법령조회

뒤로가기 메인화면

CREDIT INFORMATION USE AND PROTECTION ACT

Wholly Amended by Act No. 9617, Apr. 1, 2009

Amended by Act No. 10228, Apr. 5, 2010

Act No. 10465, Mar. 29, 2011

Act No. 10690, May 19, 2011

Act No. 11690, Mar. 23, 2013

Act No. 11845, May 28, 2013

Act No. 12844, Nov. 19, 2014

Act No. 13216, Mar. 11, 2015

Act No. 13337, jun. 22, 2015

Act No. 14122, Mar. 29, 2016

Act No. 14823, Apr. 18, 2017

Act No. 14839, Jul. 26, 2017

Act No. 15146, Nov. 28, 2017

Act No. 15748, Aug. 14, 2018

Act No. 15933, Dec. 11, 2018

Act No. 16188, Dec. 31, 2018

Act No. 16957, Feb. 4, 2020

Act No. 16930, Feb. 4, 2020

Act No. 17354, jun. 9, 2020

Act No. 17799, Dec. 29, 2020

Act No. 18124, Apr. 20, 2021

Act No. 19234, Mar. 14, 2023

CHAPTER I GENERAL PROVISIONS
 Article 1 (Purpose)
The purpose of this Act is to soundly foster industries related to credit information, promoting an efficient utilization and systematic management of credit information, and protecting privacy, etc. from the misuse and abuse of credit information properly, thereby contributing to the establishment of sound practices in credit transaction and the development of the national economy. <Amended on Feb. 4, 2020>
 Article 2 (Definitions)
The terms used in this Act are defined as follows: <Amended on May 19, 2011; Mar. 11, 2015; Feb. 4, 2020>
1. The term "credit information" means the following information which is necessary to determine the creditworthiness of the counterparty in financial transactions and other commercial transactions:
(a) Information that can uniquely identify a credit data subject (it constitutes credit information only when such information is combined with information falling under any of items (b) through (e));
(b) Information by which the transaction details of a credit data subject can be determined;(b) Information by which the transaction details of an owner of credit information can be determined;
(c) Information by which the creditworthiness of a credit data subject can be determined;
(d) Information by which the credit transaction capacity of an owner of credit information can be determined;
(e) Information necessary to determine the creditworthiness of a credit data subject other than the information provided in items (a) through (d);
1-2. The term "information that can uniquely identify a credit data subject" in subparagraph 1 (a) means the following information:
(a) The following information on living individuals:
(i) Name, address, telephone number, and other similar information prescribed by Presidential Decree;
(ii) Information prescribed by Presidential Decree as those specifically assigned to uniquely identify an individual pursuant to statutes or regulations (hereinafter referred to as "personal identification number");
(iii) Information that can uniquely identify an individual, such as texts, numbers, symbols, or other similar information converted so that the characteristic of the individual's body part can be processed by a computer or any other information processing device;
(iv) Information similar to that referred to in (i) through (iii), which is prescribed by Presidential Decree;
(b) The following information on enterprises (referring to individuals and corporations running business, and organizations thereof; hereinafter the same shall apply) or corporations:
(i) The trade name and name;
(ii) Location of the headquarters, place of business, and the principal office;
(iii) The type and purpose of business;
(iv) A sole proprietor (referring to an individual who runs business; hereinafter the same shall apply), the name and personal identification number of the representative;
(v) Information prescribed by Presidential Decree, which is issued under statutes or regulations to uniquely identify an enterprise or corporation;
(vi) Information prescribed by Presidential Decree, which is similar to information referred to in (i) through (v);
1-3. "Information by which the transaction details of a credit data subject can be determined" in subparagraph 1 (b) means the following information:
(a) Information on the type, period, amount, interest rate, ceiling, etc. of the following transactions, which poses credit risk to a credit information provider or user:
(i) Credit granting defined in subparagraph 7 of Article 2 of the Banking Act;
(ii) Transactions of credit cards, facility leases, and installment financing under subparagraphs 3, 10, and 13 of Article 2 of the Specialized Credit Finance Business Act;
(iii) Credit granting under Articles 34 (2), 72, 77-3 (4), and 342 (1) of the Financial Investment Services and Capital Markets Act;
(iv) Transactions similar to those referred to in (i) through (iii) and prescribed by Presidential Decree;
(b) Information on the types, periods, amounts, interest rates, etc. of financial transactions defined in subparagraph 3 of Article 2 of the Act on Real Name Financial Transactions and Confidentiality;
(c) Information on insurance contracts, such as types, periods, insurance premiums, etc. of insurance products under subparagraph 1 of Article 2 of the Insurance Business Act, and information on claims and payment of insurance proceeds;
(d) Information on kinds, details of issuance and trading, fees, remunerations, etc. of financial investment instruments defined in Article 3 of the Financial Investment Services and Capital Markets Act;
(e) Information on the types, periods, details, terms, conditions, etc. of commercial transactions following commercial activities under Article 46 of the Commercial Act;
(f) Information similar to that referred to in items (a) through (e) and is prescribed by Presidential Decree;
1-4. The term "information by which the creditworthiness of a credit data subject can be determined" in subparagraph 1 (c) means the following information:
(a) Information related to non-performance, payment by subrogation, and the non-performance of obligations arising in connection with commercial transactions, including financial transactions;
(b) The following information related to the acts that disrupt credit order in connection with commercial transactions, including financial transactions:
(i) Information on the fact of stealing the names of other persons in commercial transactions, such as financial transactions;
(ii) Information on the fact of conducting commercial transactions, including financial transactions, by fraud or other improper means, including insurance fraud and telecommunications-based financial fraud;
(iii) Information on the fact that a person has submitted forged, altered, or false data to a counterparty in commercial transactions, such as financial transactions;
(iv) Information on the fact that borrowings, etc. have been misappropriated or that a loan contract or insurance contract has been concluded by improper means;
(v) Information similar to that referred to in subitems (i) through (iv) and is prescribed by Presidential Decree;
(c) Where a credit data subject regarding item (a) or (b) is a corporation, information on a person prescribed by Presidential Decree, who is actually involved in the management of the corporation and has de facto control;
(d) Information similar to those referred to in items (a) through (c) and is prescribed by Presidential Decree;
1-5. "Information by which the credit transaction capacity of a credit data subject can be determined" in subparagraph 1 (d) means the following information:
(a) The occupation, total amounts of properties, debts, and income of an individual and his or her tax payment record;
(b) Overall information of a company or corporation, including its history, purpose, business status, and current status of stocks or shareholding ratio; matters concerning its representative and executive officers, its business details including sales statements, orders received, or major contracts for management; matters concerning its finance including financial statements (including consolidated financial statements of a company that prepares consolidated financial statements); and the audit opinion of its auditor (referring to an auditor under subparagraph 7 of Article 2 of the Act on External Audit of Stock Companies), and tax payment records;
(c) Information similar to that referred to in items (a) and (b) and is prescribed by Presidential Decree;
1-6. The term "information necessary to determine the creditworthiness of a credit data subject other than the information provided in in items (a) through (d)" means the following information:
(a) Information prescribed by Presidential Decree on the court trial, administrative disposition, etc. that a credit data subject has been subjected to;
(b) Information prescribed by Presidential Decree on taxes, claims by the State, etc. of a credit data subject;
(c) Information prescribed by Presidential Decree on the debt restructuring of a credit data subject;
(d) Information newly generated by processing information to assess the credit standing of an individual, which is expressed in scores, ratings, etc. denoted by symbols, numbers, etc. (hereinafter referred to as "personal credit score");
(e) Information newly generated by processing information to determine the creditworthiness of an enterprise or a corporation (hereinafter referred to as "corporate credit rating"), which is expressed in scores, ratings, etc. denoted by symbols, numbers, etc.: Provided, That the credit rating under Article 9 (26) of the Financial Investment Services and Capital Markets Act shall be excluded;
(f) Information on technology (referring to technology defined in subparagraph 1 of Article 2 of the Technology Transfer and Commercialization Promotion Act);
(g) Information prescribed by Presidential Decree (hereinafter referred to as "technology credit information") newly created by processing information (including the results of assessing technicality, marketability, business feasibility, etc. related to the technology of an enterprise or corporation) to determine the creditworthiness of the enterprise or corporation: Provided, That the credit rating under Article 9 (26) of the Financial Investment Services and Capital Markets Act shall be excluded;.
(h) Other information similar to those specified in subparagraphs 1-2 through 1-5 and in items (a) through (g) and is prescribed by Presidential Decree;
2. The term "personal credit information" means any of the following credit information on a living individual except information on an enterprise or corporation;
(a) Information that that can uniquely identify an individual by his or her name, resident registration number, image, etc.;
(b) Information that may be easily combined with other information to uniquely identify an individual, even if the information alone cannot uniquely identify an individual;
3. The term "credit data subject" means a person identifiable by processed credit information, who is the subject of the credit information;
4. The term "credit information business" means any of the following businesses:
(a) A personal credit rating business;
(b) A sole proprietor credit rating business;
(c) A corporate credit inquiry business;
(d) A credit investigation business;
5. The term "credit information company" means any of the following persons who have obtained permission for a credit information business provided in the items of subparagraph 4 from the Financial Services Commission:
(a) A personal credit rating company: A person who obtains permission for a personal credit rating business;
(b) A sole proprietor credit rating company: A person who obtains permission for a sole proprietor credit rating business;
(c) A corporate credit inquiry company: A person who obtains permission for a corporate credit inquiry business;
(d) A credit investigation company: A person obtains permission for a credit investigation business;
6. The term "credit information collection agency" means a person permitted by the Financial Services Commission under the provisions of Article 25 (1), who centrally manages and utilizes credit information;
7. The term "credit information provider or user" means a person prescribed by Presidential Decree, who provides any third party with credit information obtained or produced in relation to his or her own business for purposes of commercial transactions, such as financial transactions with customers, or who has been continuously supplied with credit information from any third party to use such information for his or her own business, or other persons corresponding thereto;
8. The term "personal credit rating business" means collecting information necessary to determine the creditworthiness of an individual, assessing the credit standing of the individual (hereinafter referred to as "personal credit rating"), and providing the results (including the personal credit score) to a third party;
8-2. The term "sole proprietor credit rating business" means a business engaged in collecting information necessary to determine the creditworthiness of a sole proprietor and assessing his or her credit standing and thereby providing the results to a third party: Provided, That the credit rating business under Article 9 (26) of the Financial Investment Services and Capital Markets Act shall be excluded herefrom;
8-3. The term "corporate credit inquiry business" means a business providing any of the following services: Provided, That the credit rating business under Article 9 (26) of the Financial Investment Services and Capital Markets Act shall be excluded herefrom;
