28, 2014

Presidential Decree No. 27188, May 31, 2016

Presidential Decree No. 27510, Sep. 22, 2016

Presidential Decree No. 27751, Dec. 30, 2016

Presidential Decree No. 27951, Mar. 22, 2017

Presidential Decree No. 28210, Jul. 26, 2017

Presidential Decree No. 28283, Sep. 5, 2017

CHAPTER I GENERAL PROVISIONS
 Article 1 (Purpose)
The purpose of this Decree is to provide for matters delegated by the Act on Promotion of Information and Communications Network Utilization and Information Protection, Etc. and matters necessary for the enforcement thereof.
 Article 2 (Code of Ethics)
(1) The providers of information and communications services, defined under Article 2 (1) 3 of the Act on Promotion of Information and Communications Network Utilization and Information Protection, Etc. (hereinafter referred to as the “Act”), or an association of such providers may establish and enforce a code of ethics in order to protect users’ personal information and to ensure soundness and safety in providing information and communications services. <Amended by Presidential Decree No. 21278, Jan. 28, 2009>
(2) An association of users defined under Article 2 (1) 4 of the Act may establish and enforce a users’ code of ethics for the establishment of a sound information society.
(3) The Government may provide assistance to activities for the establishment and enforcement of the code of ethics under paragraph (1) or (2).
 Article 3 (Guidelines for Protection of Personal Information)
(1) In order to protect users’ personal information pursuant to Article 4 of the Act, the Korea Communications Commission may formulate and provide a public notice of guidelines for the protection of personal information and may recommend providers of information and communications services to comply with such guidelines. <Amended by Presidential Decree No. 21278, Jan. 28, 2009; Presidential Decree No. 23169, Sep. 29, 2011>
(2) When the Korea Communications Commission intends to formulate and provide a public notice of guidelines for the protection of personal information under paragraph (1), it shall collect opinions from related business circles, associations of users, etc. and shall consult with the heads of related central administrative agencies thereon. <Amended by Presidential Decree No. 23169, Sep. 29, 2011>
CHAPTER II PROMOTION OF UTILIZATION OF INFORMATION AND COMMUNICATIONS NETWORKS
 Articles 4 and 5 Deleted. <by Presidential Decree No. 21692, Aug. 18, 2009>
 Article 6 (Measures, etc. for Establishment of System for Sharing Information)
(1) Pursuant to Article 12 of the Act, the head of a central administrative agency may formulate and provide a public notice of a plan for sharing information about matters under his/her jurisdiction. <Amended by Presidential Decree No. 22151, May 4, 2010>
(2) If the head of a central administrative agency deems it necessary to efficiently implement a plan for sharing information pursuant to paragraph (1), he/she may assist a person in conducting the following business activities:
1. Selection of information to be shared, among the information possessed and managed;
2. Establishment and operation of a system for interconnecting different information and communications networks;
3. Adjustment of expenses allotted to each agency in connection with the interconnection of different information and communications networks;
4. Other activities necessary for the establishment of the system for sharing information.
 Article 7 (Implementation of Projects for Promoting Utilization of Information and Communications Networks)
Projects that the Minister of Science and Information and Communications Technology (ICT) may implement pursuant to Article 13 (1) of the Act are as follows: <Amended by Presidential Decree No. 24445, Mar. 23, 2013; Presidential Decree No. 28210, Jul. 26, 2017>
1. Pilot projects for the establishment and operation of information and communications networks;
2. Pilot projects for the commercialization of new media;
3. Advanced application projects for nurturing the informatization industry and projects for supporting related research projects;
4. Projects to lay a foundation for the development of technologies for electronic transactions and the invigoration of electronic transactions;
5. Supportive projects for the improvement of statutes and systems for promoting the utilization of information and communications networks;
6. Other pilot projects for the efficient utilization and dissemination of technologies, equipment, and application services.
CHAPTER III (Articles 8 and 9) Deleted.
CHAPTER IV PROTECTION OF PERSONAL INFORMATION
 Article 9-2 (Extent, etc. of Access Authority)
(1) A case where a provider of information and communications services shall obtain consent from the users pursuant to Article 22-2 (1) of the Act means a case where such provider needs authority of access to the following information and functions (hereafter referred to as “access authority” in this Article) through the softwares of mobile devices: Provided That this shall not apply to the information and functions accessed by any software, which has been installed in mobile devices in the course of manufacturing and supplying them, to perform their intrinsic functions such as communications, photography, and audio and video replay:
1. Information stored by the users on their mobile devices such as contact points, schedules, videos, communications, biometric information (referring to information concerning physical or behavioral characteristics with which an individual can be identified, such as fingerprints, iris, voice, and handwriting; hereinafter the same shall apply);
2. Information automatically stored on mobile devices in the course of using them, such as location information, communication logs, authentication information, and physical activity records;
3. Unique information assigned to identify mobile devices, including unique international identification number under Article 60-2 (1) of the Telecommunications Business Act;
4. Input and output functions, such as photography, speech recognition, and biometric or health information detecting sensor.
(2) A provider of information and communications services shall, in the course in which the users install or run a software of mobile devices, inform the users of the matters referred to in each subparagraph of Article 22-2 (1) of the Act in a manner displaying such matters on a software’s guidance information screen or other separate screen and shall obtain consent of the users according to the following classifications in the same manner:
1. Where the basic operating system of mobile devices (referring to the based environment in which the software can be executed in mobile devices; hereinafter referred to as “operating system”) is an operating system in which the users can individually choose whether to consent to the access authority: A method by which, after the provider of information and communications services informs the users about the both access authorities under Article 22-2 (1) 1 and 2 of the Act separately from each other, the users choose whether to consent when for the first time they access any information or function the access authority for which is set;
2. Where the operating system of mobile devices is one by which the users can not individually choose whether to consent to the access authority: A method by which, after the provider of information and communications services only sets the access authority under Article 22-2 (1) 1 and informs the users thereof, the users choose whether to consent to the access authority when they install the software;
3. Where the method referred to in subparagraph 1 or 2 is impossible though the operating system of mobile devices is one referred to in subparagraph 1 or 2: A method similar to one referred to in subparagraph 1 or 2, by which the provider of information and communications services informs the users of the content of consent so that they can definitely acknowledge such content and choose whether to give consent.
(3) When determining whether a matter requiring the consent of the users pursuant to Article 22-2 (1) of the Act falls under any access authority under subparagraph 1 or 2 of that Article, the following shall be taken into consideration: the extent of information and communications services as disclosed through the terms and conditions on use, the policies on personal information management or any separate guidance; whether such information and communications services are actually provided; the users’ reasonable expectation for the relevant information and communications services; and technical relevance between the relevant information and communications services and the access authority.
(4) Persons manufacturing and supplying the operating system of mobile devices, manufacturers of mobile devices, and persons manufacturing and supplying softwares of mobile devices shall take necessary measures according to the following classifications in order to protect information on the users referred to in Article 22-2 (3) of the Act:
1. Persons manufacturing and supplying the operating system of mobile devices: They shall manufacture and provide the operating system in which there are embedded functions by which the providers of information and communications services can obtain the consent of the users by the methods classified in subparagraphs of paragraph (2) and the users can revokes their consent, and they also shall prepare and disclose operating standards for the access authority set in the operating system so that the persons manufacturing and supplying the softwares of mobile devices can easily understand such standards;
2. Manufacturers of mobile devices: They shall install on mobile devices the operating system in which functions to give and revoke the consent under subparagraph 1 are embedded;
3. Persons manufacturing and providing softwares of mobile devices; They shall embed in the softwares the operating system for which the measures under subparagraphs 1 and 2 are taken and the methods for giving and revoking consent which are suitable for mobile devices.
[This Article Newly Inserted by Presidential Decree No. 27951, Mar. 22, 2017]
 Article 9-3 (Criteria for Standard Subject to Review)
(1) Criteria for each standard subject to review under Article 23-3 (1) of the Act are as follows: <Amended by Presidential Decree No. 24047, Aug. 17, 2012>
1. A plan for physical/technological/administrative measures: A plan for measures concerning the following shall be formulated:
(a) The management and operation of equipment for identification services under Article 23-3 (1) of the Act (hereinafter referred to as “identification services”);
(b) The prevention of an intrusion on information and communications networks;
(c) The operation, security, and management of systems and networks;
(d) The protection of users and the settlement of complaints;
(e) The response to urgency and emergency;
(f) The formulation and enforcement of internal regulations on identification services;
(g) The securement of safety of an alternative means under Article 23-2 (2) of the Act (hereinafter referred to as “alternative means”);
(h) The prevention of fabrication and alteration of access records;
(i) Other matters specified and publicly notified by the Korea Communications Commission for identification services;
2. Technological capability: An identification service agency shall have at least eight persons who meet any of the following requirements:
(a) Each person shall hold a national technical qualification as an information and communications engineer, information processing engineer, or an engineer specializing in application of electronic computer systems or a qualification recognized by the Korea Communications Commission as equivalent to such qualification;
(b) Each person shall have work experience of at least two years in a field specified and publicly notified by the Korea Communications Commission as related to the protection of information or the operation and management of information and communication systems;
3. Financial capability: An identification service agency’s equity capital shall be at least eight billion won (excluding state agencies and local governments);
4. Appropriateness of the scale of facilities: An identification service agency shall possess the following facilities in a scale necessary for the proper provision of identification services:
(a) Facilities for the verification, management, and protection of users’ personal information;
(b) Facilities for the generation, issuance, and management of alternative means;
(c) Security facilities for controlling and restricting access;
(d) Facilities for the protection of systems and networks;
(e) Facilities for the prevention of fire, flood, power failure, and other disasters;
(2) Matters necessary for guidelines and methods for the evaluation of criteria for each standard subject to the review under paragraph (1) shall be prescribed and publicly notified by the Korea Communications Commission.
[This Article Newly Inserted by Presidential Decree No. 23104, Aug. 29, 2011]
 Article 9-4 (Procedures for Designation of Identification Service Agencies)
(1) A person who intends to be designated as an identification service agency under Article 23-3 (1) of the Act shall file an application for the designation of an identification service agency (or an application in the form of an electronic document) with the Korea Communications Commission, along with the following documents (or electronic documents):
1. A business plan describing the current conditions of its organization, human resources, facilities, etc.;
2. Documents certifying that criteria for each standard subject to the review under Article 9-3 are satisfied;
3. Articles of incorporation or bylaws of organization (applicable only if an applicant is a legal person or organization);
4. Other documents specified and publicly notified by the Korea Communications Commission as documents necessary for ascertaining the expertise in providing identification services, the soundness of the financial structure, etc.
(2) Upon receipt of an application for the designation of an identification service agency under paragraph (1), the Korea Communications Commission shall verify the relevant corporate registration (applicable only if an applicant is a corporation) by sharing administrative information under Article 36 (1) of the Electronic Government Act.
(3) If the Korea Communications Commission deems it necessary to review an application under paragraph (1), it may request an applicant to submit data or may hear the applicant’s opinions.
(4) Upon receipt of an application under paragraph (1), the Korea Communications Commission shall examine whether the application meets criteria for each standard subject to the review under Article 9-3 and shall notify the applicant of the outcomes of the review within 90 days from the date when such application is filed: Provided, That the period may be extended by up to 30 days in an exceptional situation by giving notice of the reasons therefor.
(5) When the Korea Communications Commission designates an identification service agency based on the result of the review under paragraph (4), it shall issue a letter of designation of an identification service agency to an applicant and shall provide a public notice of the details of designation, including the name and location of the identification service agency and the date of designation, through the Official Gazette.
(6) Matters necessary for procedures and methods for the application for designation and the review on the designation under the provisions of paragraphs (1) through (5) shall be prescribed and publicly notified by the Korea Communications Commission.
[This Article Newly Inserted by Presidential Decree No. 23104, Aug. 29, 2011]
 Article 9-5 (Suspension or Discontinuation of Identification Services)
(1) When an identification service agency intends to suspend or discontinue its services as referred to in Article 23-3 (2) or (3) of the Act, it shall notify users of the following matters:
1. The reasons for suspension or discontinuation;
2. The date and time of suspension or discontinuation (including the date and time of resumption of services in cases of suspension);
3. Restrictions on the use of alternative means and personal information (applicable only to suspension);
4. The destruction of alternative means and personal information (applicable only to discontinuation).
(2) When an identification service agency reports the suspension or discontinuation of its identification services in accordance with Article 23-3 (2) or (3) of the Act, it shall file a report on the suspension or discontinuation of its identification services with the Korea Communications Commission, along with the following documents:
1. A notice of the matters under paragraph (1);
2. A document concerning a plan to restrict the use or to destroy alternative means and personal information;
3. A document concerning a plan for measures for the protection of users;
4. The letter of designation of an identification service agency (applicable only to discontinuation).
(3) Detailed matters necessary for procedures, guidelines, methods, etc. for the notification and reporting of suspension or discontinuation under paragraph (1) or (2) shall be prescribed and publicly notified by the Korea Communications Commission.
[This Article Newly Inserted by Presidential Decree No. 23104, Aug. 29, 2011]
 Article 9-6 (Suspension of Identification Services or Cancellation of Designation)
(1) Standards for the suspension of identification services or the cancellation of designation under Article 23-4 (1) of the Act are as prescribed in Table 1 attached hereto.
(2) When the Korea Communications Commission suspends identification services or cancels designation under paragraph (1), it shall publish notice thereof in the Official Gazette.
[This Article Newly Inserted by Presidential Decree No. 23104, Aug. 29, 2011]
 Article 10 (Notification of Entrustment of Management of Personal Information)
“A manner prescribed by Presidential Decree” in the former part of Article 25 (2) of the Act means electronic mail, writing, facsimile, telephone, or other similar means. <Amended by Presidential Decree No. 23169, Sep. 29, 2011>
 Article 11 (Notification upon Transfer of Personal Information Following Transfer of Business, etc.)
(1) “Means specified by Presidential Decree” in the part other than subparagraphs of Article 26 (1) and the main sentence of Article 26 (2) of the Act means electronic mail, writing, facsimile, telephone, or other similar means. <Amended by Presidential Decree No. 23169, Sep. 29, 2011>
(2) If a provider of information and communications services or a business transferee does not get any information about how to contact a user without any fault on the part of the service provider or business transferee and so he/she is unable to give notice to the user by any means specified in paragraph (1), it shall publish the notice on its web-site for at least 30 days. <Amended by Presidential Decree No. 21278, Jan. 28, 2009>
(3) If it is impracticable to post a public announcement on the website in accordance with paragraph (2) due to a natural disaster or any other justifiable cause, such notice may be substituted by public notice given at least once through two or more general daily newspapers circulated nationwide under the Act on the Promotion of Newspapers, Etc. (or general daily newspapers circulated in a certain region, if most users reside in the region). <Amended by Presidential Decree No. 22003, Jan. 27, 2010>
 Article 12 (Methods for Obtaining Consent)
(1) Pursuant to Article 26-2 of the Act, a provider of information and communications services shall obtain consent by any of the following methods: In such cases, a provider of information and communications services shall state matters for which he/she shall obtain consent (hereinafter referred to as “matters subject to consent”) so that users can clearly recognize and check such matters: <Amended by Presidential Decree No. 21278, Jan. 28, 2009>
1. Publishing matters subject to consent in his/her website and requesting each user to express whether he/she consents thereto;
2. Delivering a document containing matters subject to consent to each user in person or by mail or facsimile and requesting the user to return the document with his/her signature or seal affixed, if he/she consents thereto;
3. Sending a document containing matters subject to consent to each user by e-mail and requesting the user to return it with his/her consent expressed thereon by e-mail;
4. Informing each user of matters subject to consent by telephone and obtaining consent from the user or informing each user of a method by which the user can check the relevant Internet address and matters subject to consent and then calling the user again to obtain consent over the telephone.
(2) If it is impracticable for a provider of information and communications services to fully state matters subject to consent due to the characteristics of the medium for collecting personal information, he/she may inform each user of a method by which the user can check matters subject to consent (Internet address, telephone numbers of the place of business, etc.) to obtain consent from the user. <Amended by Presidential Decree No. 21278, Jan. 28, 2009>
 Article 13 (Qualification Requirements, etc. for Persons Responsible for Protection of Personal Information)
(1) In order for a person to be qualified as a person designated by a provider of information and communications services or by any person to whom a provider of information and communications services provides users’ personal information (hereinafter referred to as “provider of information and communications services”) as one responsible for the protection of personal information under the main sentence of Article 27 (1) of the Act, the person shall be in any of the following positions: <Amended by Presidential Decree No. 21278, Jan. 28, 2009; Presidential Decree No. 27510, Sep. 22, 2016>
1. An executive officer;
2. The head of a department in charge of the settlement of users’ grievances concerning personal information.
(2) “If it falls under the criteria prescribed by Presidential Decree” in the proviso to Article 27 (1) of the Act means a provider of information and communications services who has less than five full-time employees: Provided, That if the main business of a provider of information and communications services is to provide information and communications service through the Internet, the number of full-time employees working for the provider shall be less than five persons and the average number of daily users shall not be more than 1,000 persons during three months immediately before the end of the preceding year. <Amended by Presidential Decree No. 21278, Jan. 28, 2009>
 Article 14 (Methods, etc. for Public Disclosure of Policies on Handling of Personal Information)
(1) Where a provider, etc. of information and communications services manages (referring to acts of collecting, creating, connecting, linking, recording, storing, holding, processing, editing, searching, printing, correcting, recovering, using, providing, disclosing, or destructing personal information or other similar acts; hereinafter the same shall apply in this Article, and Articles 15, 17 and 34) personal information, such provider shall, pursuant to Article 27-2 (1) of the Act, disclose his/her policy on management of personal information to the public under the title “policy on management of personal information” by any of the following methods, based upon the place, media, etc. from which personal information has been collected: <Amended by Presidential Decree No. 21278, Jan. 28, 2009; Presidential Decree No. 27510, Sep. 22, 2016>
1. Displaying the information about matters specified in Article 27-2 (2) of the Act on the front page of his/her website or a page linked to the front page to ensure that users can read the information. In such cases, the provider of information and communications services shall display the policy on management of personal information conspicuously by utilizing size, color, etc. of fonts to ensure readability;
2. Posting or keeping the information at a place where such information is easily noticeable in a shop or office;
3. Publishing the information in periodicals, newsletters, leaflets, or bills regularly issued and distributed to users at least twice a year under an identical title.
(2) Pursuant to Article 27-2 (3) of the Act, reasons why a policy on management of personal information is revised and the details of such revision shall be publicly notified by at least one of the following methods: <Amended by Presidential Decree No. 21278, Jan. 28, 2009; Presidential Decree No. 27510, Sep. 22, 2016>
1. Posting public notice on a space for public notice in the front page of the website operated by the provider of information and communications services or on a separate page;
2. Giving notice to users by writing, facsimile, e-mail, or any similar means;
3. Posting or keeping public notice at a place where such notice is easily noticeable in a shop or office.
(3) Deleted. <by Presidential Decree No. 25789, Nov. 28, 2014>
 Article 14-2 (Notification and Reporting of Leakages of Personal Information)
(1) When a provider of information and communications services becomes aware of the loss, theft, or leakage of personal information, he/she shall notify the relevant users of all matters specified in Article 27-3 (1) of the Act without delay in writing, by e-mail, facsimile, telephone, or any other similar means and shall report to the Korea Communications Commission and the Korea Internet and Security Agency. <Amended by Presidential Decree No. 25789, Nov. 28, 2014; Presidential Decree No. 27510, Sep. 22, 2016>
(2) If any fact relevant to a matter specified in Article 27-3 (1) 1 or 2 of the Act has not been verified in detail when a provider of information and communications services intends to give notice and make a report pursuant to paragraph (1), he/she shall give notice and make a report first with respect to the facts verified to date and the matters specified in subparagraphs 3 through 5 and then shall give further notice and make additional reports with regard to the facts additionally verified.
(3) If a provider of information and communications services has good cause referred to in the proviso to Article 27-3 (1), he/she may post the information about matters specified in Article 27-3 (1) of the Act on his/her website for at least 30 days, in lieu of notice under paragraph (1).
(4) If it is impracticable to post notice on the website in accordance with paragraph (3) due to a natural disaster or any other good cause, such notice may be substituted by a public announcement made at least once through two or more general daily newspapers with nationwide circulation under the Act on the Promotion of Newspapers, Etc.
(5) An information and communications service provider, etc. shall promptly explain his/her cause under the main sentence of and proviso to, excluding its subparagraphs, Article 27-3 (1) of the Act to the Korea Communications Commission in writing (including an electronic document). <Newly Inserted by Presidential Decree No. 25789, Nov. 28, 2014>
[This Article Newly Inserted by Presidential Decree No. 24047, Aug. 17, 2012]
 Article 15 (Protective Measures for Personal Information)
(1) Pursuant to Article 28 (1) 1 of the Act, a provider of information and communications services shall formulate and implement an internal control plan, covering the following matters, in order to ensure safety in managing personal information: <Amended by Presidential Decree No. 27510, Sep. 22, 2016>
1. Formation and operation of an organization protecting personal information, including the designation of a person responsible for the protection of personal information;
2. Matters concerning education on a person managing users’ personal information (hereinafter referred to as “personal information manager” in this Article) under the command and supervision of the provider of information and communications services;
3. Details necessary for taking protective measures under paragraphs (2) through (5).
(2) Each provider of information and communications services shall take the following measures to block illegal access to personal information pursuant to Article 28 (1) 2 of the Act: Provided, That a provider of information and communications services is obliged to take a measure under subparagraph 3, only if the number of users whose personal information has been stored and managed by the provider of information and communications services during three months immediately preceding the end of the previous year averages at least one million persons per day or the sales of information and communications services during the preceding year (referring to the preceding business year, if the service provider is a corporation) amount to at least ten billion won. <Amended by Presidential Decree No. 24047, Aug. 17, 2012>
1. Formulation and enforcement of the criteria for the grant, alteration, or cancellation of the authority to access a database system systematically constructed to process personal information (hereinafter referred to as the “personal information processing system”);
2. Installation and operation of systems for blocking and detecting intrusions into the personal information processing system;
3. Blockade of external Internet networks to computers, etc. of persons accessing the personal information processing system while handling personal information;
4. Establishment and management of guidelines for the methods of creation of passwords, the interval of changing passwords, etc.;
5. Other measures necessary for controlling access to personal information.
(3) Pursuant to Article 28 (1) 3 of the Act, a provider of information and communications services shall take the following measures to prevent the fabrication and alteration of access records:
1. Storing records of the date and time of access, the details of data processed, etc. and inspection and supervision thereof, where a person handling personal information processes personal information by accessing the personal information processing system;
2. Preserving backup files of records of access to the personal information processing system in a separate storage device.
(4) Pursuant to Article 28 (1) 4 of the Act, a provider of information and communications services shall take the following security measures to ensure the safe storage and transmission of personal information: <Amended by Presidential Decree No. 25789, Nov. 28, 2014; Presidential Decree No. 27951, Mar. 22, 2017>
1. Storage of one-way encrypted passwords;
2. Storage of encrypted information determined and publicly notified by the Korea Communications Commission, including resident registration numbers, information about bank accounts and biometric information;
3. Installation of security servers while taking other necessary measures, where users’ personal information and authentication information are transmitted and received through information and communications networks;
4. Other security measures to be taken by applying encryption technologies.
(5) Pursuant to Article 28 (1) 5 of the Act, a provider of information and communications services shall install anti-virus vaccine software in the personal information processing system and the information processing systems used by persons handling personal information so as to constantly monitor and block intrusions by malicious programs, such as computer viruses and spyware, and shall renew and inspect such anti-virus vaccine software periodically.
(6) The Korea Communications Commission shall formulate and provide a public notice of detailed guidelines for matters under paragraphs (1) through (5) and other protective measures necessary for ensuring the safety of personal information under Article 28 (1) 6 of the Act.
[This Article Wholly Amended by Presidential Decree No. 21278, Jan. 28, 2009]
 Article 16 (Destruction of Personal Information, etc.)
(1) Deleted. <by Presidential Decree No. 27188, May 31, 2016>
(2) If a user does not use information and communications services during a period specified in Article 29 (2) of the Act, the provider of information and communications services shall destroy the user’s personal information immediately after the lapse of the period or shall separate the user’s personal information from other users’ personal information for separate storage and management: Provided, That where the period referred to in the main sentence of Article 29 (2) of the Act (if the period is otherwise determined upon request of any user pursuant to the proviso to Article 29 (2) of the Act, referring to such otherwise determined period) has elapsed and the user’s personal information shall be required to be preserved pursuant to other statutes, the user’s personal information shall be stored and separately managed from other users’ personal information until the period referred to in the said statute elapses. <Amended by Presidential Decree No. 27188, May 31, 2016; Presidential Decree No. 27510, Sep. 22, 2016>
(3) When a provider of information and communications services separately stores and manages personal information pursuant to paragraph (2), he/she shall not use or provide such personal information to any person, except otherwise expressly provided for in the Act or any other Act.
(4) The phrase “matters prescribed by Presidential Decree such as the fact that the personal information will be destroyed, the expiration date of the period and items of personal information subject to destruction” referred to in Article 29 (3) of the Act means the following matters: <Amended by Presidential Decree No. 27188, May 31, 2016>
1. In the case of destroying any personal information: the fact that the personal information will be destroyed, the expiration date of the period, and the items of the personal information subject to destruction;
2. In the case of storing and managing any personal information separately with other users’ personal information: the fact that the personal information will be separately stored and managed, the expiration date of the period, and the items of the personal information subject to separate storage and management.
(5) The phrase “manner prescribed by Presidential Decree such as by email” referred to in Article 29 (3) of the Act means a manner such as by email, writing, facsimile, telephone, or similar thereto. <Newly Inserted by Presidential Decree No. 27188, May 31, 2016>
[This Article Newly Inserted by Presidential Decree No. 24047, Aug. 17, 2012]
 Article 17 (Notification on Details of Use of Personal Information)
(1) “A provider of information and communications services or similar falling under the standards determined by Presidential Decree” in the main sentence of Article 30-2 (1) of the Act means a provider of information and communications services in whose case the number of users whose personal information has been stored and managed during three months immediately before the end of the preceding year is at least an average of one million persons per day or the sales of information and communications services during the preceding year (referring to the preceding business year, if the service provider is a corporation) amount to at least ten billion won.
(2) The types of information which shall be notified to a user pursuant to Article 30-2 (1) of the Act are as follows: <Amended by Presidential Decree No. 27510, Sep. 22, 2016>
1. The purposes of collection and use of personal information and the items of information collected;
2. Any person to whom personal information is provided, the purposes of providing the personal information, and the items of the personal information provided: Provided, That the information provided under Article 13, 13-2, or 13-4 of the Protection of Communications Secrets Act or Article 83-3 of the Telecommunications Business Act shall be excluded herefrom;
3. Any person to whom management of personal information is entrusted under Article 25 of the Act and the details of business affairs entrusted in managing personal information.
(3) A notice under Article 30-2 (1) of the Act shall be given at least once a year by e-mail, writing, facsimile, telephone, or any similar means.