(a) Business affairs of corporate information inquiry: Collecting credit information, other than the information prescribed by Presidential Decree, and providing such information by consolidating and analyzing or processing it by means prescribed by Presidential Decree, to indicate the details of transactions, credit transaction capacity, etc. of a credit data subject who is an enterprise or a corporation;
(b) Business affairs of providing corporate credit ratings: Generating a corporate credit rating by assessing the credit standing of a credit data subject who is an enterprise or a corporation, and providing it to the relevant credit data subject, his or her counterparty, and other interested persons;
(c) Business affairs of providing technology credit ratings: Assessing the credit standing and the value of technology of a credit data subject who is an enterprise or a corporation to generate technology credit information and then providing such information to the relevant credit data subject, his or her counterparty, and other interested persons;
9. The term "credit investigation business" means a business investigating credit information and furnishing it for clients upon their request;
9-2. The term "MyData business" means a business of providing all or some of the following credit information to an individual credit data subject by integrating it by means prescribed by Presidential Decree to assist him or her with credit management:
(a) Information prescribed by Presidential Decree out of credit information under subparagraph 1-3 (a) (i), (ii) and (b);
(b) Information prescribed by Presidential Decree out of credit information under subparagraph 1-3 (c);
(c) Information prescribed by Presidential Decree out of credit information under subparagraph 1-3 (d);
(d) Information prescribed by Presidential Decree out of credit information under subparagraph 1-3 (e);
(e) Other information prescribed by Presidential Decree, which is necessary for a credit data subject to manage his or her credit;
9-3. The term "MyData company" means a person who obtains permission for a MyData business from the Financial Services Commission;
10. The term "claims collection business" means a business of exercising claims on behalf of the creditor by investigating properties of a person who fails to repay a debt by an agreed repayment date, urging repayment, or receiving the repaid money, by delegation of the creditor;
10-2. The term "claims collection agency" means a person who has obtained permission for the claims collection business from the Financial Services Commission;
11. The term "claims", which are the object of claims collection, means monetary claims that accrue from commercial practices under the Commercial Act; civil claims prescribed by Presidential Decree, the title of which has been acknowledged by judgments, etc.; monetary claims arising from loan and guarantee, and other credit facilities and insurance businesses for union members and members of cooperatives, mutual aid associations, savings and finance companies, and their national federations and associations established under special Acts; and any other claims, the collection of which is allowed to be entrusted to a credit information company pursuant to other statutes;
12. Deleted; <May 28, 2013>
13. The term "processing" means collecting, generating, connecting, linking, recording, storing, retaining, processing, editing, searching, printing out, correcting, restoring, using, combining disclosing, destroying credit information (including investigation; hereinafter the same shall apply), or any other similar acts;
14. The term "automated evaluation" means evaluating an individual credit data subject, by processing personal credit information and other information only with information processing devices, including computers, without involving therein the evaluation of an employee of a credit information company, etc. defined in Article 15 (1);
15. The term "pseudonymization" means the processing of personal credit information in such a manner that the personal credit information can no longer be attributed to a specific individual credit data subject without the use of additional information (including the processing of personal credit information by such means as separating and retaining the additional information provided in Article 40-2 (1) and (2), thereby de-identifying an individual credit data subject, in which the results of processing falls under any of the following):
(a) Where a certain credit data subject is differentiated from another credit data subject;
(b) Where two or more pieces of data on a credit data subject are connected or linked in a data set (referring to two or more data organized or arranged under specific rules for purposes of systematically managing or processing information) or two or more different data sets;
(c) Other cases similar to those set forth in items (a) and (b) and are prescribed by Presidential Decree;
16. The term "pseudonymized information" means a pseudonymized personal credit information;
17. The term "anonymization" means processing personal credit information in a manner that de-identifies an individual credit data subject;
11. The term "large shareholder" means any of the following shareholders:
(a) A person who holds the greatest number of outstanding voting shares (including equities; hereinafter the same shall apply) of a credit information company, MyData company, or claims collection agency, when all shares (including depository receipts related to the shares) held by the person and persons in a special relationship prescribed by Presidential Decree (hereafter referred to as "related persons") on the person's own account, irrespective of in whose name the shares are held, are aggregated (hereinafter referred to as "the largest shareholder");
(b) A person who falls within either of the following subitems:
(i) A person who holds not less than 10/100 of the total number of outstanding voting shares (including securities depository receipts for such shares) of a credit information company, MyData company, or claims collection agency, on his or her account, irrespective of in whose name such shares are held;
(ii) Persons prescribed by Presidential Decree, who exercise de facto control over important managerial matters of a credit information company, MyData company, or claims collection agency by means of appointing or dismissing executive officers [referring to directors, auditors, and executive directors (limited to cases where executive directors are appointed under Article 408-2 of the Commercial Act); hereinafter the same shall apply].
 Article 3 (Fostering Industries Related to Credit Information)
(1) The Financial Services Commission may, if deemed necessary to improve credit information companies' capability to provide credit information as well as to facilitate utilization of credit information, formulate plans for fostering industries related to credit information. <Amended on Feb. 4, 2020>
(2) The Financial Services Commission may, if deemed necessary to facilitate implementation of plans under paragraph (1), request cooperation of the head of a relevant administrative agency, who, in turn, shall comply with such request in the absence of good cause.
[Title Amended on Feb. 4, 2020]
 Article 3-2 (Relationship to other Statutes)
(1) This Act shall apply to the use and protection of credit information, except as otherwise provided in other statutes.
(2) The Personal Information Protection Act shall apply to the protection of personal information, except as otherwise provided in this Act.
[This Article Newly Inserted on Mar. 11, 2015]
CHAPTER II PERMISSION FOR CREDIT INFORMATION BUSINESS
 Article 4 (Permission for Credit Information Business)
(1) No person who fails to obtain permission for a credit information business, MyData business, or claims collection business shall engage in a credit information business, MyData business, or claims collection business: <Amended on Feb. 4, 2020>
(2) Any person who intends to engage in a credit information business, MyData business, or claims collection business shall obtain permission from the Financial Services Commission.
(3) Any person who intends to obtain permission under paragraph (2) shall file an application with the Financial Services Commission, as prescribed by Presidential Decree.
(4) The Financial Services Commission may attach conditions to the permission under paragraph (2).
(5) Any matter concerning an application for permission, including methods to fill out a permission application form in relation to permission pursuant to paragraph (2), and the procedure and standard for permission review, and any other necessary matters shall be prescribed by Ordinance of the Prime Minister.
[Title Amended on Feb. 4, 2020]
 Article 5 (Persons Eligible to Obtain Permission for Credit Information Business)
(1) A person eligible to obtain permission for a personal credit rating business, credit investigation business, or claims collection business shall be limited to the following persons: Provided, That this shall not apply to a personal credit rating business (hereinafter referred to as "specialized personal credit rating business") that processes information, other than personal credit information on financial transactions prescribed by Presidential Decree and personal credit information intensively managed and used by a centralized credit information collection agency: <Amended on Apr. 5, 2010; Mar. 29, 2016; Feb. 4, 2020>
1. A corporation, at least 50/100 of the capital of which is invested by financial institutions, etc. prescribed by Presidential Decree;
2. The Korea Credit Guarantee Fund established pursuant to the Credit Guarantee Fund Act;
3. The Korea Technology Finance Corporation established pursuant to the Korea Technology Finance Corporation Act;
4. A credit guarantee foundation established pursuant to the Regional Credit Guarantee Foundation Act;
5. The Korea Trade Insurance Corporation established pursuant the Trade Insurance Act;
6. A corporation, at least 50/100 of the capital of which is invested by a person who has obtained permission for all or some of a credit information business or claims collection business: Provided, That cases where an investor engages in the same kind of business as the corporation invested, shall be excluded.
(2) Any of the following persons shall be eligible to obtain permission for a sole proprietor credit rating business: <Newly Inserted on Feb. 4, 2020>
1. A personal credit rating company (excluding a specialized personal credit rating company);
2. A corporate credit inquiry company engaged in providing corporate credit ratings;
3. A credit card business operator under the Specialized Credit Finance Business Act;
4. A person provided in paragraph (1) 1;
5. A person provided in paragraph (1) 6.
(3) Any of the following persons shall be eligible for obtaining permission for a corporate credit inquiry business: Provided, That a person who intends to engage in the business affairs of providing corporate credit ratings or technology credit ratings shall be limited to a person falling under subparagraph 1, 2, or 4: <Newly Inserted on Feb. 4, 2020>
1. A person provided in paragraph (1) 1.
2. A person provided in paragraph (1) 2 through 6;
3. A stock company established under the Commercial Act;
4. Corporations prescribed by Presidential Decree in consideration of the characteristics of the business affairs of providing technology credit ratings, the purpose of incorporation, etc.
(4) Notwithstanding paragraph (3), none of the following persons shall be eligible to obtain permission for business affairs under subparagraph 8-3 (b) and (c) of Article 2: <Newly Inserted on Feb. 4, 2020; Dec. 29, 2020>
1. A corporation in which a member company of a business group subject to disclosure and business group subject to limitations on cross shareholding prescribed in Article 31 (1) of the Monopoly Regulation and Fair Trade Act has invested in excess of 10/100;
2. A corporation in which a person under Article 9 (17) 3-2 of the Financial Investment Services and Capital Markets Act (hereafter referred to as "credit rating company" in this Article) or a company engaged in a business similar to a credit rating company in a foreign country has invested in excess of 10/100;
3. A corporation, the largest shareholder of which is a company provided in subparagraph 1 or 2.
[Title Amended on Feb. 4, 2020]
 Article 6 (Requirements for Permission)
(1) Any person who intends to obtain permission for a credit information business, MyData business, or claims collection business shall meet the following requirements: <Amended on Feb. 4, 2020>
1. He or she shall have human resources and physical facilities, including computer equipment, sufficient to engage in a credit information business, MyData business, or claims collection business;
1-2. Where a person intends to engage in a sole proprietor credit rating business: At least five billion won;
1-3. Where a person intends to engage in a corporate credit inquiry business: At least the amount classified as follows for each business unit provided in the items of subparagraph 8-3 of Article 2:
(a) Business affairs of corporate information inquiry: 500 million won;
(b) Business affairs of providing corporate credit ratings: Two billion won;
(c) Business affairs of providing technology credit ratings: Two billion won;