[This Article Newly Inserted by Presidential Decree No. 24047, Aug. 17, 2012]
 Article 18 (Period for Filing Claim for Statutory Damages)
(1) A user shall file a claim for damages under Article 32-2 (1) of the Act within three years from the date he/she becomes aware of loss, theft, leakage, forgery, alteration, or damage of personal information. <Amended by Presidential Decree No. 27510, Sep. 22, 2016>
(2) No user shall file a claim for damages under Article 32-2 (1) if ten years has elapsed from the date loss, theft, leakage, forgery, alteration, or damage of personal information occurs. <Amended by Presidential Decree No. 27510, Sep. 22, 2016>
[This Article Newly Inserted by Presidential Decree No. 25789, Nov. 28, 2014]
 Articles 19 through 22 Deleted. <by Presidential Decree No. 23169, Sep. 29, 2011>
CHAPTER V PROTECTION OF USERS IN INFORMATION AND COMMUNICATIONS NETWORKS
 Article 23 (Policy on Protection of Juveniles)
“Matters specified by Presidential Decree” in Article 41 (1) 4 of the Act mean the following measures: <Amended by Presidential Decree No. 21278, Jan. 28, 2009; Presidential Decree No. 23104, Aug. 29, 2011>
1. Promotion of the development and dissemination of information useful to juveniles;
2. Encouragement of and support for juveniles’ voluntary activities for protecting themselves from unwholesome information, such as information of obscenity or violence, circulated through information and communications networks;
3. Encouragement of and support for voluntary activities conducted by parents, teachers, or nongovernmental organizations for surveillance, counseling, and remedial measures for the protection of juveniles;
4. Assistance in the establishment of a system for the cooperation of providers of information and communications services for the protection of juveniles;
5. Other measures incidental to the implementation of policies under Article 41 (1) of the Act.
 Article 24 (Labeling of Media Unwholesome for Juveniles)
(1) A person who provides a medium unwholesome for juveniles, as defined under Article 42 of the Act, shall label it with an easily noticeable audio, text, or video warning stating that no person under 19 years shall use the medium.
(2) If a person who shall put a label required by paragraph (1) provides information through the Internet, he/she shall also put an electronic label warning that it is a medium unwholesome for juveniles with symbols, marks, letters, or numbers.
(3) The Korea Communications Commission shall prescribe specific methods for labeling under paragraphs (1) and (2), taking into consideration the categories of information, etc., and shall publish notice of the methods in the Official Gazette.
 Article 25 (Scope of Persons Obliged to Designate Persons Responsible for Protection of Juveniles)
“A provider of information and communications services whose the average number of users per day, sales, and other factors fall under criteria prescribed by Presidential Decree” of Article 42-3 (1) of the Act means a person who meets all the following criteria: <Amended by Presidential Decree No. 23104, Aug. 29, 2011; Presidential Decree No. 24102, Sep. 14, 2012>
1. Either of the following items:
(a) A person in whose case the average number of users per day during three months immediately before the end of the immediately preceding year is at least 100,000 persons;
(b) A person whose sales of information and communications services during the immediately preceding year (or the preceding business year, if the service provider is a corporation) is at least one billion won;
2. A person who provides a medium unwholesome for juveniles, as defined under subparagraph 3 of Article 2 of the Juvenile Protection Act or who acts as a broker or agent for a transaction of such medium.
 Article 26 (Duties of Persons Responsible for Protection of Juveniles)
A person responsible for protection of juveniles under Article 42-3 (1) of the Act shall perform the following duties in order to protect juveniles from information unwholesome for juveniles on information and communications networks (hereinafter referred to as “unwholesome information”):
1. Formulation of a plan for protection of juveniles from unwholesome information;
2. Measures for restricting or controlling juveniles’ access to unwholesome information;
3. Education of persons engaged in information and communications services for the protection of juveniles from unwholesome information;
4. Counseling on harm inflicted by unwholesome information and the settlement of grievances;
5. Other matters necessary to protect juveniles from unwholesome information.
 Article 27 (Deadline for Designation of Persons Responsible for Protection of Juveniles)
A person responsible for protection of juveniles under Article 42-3 (1) of the Act shall be designated by no later than the end of April each year.
 Article 28 (Preservation, etc. of Video or Audio Information)
(1) “An information provider specified by Presidential Decree” in Article 43 (1) of the Act means a person who distributes information through telecommunications lines: Provided, That broadcasting business entities, CATV relay broadcasting business entities, and electronic signboard broadcasting business entities under subparagraphs 3, 6, and 12 of Article 2 of the Broadcasting Act, among persons who distribute information according to a certain program schedule, using the word “broadcasting”, “television” or “radio” in their names, shall be excluded herefrom. <Amended by Presidential Decree No. 23104, Aug. 29, 2011>
(2) An information provider under Article 43 of the Act shall preserve relevant information for six months from the time when the information is provided for use.
 Articles 29 and 30 Deleted. <by Presidential Decree No. 25789, Nov. 28, 2014>
 Article 31 (Scope of User Information that May be Requested)
“The minimum information specified by Presidential Decree” in Article 44-6 (1) of the Act means the following information: <Amended by Presidential Decree No. 23104, Aug. 29, 2011>
1. Name;
2. Address;
3. Other information that the defamation dispute conciliation division under Article 44-10 of the Act (hereinafter referred to as the “defamation dispute conciliation division”) deems necessary for filing a civil or criminal complaint, including the contact information of users involved.
 Article 32 (Procedures for Requesting Provision of Information)
(1) A person who intends to request the provision of the information of users involved pursuant to Article 44-6 (1) of the Act (hereinafter referred to as “claimant”) may file a claim with the defamation dispute conciliation division, stating the following matters therein, along with supporting materials:
1. The claimant’s name, address, and contact information (referring to telephone numbers, e-mail addresses, etc.);
2. The category of lawsuits to be filed and remedies sought by the lawsuit;
3. The type of violated rights and specific facts relevant to the violation of rights by users involved.
(2) When defamation dispute conciliation division finds it necessary to make a decision on whether to provide information under Article 44-6 (2) of the Act, it may permit the claimant to present his/her arguments.
 Article 33 (Procedures for Provision of Information)
(1) Upon receipt of a request from a claimant to provide information, the defamation dispute conciliation division shall make a decision on whether to provide the information of users involved and shall notify the claimant of its decision.
(2) When the defamation dispute conciliation division decides to provide information, it shall request the relevant provider of information and communications services to provide information under Article 31. In such cases, the provider of information and communications services shall comply with such request, except in extenuating circumstances. <Amended by Presidential Decree No. 21278, Jan. 28, 2009>
(3) A provider of information and communications services shall notify users involved that he/she provides information under paragraph (2). <Amended by Presidential Decree No. 21278, Jan. 28, 2009>
(4) The defamation dispute conciliation division shall keep documents relating to the provision of user information for five years.
 Article 34 (Requests to Order Restrictions on Handling Unlawful Information)
(1) When the head of a related central administrative agency intends to request the Korea Communications Commission pursuant to Article 44-7 (3) of the Act to order a provider of information and communications services or the manager or operator of a message board to refuse, suspend, or restrict the management of the information specified in Article 44-7 (1) 7 through 9 of the Act, he/she shall submit a written request with the following matters described therein to the Korea Communications Commission, along with evidential materials: <Amended by Presidential Decree No. 21278, Jan. 28, 2009; Presidential Decree No. 27510, Sep. 22, 2016>
1. The purpose of and reasons for a request;
2. Relevant statutes and the details of violations;
3. A list of relevant information and a person by whom the relevant information is provided;
4. The titles or names and contact information, such as addresses, telephone numbers, and e-mail addresses, of the provider of information and communications services or the manager or operator of the message board and users involved.
(2) If the Korea Communications Commission finds any defect in documents submitted pursuant to paragraph (1), it may request the head of a related central administrative agency to rectify the defect immediately. In such cases, at least five more days shall be given for rectification.
(3) If the head of a related central administrative agency fails to rectify a defect even until the end of a period given for the rectification requested under paragraph (2), the Korea Communications Commission may return the request and evidential materials submitted pursuant to paragraph (1) to the head of the related central administrative agency.
 Article 35 (Grounds for Exception from Submission of Opinions)
“A ground specified by Presidential Decree” in Article 44-7 (4) 2 of the Act means any of the following cases: <Amended by Presidential Decree No. 23104, Aug. 29, 2011>
1. Where a user involved is not identifiable (limited to the submission of a user’s opinion);
2. Where the facts relevant to an order have already been proved objective by a final judgment of a court or by other decisions and thus issuing the order to hear an opinion is unnecessary.
 Article 36 (Establishment and Management of Defamation Dispute Conciliation Division, Conciliation of Disputes, etc.)
(1) A meeting of the defamation dispute conciliation division shall be convened by the head of the defamation dispute conciliation division.
(2) When the head of the defamation dispute conciliation division intends to hold a meeting of the division, he/she shall determine the date, time, and place of meeting and items on the agenda and shall notify the conciliators thereof by no later than seven days before the opening of the meeting, except in unavoidable circumstances.
(3) A majority of the conciliators of the defamation dispute conciliation division shall constitute a quorum, and any resolution thereof shall require the concurring votes of at least a majority of those present.
(4) The head of the defamation dispute conciliation division shall be appointed by the Chairman of the Korea Communications Standards Commission under Article 18 of the Act on the Establishment and Operation of Korea Communications Commission (hereinafter referred to as the “Korea Communications Standards Commission”), from among conciliators.
(5) No meeting of the defamation dispute conciliation division shall be open to the public: Provided, That, if it is deemed necessary, the defamation dispute conciliation division may resolve to permit parties to a dispute or interested parties to sit in on a meeting.
(6) Deleted. <by Presidential Decree No. 23169, Sep. 29, 2011>
(7) Except as otherwise provided for in this Decree, the establishment, organization, and management of the defamation dispute conciliation division and other matters necessary for the conciliation of disputes shall be determined by the resolution of the Korea Communications Standards Commission.
CHAPTER VI SECURING OF STABILITY OF INFORMATION AND COMMUNICATIONS NETWORKS
 Article 36-2 (Preliminary Examination Standards on Protection of Information)
Preliminary examination standards on the protection of information under Article 45-2 (2) of the Act shall be determined and publicly notified by the Minister of Science and Information and Communications Technology (ICT), taking the following matters into consideration: <Amended by Presidential Decree No. 24445, Mar. 23, 2013; Presidential Decree No. 28210, Jul. 26, 2017>
1. The structure of the system for establishing an information and communications network or for providing information and communications services and the operating environment of such system;
2. Identification of assets to be protected, such as hardware, programs, and content for the operation of the system under subparagraph 1 and hazards in the protection of such assets;
3. Current status of the establishment and implementation of protective measures.
[This Article Newly Inserted by Presidential Decree No. 24047, Aug. 17, 2012]
 Article 36-3 (Businesses Subject to Recommendation of Preliminary Examination on Protection of Information)
(1) “The information and communications services or telecommunications businesses as determined by Presidential Decree” in Article 45-2 (2) 1 of the Act means the information and communications services or telecommunications businesses that require at least 500 million won (referring to an amount exclusive of costs incurred in merely purchasing hardware and software) for investment in information systems.
(2) “The information and communications services or telecommunications businesses as determined by Presidential Decree” in Article 45-2 (2) 2 of the Act means the information and communications services or the telecommunications businesses that the Minister of Science and Information and Communications Technology (ICT) fully or partially subsidizes projects for searching for and nurturing new information and communications services or the telecommunications businesses. <Amended by Presidential Decree No. 24445, Mar. 23, 2013; Presidential Decree No. 28210, Jul. 26, 2017>
[This Article Newly Inserted by Presidential Decree No. 24047, Aug. 17, 2012]
 Article 36-4 (Methods, Procedures, etc. for Preliminary Examinations on Protection of Information)
(1) The preliminary examination on the protection of information under Article 45-2 (2) of the Act shall be administered by a written examination, on-site examination, or remote examination (referring to an examination administered on matters related to security by accessing the system under subparagraph 1 of Article 36-2 from outside through an information and communications network).
(2) The preliminary examination on the protection of information under Article 45-2 (2) of the Act shall be administered according to the following order:
1. Preparation for the preliminary examination;
2. Review on designs;
3. Application of protective measures;
4. Inspection on the current status of implementation of protective measures;
5. Arrangement of results of the preliminary examination.
(3) Upon recommendation from the Minister of Science and Information and Communications Technology (ICT) under Article 45-2 (2) of the Act, a person may administer the preliminary examination on the protection of information by him/herself or request the Korea Internet and Security Agency under Article 52 of the Act (hereinafter referred to as the “Korea Internet and Security Agency”) or a specialized external agency to administer the preliminary examination on his/her behalf. In such cases, only persons who meet standards for the qualification as technicians for the protection of information under Table 2 attached hereto may administer the preliminary examination on the protection of information. <Amended by Presidential Decree No. 24445, Mar. 23, 2013; Presidential Decree No. 28210, Jul. 26, 2017>
(4) Except as otherwise provided for in paragraphs (1) through (3), detailed matters concerning methods and procedures for the preliminary examination on the protection of information shall be determined and publicly notified by the Minister of Science and Information and Communications Technology (ICT). <Amended by Presidential Decree No. 24445, Mar. 23, 2013; Presidential Decree No. 28210, Jul. 26, 2017>
[This Article Newly Inserted by Presidential Decree No. 24047, Aug. 17, 2012]
 Article 36-5 (Fees for Preliminary Examinations on Protection of Information)
(1) When a person requests the Korea Internet and Security Agency or a external professional agency to administer the preliminary examination on the protection of information on his/her behalf, as recommended by the Minister of Science and Information and Communications Technology (ICT) under Article 45-2 (2) of the Act, the person shall pay fees therefor to the Korea Internet and Security Agency or the specialized external agency. <Amended by Presidential Decree No. 24445, Mar. 23, 2013; Presidential Decree No. 28210, Jul. 26, 2017>
(2) The Minister of Science and Information and Communications Technology (ICT) shall determine and provide a public notice of guidelines for the determination of fees for the preliminary examination on the protection of information, taking the following factors into consideration: <Amended by Presidential Decree No. 24445, Mar. 23, 2013; Presidential Decree No. 28210, Jul. 26, 2017>
1. The scale of information and communications services or telecommunications businesses subject to the preliminary examination on the protection of information;