1-4. Where a person intends to engage in a MyData business: At least 500 million won;
2. He or she shall have reasonable and sound business plans;
3. Large shareholders shall have sufficient investment capacity, sound financial standing, and social credibility;
3-2. His or her executive officers shall satisfy the requirements provided in Article 22 (1) and (2), 22-8 or 27 (1);
4. He or she shall have a sufficient level of expertise to perform a credit information business, MyData business, or claims collection business.
(2) Any person who intends to obtain permission to engage in a credit information business, MyData business, or claims collection business shall have capital or original properties in accordance with the following classifications: <Amended on May 28, 2013; Feb. 4, 2020>
1. He or she intends to engage in a personal credit rating business: At least five billion won: Provided, That, where he or she intends to engage only in a specialized personal credit rating business, his or her capital or original properties shall be at least the amounts assigned according to the following classifications;
(a) Where each of the following credit information providers or users intends to engage in a personal credit rating business which processes personal credit information on details of transactions collected or created in return for goods or service provided to a credit data subject: Two billion won:
(i) A telecommunications business operator defined in the Telecommunications Business Act;
(ii) The Korea Electric Power Corporation incorporated under the Korea Electric Power Corporation Act;
(iii) The Korea Water Resources Corporation under the Korea Water Resources Corporation Act;
(iv) A credit information provider or user similar to those provided in (i) through (iii) and is prescribed by Presidential Decree;
(b) Where the person intends to operate a personal credit rating business that processes information other than personal credit information provided in item (a): 500 million won;
2. Not more than five billion won, but not less than the amount prescribed by Presidential Decree, where he or she intends to engage in credit investigation business and claims collection business, separately or jointly.
(3) Matters necessary for detailed requirements for obtaining permission under paragraph (1) shall be prescribed by Presidential Decree.
(4) Credit information companies, MyData companies, and claims collection companies shall continue to satisfy the requirements set forth in paragraph (1) 1 while conducting the relevant business. <Amended on Feb. 4, 2020>
 Article 7 (Public Announcement on Permission)
In any of the following cases, the Financial Services Commission shall without delay make a public announcement of the details thereof in the Official Gazette and make it known to the public by means of the website, etc.:
1. Where it grants permission for a credit information business, MyData business, or claims collection business pursuant to Article 4 (2);
2. Where it authorizes transfer, acquisition, etc. pursuant to Article 10 (1);
3. Where it accepts a declaration on business closure under Article 10 (4);
4. Where it accepts a declaration on incidental business affairs under Article 11-2 (1);
5. Where it issues an order for restriction or correction with regard to incidental business affairs under Article 11-2 (8);
6. Where it revokes permission, transfer, acquisition, etc. of credit information business, MyData business, or claims collection business under Article 14 (1);
7. Where it designates a data agency under Article 26-4 (1).
[This Article Wholly Amended on Feb. 4, 2020]
 Article 8 (Matters to Declare and Report)
(1) Where a credit information company, MyData company, or claims collection agency intends to modify any matters prescribed by Presidential Decree out of those permitted under Article 4 (2), it shall file a prior report with the Financial Services Commission: Provided, That if it intends to modify minor matters prescribed by Presidential Decree, it shall file a report about the fact with the Financial Services Commission within seven days from the date when such reason occurs. <Amended on Dec. 31, 2018; Feb. 4, 2020>
(2) The Financial Services Commission shall review the details of the report in the main clause of paragraph (1) and accept it if it deems the report complies with this Act. <Newly inserted on Dec. 31, 2018>
 Article 9 (Approval for Change in Large Shareholders)
(1) A person, who intends to become a large shareholder (in cases of the largest shareholder, including shareholders in a special relationship with the largest shareholder; and where the largest shareholder is a corporation, including persons prescribed by Presidential Decree, who exercise de facto control over important managerial matters of the corporation; hereafter in this Article the same shall apply) in a credit information company, MyData company, or claims collection agency by acquiring or taking over (referring to acquiring de facto control over the relevant shares; hereinafter referred to as "acquisition, etc.") shares issued by the company, shall obtain approval from the Financial Services Commission after meeting requirements prescribed by Presidential Decree, such as not violating the Punishment of Tax Offenses Act or statutes prescribed by Presidential Decree in connection with finance, for purposes of sound management: Provided that this shall not apply to persons, such as the State and public institutions provided in Article 4 of the Act on the Management of Public Institutions, who are unlikely to disrupt a sound financial order.
(2) When the acquisition, etc. of shares under paragraph (1) is due to the death of an existing large shareholder or other reasons prescribed by Presidential Decree, he or she shall file an application for approval with the Financial Services Commission within a specified period prescribed by Presidential Decree not exceeding three months.
(3) The Financial Services Commission may order the disposal of shares obtained through acquisition, etc. without approval under paragraph (1) or those for which an application for approval has not been filed after acquisition, etc. thereof within a specified period not exceeding six months.
(4) A person who fails to obtain approval under paragraph (1) or a person who fails to apply for approval under paragraph (2) may not exercising voting rights on the shares obtained through acquisition, etc. without approval or those for which an application for approval after acquisition, etc. has not been filed.
(5) Details necessary for methods of and procedures for the matters under paragraphs (1) through (3) shall be prescribed by Presidential Decree.
[This Article Wholly Amended on Feb. 4, 2020]
 Article 9-2 (Examining Qualifications of Largest Shareholders)
(1) The Financial Services Commission shall examine whether the largest investor (referring to the largest investor among the largest shareholders of a corporation, if the largest investor is a corporation; and if the largest investor selected is also a corporation, one private individual shall be selected as the largest investor by applying the same method repeatedly until a private individual is selected: Provided, That the largest investor specified by Presidential Decree among the largest shareholders of a corporation shall be deemed the largest investor of the corporation, if the corporation is involved in circular share-holding among corporations; hereafter referred to as “person subject to examination on eligibility") from among the largest shareholders of a financial company (limited to a financial company subject to the application of Article 31 (1); the same shall apply hereafter in this Article) does not violate the Monopoly Regulation and Fair Trade Act, the Punishment of Tax Evaders Act, or any finance-related statute specified by Presidential Decree, and whether the largest investor meets the requirements prescribed by Presidential Decree (hereafter referred to as "requirements for maintaining eligibility"), from among requirements for approval of changes, at an interval prescribed by Presidential Decree.
(2) When a financial company becomes aware that an event has occurred to make the person subject to examination on eligibility cease to meet the requirements for maintaining eligibility in respect to the financial company, it shall report such fact to the Financial Services Commission, without delay.
(3) If the Financial Services Commission finds it necessary for the examination under paragraph (1), it may request a financial company or a person subject to examination on eligibility to provide necessary data or information.
(4) If the Financial Services Commission finds, as a result of the examination under paragraph (1), that a person subject to examination on eligibility fails to meet the requirements for maintaining eligibility, it may order the person to take all or some of the following measures to secure soundness in the management of the relevant financial company within a specified period not exceeding six months:
1. Measures to meet the requirements for maintaining eligibility;
2. Measures for preventing a conflict of interest, including restrictions on transactions with the person subject to examination on eligibility;
3. Other measures prescribed by Presidential Decree as measures deemed necessary for soundness in the management of a financial company.
(5) If the Financial Services Commission finds, as a result of the examination under paragraph (1), that a person subject to examination on eligibility falls under either of the following subparagraphs and that it is impracticable to maintain sound financial order and the soundness of the relevant financial company in view of the degree of the violation of a statute, it may order the person subject to examination on eligibility not to exercise his/her voting right for at least 10/100 of the total number of outstanding voting shares of the financial company (referring to shares held by a corporation, out of outstanding voting shares of the relevant financial company, if the largest investor is a corporation), during the period specified by Presidential Decree within the maximum of five years, out of shares held by the person subject to examination of qualifications:
1. Where a sentence of imprisonment without labor for at least one year or any heavier punishment imposed upon the person subject to examination of qualifications for a violation of any of the statutes specified in paragraph (1) has become final and conclusive;
2. Any other case prescribed by Presidential Decree for maintaining sound financial order.
(6) Notwithstanding Article 38 of the Criminal Act, a crime committed by a person in violation of any of the statutes specified in paragraph (1) and another crime concurrently committed by the person shall be separately examined, and sentences for such crimes shall be pronounced separately.
(7) Details necessary for methods of and procedures for the matters under paragraphs (1) through (3) shall be prescribed by Presidential Decree.
[This Article Newly Inserted on Feb. 4, 2020]
 Article 10 (Authorization of Transfer or Acquisition by Transfer)
(1) Where a credit information company, MyData company, or a claims collection agency intends to wholly or partially transfer, take over, or divide its business, or merge with another corporation (including division and merger under Article 530-2 of the Commercial Act; hereinafter the same shall apply), it shall obtain authorization from the Financial Services Commission, as prescribed by Presidential Decree. <Amended on Feb. 4, 2020>
(2) Where a credit information company, MyData company, or claims collection agency transfers or divides its business or merges with another corporation under authorization in accordance with paragraph (1), a transferee or a surviving or resulting corporation following merger or consolidation (except for cases where a credit information company, MyData company, or claims collection agency, which is a corporation, merges with another corporation which is not a MyData company or claims collection agency) shall succeed to the status of the transferor or the corporation before merger or division, as a credit information company, MyData company, or claims collection agency. In such cases, permission granted to the credit information company, MyData company, or claims collection agency existed prior to such event shall become null and void (in cases of the partial transfer or division under paragraph (1), it applies only to the transferred or divided business). <Amended on Feb. 4, 2020>
(3) The provisions of Articles 5, 6, 22, 22-8, and 27 (1) through (7) shall apply mutatis mutandis to the transferee or a surviving or resulting corporation following merger or consolidation. <Amended on May 28, 2013; Feb. 4, 2020>
(4) Where a credit information company, MyData company, or claims collection agency intends to temporarily suspend or close all or some of its business, it shall file a prior report with the Financial Services Commission, as prescribed by Ordinance of the Prime Minister. <Amended on Feb. 4, 2020>
(5) The Financial Services Commission shall review the details of the prior report under paragraph (4) and accept it if the Commission deems the report complies with this Act. <Newly inserted on Dec. 31, 2018>
[Title Amended on Feb. 4, 2020]
 Article 11 (Concurrent Business Affairs)
(1) A credit information company, MyData company, or claims collection agency may concurrently perform business affairs (hereinafter referred to as "concurrent business affairs") which are unlikely to undermine the protection of credit data subjects or to disrupt the sound credit order after filing a prior report with the Financial Services Commission, as prescribed by Ordinance of the Prime Minister. In such cases, any concurrent business affairs, which require authorization, permission, registration, approval, etc. of an administrative agency in accordance with any applicable individual statute, may be subject to prior authorization, permission, registration, approval, etc. in accordance with such individual statute: <Amended on May 28, 2013; Mar. 11, 2015; Feb. 4, 2020>
1. Deleted; <Feb. 4, 2020>
2. Deleted; <Feb. 4, 2020>
3. Deleted; <Feb. 4, 2020>
4. Deleted. <Feb. 4, 2020>
(2) Concurrent business affairs of a personal credit rating company shall be as follows: <Amended on Feb. 4, 2020>
1. Credit information business other than personal credit rating business;
2. Claims collection business;
3. Business affairs of an identification service agency under Article 23-3 of the Act on Promotion of Information and Communications Network Utilization and Information Protection;
4. Other business affairs prescribed by Presidential Decree as being unlikely to undermine the protection of credit data subjects or to disrupt the sound credit order.
(3) Concurrent business affairs of a sole proprietor credit rating company shall be as follows. <Newly inserted on Feb. 4, 2020>
1. Credit information business other than the sole proprietor credit rating business;
2. Claims collection business;
3. Business affairs of an identification service agency under Article 23-3 of the Act on Promotion of Information and Communications Network Utilization and Information Protection;
4. Other business affairs prescribed by Presidential Decree as being unlikely to undermine the protection of credit data subjects or to disrupt the sound credit order.
(4) Concurrent business affairs of a corporate credit inquiry company shall be as follows. <Newly inserted on Feb. 4, 2020>
1. Credit information business other than corporate credit inquiry business;
2. Claims collection business;
3. Other business affairs prescribed by Presidential Decree as being unlikely to undermine the protection of credit data subjects or to disrupt the sound credit order.
(5) Concurrent business affairs of a corporate credit inquiry company shall be as follows. <Newly inserted on Feb. 4, 2020>
1. Credit information business other than credit investigation business:
2. Business affairs of managing securitization assets under Article 10 of the Asset-Backed Securitization Act;
3. Other business affairs prescribed by Presidential Decree as being unlikely to undermine the protection of credit data subjects or to disrupt the sound credit order.
(3) Concurrent business affairs of a MyData company shall be as follows. <Newly inserted on Feb. 4, 2020>
1. Investment advisory business or discretionary investment business (limited to cases which are unlikely to undermine the protection of credit data subjects or to disrupt the sound credit order and are prescribed by Presidential Decree) under Article 6 (1) 4 or 5 of the Financial Investment Services and Capital Markets Act;
2. Other business affairs prescribed by Presidential Decree as being unlikely to undermine the protection of credit data subjects or to disrupt the sound credit order.
(3) Concurrent business affairs of a claims collection agency shall be as follows. <Newly inserted on Feb. 4, 2020>
1. Credit information business;
2. Business affairs of managing securitization assets under Article 10 of the Asset-Backed Securitization Act;
3. Other business affairs prescribed by Presidential Decree as being unlikely to undermine the protection of credit data subjects or to disrupt the sound credit order.
(8) The Financial Services Commission shall review the details of the prior report filed under the former part, with the exception of the subparagraphs, of paragraph (1) and accept it if it deems the report complies with this Act. <Newly inserted on Dec. 31, 2018; Feb. 4, 2020>
[Title Amended on Feb. 4, 2020]
 Article 11-2 (Incidental Business Affairs)
(1) A credit information company, MyData company, or claims collection agency may perform business affairs incidental to the business affairs it has obtained the relevant permission (hereinafter referred to as "incidental business affairs"). In such cases, a credit information company, MyData company, or claims collection agency shall file a report with the Financial Services Commission no later than seven days before the date it intends to commence its incidental business affairs.
(2) Incidental business affairs of a personal credit rating company shall be as follows:
1. Providing a credit data subject with a newly generated personal credit score or other results of personal credit rating;
2. Providing personal credit information or the information processed therefrom to the credit data subject or a third party;
3. Using or providing pseudonymized or anonymized information;
4. Analyzing data and providing consultations based on personal credit information and other information;
5. Developing and selling computerized processing systems, solutions, and software (including a model for personal credit rating and risk management) related to personal credit information;
6. Other business affairs prescribed by Presidential Decree as being unlikely to undermine the protection of credit data subjects or to disrupt the sound credit order.
(3) Incidental business affairs of a sole proprietor credit rating company shall be as follows:
1. Providing a sole proprietor with the newly-generated results of evaluating the credit standing of the sole proprietor;
2. Providing a sole proprietor or a third party with credit information about the sole proprietor or information processed therefrom;
3. Using or providing pseudonymized or anonymized information;
4. Analyzing data and providing consultations based on credit information and other information regarding sole proprietors;
5. Business affairs of developing and selling computerized processing systems, solutions, and software (including a model for assessing the credit standings, and managing risks, of sole proprietors) in connection with the credit information of sole proprietors.
(4) Incidental business affairs of a corporate credit inquiry company shall be as follows: Provided, That the incidental business affairs provided in subparagraph 1 shall be limited to corporate credit inquiry companies engaged in the business affairs of providing corporate credit ratings or providing technology credit ratings:
1. Providing the data subject or a third party with credit information on an enterprise or corporation or information processed therefrom;
2. Using or providing pseudonymized or anonymized information;
3. Analyzing data and providing consultations based on credit information and other information about enterprises and corporations;
4. Developing and selling computerized processing systems, solutions, and software (including a model for corporate credit ratings and risk management) related to credit information on enterprises and corporations;
5. Other business affairs prescribed by Presidential Decree as being unlikely to undermine the protection of credit data subjects or to disrupt the sound credit order.
(5) Incidental affairs of a credit investigation company shall be as follows:
1. Business affairs of surveying the current status of lease of real estate and movable properties and values thereof;
2. Business affairs of surveying the current status of enterprises and places of business;
3. Other business affairs prescribed by Presidential Decree as being unlikely to undermine the protection of credit data subjects or to disrupt the sound credit order.
(6) Incidental business affairs of a MyData company shall be as follows:
1. Analyzing data and providing consultations to the credit data subject based on his/her personal credit information provided to him/her;
2. Providing an account to the credit data subject to manage and use his/her personal credit information;
3. Exercising the rights set forth in the subparagraphs of Article 39-3 (1) on behalf of the credit data subject;
4. Other business affairs prescribed by Presidential Decree as being unlikely to undermine the protection of credit data subjects or to disrupt the sound credit order.
(7) Incidental business affairs of a claims collection agency shall be as follows:
1. Business affairs of establishing and providing a claims management system for creditors, etc.;
2. Business affairs of issuing debt certificates defined in Article 5 of the Fair Debt Collection Practices Act under entrustment by persons prescribed by Presidential Decree;
3. Other business affairs prescribed by Presidential Decree as being unlikely to undermine the protection of credit data subjects or to disrupt the sound credit order.
(8) Where matters regarding incidental business affairs reported under paragraph (1) fall under any of the following, the Financial Services Commission may order the restriction of such incidental business affairs or the correction thereof:
1. Where they undermine the soundness of business management of a credit information company, MyData company, or claims collection agency;
2. Other cases prescribed by Presidential Decree as necessary for protecting credit data subjects and maintaining the sound credit order.
(9) An order for restriction or correction provided in paragraph (8) shall be issued in a document specifying the details and grounds thereof.
[This Article Newly Inserted on Feb. 4, 2020]
 Article 12 (Prohibition of Use of Similar Title)
No person, other than a credit information company, MyData company, claims collection agency, or credit information collection agency permitted under this Act, shall use such titles as credit information, credit investigation, personal credit rating, credit management, MyData, claims collection, or any title similar thereto for his or her trade name or name: Provided, That cases where it is allowed under other statutes or regulations to perform business affairs similar to those of a credit information company, MyData company, claims collection agency, or credit information collection agency shall be excluded. <Amended on May 28, 2013; Feb. 4, 2020>
 Article 13 (Prohibition of Concurrent Offices by Executive officers)
No standing executive officers of a credit information company, MyData company, or claims collection agency shall engage in the ordinary course of business of a for-profit corporation without approval from the Financial Services Commission. <Amended on Feb. 4, 2020>
 Article 14 (Revocation of Permission and Suspension of Business)
(1) The Financial Services Commission may revoke permission or authorization of a credit information company, MyData company, or claims collection agency in any of the following cases: Provided, That if any ground prescribed by Presidential Decree exists, despite the fact that a credit information company, MyData company, or claims collection agency falls under any of the following subparagraphs, the Financial Services Commission may issue, prior to such revocation, an order for correction within a specified period not exceeding six months: <Amended on May 28, 2013; Mar. 11, 2015; Feb. 4, 2020; Apr. 20, 2021>
1. Where it has obtained permission under Article 4 (2) or authorization under Article 10 (1) by fraud or other improper means;
2. Where it has violated any investment requirement of financial institutions, etc. under Article 5 (1) 1, (2) 4, and (3) 1: Provided, That cases shall be excluded where the shares of a credit information company or claims collection agency are listed in the stock market in accordance with Article 8-2 (4) 1 of the Financial Investment Services and Capital Markets Act and the financial institutions, etc. referred to in Article 5 (1) 1 have invested at least 33/100 of the capital of which;
3. Deleted; <May 28, 2013>
4. Where the equity capital (referring to the sum of total assets less total liabilities on the statement of financial position as at the end of the latest business year; hereinafter the same shall apply) of a credit information company, MyData company, or claims collection agency [excluding cases where three business years (five years if a personal credit rating business, a sole proprietor credit rating business, and a corporate credit inquiry business are included) have not elapsed since the credit information company, MyData company, or claims collection agency obtained permission] falls short of the capital or original property requirements referred to in Article 6 (2);
5. Where it, which has violated an order to suspend business or committed a violation that constitutes grounds for business suspension, had been imposed a disposition to suspend practice within three years from the date when such grounds for business suspension occurred;
6. Where it provides a client with false information, in violation of Article 22-7 (1) 1;
6-2. Where it forces a request for investigation of credit information, in violation of Article 22-7 (1) 2;
6-3. Where it forces a person subject to investigation of credit information to provide investigation data and answers;
6-4. Where it investigates privacy or the like, other than commercial transaction relationships including financial transactions, in violation of Article 22-7 (1) 4;