2. Expertise of persons participating in the preliminary examination on the protection of information;
3. The period required for the preliminary examination on the protection of information.
[This Article Newly Inserted by Presidential Decree No. 24047, Aug. 17, 2012]
 Article 36-6 (Scope of Information and Communications Service Providers Subject to Reporting of Designation of Chief Information Protection Officers)
"Any provider of information and communications services whose the number of employees, number of users, etc. meet standards prescribed by Presidential
Decree" in the proviso to Article 45-3 (1) of the Act means any of the following persons, who is an information and communications service provider:
1. A business entity who develops and supplies content-screening software under Article 41 (1) 1 of the Act;
2. A person who should obtain certification of an Information Security Management System pursuant to Article 47 (2) of the Act;
3. A person who employs at least five full-time employees or whose average daily users for the immediately preceding three months as of the end of the preceding year are at least 1,000 persons, and who is a special type of online service provider under Article 104 (1) of the Copyright Act;
4. A person who employs at least five full-time employees, who is an online sales business operator (including an online sales broker) under subparagraph 3 of Article 2 of the Act on Consumer Protection in Electronic Commerce, Etc.;
5. A business entity who provides a program for blocking obscene material and speculative gaming products publicly notified pursuant to subparagraph 6 of Article 28 of the Game Industry Promotion Act to a person who conducts business of providing Internet computer game facilities under subparagraph 7 of Article 2 of the aforesaid Act;
6. A person who employs at least 1,000 full-time employees.
[This Article Newly Inserted by Presidential Decree No. 25789, Nov. 28, 2014]
 Article 36-7 (Methods and Procedures for Reporting on Chief Information Protection Officers)
Any information and communications service provider who intends to designate a chief information protection officer and report thereon pursuant to the proviso to Article 45-3 (1) of the Act shall submit a report on the designation of the chief information protection officer prescribed by Ordinance of the Ministry of Science and Information and Communications Technology (ICT) within 90 days from the date he/she falls under any of the subparagraphs of Article 36-6 to the Minister of Science and Information and Communications Technology (ICT). <Amended by Presidential Decree No. 28210, Jul. 26, 2017>
[This Article Newly Inserted by Presidential Decree No. 25789, Nov. 28, 2014]
 Article 36-8 (Scope of Programs of Association of Chief Information Protection Officers)
“Joint programs prescribed by Presidential Decree” in Article 45-3 (4) of the Act means the following activities: <Amended by Presidential Decree No. 25789, Nov. 28, 2014>
1. Assistance in policy research, studies, and formulation to enable information and communications service providers to strengthen the protection of information;
2. Analysis of computer security incidents and the study of measures following the use of information and communications services;
3. Improvement of information and communications service providers' ability and expertise of the protection of information, including education of chief information protection officers;
4. International exchange and cooperation in relation to information and communications services security;
5. Other programs necessary for the security of information and communications systems and the safe management of information.
[This Article Newly Inserted by Presidential Decree No. 24047, Aug. 17, 2012]
 Article 37 (Protective Measures of Business Entities of Clustered Information and Communications Facilities)
(1) Pursuant to Article 46 (1) of the Act, a business entity who operates and manages clustered information and communications facilities to render information and communications services on behalf of other persons (hereinafter referred to as "business entity of clustered information and communications facilities") shall take the following protective measures to ensure the stable operation of information and communications facilities: <Amended by Presidential Decree No. 21278, Jan. 28, 2009>
1. Technical and administrative measures for controlling and monitoring access by persons who have no authority to access information and communications facilities;
2. Physical and technical measures for uninterrupted and stable operation of information and communications facilities and for protecting information and communications facilities from various disasters and threats, such as fire, earthquake, flood, and terrorism;
3. Measures for selecting and placing personnel for the stable management of information and communications facilities;
4. Formulation and implementation of an internal control plan for the stable operation of information and communications facilities (including an emergency plan);
5. Preparation and implementation of technical and administrative measures for interrupting the expansion of intrusions.
(2) The Minister of Science and Information and Communications Technology (ICT) shall collect opinions from related business entities and determine and publicly notify detailed guidelines for protective measures under paragraph (1). <Amended by Presidential Decree No. 24445, Mar. 23, 2013; Presidential Decree No. 28210, Jul. 26, 2017>
(3) If any duty carried out by another agency is involved in the course of inspecting implementation of protective measures under paragraph (1), the Minister of Science and Information and Communications Technology (ICT) shall consult with the relevant agency thereon in advance. <Amended by Presidential Decree No. 24445, Mar. 23, 2013; Presidential Decree No. 28210, Jul. 26, 2017>
 Article 38 (Insurance)
(1) Pursuant to Article 46 (2) of the Act, a business entities of clustered information and communications facilities shall buy a liability insurance policy simultaneously when he/she commences his/her business operation.
(2) The minimum insurance coverage of the liability insurance policy that a business entity shall purchase under paragraph (1) is as specified in Table 1-2 attached hereto. <Amended by Presidential Decree No. 23104, Aug. 29, 2011>
 Articles 39 through 46 Deleted. <by Presidential Decree No. 24047, Aug. 17, 2012>
 Article 47 (Methods, Procedures, Scope, etc. of Certification of Information Security Management System)
(1) A person who intends to have his/her information security management system certified under Article 47 (1) or (2) shall file an application for the certification of the information security management system (or an application in an electronic form) with the Korea Internet and Security Agency, an institution designated pursuant to Article 47 (6) of the Act (hereinafter referred to as a “certification body of information security management system”), or an institution designated pursuant to Article 47 (7) of the Act (hereinafter referred to as an “examination institution for information security systems”), along with a statement of the information security management system (or a statement in an electronic format) containing explanations about the following matters: <Amended by Presidential Decree No. 24445, Mar. 23, 2013; Presidential Decree No. 27188, May 31, 2016>
1. The scope of the information security management system;
2. A list of major information and communications facilities included in the information security management system and the system diagram;
3. The method and procedure for the establishment and operation of the information security management system;
4. A list of major documents related to the information security management system;
5. Details of domestic and foreign certifications obtained for the quality management system in connection with the information security management system.
(2) Where the Korea Internet and Security Agency, a certification body of information security systems, or an examination institution for information security systems in receipt of an application referred to in paragraph (1) conducts an certification examination referred to in Article 47 (6) 1 of the Act (hereinafter referred to as an “certification examination”), it shall consult with the applicant about the scope, time schedule, etc. of certification on the basis of standards for certification, etc. determined and publicly notified by the Minister of Science and Information and Communications Technology (ICT) for the certification of information security systems referred to in paragraph (4) of that Article (hereinafter referred to as the “public notice of certification of security systems”), including countermeasures for managerial, technical and physical protection. <Amended by Presidential Decree No. 24445, Mar. 23, 2013; Presidential Decree No. 27188, May 31, 2016; Presidential Decree No. 28210, Jul. 26, 2017>
(3) The Korea Internet and Security Agency, a certification institution for information protection and management systems, or an examination institution for information protection and management systems shall, in the case of conducting an certification examination, examine whether the information protection and management system established by the applicant for certification meets requirements for public notice of certification of management systems. In this case, an certification examination shall be conducted by means of a written examination or on-site examination. <Amended by Presidential Decree No. 27188, May 31, 2016>
(4) An certification examination may be administered only by a certification examiner under Article 53 (1) 1. <Amended by Presidential Decree No. 27188, May 31, 2016>
(5) An examination institution for information protection and management systems shall submit the result of an certification examination to a certification institution for information protection and management systems. <Newly Inserted by Presidential Decree No. 27188, May 31, 2016>
(6) The Korea Internet and Security Agency or a certification institution for information protection and management systems shall establish and operate a certificate committee composed of members having abundant knowledge and experience in the information protection field to deliberate on the results of examinations of certification. <Amended by Presidential Decree No. 27188, May 31, 2016>
(7) Where an information protection and management system is found to meet the requirements for public notification of certification of management systems as a result of the deliberation by the certificate committee, the Korea Internet and Security Agency or a certification institution for information protection and management systems shall issue a certificate of the information protection and management system. <Amended by Presidential Decree No. 27188, May 31, 2016>
(8) In addition to matters provided for in paragraphs (1) through (7), detailed matters necessary for the application for certification, deliberation on certification, the establishment and operation of a certification committee, and the issuance of certificates shall be determined and publicly notified by the Minister of Science and Information and Communications Technology (ICT). <Amended by Presidential Decree No. 24445, Mar. 23, 2013; Presidential Decree No. 27188, May 31, 2016; Presidential Decree No. 28210, Jul. 26, 2017>
[This Article Wholly Amended by Presidential Decree No. 24047, Aug. 17, 2012]
 Article 48 (Fees for Certification of Information Security Management Systems)
(1) A person who intends to apply for certification pursuant to Article 47 (1) shall pay fees to the Korea Internet and Security Agency, a certification institution of information protection and management systems, or an examination institution for information protection and management systems. <Amended by Presidential Decree No. 27188, May 31, 2016>
(2) The Minister of Science and Information and Communications Technology (ICT) shall determine and give a public notice of detailed guidelines for the determination of fees for the certification of information security management systems, taking into consideration the number of certification examiners assigned to an certification examination, the number of days required for the certification examination, etc. <Amended by Presidential Decree No. 24445, Mar. 23, 2013; Presidential Decree No. 28210, Jul. 26, 2017>
[This Article Newly Inserted by Presidential Decree No. 24047, Aug. 17, 2012]
 Article 49 (Scope of Persons subject to Certification of Information Security Management System)
(1) “A person who renders information and communications services, as prescribed by Presidential Decree” in Article 47 (2) 1 of the Act means a person who provides information and communications network services in Seoul Special Metropolitan City or any Metropolitan City.
(2) “A person falling under the standards determined by Presidential Decree” in Article 47 (2) 3 of the Act means either of the following persons: <Amended by Presidential Decree No. 27188, May 31, 2016>
1. A person falling under any of the following items whose annual sales or revenues are at least 150 billion won:
(a) A superior general hospital under Article 3-4 of the Medical Service Act;
(b) A school pursuant to Article 2 of the Higher School Act, the number of the enrolled students of which is at least 1000 as of December 31, of the immediately preceding year;
2. A person whose sales of information and communication services during the preceding year (referring to the preceding business year, in the case of a corporation) are least ten billion won: excluding, however, a financial company under subparagraph 3 of Article 2 of the Electronic Financial Transactions Act;
3. A person whose average daily number of users during three months immediately before the end of the preceding year is at least one million: Provided, That a financial company under subparagraph 3 of Article 2 of the Electronic Financial Transactions Act.
[This Article Newly Inserted by Presidential Decree No. 24047, Aug. 17, 2012]
 Article 50 Moved to Article 47.
 Article 51 (Follow-up Management of Certification)
(1) Follow-up management under Article 47 (8) of the Act shall be conducted by means of written examination or on-site examination. <Amended by Presidential Decree No. 27188, May 31, 2016>
(2) Where as a result of conducting follow-up management pursuant to Article 47 (8) of the Act, an examination institution for information protection and management systems finds there is a ground referred to in any subparagraph of paragraph (10) of the same Article, it shall immediately submit the result of the follow-up management so conducted to the Korea Internet and Security Agency or a certification institution for information protection and management systems. <Newly Inserted by Presidential Decree No. 27188, May 31, 2016>
(3) In cases falling under any of the following subparagraphs, the Korea Internet and Security Agency or a certification institution for information protection and management systems shall, after undergoing a deliberation by the certification committee referred to Article 47 (6), notify the results thereof to the Minister of Science and Information and Communications Technology (ICT): <Amended by Presidential Decree No. 27188, May 31, 2016; Presidential Decree No. 28210, Jul. 26, 2017>
1. Where follow-up management conducted pursuant to Article 47 (8) of the Act finds grounds referred to in any subparagraph of paragraph (10) of the same Article;
2. Where the Korea Internet and Security Agency or a certification institution for information protection and management systems receives the result of follow-up management from an examination institution for information protection and management systems pursuant to paragraph (2).
[This Article Wholly Amended by Presidential Decree No. 24047, Aug. 17, 2012]
 Article 52 (Indication and Public Relation of Certification)
A person who obtains certification of his/her information security management system pursuant to Article 47 (1) or (2) of the Act may use a certification mark determined and publicly notified by the Minister of Science and Information and Communications Technology (ICT) for the information security management system, when he/she indicates or promotes the certification in a document, invoice, or advertisement in accordance with Article 47 (9) of the Act. In such cases, the scope of certification and the effective period shall be indicated together with the mark. <Amended by Presidential Decree No. 24445, Mar. 23, 2013; Presidential Decree No. 27188, May 31, 2016; Presidential Decree No. 28210, Jul. 26, 2017>
[This Article Wholly Amended by Presidential Decree No. 24047, Aug. 17, 2012]
 Article 53 (Criteria for Designation of Certification Institution for Information Protection and Management Systems and Examination Institution for Information Protection and Management Systems)
(1) The criteria for the designation of a certification institution for information protection and management systems and an examination institution for information protection and management systems shall be as follows: <Amended by Presidential Decree No. 24445, Mar. 23, 2013; Presidential Decree No. 27188, May 31, 2016; Presidential Decree No. 28210, Jul. 26, 2017>
1. A certification institution shall have at least five persons who meet the requirements for the qualification determined and publicly notified by the Minister of Science and Information and Communications Technology (ICT) (hereinafter referred to as “certification examiners”);
2. A certification institution shall be approved as competent in an examination administered by the Minister of Science and Information and Communications Technology (ICT) on the requirements and competence for the performance of the duties.
(2) The Minister of Science and Information and Communications Technology (ICT) shall determine and publicly notify detailed guidelines for the education of certification examiners, the management of qualification of certification examiners, and the examination on the requirements and competence for the performance of the duties under paragraph (1) 2. <Amended by Presidential Decree No. 24445, Mar. 23, 2013; Presidential Decree No. 28210, Jul. 26, 2017>
[This Article Wholly Amended by Presidential Decree No. 24047, Aug. 17, 2012]
 Article 53-2 (Procedures for Designation of Certification Institution for Information Security Management Systems and Examination Institution for Information Protection and Management Systems, and Other Related Matters)
(1) A person who intends to have his/her business designated as a certification institution for information protection and management systems or an examination institution for information protection and management systems pursuant to Article 47 (6) or (7) of the Act shall file an application (including an application in the form of an electronic document) for the designation of a certification institution for information protection and management systems or an examination institution for information protection and management systems with the Minister of Science and Information and Communications Technology (ICT), along with the following documents (or electronic documents): <Amended by Presidential Decree No. 24047, Aug. 17, 2012; Presidential Decree No. 24445, Mar. 23, 2013; Presidential Decree No. 27188, May 31, 2016; Presidential Decree No. 28210, Jul. 26, 2017>
1. Articles of incorporation, or bylaws of an association;
2. A statement of the current status of certification examiners employed and a document certifying the current status;
3. Documents determined and publicly notified by the Minister of Science and Information and Communications Technology (ICT) as those necessary for the examination on the requirements and competence for the performance of duties, including work experience in performing duties for the protection of information and the level of expertise.
(2) Upon receipt of an application for the designation under paragraph (1), the Minister of Science and Information and Communications Technology (ICT) shall verify the relevant corporate registration by sharing administrative information under Article 36 (1) of the Electronic Government Act, if the applicant is a corporation. <Amended by Presidential Decree No. 22151, May 4, 2010; Presidential Decree No. 22467, Nov. 2, 2010; Presidential Decree No. 24445, Mar. 23, 2013; Presidential Decree No. 28210, Jul. 26, 2017>
(3) Upon receipt of an application for the designation under paragraph (1), the Minister of Science and Information and Communications Technology (ICT) shall examine whether the application meets the criteria for the designation under Article 53 (1), notify the applicant of the results thereof within three months from the date when the application is filed, and issue a certificate of designation of a certification institution for information protection and management systems or a certificate of designation of an examination institution for information protection and management systems to the applicant, if the applicant is designated as a certification institution for information protection and management systems or an examination institution for information protection and management systems. <Amended by Presidential Decree No. 24047, Aug. 17, 2012; Presidential Decree No. 24445, Mar. 23, 2013; Presidential Decree No. 27188, May 31, 2016; Presidential Decree No. 28210, Jul. 26, 2017>
(4) When the Minister of Science and Information and Communications Technology (ICT) examines whether an application meets the criteria for the designation under paragraph (3), he/she may require the applicant to submit data or may conduct an on-site inspection. In such cases, a person who conducts an on-site inspection shall produce an identification badge certifying his/her authority to the applicant. <Amended by Presidential Decree No. 24047, Aug. 17, 2012; Presidential Decree No. 24445, Mar. 23, 2013; Presidential Decree No. 28210, Jul. 26, 2017>
(5) Deleted. <by Presidential Decree No. 23876, Jun. 25, 2012>
 Article 53-3 (Effective Period for Designation of Certification Institution for Information Protection and Management Systems and Examination Institution for Information Protection and Management Systems)
(1) The effective period for the designation of a certification institution for information protection and management systems or an examination institution for information protection and management systems under Article 53-2 shall be three years. <Amended by Presidential Decree No. 24047, Aug. 17, 2012; Presidential Decree No. 27188, May 31, 2016>
(2) A certification institution may file an application for re-designation during the period from six months before the end of the effective period until the expiry date. In such cases, the designation shall be deemed effective until the applicant for re-designation is notified of a decision on the application.
(3) Articles 53 and 53-2, and paragraph (1) shall apply mutatis mutandis to the re-designation under paragraph (2). <Amended by Presidential Decree No. 24047, Aug. 17, 2012>
 Article 53-4 (Follow-up Management of Certification Institution for Information Protection and Management Systems and Examination Institution for Information Protection and Management Systems)
(1) A certification institution for information protection and management systems and an examination institution for information protection and management systems shall submit a report according to the following classification for the preceding year to the Minister of Science and Information and Communications Technology (ICT) by no later than January 31 each year: <Amended by Presidential Decree No. 27188, May 31, 2016; Presidential Decree No. 28210, Jul. 26, 2017>
1. A certification institution for information protection and management systems: a report on the performances of certification for the preceding year;
2. An examination institution for information protection and management systems: a report on the performances of certification examination for the preceding year.
(2) If the Minister of Science and Information and Communications Technology (ICT) deems it necessary to ascertain whether a certification institution for information protection and management systems or an examination institution for information protection and management systems falls under any subparagraph of Article 47-2 (1) of the Act, he/she may require the certification institution or the examination institution to submit data or may conduct an on-site inspection. <Amended by Presidential Decree No. 24445, Mar. 23, 2013; Presidential Decree No. 27188, May 31, 2016; Presidential Decree No. 28210, Jul. 26, 2017>
[This Article Newly Inserted by Presidential Decree No. 24047, Aug. 17, 2012]
 Article 54 (Guidelines for Revocation of Designation)
Guidelines for administrative dispositions rendered for the revocation of designation or the suspension of business under Article 47-2 of the Act are as prescribed in Table 4 attached hereto.
 Article 54-2 (Certification of Personal Information Management System)
Articles 47, 48, 51 through 53, 53-2 through 53-4 and 54 shall apply mutatis mutandis to methods, procedures, scope, fee and follow-up management to certify personal information management system, and criteria, procedures, effective period and revocation of designation of a certification body under Article 47-3 of the Act.
[This Article Newly Inserted by Presidential Decree No. 24047, Aug. 17, 2012]
 Article 55 (Standard Agreements on Requests to Users for Protective Measures)
Matters that shall be stipulated in standard user agreements with respect to a request to users for protective measures are as follows: <Amended by Presidential Decree No. 24047, Aug. 17, 2012>
1. Grounds for requesting users to take protective measures and a method of making such request;
2. Details of protective measures that users shall take;
3. The period during which access to an information and communications network is restricted, if a user fails to take protective measures;
4. Procedures for filing a user’s objection and for compensation therefor, if a user’ access is unreasonably restricted on the grounds of the user’s failure to take protective measures.
 Article 55-2 (Criteria for Examination for Rating Management of Information Protection)
(1) The criteria for management rating of information protection under Article 47-5 (1) of the Act shall be as follows:
1. The scope of the system established for the management of information protection and the period of operation;
2. An organization exclusively dedicated to information protection and the budget therefor;
3. Activities for the management of information protection and the level of protective measures.
(2) Matters necessary for the detailed criteria and methods for the evaluation according to the criteria for examination under paragraph (1) shall be determined and publicly notified by the Minister of Science and Information and Communications Technology (ICT). <Amended by Presidential Decree No. 24445, Mar. 23, 2013; Presidential Decree No. 28210, Jul. 26, 2017>
[This Article Newly Inserted by Presidential Decree No. 24047, Aug. 17, 2012]
 Article 55-3 (Methods and Procedures for Rating Management of Information Protection)
(1) A person who intends to be rated as qualified for the protection and management of information under Article 47-5 (1) of the Act shall file an application (or an application in the form of an electronic document) for rating the protection and management of information with the Korea Internet and Security Agency, along with a copy of the letter of certification of the information security management system.
(2) A written examination or an on-site examination shall be administered for the examination for rating the protection and management of information.
(3) Only certification examiners shall be able to conduct the examination under paragraph (2).
(4) If the results of an examination administered under paragraph (2) meet the criteria for examination under Article 55-2, the Korea Internet and Security Agency shall issue a certificate of the rating for the protection and management of information to the applicant for the rating qualified for management.
(5) Except as otherwise provided for in paragraphs (1) through (4), further details necessary for the application and examination for rating the management of information protection and the issuance of certificates of the rating for the management of information protection shall be determined and publicly notified by the Minister of Science and Information and Communications Technology (ICT). <Amended by Presidential Decree No. 24445, Mar. 23, 2013; Presidential Decree No. 28210, Jul. 26, 2017>
[This Article Newly Inserted by Presidential Decree No. 24047, Aug. 17, 2012]
 Article 55-4 (Fees for Rating Management of Information Protection, etc.)
Articles 46 and 52 shall apply mutatis mutandis to fees for rating for the management of information protection and indication and publicity thereof.
[This Article Newly Inserted by Presidential Decree No. 24047, Aug. 17, 2012]
 Article 55-5 (Effective Period of Rating for Management of Information Protection)
The effective period of the rating for the management of information protection under Article 55-3 shall be one year.
[This Article Newly Inserted by Presidential Decree No. 24047, Aug. 17, 2012]
 Article 56 (Countermeasures against Intrusion)
“Other countermeasures against intrusion prescribed by Presidential Decree” in Article 48-2 (1) 4 of the Act means the following measures: <Amended by Presidential Decree No. 21278, Jan. 28, 2009>
1. Requesting a major provider of information and telecommunications services or a business entity who operates and manages clustered information and telecommunications facilities for other persons to provide information and telecommunications services under Article 46 (1) of the Act to cut off access channels (limited to access channels that have been used, or are likely to be used for, expanding intrusions);
2. Requesting a software business entity, defined under subparagraph 4 of Article 2 of the Software Industry Promotion Act, who produced or distributed the software involved in an intrusion, to produce and distribute a program by which the vulnerability in security of the software is cured and corrected (hereinafter referred to as “program for curing the vulnerability in security”) or requesting the provider of information and communications services to release the program for curing the vulnerability in security through information and communications networks;
3. Spreading forecasts and warnings of intrusions under Article 48-2 (1) 2 of the Act to mass media and providers of information and communications services;
4. Providing information about intrusions to the heads of related agencies, if necessary for the security of national information and communications networks.
 Article 57 (Persons Providing Information about Intrusions)
“Persons specified by Presidential Decree among those who operate an information and communications network” in Article 48-2 (2) 3 of the Act means any of the following persons among those who operate an information and communications network: <Amended by Presidential Decree No. 20756, Mar. 28, 2008; Presidential Decree No. 21278, Jan. 28, 2009; Presidential Decree No. 22423, Oct. 1, 2010; Presidential Decree No. 23104, Aug. 29, 2011; Presidential Decree No. 24445, Mar. 23, 2013; Presidential Decree No. 28210, Jul. 26, 2017>
1. An institution subject to a protection plan and protection guidelines on critical information and communications infrastructure, formulated and established by the Minister of Science and Information and Communications Technology (ICT) pursuant to Articles 6 and 10 of the Act on the Protection of Information and Communications Infrastructure;
2. A person who observes the current status of operation of information and communications networks by providers of information and communications services and provides information on intrusions;
3. A person specified and publicly notified by the Minister of Science and Information and Communications Technology (ICT) among private business entities who operate information and communications networks independently with Internet protocol addresses allocated by the Korea Internet and Security Agency under subparagraph 1 (a) of Article 2 of the Internet Address Resources Act;
4. A producer of antivirus software against computer viruses among persons who engage in the information protection industry.
 Article 58 (Provision of Information on Intrusions)
A person who provides information on intrusions under Article 48-2 (2) of the Act shall comply with the following subparagraphs in providing information on intrusions: <Amended by Presidential Decree No. 24445, Mar. 23, 2013; Presidential Decree No. 28210, Jul. 26, 2017>
1. A method which a person applies to providing such information shall conform to a method determined by the Minister of Science and Information and Communications Technology (ICT), taking into consideration characteristics of information and communications networks, trends in intrusions, etc.;
2. The person shall take measures to prevent the destruction, obliteration, and alteration of information on intrusions;
3. The person shall adopt encryption techniques determined by the Minister of Science and Information and Communications Technology (ICT);
4. The person shall comply with other methods and procedures determined and publicly notified by the Minister of Science and Information and Communications Technology (ICT).
 Article 59 (Organization, etc. of Private-Public Joint Investigation Team)
(1) The Minister of Science and Information and Communications Technology (ICT) shall organize an investigation team with the following persons when he/she organizes a private-public joint investigation team pursuant to Article 48-4 (2) (hereinafter referred to as “investigation team”): <Amended by Presidential Decree No. 22423, Oct. 1, 2010; Presidential Decree No. 24445, Mar. 23, 2013; Presidential Decree No. 28210, Jul. 26, 2017>
1. Public officials in charge of investigation of intrusions;
2. Persons who have expertise and experience in investigating intrusions;
3. Employees of the Korea Internet and Security Agency;
4. Other persons deemed necessary for the analysis of causes of intrusions.
(2) The organization of an investigation team under paragraph (1) may be adjusted according to the scale and type of each intrusion case.
 Article 60 (Entry into Places of Business by Investigation Team)
(1) When an investigation team enters a place of business of a person involved under Article 48-4 (4) of the Act, the team members shall present identification badges indicating their authority to a person involved.
(2) The identification badges under paragraph (1) are as prescribed in Table 5 attached hereto.
 Article 61 (Guidelines for Transmission of Advertising Information for Profit)
(1) “Period prescribed by Presidential Decree” in Article 50 (1) 1 of the Act means six months from the date the trade of the relevant goods, etc. is concluded. <Amended by Presidential Decree No. 25789, Nov. 28, 2014>
(2) “Media prescribed by Presidential Decree” in the proviso to Article 50 (3) of the Act means electronic mail. <Newly Inserted by Presidential Decree No. 25789, Nov. 28, 2014>
(3) Matters that a person who transmits advertising information for profit, using an electronic transmission medium pursuant to Article 50 (4) of the Act should clearly state in the relevant information, and methods therefor shall be as specified in attached Table 6. <Amended by Presidential Decree No. 25789, Nov. 28, 2014>
 Article 62 (Provision of Free Telephone Services, etc. for Refusal of Reception or Withdrawal of Consent to Reception)
A person who transmits advertising information for profit, using an electronic transmission medium shall clearly state information about free telephone services, etc. for the refusal of reception or for the withdrawal of consent to reception, as prescribed in Table 6 attached hereto, and shall provide such services to addressees in accordance with Article 50 (6) of the Act. <Amended by Presidential Decree No. 22773, Mar. 29, 2011; Presidential Decree No. 25789, Nov. 28, 2014>
 Article 62-2 (Notification of Results of Handling of Consent to Receive Messages, etc.)