7. Deleted; <May 28, 2013>
8. If it has performed claims collection service, in violation of any subparagraph of Article 9 of the Fair Debt Collection Practices Act (applicable only to claims collection business);
9. If it has violated any of the terms or conditions of permission or authorization;
10. If it has failed to perform the permitted operations for at least one year consecutively without good cause;
11. If it has performed claims collection service, in violation of Article 41 (1) (applicable only to claims collection business).
(2) The Financial Services Commission may issue an order to fully or partially suspend business within a specified period not exceeding six months, if a credit information company, MyData company, or claims collection agency falls under any of the following subparagraphs: <Amended on May 28, 2013; Mar. 11, 2015; Dec. 31, 2018; Feb. 4, 2020>
1. If it has violated Article 6 (4);
2. If it has violated Article 11 or 11-2;
3. Deleted; <Feb. 4, 2020>
4. If any credit information has been lost, stolen, disclosed, altered or compromised, in violation of Article 17 (4) or 19;
5. If it has violated Articles 22 (1) and (2), 22-8, and 27 (1);
5-2. Where it collects credit information in violation of Article 22-9 (3) or transmits any personal credit information in violation of paragraph (4) of that Article;
5-3. It violates Article 33 (2);
6. Deleted; <Feb. 4, 2020>
7. If it has violated subparagraph 5 of Article 40;
8. If it has violated Article 42 (1), (3), or (4);
9. If a case constitutes grounds for a disposition provided for in attached Table;
10. If it has performed claims collection service, in violation of subparagraphs 2 and 5 of Article 12 of the Fair Debt Collection Practices Act (applicable only to claims collection business);
11. Any other case where it has violated any other statute or the articles of incorporation, or its management is unsound so that it will or is likely to severely harm public interests.
CHAPTER III COLLECTION, INVESTIGATION AND PROCESSING OF CREDIT INFORMATION
 Article 15 (Principles of Collection and Processing)
(1) A credit information company, MyData company, claims collection agency, credit information collection agency, and credit information provider or user (hereinafter referred to as "credit information company, etc.") may collect and process credit information. In such cases, the credit information company, etc. shall clarify the purposes of such collection and processing within the scope of business affairs prescribed by this Act or the articles of incorporation, and shall collect and process credit information by reasonable and fair means to the least extent necessary to serve such purposes pursuant to this Act and Article 3 (1) and (2) of the Personal Information Protection Act. <Amended on Feb. 4, 2020>
(2) In collecting personal credit information, a credit information company, etc. shall obtain consent from the relevant credit data subject: Provided, That this shall not apply in any of the following cases: <Amended on Feb. 4, 2020; Mar. 14, 2023>
1. In cases falling under any of Article 15 (1) 2 through 7 of the Personal Information Protection Act;
2. In cases of collecting any of the following information;
(a) Information publicly announced or disclosed under statutes or regulations;
(b) Information publicly announced or disclosed through publications, broadcasting media, or media on the website, etc. of public institutions defined in subparagraph 3 of Article 2 of the Official Information Disclosure Act;
(c) Information disclosed by a credit data subject, directly or through a third party, on social network services, etc. In such cases, this shall be limited within the objectively recognized scope where the consent of the credit data subject reached, as prescribed by Presidential Decree;
3. Other cases prescribed by Presidential Decree as equivalent to those provided in subparagraphs 1 and 2;
4. Deleted. <Feb. 4, 2020>
[This Article Wholly Amended on Mar. 11, 2015]
[Title Amended on Feb. 4, 2020]
 Article 16 Deleted. <Feb. 4, 2020>
 Article 17 (Entrustment of Processing)
(1) A credit information company, etc. may entrust a third party with the business affairs of processing credit information. In such cases, Article 26 (1) through (3) of the Personal Information Protection Act shall apply mutatis mutandis to the entrusted processing of personal credit information. <Amended on Feb. 4, 2020>
(2) A credit information company, etc. may entrust the processing of credit information; and Articles 19 through 21, 22-4 through 22-7, 22-9, 40, 43, 43-2, 45, 45-2, and 45-3 (including penalty provisions and provisions regarding administrative fines in relation to such Articles) shall apply mutatis mutandis to the processing of entrusted business affairs by the entrusted person (hereinafter referred to as "trustee"). <Amended on Mar. 11, 2015; Feb. 4, 2020>
(3) A credit information company, etc. prescribed by Presidential Decree, which intends to entrust the processing of credit information under paragraph (2), shall notify the Financial Services Commission of the scope of the credit information provided, etc., as prescribed by Presidential Decree.
(4) In providing any personal credit information to an agent in order to entrust the processing of credit information under paragraph (2), a credit information company, etc. shall take measures to protect information that can uniquely identify an individual, such as encryption, as prescribed by Presidential Decree. <Newly Inserted on Mar. 11, 2015>
(5) Where a credit information company, etc. has provided any credit information to a trustee, it shall educate the trustee as prescribed by Presidential Decree to prevent the credit information from being lost, stolen, disclosed, altered, or compromised and reflect matters for the safe processing of credit information by the trustee in the entrustment contract. <Newly Inserted on Mar. 11, 2015; Feb. 4, 2020>
(6) Where the trustee uses personal credit information or provides it to a third party, Article 26 (5) of the Personal Information Protection Act shall apply. <Amended on Feb. 4, 2020>
(7) No agent shall further outsource any of the duties under paragraph (2) to any third party: Provided, That this shall not apply where the Financial Services Commission acknowledges within the scope not compromising the protection and safe processing of credit information. <Newly Inserted on Mar. 11, 2015>
[Title Amended on Feb. 4, 2020]
 Article 17-2 (Combination of Data Sets)
(1) Where a credit information company, etc. (excluding persons prescribed by Presidential Decree; hereafter in this Article and Article 40-2, the same shall apply) intends to combine data sets it owns with data sets owned by a third party, it shall do so through a data agency designated under Article 26-4.
(2) Where a data agency designated pursuant to Article 26-4 transfers data sets combined pursuant to paragraph (1) to the relevant credit information company, etc. or a third party, it shall transfer them in a pseudonymized or anonymized state.
(3) Except as provided in paragraphs (1) and (2), procedures and methods for combining, providing, and retaining data sets shall be prescribed by Presidential Decree.
[This Article Newly Inserted on Feb. 4, 2020]
CHAPTER IV DISTRIBUTION, USE AND MANAGEMENT OF CREDIT INFORMATION
 Article 18 (Keeping Credit Information Accurate and Up-to-Date)
(1) A credit information company, etc. shall register, modify, and manage credit information, as prescribed by Presidential Decree, so as to keep credit information accurate and up-to-date.
(2) A credit information company, etc. shall erase any credit information that can disadvantage a credit data subject, from the list of information to be registered and managed, within five years at latest after the cause of such disadvantage is resolved: Provided, That this shall not apply in any of the following cases. <Amended on May 19, 2011; Feb. 4, 2020>
1. Where necessary to perform duties provided in subparagraph 1-3 of Article 25-2;
2. Other cases prescribed by Presidential Decree as being unlikely to undermine the protection of credit data subjects or to disrupt the sound credit order.
(3) Specific types of the credit information under paragraph (2), the period of preservation and use of the relevant records, etc. shall be prescribed by Presidential Decree. <Newly Inserted on May 19, 2011>
 Article 19 (Security Protection of Credit Information Computer System)
(1) A credit information company, etc. shall formulate and implement technological, physical, and administrative security measures, as prescribed by Presidential Decree, with respect to the unlawful access by a third party to the credit information computer system (including the common computer network for credit information under Article 25 (6); hereinafter the same shall apply) and alteration, compromise and destruction or any other danger in relation to the information entered. <Amended on Mar. 11, 2015>
(2) Where a credit information provider or user exchanges credit information with another credit information provider or user or any personal credit rating company, sole proprietor credit rating company, or corporate credit inquiry company, such credit information provider or user shall enter into an agreement containing measures concerning the management of credit information security, as determined and publicly notified by the Financial Services Commission. <Amended on Feb. 4, 2020>
 Article 20 (Clarification of Accountability of Credit Information Management and Archiving of Business Processing Records)
(1) A credit information company, etc. shall comply with the standards for management of credit information determined by the Financial Services Commission with regard to collection, processing, use, protection, etc. of credit information. <Amended on Mar. 11, 2015>
(2) A credit information company, etc. shall retain the records concerning the following matters for three years according to the following classifications: <Amended on Feb. 4, 2020>
1. Where it collects or uses personal credit information:
(a) The date of collection and use;
(b) Items of information collected and used;
(c) Reasons and grounds for collection and use;
2. Where it provides or is provided with personal credit information:
(a) The date of provision or receipt;
(b) Items of information it provides or is provided with;
(c) Reasons and grounds for provision and receipt;
3. Where it destroys personal credit information:
(a) The date of destruction;
(b) Items of information destroyed;
(c) Reasons and grounds for destruction;
4. Other matters prescribed by Presidential Decree.
(3) A credit information company, a MyData company, a claims collection agency, a credit information collection agency, and a credit information provider or user prescribed by Presidential Decree shall appoint at least one credit information administrator or guardian to perform the tasks prescribed in paragraph (4): Provided, That a person prescribed by Presidential Decree in consideration of total assets, the number of employees, etc. shall appoint a credit information administrator or guardian as his or her executive officer (including persons who hold a position that has general supervision and control of the management and protection of credit information, as prescribed by Presidential Decree). <Amended on Mar. 11, 2015; Feb. 4, 2020>
(4) A credit information administrator or guardian under paragraph (3) shall perform the following duties: <Newly Inserted on Mar. 11, 2015; Feb. 4, 2020; Mar. 14, 2023>
1. The following duties in cases of personal credit information:
(a) Duties referred to in Article 31 (3) 1 through 5 of the Personal Information Protection Act;
(b) Inspection for compliance with the statutes and regulations related to the protection of credit information by its executive officers and employees, exclusive solicitors, etc.;
(c) Other duties prescribed by Presidential Decree to manage and protect credit information;
2. Regular inspection and improvement of the status and practice of the management of credit information, such as the collection, keeping, provision, and deletion thereof;
(a) Formulation and implementation of plans for the management and protection of credit information, such as the collection, keeping, provision, and deletion thereof;
(b) Regular inspection and improvement of the status and practice of the management of credit information, such as the collection, keeping, provision, and deletion thereof;
(c) Exercise of rights of owners of credit information, such as the access to and the request for correction of credit information, and damage relief;
(d) Establishment and operation of internal control system to prevent disclosure, etc. of credit information;
(e) Formulation and execution of a plan to protect credit information for its executive officers and employees, exclusive solicitors, etc.;
(f) Inspection for compliance with the statutes and regulations related to the protection of credit information by its executive officers and employees, exclusive solicitors, etc.;
(g) Other duties prescribed by Presidential Decree to manage and protect credit information.
3. Deleted; <Feb. 4, 2020>
4. Deleted; <Feb. 4, 2020>
5. Deleted; <Feb. 4, 2020>
6. Deleted; <Feb. 4, 2020>
7. Deleted. <Feb. 4, 2020>