A person who intends to transmit advertising information for profit, using an electronic transmission medium pursuant to Article 50 (7) of the Act shall notify an addressee of the following matters within 14 days from the date the relevant addressee expresses his/her consent to receipt of messages, refusal to receive messages or withdrawal of his/her consent to receive messages:
1. Name of a sender;
2. Fact that the addressee has consented to receive messages, refused to receive messages, or withdrawn his/her consent to receive messages, and the date he/she expresses the relevant intent;
3. Results of the handling thereof.
[This Article Newly Inserted by Presidential Decree No. 25789, Nov. 28,
2014]
 Article 62-3 (Verification of Addressees' Consents to Receive Messages)
(1) A person who has obtained prior consent from an addressee pursuant to Article 50 (1) or (3) of the Act shall verify whether the relevant addressee gives consent to receive messages every two years from the date he/she obtains consent to receive messages from the addressee (referring to the day before every second year from the date he/she obtains consent to receive messages) pursuant to paragraph (8) of the aforesaid Article.
(2) A person who intends to verify whether an addressee gives his/her consent to receive messages pursuant to paragraph (1) shall advise the addressee of the following matters:
1. Name of a sender;
2. Fact that the addressee gives consent to receive messages, and the date he/she gives consent to receive messages;
3. Methods for expressing his/her intention to maintain or withdraw his/her consent to receive messages.
[This Article Newly Inserted by Presidential Decree No. 25789, Nov. 28,
2014]
 Article 63 (Devices for Restricting Installation of Advertising Programs, etc. for Profits)
“The information processing device specified by Presidential Decree” in the former part of Article 50-5 of the Act means an information processing device with which information can be transmitted and received by connecting it to an information and communications network, such as mobile Internet and mobile telephones. <Amended by Presidential Decree No. 23104, Aug. 29, 2011>
 Article 64 (Subsidization for Development of Software Designed to Cut Off Transmission of Advertising Information for Profits)
(1) Pursuant to Article 50-6 of the Act, the Korea Communications Commission may fully or partially subsidize a project of a public institution, corporation, or organization that develops and distributes a piece of software or a computer program for conveniently cutting off or reporting advertising information transmitted for profits in violation of Article 50 of the Act (hereinafter referred to as “software for cutting off or reporting advertisements”), within budgetary limits.
(2) The Korea Communications Commission may recommend providers of information and communications services and users to use the software developed in accordance with paragraph (1) for cutting off or reporting advertisements. <Amended by Presidential Decree No. 21278, Jan. 28, 2009>
 Article 65 (Operation, etc. of Korea Internet and Security Agency)
(1) The Minister of Science and Information and Communications Technology (ICT), the Minister of the Interior and Safety or the Korea Communications Commission may request the head of a related agency to dispatch public officials engaged in the business of the Korea Internet and Security Agency under Article 52 (3) of the Act to the relevant work. <Amended by Presidential Decree No. 22423, Oct. 1, 2010; Presidential Decree No. 24445, Mar. 23, 2013; Presidential Decree No. 25751, Nov. 19, 2014; Presidential Decree No. 28210, Jul. 26, 2017>
(2) When the head of a related agency who dispatched a public official under paragraph (1) needs to have the public official returned during the period of dispatch service, he/she shall consult with the head of the agency that requested for such dispatch.
(3) The head of the Korea Internet and Security Agency may authorize a research institute related to information and communications to conduct part of the business affairs specified in Article 52 (3) 4 of the Act, with approval therefor from the Minister of Science and Information and Communications Technology (ICT), the Minister of the Interior and Safety or the Korea Communications Commission. <Amended by Presidential Decree No. 22423, Oct. 1, 2010; Presidential Decree No. 24445, Mar. 23, 2013; Presidential Decree No. 25789, Nov. 28, 2014; Presidential Decree No. 28210, Jul. 26, 2017>
(4) If a business affair that the head of the Korea Internet and Security Agency conducts in accordance with Article 52 (3) of the Act is related to the protection of a public institution’s information, he/she shall obtain approval therefor from the head of the related institution. <Amended by Presidential Decree No. 22423, Oct. 1, 2010>
 Article 66 (Operation of Personal Information Protection Center)
(1) The personal information protection center under Article 52 (3) 9 of the Act (hereinafter referred to as the “personal information protection center”) shall conduct the following duties: <Amended by Presidential Decree No. 21278, Jan. 28, 2009>
1. Provision of technical advice under Article 64 (10) of the Act on the prevention of intrusion on personal information, the protection of personal information and other necessary assistance;
2. Settlement of grievances relating to the intrusion on personal information and the transmission of advertising information and counseling thereon;
3. Research on countermeasures against the intrusion on personal information;
4. Education and public relations activities for the prevention of personal information;
5. Programs related to the duties under subparagraphs 1 through 4.
(2) If the Korea Communications Commission deems it necessary for requiring providers of information and communications services, etc. to submit relevant goods, documents, etc. or for efficiently conducting inspections under Article 64 (1) or (3) of the Act, it may dispatch its public officials to the Korea Internet and Security Agency pursuant to Article 32-4 of the State Public Officials Act. <Amended by Presidential Decree No. 20756, Mar. 28, 2008; Presidential Decree No. 21278, Jan. 28, 2009; Presidential Decree No. 22423, Oct. 1, 2010; Presidential Decree No. 23169, Sep. 29, 2011>
CHAPTER VI-2 TELECOMMUNICATIONS BILLING SERVICES
 Article 66-2 (Requirements for Registration)
(1) A person who intends to be registered as a provider of telecommunications billing services shall meet all the following requirements: <Amended by Presidential Decree No. 24445, Mar. 23, 2013; Presidential Decree No. 28210, Jul. 26, 2017>
1. The ratio of the total liabilities to the equity capital, total contributions, or endowment shall not exceed a ratio determined and publicly notified by the Minister of Science and Information and Communications Technology (ICT), which shall not exceed 200%. If the majority stockholder is a company that belongs to a conglomerate, defined under subparagraph 2 of Article 2 of the Monopoly Regulation and Fair Trade Act, (excluding conglomerates defined under Article 17 (1) 1 and 2 of the Enforcement Decree of the aforesaid Act) in such cases, the calculation of such ratio shall be based on the conglomerate, but companies that engage in financial business or insurance business, from among companies that belong to the conglomerate, shall be excluded from the calculation;
2. The person shall be fully equipped with the following human resources and physical facilities with which the person can conduct the business:
(a) At least five executive officers and employees who have work experience of at least two years in operating electronic computer systems;
(b) Electronic computer systems and various computer programs necessary for smoothly providing telecommunications billing services;
(c) An information protection system under Article 57 (2) of the Act;
3. The equity capital, total contributions, or endowment shall be at least an amount specified in paragraph (2).
(2) “The amount specified by Presidential Decree” in Article 53 (2) of the Act means one billion won.
[This Article Newly Inserted by Presidential Decree No. 20756, Mar. 28, 2008]
 Article 66-3 (Procedures for Registration)
(1) A person who intends to be registered as a provider of telecommunications billing services shall file an application for registration, describing the following matters, with the Minister of Science and Information and Communications Technology (ICT): <Amended by Presidential Decree No. 24445, Mar. 23, 2013; Presidential Decree No. 28210, Jul. 26, 2017>
1. Trade name and the principal place of business;
2. The representative’s name;
3. Equity capital, total contributions, or endowment;
4. The names or titles of contributors (excluding small contributors specified and publicly notified by the Minister of Science and Information and Communications Technology (ICT)) and their shares.
(2) An application for registration under paragraph (1) shall be accompanied by the following documents:
1. Articles of incorporation;
2. Documents proving that an applicant meets the requirements for registration under Article 66-2;
3. A business plan for three years after the commencement of business (including estimated financial statements and a statement of estimated revenues and expenditures);
4. A plan for the protection of users of telecommunications billing services (including matters under Articles 66-7 through 66-9).
(3) Upon receipt of an application for registration under paragraph (1), the Minister of Science and Information and Communications Technology (ICT) shall verify the relevant corporate registration by sharing administrative information under Article 36 (1) of the Electronic Government Act. <Amended by Presidential Decree No. 22151, May 4, 2010; Presidential Decree No. 22467, Nov. 2, 2010; Presidential Decree No. 24445, Mar. 23, 2013; Presidential Decree No. 28210, Jul. 26, 2017>
(4) If the Minister of Science and Information and Communications Technology (ICT) finds any defect in a document submitted pursuant to paragraph (1) or (2), he/she may request the applicant to supplement and submit the document within ten days from the date when such document is submitted. <Amended by Presidential Decree No. 24445, Mar. 23, 2013; Presidential Decree No. 28210, Jul. 26, 2017>
(5) When the Minister of Science and Information and Communications Technology (ICT) registers a provider of telecommunications billing services, he/she shall publish the details of the registration through in the Official Gazette and shall inform the general public thereof through the Internet, etc. <Amended by Presidential Decree No. 24445, Mar. 23, 2013; Presidential Decree No. 28210, Jul. 26, 2017>
[This Article Newly Inserted by Presidential Decree No. 20756, Mar. 28, 2008]
 Article 66-4 (Grounds for Disqualification from Registration)
“An investor specified by Presidential Decree” in subparagraph 1 of Article 54 of the Act means any of the following persons: <Amended by Presidential Decree No. 20947, Jul. 29, 2008; Presidential Decree No. 28283, Sep. 5, 2017>
1. The principal who holds the largest number of outstanding voting stocks of, or shares in contributions to, the relevant corporation (hereafter referred to as “stocks or the like” in this Article), when the stocks held by the principal and those held by persons related to the principal, as defined under any subparagraph of Article 3 (1) of the Enforcement Decree of the Act on Corporate Governance of Financial Companies, on their own accounts respectively in whosever name are aggregated;
2. A person who holds at least 10% of stocks or the like of the relevant corporation on his/her account in whosever name or a stockholder who exercises the de facto control over important matters relating to the management of the corporation through appointment and dismissal of executive officers or by other means, who is a related person defined under any subparagraph of Article 3 (1) of the Enforcement Decree of the Act on Corporate Governance of Financial Companies.
[This Article Newly Inserted by Presidential Decree No. 20756, Mar. 28, 2008]
 Article 66-5 (Administrative Dispositions)
(1) Deleted. <by Presidential Decree No. 26757, Dec. 22, 2015>
(2) When the Minister of Science and Information and Communications Technology (ICT) intends to revoke the registration of a provider of telecommunications billing services under Article 55 of the Act, he/she shall hold a hearing. <Amended by Presidential Decree No. 24445, Mar. 23, 2013; Presidential Decree No. 28210, Jul. 26, 2017>
(3) When the Minister of Science and Information and Communications Technology (ICT) revokes the registration of a provider of telecommunications billing services under Article 55 of the Act, he/she shall publish an announcement of details thereof in the Official Gazette and shall notify the general public thereof through the Internet and by other means. <Amended by Presidential Decree No. 24445, Mar. 23, 2013; Presidential Decree No. 28210, Jul. 26, 2017>
[This Article Newly Inserted by Presidential Decree No. 20756, Mar. 28, 2008]
 Article 66-6 (Measures Necessary for Securing Stability and Reliability of Telecommunications Billing Services)
Administrative and technical measures that a provider of telecommunications billing services shall take in accordance with Article 57 (2) of the Act in order to secure the stability and reliability of transactions through telecommunications billing services are as prescribed in Table 7 attached hereto.
[This Article Newly Inserted by Presidential Decree No. 20756, Mar. 28, 2008]
 Article 66-7 Deleted. <by Presidential Decree No. 23104, Aug. 29, 2011>
 Article 66-8 (Period for Preservation of Transaction Records and Methods for Changing Contractual Terms)
(1) Pursuant to Article 58 (4) and (7) of the Act, a provider of telecommunications billing services shall preserve records of the following matters for one year from the date on which each transaction is conducted: Provided, That the records of a transaction, the amount of which exceeds 10,000 won, shall be preserved for five years: <Amended by Presidential Decree No. 23104, Aug. 29, 2011; Presidential Decree No. 24445, Mar. 23, 2013; Presidential Decree No. 25789, Nov. 28, 2014; Presidential Decree No. 28210, Jul. 26, 2017>
1. The type of a transaction conducted through telecommunications billing services;
2. The amount of a transaction;
3. The other party to a transaction of purchase or use through telecommunications billing services (referring to a person who sells goods or provides services in return for a price therefor through telecommunications billing services);
4. The date and time of a transaction;
5. The subscriber number of telecommunications services for which charges are billed and collected;
6. Matters regarding access to telecommunications services in connection with the relevant transaction;
7. Matters regarding an application for a transaction and amendment to terms and conditions;
8. Matters regarding approval for a transaction;
9. Other matters determined and publicly notified by the Minister of Science and Information and Communications Technology (ICT).
(2) Transaction records under paragraph (1) shall be preserved in paper, microfilms, discs, magnetic tapes, or other electronic information processing systems: Provided, That where such records are preserved in discs, magnetic tapes, or other electronic information processing systems, the requirements under Article 5 (1) of the Framework Act on Electronic Documents and Transactions shall be fully met. <Amended by Presidential Decree No. 24076, Aug. 31, 2012>
(3) When a provider of telecommunications billing services (limited to a person who provides services under Article (2) (1) 10 (a)) changes contractual terms pursuant to Article 58 (6) of the Act, he/she shall notify users of telecommunications billing services by any means of e-mail, writing, facsimile, telephone or other means similar thereto. <Newly Inserted by Presidential Decree No. 25789, Nov. 28, 2014>
(4) A user of telecommunications billing services may raise an objection to the changed contractual terms from the date he/she receives notification under paragraph (3) until the business day before the effective date of the changed contractual terms. <Newly Inserted by Presidential Decree No. 25789, Nov. 28, 2014>
[This Article Newly Inserted by Presidential Decree No. 20756, Mar. 28, 2008]
 Article 66-9 (Procedures for Filing Objections and Redressing Violations of Rights)
(1) A provider of telecommunications billing services shall designate a manager and an officer in charge of the protection of users of telecommunications billing services for filing objections and redressing violations of rights under Article 59 (2) of the Act and shall notify the contact information of such manager and officer (referring to telephone numbers, facsimile numbers, e-mail addresses, etc.) to users of telecommunications billing services through the Internet and by other means.
(2) A user of telecommunications billing services may file an objection with regard to telecommunications billing services to the relevant provider of telecommunications billing services by writing (or by an electronic document), telephone, facsimile, or other similar means.