(5) Article 31 (4) and (6) of the Personal Information Protection Act shall apply mutatis mutandis to the performance of the duties of a credit information administrator or guardian. <Amended on Feb. 4, 2020; Mar. 14, 2023>
(6) A credit information administrator or guardian of a credit information company, etc. shall regularly inspect the status of the management and protection of personal credit information processed by the credit information company, etc. in accordance with the procedures and methods prescribed by Presidential Decree and shall report the inspection results to the Financial Services Commission. <Newly Inserted on Feb. 4, 2020>
(7) Qualifications for credit information administrators or guardians and other matters necessary for designation under paragraph (3) and methods of submission under paragraph (6) shall be prescribed by Presidential Decree. <Amended on Mar. 11, 2015; Feb. 4, 2020>
(8) Where a customer information officer appointed in accordance with Article 48-2 (6) of the Financial Holding Companies Act, meets the qualifications set forth in paragraph (6), he/she shall be deemed a credit information administrator or guardian designated under paragraph (3). <Amended on Mar. 11, 2015; Feb. 4, 2020>
 Article 20-2 (Retention Period for Personal Credit Information)
(1) A credit information provider or user shall manage personal credit information of a credit data subject as prescribed by Presidential Decree, including ensuring the right to access thereto, in such a manner that the personal credit information of the relevant credit data subject can be safely protected from the date a commercial transaction relationship including financial transactions (excluding employment relationship; hereinafter the same shall apply) is terminated until the time limit determined and publicly notified by the Financial Services Commission.
(2) Notwithstanding Article 21 (1) of the Personal Information Protection Act, a credit information provider or user shall delete personal credit information of the relevant credit data subject from the management list within a maximum five year period from the date a commercial transaction relationship including financial transactions is terminated (where the purpose of the collection, provision, etc. of information is achieved before the lapse of the relevant period, within three months from the date such purpose is achieved): Provided, That this shall not apply in any of the following cases: <Amended on Feb. 4, 2020>
1. Where it is essential for performing any obligation under this Act or any other statute;
2. Where deemed necessary for the exigent interests of an individual's life, body, or property;
2-2. When a pseudonymized information is used and retained for a period prescribed by Presidential Decree in consideration of the purpose of use, technical features of pseudonymization, the attributes of information, etc.;
3. Any of the following cases, as prescribed by Presidential Decree:
(a) For the payment of deposits and insurance proceeds:
(b) For preventing insurance fraudsters from repurchasing insurance;
(c) Where it is necessary to retain personal credit information due to the characteristics of the technology used to process personal credit information;
(d) Cases similar to those provided in items (a) through (c) where it is necessary to retain personal credit information.
(3) Where a credit information provider or user keeps personal credit information without deletion under the proviso of paragraph (2), he/she shall manage it as prescribed by Presidential Decree, such as separating it from the personal credit information of owners of credit information with whom he/she currently deals.
(4) When a credit information provider or user utilizes any personal credit information he/she keeps separately under paragraph (3), he/she shall notify such fact to the credit data subject.
(5) Types of personal credit information, period of management, methods and procedures for deletion, the criterion of the date a commercial transaction relationship including financial transactions is terminated, etc. under paragraphs (1) and (2) shall be prescribed by Presidential Decree.
[This Article Newly Inserted on Mar. 11, 2015]
 Article 21 (Disposition of Archived Information upon Closure of Business)
Where a credit information company, etc. (excluding credit information providers and users) intends to close its business, it shall dispose of or destroy information under its custody, as determined and publicly notified by the Financial Services Commission. <Amended on Feb. 4, 2020>
CHAPTER V INDUSTRIES RELATED TO CREDIT INFORMATION
SECTION 1 Credit Information Business
 Article 22 (Qualifications of Executive Officers of Credit Information Companies)
(1) Article 5 of the Act on Corporate Governance of Financial Companies shall apply mutatis mutandis to the executive officers of personal credit rating companies, sole proprietor credit rating companies, and corporate credit inquiry companies.
(2) No credit inquiry company shall appoint or hire any of the following persons as its executive officers or employees:
1. A minor: Provided, That cases where he/she is appointed or hired for operations determined and publicly notified by the Financial Services Commission shall be excluded;
2. A person under adult guardianship or person under limited guardianship;
3. A person who has yet to be reinstated after having been declared bankrupt;
4. A person in whose case three years have not elapsed since the completion of, or exemption from, a sentence of imprisonment without labor, or heavier punishment, as so declared by a court (including cases where such execution is deemed to have been completed);
5. A person who is under a suspended sentence of imprisonment without labor or a heavier punishment as declared by a court;
6. A person who has been dismissed or discharged from office under this Act or other statutes or regulations, and for whom five years have not since passed;
7. A person who had worked as an executive officer or employee of a corporation or company, the business permission, authorization, etc. of which was revoked under this Act or other statutes or regulations, and for whom five years have not passed after such revocation (applicable only to a person prescribed by Presidential Decree, who is directly responsible for the grounds for such revocation or who is in the position equivalent thereto);
8. A person who is a retired executive officer or employee and is notified that he/she would have received a measure of recommendation of dismissal (including demand for dismissal) or demand for removal from office pursuant to this Act or other statutes if he/she held his/her official position or were under employment, and for whom five years (seven years from the date of his/her retirement where the date on which five years has passed from the date of notification is later than the date on which seven years have passed from the date of his/her retirement) have not yet passed from the date of such notification.
[This Article Wholly Amended on Feb. 4, 2020]
 Article 22-2 (Reporting on Credit Information)
A personal credit rating company, sole proprietor credit rating company, corporate inquiry company, or MyData company shall submit to the Financial Services Commission a report on the scope and period of use of credit information, and persons to whom such information is to be provided, etc., as prescribed by Presidential Decree. <Amended on Feb. 4, 2020>
[This Article Newly Inserted on May 19, 2011]
 Article 22-3 (Principles regarding Personal Credit Rating)
(1) In conducting personal credit rating services, a private credit rating company and its executive officers and employees shall take the following matters into account:
1. Whether the personal credit rating results are accurate and the rating system is fair;
2. Whether the personal credit rating process is open and transparent.
(2) A corporate credit inquiry company and its executive officers and employees engaged in the business affairs of providing corporate credit ratings or technology credit ratings shall perform their duties fairly and conscientiously from an independent point of view in performing the business affairs of providing corporate credit ratings or technology credit ratings.
(3) Paragraphs (1) and (2) shall apply mutatis mutandis sole proprietor credit rating companies and its executive officers and employees.
[This Article Wholly Amended on Feb. 4, 2020]
 Article 22-4 (Business Conduct Standards for Personal Credit Rating Companies)
(1) In assessing the credit standing of an individual credit data subject, a personal credit rating company shall consider information that can advantage the credit data subject in personal credit rating, as well as information that can disadvantage the credit data subject.
(2) A personal credit rating company shall not engage in the following conducts when performing a personal credit rating:
1. Discriminating without reasonable grounds on grounds of gender, place of birth, nationality, etc.;
2. Favorably or unfavorably reflecting certain assessment items without any reasonable grounds in rendering the personal credit rating model;
3. Other activities prescribed by Presidential Decree, which are likely to undermine the protection of credit data subjects or to disrupt the sound credit order.
(3) A private credit rating company conducting a specialized personal credit rating business shall not engage in unfair practices prescribed by Presidential Decree, such as raising the personal credit score of an individual credit data subject provided with goods or services by its affiliate (referring to an affiliate defined in subparagraph 12 of Article 2 of the Monopoly Regulation and Fair Trade Act). <Amended on Dec. 29, 2020>
[This Article Newly Inserted on Feb. 4, 2020]
 Article 22-5 (Code of Conduct of Sole Proprietor Credit Rating Companies)
(1) In assessing the credit standing of a sole proprietor, a sole proprietor credit rating company shall comply with the following:
1. It shall also consider information that can advantage the sole proprietor in the assessment, in addition to information that can disadvantage the sole proprietor in the assessment;
2. It shall not discriminate between persons who have a commercial transaction relationship, including financial transactions, with a sole proprietor credit rating company and persons without such relationship;
(2) No sole proprietor credit rating company shall engage in any of the following acts:
1. Forcing to purchase or use goods or services of the sole proprietor credit rating company or its affiliates in the course of assessing the credit standing of a sole proprietor;
2. Other activities prescribed by Presidential Decree, which are likely to undermine the protection of credit data subjects or sound credit order.
(3) A sole proprietor credit rating company shall establish internal control standards, which are standards and procedures to be complied with by its executive officers and employees in performing their duties, including the following: Provided, That a sole proprietor credit rating company that conducts a sole proprietor credit rating business pursuant to Article 11 (2) need not include subparagraph 1 in its internal control standards if it assesses the credit standing of a sole proprietor by means of automated evaluation:
1. Matters regarding the separation of an assessment organization and a sales organization;
2. Matters regarding the prevention of conflicts of interests;
3. Matters regarding the prevention of unfair practices;
4. Matters regarding the standards for assessing the credit standing, which are suitable for the characteristics of sole proprietors;
5. Other matters necessary for internal control standards, as prescribed by Presidential Decree.
[This Article Newly Inserted on Feb. 4, 2020]
 Article 22-6 (Business Conduct Standards for Corporate Credit Rating Inquiry Companies)
(1) Where a corporate credit rating inquiry company (excluding corporate credit inquiry companies engaged only in the business affairs of corporate information inquiry; hereafter in paragraphs (2) and (3) the same shall apply) assesses the credit standing of an enterprise or corporation, it shall take into consideration information that can advantage the relevant enterprise or corporation in assessment as well as information that can disadvantage it.
(2) No corporate credit inquiry company shall engage in any of the following acts:
1. Generating corporate credit ratings and technology credit information related to persons prescribed by Presidential Decree, who are in a special relationship with the corporate credit inquiry company, such as an investment relationship of at least a certain ratio;
2. Compelling to purchase or use goods or services of the corporate credit inquiry company or its affiliates in the course of generating corporate credit ratings and technology credit information;
3. Other activities prescribed by Presidential Decree, which are likely to undermine the protection of credit data subjects or to disrupt the sound credit order.
(2) A corporate credit inquiry company shall establish internal control standards which are appropriate standards and procedures to be complied with by its executive officers or employees in performing their duties (hereinafter referred to as "internal control standards"), including the following:
1. Matters regarding the separation of an assessment organization and a sales organization;
2. Matters regarding the prevention of conflicts of interests;
3. Matters concerning prevention on unfair practices;
4. Matters regarding the criteria for the creation of corporate credit ratings or the criteria for technical credit ratings suitable for the characteristics of enterprises and corporations;
5. Other matters necessary for internal control standards, as prescribed by Presidential Decree.
(4) A corporate credit inquiry company engaged in the business affairs of corporate credit inquiry shall formulate regulations on the management of users, as prescribed by Presidential Decree, for the management of users of credit information.
[This Article Newly Inserted on Feb. 4, 2020]
 Article 22-7 (Code of Conduct for Credit Inquiry Companies)
(1) No credit inquiry company shall engage in any of the following conducts:
1. Providing a client with false information;
2. Forcing a request for investigation of credit information;
3. Forcing an investigation subject into providing investigative data and answering questions;
4. Investigating privacy, etc. other than commercial transactions, such as financial transactions.
(2) Where executive officers or employees who engage in a credit inquiry business intend to collect credit information, they shall carry identification verifying their engagement in credit inquiry business and present it to relevant persons.
[This Article Newly Inserted on Feb. 4, 2020]
SECTION 2 MyData Business
 Article 22-8 (Qualifications for Executive Officers of MyData Companies)
Article 5 of the Act on Corporate Governance of Financial Companies shall apply mutatis mutandis to the executive officers of MyData companies.
[This Article Newly Inserted on Feb. 4, 2020]
 Article 22-9 (Code of Conduct for MyData Companies)
(1) No MyData company shall engage in any of the following conducts:
1. Forcing an individual credit data subject to transmit his or her personal credit information or improperly inducing him or her to transmit such information;
2. Other activities prescribed by Presidential Decree, which are likely to undermine the protection of credit data subjects or sound credit order.
(2) A MyData company shall prepare internal control standards to prevent conflicts of interest that may arise between an individual credit data subject and a MyData company in the course of performing the business affairs provided in Articles 11 (6) and 11-2 (6) 3.
(3) No MyData company shall collect credit information to be provided to a credit data subject by using or retaining any of the following means in a manner prescribed by Presidential Decree:
1. A means of access defined in subparagraph 10 of Article 2 of the Electronic Financial Transactions Act, which is a means regarding a credit data subject, selected and used or managed by a credit information provider or user prescribed by Presidential Decree, a public institution prescribed by Presidential Decree under the Personal Information Protection Act (hereafter in this Article and Article 33-2 referred to as "credit information provider or user, etc."), or a MyData company;
2. Means prescribed by Presidential Decree, including the presentation of identification verifying the person in question or the use of a telephone or website as a means to verify the identity of the person in question.
(4) Where an individual credit data subject requests the transmission of his or her personal credit information to a MyData company, the credit information provider or user, etc. shall transmit the personal credit information of the individual credit data subject directly to such company by any method prescribed by Presidential Decree, which can ensure the safety and reliability of the provision of information.
(5) Notwithstanding paragraph (4), a credit information provider or user, etc. may transmit personal credit information to a MyData company through an intermediary agency prescribed by Presidential Decree, in cases prescribed by Presidential Decree in consideration of the size of the credit information provider or user, the frequency of commercial transactions, including financial transactions, etc.
(6) Where a credit information provider or user, etc. regularly transmits personal credit information pursuant to Article 33-2 (4), he or she may have the MyData company bear the minimum necessary expenses.
(7) The procedures and methods for transmission under paragraphs (4) and (5) and the standards for the calculation of expenses under paragraph (6) shall be prescribed by Presidential Decree.
[This Article Newly Inserted on Feb. 4, 2020]
SECTION 3 Use and Provision of Public Information
 Article 23 (Requests for Provision of Credit Information of Public Institutions)
(1) Deleted. <Mar. 11, 2015>
(2) Where a credit information collection agency requests the head of the State, a local government, or a public organization prescribed by Presidential Decree (hereinafter referred to as "public institution") to provide credit information prescribed by Presidential Decree, which is necessary to determine creditworthiness, credit transaction capacity, etc. of the credit data subject, the head of a public institution requested thereof may, notwithstanding the Acts set forth in the following subparagraphs, provide credit information for the requesting credit information collection agency. In such cases, the standards, procedures, etc. for the head of public institutions to provide information shall be prescribed by Presidential Decree: <Amended on Mar. 29, 2011; Mar. 11, 2015>
1. The Official Information Disclosure Act;
2. The Personal Information Protection Act;
3. The National Health Insurance Act;
4. The National Pension Act;
5. The Korea Electric Power Corporation Act;
6. The Resident Registration Act.
(3) A credit information collection agency may supply credit information provided by public institutions in accordance with paragraph (2) to any credit information user prescribed by Presidential Decree. <Amended on Mar. 11, 2015>
(4) Where a credit information collection agency or a credit information user referred to in paragraph (3) provides any personal credit information obtained from a public institution under paragraphs (2) and (3), the person who intends to be provided with the information shall verify whether the credit information provider or user has obtained consent from the relevant individual in relation to the provision and use of credit information thereof in accordance with Article 32 (3): Provided, That this shall not apply to cases falling under any of the subparagraphs of Article 32 (6). <Amended on Mar. 11, 2015; Feb. 4, 2020>
(5) A person provided with personal credit information in accordance with paragraph (4) shall provide it to any other person. <Amended on Mar. 11, 2015; Feb. 4, 2020>
(6) Any person who requests provision of credit information in accordance with paragraph (2) shall pay fees or commissions for access in accordance with relevant statutes or regulations. <Amended on Mar. 11, 2015>
(7) Where the head of a public institution requests, in writing, the provision of credit information to use it for official duties prescribed by related statutes, the credit information company, etc., upon request, may provide such credit information.
[Title Amended on Mar. 11, 2015]
 Article 24 (Use of Computer Data of Resident Registration)
(1) In any of the following cases, a credit information collection agency and credit information provider or user prescribed by Presidential Decree may request the Ministry of the Interior and Safety to provide resident registration data in the computer system under Article 30 (1) of the Resident Registration Act. In such cases, the Ministry of the Interior and Safety shall comply with such request unless there is a compelling reason not to do so: <Amended on Mar. 23, 2013; Nov. 19, 2014; Jul. 26, 2017>
1. Where the payment of deposits, insurance benefits, etc., the extinction prescription of which is completed in accordance with other Acts, including Article 64 of the Commercial Act, shall be notified to the original right holder thereof;
2. Where matters that affect the rights and obligations of the other party to a transaction, including the occurrence of events resulting in a change to contracts, such as maturity, lapse, termination, etc. of financial transaction contracts, shall be notified.
(2) Any request for resident registration data in the computer system pursuant to paragraph (1) shall be reviewed by the Chairman of the Financial Services Commission.
(3) Where a request has been reviewed by the Chairman of the Financial Services Commission under paragraph (2), it shall be deemed to have been reviewed by the heads of relevant central administrative institutions under Article 30 (1) of the Resident Registration Act. Any matter pertaining to processing procedures, usage fees, commissions, etc. shall be prescribed by the Resident Registration Act.
SECTION 4 Credit Information Collection Agencies and Data Agencies
 Article 25 (Credit Information Collection Agency)
(1) A person who intends to centrally collect and store credit information to manage it in a systematic and comprehensive manner and exchange and utilize credit information between credit information companies, etc. (hereinafter referred to as "central management and utilization") shall obtain permission for an information collection agency from the Financial Services Commission. <Amended on Mar. 11, 2015>
(2) A credit information collection agency under paragraph (1) shall obtain permission according to the following classifications: <Amended on Mar. 11, 2015>
1. A centralized credit information collection agency: A credit information collection agency that centrally manages and utilizes the credit information obtained from all financial institutions prescribed by Presidential Decree;
2. An individual credit information collection agency: A credit information collection agency that centrally manages and utilizes the credit information in accordance with agreements, etc. made by associations, etc. established by the same type of business owners other than financial institutions referred to in subparagraph 1.
(3) A person who intends to obtain permission for a credit information collection agency pursuant to paragraph (1), shall satisfy the following requirements: <Amended on Mar. 11, 2015>
1. It shall be a non-profit corporation incorporated under article 32 of the Civil Act;
2. It shall maintain the character of public nature and neutrality, as prescribed by Presidential Decree, in centrally managing and utilizing the credit information;
3. The facility, equipment, and human resources prescribed by Presidential Decree shall be furnished.
(4) Matters necessary to obtain permission under paragraphs (1) and (2) and the revocation thereof, the details and scope of credit information subject to central management and utilization, and the persons with whom credit information is to be exchanged shall be prescribed by Presidential Decree: Provided, That the exchange and use of credit information between a credit information collection agency and a personal credit rating company, sole proprietor credit rating agency, or corporate credit inquiry company (excluding corporate credit inquiry companies engaged only in the business affairs of corporate information inquiry) shall be conducted in such a manner that the credit information collection agency provides the personal credit rating company, sole proprietor credit rating agency, or corporate credit inquiry company (excluding corporate credit inquiry companies engaged only in the business affairs of corporate information inquiry) with credit information at the request of the latter. <Amended on Mar. 11, 2015; Feb. 4, 2020>
(5) The centralized credit information collection agency subject to paragraph (2) 1 (hereinafter referred to as "centralized credit information collection agency"), for the purpose of ensuring the accuracy and timeliness of credit information centrally collected, may investigate as to whether a financial institution duly performs its obligations to provide credit information, as prescribed by the Committee for Intensive Management of Credit information under Article 26. <Amended on Mar. 11, 2015>
(6) A credit information collection agency may establish a common computer network for credit information (hereinafter referred to as "Common Computer Network"), as prescribed by Presidential Decree, and any person who participates in the Common Computer Network shall provide cooperation to maintain and manage it. In such cases, a credit information collection agency shall be a telecommunication business owner under Article 2 (1) 1 of the Telecommunications Business Act.
 Article 25-2 (Duties of Centralized Credit Information Collection Agency)
A centralized credit information collection agency shall perform the following duties: <Amended on Feb. 4, 2020>
1. Centralized management and use of credit information;
1-2. Central management and utilization of credit information collected from public institutions pursuant to Article 23 (2);
1-3. Providing a credit data subject with information on changes in creditors, and allowing a credit data subject to access such information;
2. Investigations and analysis for public purposes;
3. Affairs prescribed by Presidential Decree in connection with the processing, analysis, provision, etc. of credit information;
3-2. Establishment and operation of a personal credit rating system verification committee under Article 26-3;
4. Deleted. <Feb. 4, 2020>