(3) Upon receipt of an objection under paragraph (2), the provider of telecommunications billing services shall notify the user of the results of the relevant investigation or decision within two weeks from the date when such objection is filed.
[This Article Newly Inserted by Presidential Decree No. 20756, Mar. 28, 2008]
CHAPTER VI-3 INTERNATIONAL COOPERATION
 Article 67 (Protective Measures in Transferring Personal Information Abroad)
(1) The phrase “means prescribed by Presidential Decree such as e-mail” referred to the proviso to Article 63 (2) of the Act means any of e-mail, writing, facsimile, telephone, or any similar means. <Newly Inserted by Presidential Decree No. 27510, Sep. 22, 2016>
(2) Protective measures to be taken in accordance with Article 63 (4) of the Act in the case of transferring personal information to overseas shall be as follows: <Amended by Presidential Decree No. 20756, Mar. 28, 2008>
1. Technical and administrative measures for protecting personal information under Article 15;
2. Measures for settling grievances and resolving disputes on the infringement of personal information;
3. Other measures necessary for protecting users’ personal information.
(3) A provider, etc. of information and communications services shall, in advance, reach an agreement on measures specified in each subparagraph of paragraph (2) with a person to whom personal information is transferred overseas and shall reflect such agreement in the relevant contract. <Amended by Presidential Decree No. 21278, Jan. 28, 2009; Presidential Decree No. 27510, Sep. 22, 2016>
CHAPTER VII SUPPLEMENTARY PROVISIONS
 Article 68 (Submission of Data, etc.)
“Any other ground specified by Presidential Decree to believe that it is necessary for the protection of users” in Article 64 (1) 3 of the Act means either of the following cases: <Amended by Presidential Decree No. 20756, Mar. 28, 2008; Presidential Decree No. 23104, Aug. 29, 2011>
1. Where it is necessary to prepare measures for the protection of juveniles under Article 41 (1) of the Act;
2. Where it is necessary to ascertain whether a person responsible for the protection of juveniles under Article 42-3 (3) of the Act performs the duty of protecting juveniles;
3. Deleted. <by Presidential Decree No. 24047, Aug. 17, 2012>
 Article 68-2 (Methods for Publication of Order of Corrective Measures)
(1) When the Minister of Science and Information and Communications Technology (ICT) or the Korea Communications Commission orders a provider of information and communications services under Article 64 (4) of the Act to make a public publication of the fact that the service provider is ordered to take corrective measures, the Minister of Science and Information and Communications Technology (ICT) or the Korea Communications Commission shall prescribe the details, number of times, and media of publication, the size of pages, etc. in issuing such order, taking the following factors into consideration: <Amended by Presidential Decree No. 23169, Sep. 29, 2011; Presidential Decree No. 24445, Mar. 23, 2013; Presidential Decree No. 28210, Jul. 26, 2017>
1. Details and severity of relevant violations;
2. The duration and number of times of relevant violations.
(2) When the Minister of Science and Information and Communications Technology (ICT) or the Korea Communications Commission orders a provider of information and communications services under paragraph (1) to make a publication of the fact that the service provider is ordered to take corrective measures, the Minister of Science and Information and Communications Technology (ICT) or the Korea Communications Commission may consult on the text of the publication with the provider of information and communications services. <Amended by Presidential Decree No. 23169, Sep. 29, 2011; Presidential Decree No. 24445, Mar. 23, 2013; Presidential Decree No. 28210, Jul. 26, 2017>
[This Article Newly Inserted by Presidential Decree No. 21278, Jan. 28, 2009]
 Article 69 (Disclosure of Order to Take Corrective Measures)
(1) In either of the following cases, the fact that a provider of information and communications services is ordered to take corrective measures under Article 64 of the Act may be disclosed. In such cases, the Minister of Science and Information and Communications Technology (ICT) or the Korea Communications Commission shall notify the relevant provider of information and communications services of the disclosure in advance. <Amended by Presidential Decree No. 20756, Mar. 28, 2008; Presidential Decree No. 21278, Jan. 28, 2009; Presidential Decree No. 23169, Sep. 29, 2011; Presidential Decree No. 24445, Mar. 23, 2013; Presidential Decree No. 28210, Jul. 26, 2017>
1. Where a provider of information and communications services is ordered to take corrective measures for an act specified in any provision of Articles 71 through 74 of the Act;
2. Where a provider of information and communications services has been ordered to take corrective measures at least twice a year.
(2) The disclosure of an order to take corrective measures under paragraph (1) shall be made by publishing it in Internet websites or general daily newspapers circulated nationwide under the Act on the Promotion of Newspapers, Etc. <Amended by Presidential Decree No. 22003, Jan. 27, 2010>
 Article 69-2 (Guidelines, etc. for Computation of Penalty Surcharges)
(1) “Sales related to a violation” in the main sentence of Article 64-3 (1) of the Act means the average annual sales of information and communications services, related to a violation of the relevant service provider, of the three immediately preceding business years: Provided, That such sales mean an amount computed by converting sales from the commencement date of business until the end of the immediately preceding business year into average annual sales, if three years have not passed since the business commenced as of the beginning of the pertinent business year, or an amount computed by converting sales from the commencement date of business until the date of violation into annual sales, if the business commenced during the pertinent business year. <Amended by Presidential Decree No. 24047, Aug. 17, 2012>
(2) “Grounds specified by Presidential Decree” in the proviso to Article 64-3 (2) of the Act means either of the following cases:
1. Where a provider of information and communications services has not commenced business or discontinued business and so has no record of business performance;
2. Where data for the computation of sales has been obliterated or destroyed, making it impracticable to compute sales objectively.
(3) If the Korea Communications Commission needs financial statements or other data for the computation of sales under paragraph (1), it may request the relevant provider of information and communications services to submit relevant data within a specified period of up to 20 days. <Amended by Presidential Decree No. 24047, Aug. 17, 2012>
(4) Guidelines and procedures for calculating penalty surcharges under Article 64-3 (4) of the Act are as specified in attached Table 8. <Newly Inserted by Presidential Decree No. 22423, Oct. 1, 2010; Presidential Decree No. 25789, Nov. 28, 2014>
[This Article Newly Inserted by Presidential Decree No. 21278, Jan. 28, 2009]
 Article 69-3 (Imposition and Payment of Penalty Surcharges)
(1) When the Korea Communications Commission intends to impose a penalty surcharge upon a person under Article 64-3 of the Act, it shall investigate and ascertain the relevant violation and shall give a notice to a person subject to the imposition of the penalty surcharge to pay it, clearly stating the facts relevant to the violation, the amount imposed, the method for filing an objection, the period given for filing an objection, etc. in writing.
(2) Upon receipt of a notice under paragraph (1), a person shall pay the penalty surcharge within 20 days from the date on which he/she receives the notice to a financial institution designated by the Korea Communications Commission: Provided, That if it is impossible to pay a penalty surcharge within a specified period due to a natural disaster or any other event beyond control, the penalty surcharge shall be paid within seven days from the date on which the event terminates.
(3) A financial institution that receives a penalty surcharge under paragraph (2) shall issue a receipt to a person who pays the penalty surcharge.
[This Article Newly Inserted by Presidential Decree No. 21278, Jan. 28, 2009]
 Article 70 (Delegation or Entrustment of Authority)
(1) Pursuant to Article 65 (1) of the Act, the Minister of Science and Information and Communications Technology (ICT) or the Korea Communications Commission shall delegate or entrust the authority to impose administrative fines under Article 76 of the Act upon the following persons and to collect administrative fines to the Director General of the Central Radio Management Service. <Amended by Presidential Decree No. 20756, Mar. 28, 2008; Presidential Decree No. 20896, Jul. 3, 2008; Presidential Decree No. 22424, Oct. 1, 2010; Presidential Decree No. 24445, Mar. 23, 2013; Presidential Decree No. 25789, Nov. 28, 2014; Presidential Decree No. 28210, Jul. 26, 2017>
1. A person who has registered special category telecommunications business (hereinafter referred to as "special category telecommunications business entity") under Article 21 (1) of the Telecommunications Business Act;
2. A person required to designate and a chief information protection officer, and report thereon pursuant to the proviso to Article 45-3 (1) of the Act;
3. A person who has registered as a provider of telecommunications billing services pursuant to Article 53 (1) of the Act.
(2) Pursuant to Article 65 (1) of the Act, the Korea Communications Commission shall entrust the Director General of the Central Radio Management Center with the authority to request the submission of data and to conduct inspections under Article 64 (1) and (3) (limited to cases filed with the Director General of the Central Radio Management Center in regard to intrusion on personal information) in order to ascertain a violation of any provision of Articles 22 through 32 of the Act. <Newly Inserted by Presidential Decree No. 24047, Aug. 17, 2012; Presidential Decree No. 24445, Mar. 23, 2013>
(3) Pursuant to Article 65 (1) of the Act, the Korea Communications Commission shall entrust the Director General of the Central Radio Management Center with the following authority (limited to matters concerning Articles 50, 50-3 through 50-5, and 50-7 of the Act) over persons (in cases falling under subparagraph 2, persons other than those under the subparagraphs of paragraph (1)) other than special telecommunications business entities. <Amended by Presidential Decree No. 20756, Mar. 28, 2008; Presidential Decree No. 20896, Jul. 3, 2008; Presidential Decree No. 23169, Sep. 29, 2011; Presidential Decree No. 24047, Aug. 17, 2012; Presidential Decree No. 24445, Mar. 23, 2013; Presidential Decree No. 25789, Nov. 28, 2014>
1. An order to take corrective measures under Article 64 (4) of the Act;
2. Imposition and collection of administrative fines under Article 76 of the Act.
(4) Pursuant to Article 65 (3) of the Act, the Korea Communications Commission shall entrust the following duties to the head of the Korea Internet and Security Agency: <Amended by Presidential Decree No. 20756, Mar. 28, 2008; Presidential Decree No. 22423, Oct. 1, 2010; Presidential Decree No. 23169, Sep. 29, 2011; Presidential Decree No. 25789, Nov. 28, 2014>
1. Duties relating to a request for the submission of data and inspections under Article 64 (1) and (3) of the Act for ascertaining a violation of any provision of Articles 22 through 32 of the Act (limited to grievances filed with the Korea Internet and Security Agency for settlement or counseling in connection with the intrusion on personal information);
2. Duties relating to a request for the submission of data and inspections under Article 64 (1) through (3) of the Act for ascertaining a violation of any provision of Articles 50, 50-3 through 50-5, 50-7, and 50-8 of the Act (limited to grievances filed with the Korea Internet and Security Agency for settlement or counseling in connection with the transmission of advertising information).
(5) The Minister of Science and Information and Communications Technology (ICT) shall delegate the following authority to the Director General of the Central Radio Management Center pursuant to Article 65 (1) of the Act: <Newly Inserted by Presidential Decree No. 25789, Nov. 28, 2014; Amended by Presidential Decree No. 26757, Dec. 22, 2015; Presidential Decree No. 28210, Jul. 26, 2017>
1. Reporting on the designation of a chief information protection officer under Article 45-3 of the Act;
2. Registration of providers of telecommunications billing services under Article 53 (1) of the Act;
3. Registration of changes in providers of telecommunications billing services, the transfer or acquisition of business, or the merger or inheritance of business, succession to business and reporting on the suspension, closure or dissolution of business under Article 53 (4) of the Act;
4. Revocation of the registration of a provider of telecommunications billing services under Article 55 (1) of the Act;
5. Reporting on contractual terms (including reporting on changes in contractual terms) on telecommunications billing services under Article 56 (1) of the Act;
6. Recommending a provider of telecommunications billing services to change contractual terms under Article 56 (2) of the Act;
7. Issuing orders to refuse, suspend, or restrict the provision of telecommunications billing services under Article 61 of the Act;
8. Requesting the submission of data and inspection under Article 64 (1) and (3) of the Act to verify facts of violations of the provisions of Articles 53 through 61 of the Act;
9. Issuing an order to a person who has obtained registration as a provider of telecommunications billing services pursuant to Article 53 (1) of the Act to take corrective measures under Article 64 (4) of the Act.
 Article 70-2 (Processing of Personally Identifiable Information)
Where it is inevitable to conduct the following duties, the Minister of Science and Information and Communications Technology (ICT) or the Korea Communications Commission (including a person entrusted with the authority of the Korea Communications Commission pursuant to Article 70) may process resident registration numbers under subparagraph 1 of Article 19 of the Enforcement Decree of the Personal Information Protection Act, or foreigner registration numbers under subparagraph 4 of the aforesaid Article: <Amended by Presidential Decree No. 28210, Jul. 26, 2017>
1. Duties concerning requests for submission, reading, inspection, etc. of data, etc. under Article 64 (1) through (3) of the Act;
2. Duties concerning the imposition and collection of penalty surcharge Article 64-3 of the Act.
[This Article Newly Inserted by Presidential Decree No. 25532, Aug. 6, 2014]
 Article 71 (Re-Examination of Regulation)
(1) The Minister of Science and Information and Communications Technology (ICT) or the Korea Communications Commission shall examine the appropriateness of administrative fines every three years (referring to the period ending on the date immediately before every third anniversary from the base date), counting from the base date, January 1, 2017, and take measures, such as making improvements: <Amended by Presidential Decree No. 27751, Dec. 30, 2016; Presidential Decree No. 28210, Jul. 26, 2017>
(2) The Minister of Science and Information and Communications Technology (ICT) shall examine the appropriateness of the following matters every three years (referring to the period ending on the date preceding every third anniversary from the base date), counting from each base date specified in the following, and take measures, such as making improvements: <Amended by Presidential Decree No. 27751, Dec. 30, 2016; Presidential Decree No. 28210, Jul. 26, 2017>
1. Protective measures taken by business entities operating and managing clustered information and telecommunications facilities under Article 37: January 1, 2017;
2. Obligations to precure insurance and the minimum amount of insurance cover under Article 38: January 1, 2017;
3. Scope of persons subject to the certification of information protection and management systems under Article 49: January 1, 2014;
4. Follow-up management and notification on the certification of information protection and management systems under Article 51: January 1, 2017;
5. Guidelines for designating a certification institution for information protection and management systems under Article 53: January 1, 2017;
6. Procedures for designating a certification institution for information protection and management systems under Article 53-2: January 1, 2017;
7. Requirements for the registration of a provider of telecommunications billing services under Article 66-2: January 1, 2014;
8. Period and methods for preservation of transaction records under Article 66-8: January 1, 2014.
(3) Deleted. <by Presidential Decree No. 27751, Dec. 30, 2016>
(4) The Korea Communications Commission shall review the suitability of the following matters every three years (referring to the period ending on the date preceding every third anniversary from the base date), counting from each base date specified in the following, and take measures, such as making improvements: <Amended by Presidential Decree No. 25789, Nov. 28, 2014>
1. Methods for obtaining consent under Article 12: January 1, 2015;
2. Scope of persons required to give notice of the details of the use of personal information, types of information of which a person should give notice, and a frequency of and methods for giving notice under Article 17: January 1, 2015;
3. Scope of persons liable to designate a person responsible for the protection of juveniles under Article 25: January 1, 2015;
4. Deadline for designation of a person responsible for the protection of juveniles under Article 27: January 1, 2015;
5. Deleted. <by Presidential Decree No. 27751, Dec. 30, 2016>
[This Article Newly Inserted by Presidential Decree No. 25050, Dec. 30, 2013]
 Article 72 Deleted. <by Presidential Decree No. 22550, Dec. 27, 2010>
 Article 73 Deleted. <by Presidential Decree No. 21692, Aug. 18, 2009>
 Article 74 (Guidelines for Imposition of Administrative Fine)
Guidelines for the imposition of administrative fines under the provisions of Article 76 (1) through (3) of the Act are as prescribed in Table 9 attached hereto.
[This Article Wholly Amended by Presidential Decree No. 22423, Oct. 1, 2010]
ADDENDA
Article 1 (Enforcement Date)
This Decree shall enter into force on the date of its promulgation.
Article 2 (Relationship to Other Statutes)
A citation of the former Enforcement Decree of the Act on Promotion of Information and Communications Network Utilization and Information Protection, Etc., the Enforcement Rule of the Act on Promotion of Information and Communications Network Utilization and Information Protection, Etc., or a provision of either of them by any other statutes in force as at the time this Decree enters into force shall be deemed a citation of this Decree or the relevant provision of this Decree in lieu of the former provision, if this Decree prescribes such relevant provision.
ADDENDUM <Presidential Decree No. 20756, Mar. 28, 2008>
This Decree shall enter into force on the date of its promulgation.
ADDENDA <Presidential Decree No. 20896, Jul. 3, 2008>
Article 1 (Enforcement Date)
This Decree shall enter into force on the date of its promulgation.
Article 2 Omitted.
ADDENDA <Presidential Decree No. 20947, Jul. 29, 2008>
Article 1 (Enforcement Date)
This Decree shall enter into force on February 4, 2009. (Proviso Omitted.)
Articles 2 through 28 Omitted.
ADDENDA <Presidential Decree No. 21278, Jan. 28, 2009>
Article 1 (Enforcement Date)
This Decree shall enter into force on the date of its promulgation: Provided, That the amendments to Article 15 (4) 2 and 4 shall enter into force one year after the date of its promulgation.
Article 2 (Preparation for Public Notice)
Notwithstanding the proviso to Article 1 of the Addenda, the public notice under the amended provisions of Article 15 (6) may include the public notice of guidelines under the amended provisions of Article 15 (4) 2 and 4.
ADDENDA <Presidential Decree No. 21692, Aug. 18, 2009>
Article 1 (Enforcement Date)
This Decree shall enter into force on August 23, 2009.
Articles 2 through 6 Omitted.
ADDENDA <Presidential Decree No. 21719, Sep. 9, 2009>
Article 1 (Enforcement Date)
This Decree shall enter into force on September 10, 2009.
Articles 2 and 3 Omitted.
ADDENDA <Presidential Decree No. 22003, Jan. 27, 2010>
Article 1 (Enforcement Date)
This Decree shall enter into force on February 1, 2010.
Articles 2 through 5 Omitted.
ADDENDA <Presidential Decree No. 22151, May 4, 2010>
Article 1 (Enforcement Date)
This Decree shall enter into force on May 5, 2010.
Articles 2 through 4 Omitted.
ADDENDA <Presidential Decree No. 22423, Oct. 1, 2010>
Article 1 (Enforcement Date)
This Decree shall enter into force on the date of its promulgation.
Article 2 (Transitional Measures concerning Guidelines for Administrative Dispositions)
(1) Notwithstanding the amended provisions of Tables 4 and 8 attached hereto, former provisions shall apply to the application of guidelines for administrative dispositions (including guidelines for the imposition of penalty surcharges) against violations committed before this Decree enters into force.
(2) Administrative dispositions imposed for violations committed before this Decree enters into force shall be included in the computation of the number of violations under the amended provisions of Table 4 attached hereto.
Article 3 (Transitional Measures concerning Administrative Fine)
(1) Notwithstanding the amended provisions of Table 9 attached hereto, former practices shall apply to the imposition of administrative fines for violations committed before this Decree enters into force.
(2) Administrative fines imposed for violations committed before this Decree enters into force shall be included in the computation of the number of violations under the amended provisions of Table 9 attached hereto.
ADDENDA <Presidential Decree No. 22424, Oct. 1, 2010>
Article 1 (Enforcement Date)
This Decree shall enter into force on the date of its promulgation.
Articles 2 through 10 Omitted.
ADDENDUM <Presidential Decree No. 22467, Nov. 2, 2010>
This Decree shall enter into force on the date of its promulgation.
ADDENDA <Presidential Decree No. 22550, Dec. 27, 2010>
Article 1 (Enforcement Date)
This Decree shall enter into force on the date of its promulgation. (Proviso Omitted.)
Articles 2 through 6 Omitted.
ADDENDUM <Presidential Decree No. 22773, Mar. 29, 2011>
This Decree shall enter into force on the date of its promulgation.
ADDENDUM <Presidential Decree No. 23104, Aug. 29, 2011>
This Decree shall enter into force on the date of its promulgation.
ADDENDA <Presidential Decree No. 23169, Sep. 29, 2011>
Article 1 (Enforcement Date)
This Decree shall enter into force on September 30, 2011. (Proviso Omitted.)
Articles 2 through 8 Omitted.
ADDENDUM <Presidential Decree No. 23876, Jun. 25, 2012>
This Decree shall enter into force on the date of its promulgation.
ADDENDA <Presidential Decree No. 24047, Aug. 17, 2012>
Article 1 (Enforcement Date)
This Decree shall enter into force on August 18, 2012: Provided, That the amended provisions of Articles 15 (2), 36-2 through 36-6, 39 through 49, 51 through 53, 53-2 through 53-4, 54-2, 55-2 through 55-5, attached Table 2, attached Table 3, paragraph 2 (v) and (w) of attached Table 9, and Article 3 of Addenda shall enter into force on February 18, 2013.
Article 2 (Applicability to Counting of Unused Period)
Counting a period under the amended provisions of Article 16 (1) shall begin where information and communications services are not used on and after August 18, 2012.
Article 3 Omitted.
ADDENDA <Presidential Decree No. 24076, Aug. 31, 2012>
Article 1 (Enforcement Date)
This Decree shall enter into force on September 2, 2012. (Proviso Omitted.)
Articles 2 through 4 Omitted.
ADDENDA <Presidential Decree No. 24102, Sep. 14, 2012>
Article 1 (Enforcement Date)
This Decree shall enter into force on September 16, 2012. (Proviso Omitted.)
Articles 2 through 4 Omitted.
ADDENDA <Presidential Decree No. 24445, Mar. 23, 2013>
Article 1 (Enforcement Date)
This Decree shall enter into force on the date of its promulgation.
Articles 2 through 4 Omitted.
ADDENDUM <Presidential Decree No. 25050, Dec. 30, 2013>
This Decree shall enter into force on January 1, 2014. (Proviso Omitted.)
ADDENDUM <Presidential Decree No. 25532, Aug. 6, 2014>
This Decree shall enter into force on August 7, 2014.
ADDENDA <Presidential Decree No. 25751, Nov. 19, 2014>
Article 1 (Enforcement Date)
This Decree shall enter into force on the date of its promulgation. (Proviso Omitted.)
Articles 2 through 5 Omitted.
ADDENDA <Presidential Decree No. 25789, Nov. 28, 2014>
Article 1 (Enforcement Date)
This Decree shall enter into force on November 29, 2014: Provided, That the
amended provision of the main sentence of Article 16 (1) shall enter into force on August 18, 2015.
Article 2 (Applicability to Destruction of Personal Information, etc.)
The amended provision of the main sentence of Article 16 (1) shall also apply to personal information collected or provided before August 18, 2015.
Article 3 (Applicability to Notification of Results of Handling of Consent to Receive Messages, etc.)
The amended provisions of Article 62-2 shall apply, beginning with cases where an addressee expresses his/her consent to receive messages, refuse to receive messages or withdraw his/her consent to receive messages after this Decree enters into force.
Article 4 (Special Cases concerning Reporting on Chief Information Protection Officers)
Notwithstanding the amended provisions of Article 36-7, an information and telecommunications service provider falling under any of the subparagraphs of the amended provisions of Article 36-6 as at the time this Decree enters into force shall submit a report on the designation of a chief information protection officer to the Minister of Science, ICT and Future Planning within 90 days from the date this Decree enters into force.
Article 5 (Special Cases on Guidelines for Transmitting Advertising Information for Purposes of Generating Profits)
Where the amended provision of Article 61 (1) applies to cases where the sale of goods, etc. is concluded before this Decree enters into force, the enforcement date of this Decree shall be deemed the date the sale of the relevant goods, etc. is concluded.
Article 6 (Special Cases on Verification as to Whether Addressee Has Consented to Receive Messages)
Where the amended provision of Article 62-3 (1) applies to cases where a person has obtained consent to receive messages from an addressee before this Decree enters into force, he/she shall be deemed to have obtained the relevant consent to receive messages on the date this Decree enters into force.
Article 7 (Transitional Measures concerning Measures to Protect Personal Information)
Where an information and telecommunications service provider has taken security measures under the former Article 15 (4) 1 and 2 before this Decree
enters into force, the former provisions shall apply, notwithstanding the amended provisions of Article 15 (4) 1 and 2.
Article 8 (Transitional Measures concerning Guidelines for Calculating Penalty Surcharges)
When a penalty surcharge is imposed on any offense committed before this Decree enters into force, notwithstanding the amended provisions of attached Table 8, the former provisions thereof shall apply.
Article 9 (Transitional Measures concerning Administrative Fines)
(1) When guidelines for imposing administrative fines apply to offenses committed before this Decree enters into force, notwithstanding the amended provisions of attached Table 9, the former provisions thereof shall apply.
(2) A disposition of the imposition of an administrative fine due to an offense committed before this Act enters into force shall be included in the calculation of the number of times of offenses under the amended provisions of attached Table 9.
ADDENDA <Presidential Decree No. 26757, Dec. 22, 2015>
Article 1 (Enforcement Date)
This Decree shall enter into force on December 23, 2015.
Article 2 (Transitional Measures concerning Administrative Fine)
Administrative fines, imposed pursuant to the former subparagraph 2 (n) of attached Table 9, for violations committed before this Decree enters into force, shall not be included in the count of violations under the amended subparagraph 2 (f) of attached Table 9.
ADDENDUM <Presidential Decree No. 27188, May 31, 2016>
This Decree shall enter into force on June 2, 2016: Provided, That the amended provisions of Article 16 shall enter into force on the date of its promulgation.
ADDENDA <Presidential Decree No. 27510, Sep. 22, 2016>
Article 1 (Enforcement Date)
This Decree shall enter into force on September 23, 2016: Provided, That the amended provisions of the proviso to Article 16 (2) shall enter into force one year after this Decree enters into force.
Article 2 (Applicability concerning Separate Storage and Management of Personal Information)
The amended provisions of the proviso to Article 16 (2) shall apply to the personal information collected or provided before the enforcement date referred to in the proviso to Article 1 of Addenda.
ADDENDA <Presidential Decree No. 27751, Dec. 30, 2016>
Article 1 (Enforcement Date)
This Decree shall enter into force on January 1, 2017. (Proviso Omitted.)
Articles 2 through 12 Omitted.
ADDENDA <Presidential Decree No. 27951, Mar. 22, 2017>
Article 1 (Enforcement Date)
This Decree shall enter into force on March 23, 2017.
Article 2 (Applicability to Consent to Access Authority)
The amended provisions of Article 9-2 (1) through (3) shall apply beginning with the first case where a provider of information and communications services needs access authority to provide the relevant services through such softwares (including softwares which have been manufactured before this Decree enters into force, but are provided thereafter, and softwares which have been provided before this Decree enters into force, but are supplied thereafter) of mobile devices as are supplied after this Decree enters into force.
Article 3 (Applicability to Measures Necessary for Protecting Information on Users)
The amended provisions of Article 9-2 (4) shall apply beginning with the first case of providing the operating system or softwares of mobile devices after this Decree enters into force (including a case of having manufactured the operating system or software before this Decree enters, but providing it thereafter and a case of having provided the operating system or softwares before this Decree enters into force, but upgrading either thereafter) and the first case of manufacturing mobile devices after this Decree enters into force (excluding a case where mobile devices are being manufactured as at the time this Decree enters into force, but the operating system has been installed in them therebefore).
ADDENDA <Presidential Decree No. 28210, Jul. 26, 2017>
Article 1 (Enforcement Date)
This Decree shall enter into force on the date of its promulgation.
Articles 2 through 6 Omitted.
ADDENDA <Presidential Decree No. 28283, Sep. 5, 2017>
Article 1 (Enforcement Date)
This Decree shall enter into force three months after the date of its promulgation: Provided, That ...... <Omitted.> ...... Article 6 of Addenda shall enter into force on the date of its promulgation.
Articles 2 through 6 Omitted.