5. Business affairs prescribed by this Act and other statutes that may be performed by the centralized credit information collection agency;
6. Other affairs prescribed by Presidential Decree, equivalent to those prescribed in subparagraphs 1 through 5.
[This Article Newly Inserted on Mar. 11, 2015]
 Article 26 (Committee for Intensive Management of Credit Information)
(1) The Committee for Intensive Management of Credit Information (hereinafter referred to as the "Committee") shall be established under the centralized credit information collection agency to discuss and determine any of the following affairs: <Amended on Mar. 11, 2015; Feb. 4, 2020>
1. Deliberation on important issues related to such duties provided in subparagraphs of Article 25-2 as prescribed by Presidential Decree;
2. Matters concerning the allocation of ordinary expenditure for central management and utilization of credit information, investment funds for new projects, etc.;
3. Matters concerning investigation on a financial institution's performance of its obligations for the provision of credit information under Article 25 (2) 1 and imposition of sanctions in connection therewith, as prescribed by Presidential Decree;
4. Matters concerning preventive measures against the disclosure or use of credit information for a non-business purpose;
5. Other matters necessary for the central management and utilization of credit information.
(2) Deleted. <Mar. 11, 2015>
(3) Where the Committee determines any matter referred to in subparagraphs of paragraph (1), it shall report such fact to the Financial Services Commission, as determined by the Financial Services Commission. <Amended on Mar. 11, 2015>
[Title Amended on Mar. 11, 2015]
 Article 26-2 (Composition and Operation of Committee for Intensive Management of Credit Information)
(1) The Committee shall be composed of 15 members, including one chairperson.
(2) The head of the centralized credit information collection agency shall be the chairperson of the Committee, and the members shall be appointed taking into consideration the public interests, neutrality, representativeness of the relevant business categories, expertise in credit information, etc.
(3) Other matters necessary for the composition, operation, etc. of the Committee shall be prescribed by Presidential Decree.
[This Article Newly Inserted on Mar. 11, 2015]
 Article 26-3 (Personal Credit Rating System Verification Committee)
(1) A personal credit rating system verification committee shall be established under a centralized credit information collection agency to perform the following duties:
1. Deliberation on underlying information used for the evaluation of a personal credit rating company and a sole proprietor credit rating company (hereafter in this Article, referred to as "personal credit rating company, etc.");
2. Deliberation on the prediction ability, stability, etc. of the assessment model of a personal credit rating company, etc.;
3. Other matters prescribed by Presidential Decree, which are similar to those provided in subparagraphs 1 and 2.
(2) The Personal Credit Rating System Verification Committee shall be composed of up to seven members, including one chairperson.
(3) The Personal Credit Rating System Verification Committee shall deliberate on the matters referred to in the subparagraphs of paragraph (1), report its results to the Financial Services Commission, as determined and publicly notified by the Financial Services Commission, and inform the relevant personal credit rating company, etc. of the results.
(4) The Financial Services Commission shall disclose the deliberation results reported pursuant to paragraph (3) to the public through its website, etc., as determined and publicly notified by the Financial Services Commission.
(5) The composition and operation of the Personal Credit Rating System Verification Committee under paragraph (1), and the methods, timing, procedures, etc. for the submission of the deliberation results under paragraphs (2) through (4) shall be prescribed by Presidential Decree.
[This Article Newly Inserted on Feb. 4, 2020]
 Article 26-4 (Data Agencies)
(1) The Financial Services Commission may designate a corporation or institution specialized in combining data sets pursuant to Article 17-2 and reviewing the appropriateness of anonymization pursuant to Article 40-2 (hereinafter referred to as "data agency").
(2) A data agency shall perform the following duties:
1. Combining data sets held by a credit information company, etc. and those held by a third party and transferring them;
2. Evaluating the appropriateness of anonymization by a credit information company, etc.;
3. Other duties prescribed by Presidential Decree, which are similar to those provided in subparagraphs 1 and 2.
(3) A data agency may establish an appropriateness assessment committee if necessary to conduct the duties specified in paragraph (2) 1 and 2 in a specialized manner, as prescribed by Presidential Decree.
(4) A data agency shall formulate a risk management system in any of the following cases:
1. Where it performs duties referred to in paragraph (2) 1 and 2, concurrently;
2. Where it performs duties prescribed in the subparagraphs of paragraph (2) as well as duties prescribed in this Act or other statutes or regulations.
(5) Criteria for and revocation of designation under paragraph (1) and matters necessary for the composition and operation of an appropriateness assessment committee shall be prescribed by Presidential Decree.
[This Article Newly Inserted on Feb. 4, 2020]
SECTION 5 Claims Collection Business
 Article 27 (Persons Engaged in Claims Collection Business and Delegated Claims Collectors)
(1) A claims collection agency shall not appoint or hire any of the following persons, as its executive officers or employees, and nor shall it delegate, or conduct in a manner equivalent to delegation, the claims collection service to such person: <Amended on Apr. 18, 2017; Feb. 4, 2020>
1. A minor: Provided, That cases where he/she is appointed or hired for operations determined and publicly notified by the Financial Services Commission shall be excluded;
2. A person under adult guardianship or person under limited guardianship;
3. A person who has yet to be reinstated after having been declared bankrupt;
4. A person in whose case three years have not elapsed since the completion of, or exemption from, a sentence of imprisonment without labor, or heavier punishment, as so declared by a court (including cases where such execution is deemed to have been completed);
5. A person who is under a suspended sentence of imprisonment without labor or a heavier punishment as declared by a court;
6. A person who has been dismissed or discharged from office under this Act or other statutes, and for whom five years have not passed after such incident;
7. A person who had worked as an executive officer or employee of a corporation or company, permission, authorization, etc. of which was revoked under this Act or other statutes, and for whom five years have not passed after such revocation (applicable only to a person prescribed by Presidential Decree, who is directly responsible for the grounds for such revocation, or any person in the position equivalent thereto);
8. A person whose registration as a delegated claims collector under paragraph (2) 2 has been revoked, and for whom five years have not passed after such revocation;
9. A person who is a retired executive officer or employee notified that he/she would receive a measure of recommendation of dismissal (including demand for dismissal) or demand for removal from office pursuant to this Act or other statutes if he/she held his/her official position or were under employment, and for whom five years (seven years from the date of his/her retirement where the date on which five years has passed from the date of notification is later than the date on which seven years have passed from the date of his/her retirement) have not yet passed from the date of such notification.
(2) A claims collection agency shall perform its claims collection service through any of the following persons:
1. Any executive officer or employee of a claims collection agency;
2. A person who has been delegated, or allowed in such a manner equivalent to delegation, to render claims collection service by a claims collection agency (hereinafter referred to as "delegated claims collector").
(3) A claims collection agency shall register a person who intends to serve as its delegated claims collector, with the Financial Services Commission.
(4) No delegated claims collector shall render any claims collection service for a claims collection agency where he/she is not employed.
(5) A claims collection agency shall neither collect claims that are not subject to collection, nor render claims collection service through a delegated claims collector falling under any of the following subparagraphs:
1. A delegated claims collector who is not registered under paragraph (3);
2. A delegated claims collector who has been registered with another claims collection agency;
3. A delegated claims collector who is suspended from his/her business under paragraph (7).
(6) The Financial Services Commission may cancel the registration of delegated claims collectors, if they:
1. Have been registered under paragraph (3) in a fraudulent or any other unlawful means;
2. Have violated an order for practice suspension or committed a violation subject to practice suspension under paragraph (7), after having received a disposition of practice suspension within one year from the date such violation occurred;
3. Deleted; <Feb. 4, 2020>
4. Have performed claims collection activities, in violation of any subparagraph of Article 9 of the Fair Debt Collection Practices Act;
5. Have violated any term or condition of registration;
6. Have failed to perform the registered business continuously for at least one year without good cause.
(7) The Financial Services Commission may order to fully or partially suspend the business within a specified period not exceeding six months, if delegated claims collectors: <Amended on Feb. 4, 2020>
1. Have violated paragraph (4);
2. Deleted; <Feb. 4, 2020>
3. Have violated Article 40 (1) 5;
4. Have violated subparagraphs 2 and 5 of Article 12 of the Fair Debt Collection Practices Act;
5. Have violated other statutes or regulations or the articles of association of their claims collection agency to severely harm or be likely to harm public interests.
(8) Where executive officers and employees who engage in claims collection business or delegated claims collectors intend to render claims collection service, they shall carry identification verifying their engagement in claims collection business and present it to debtors or the relevant persons defined in the Fair Debt Collection Practices Act. <Amended on Feb. 4, 2020>
(9) A claims collection agency shall faithfully manage its delegated claims collectors, so that they may observe the statutes and may not impair the sound transaction order in performing the claims collection service. In such case, it shall ensure that they do not commit a violation as classified in the following: <Newly Inserted on Nov. 28, 2017>
1. Act of violating Article 8-3 (1), 9, or 10 (1) or subparagraph 1 or 2 of Article 11 of the Fair Debt Collection Practices Act;
2. Act of violating Article 8-3 (2), subparagraph 3 through 5 of Article 11, Article 12, 13, or 13-2 (2) of the Fair Debt Collection Practices Act.
(10) The qualification requirements and registration procedures for delegated claims collectors shall be prescribed by Presidential Decree. <Amended on Nov. 28, 2017>
(11) A person intending to be a delegated claims collector shall, when applying for registration as such, pay the fee, as prescribed by Ordinance of the Prime Minister. <Amended on Nov. 28, 2017>
[Title Amended on Feb. 4, 2020]
 Article 27-2 (Prohibition of Entrustment of Services to Unlicensed Claims Collection Business Entity)
A credit information provider or user prescribed by Presidential Decree, such as a credit finance company and a credit business entity, shall not entrust claims collection service to any person other than a claims collection agency.
[This Article Newly Inserted on Nov. 28, 2017]
 Article 28 Deleted. <May 28, 2013>
 Article 29 Deleted. <May 28, 2013>
 Article 30 Deleted. <May 28, 2013>
CHAPTER VI PROTECTION OF CREDIT DATA SUBJECT
 Article 31 (Public Notification of Credit Information Utilization Status)
(1) A personal credit rating company, a sole proprietor credit rating agency, a personal credit rating company, a credit information collection agency, and a credit information provider or user prescribed by Presidential Decree shall publicly notify the following, as prescribed by Presidential Decree:
1. A master plan for the protection and management of personal credit information (limited to persons prescribed by Presidential Decree in consideration of total assets, number of employees, etc.);
2. The type and purpose of use of credit information under its management;
3. Persons provided with credit information;
4. Types of the rights of credit data subjects and the methods of exercising such rights;
5. Types, percentages, and periods of credit information to be reflected in credit rating (limited to a personal credit rating company, a sole proprietor credit rating company, and a corporate credit inquiry company engaged in the business affairs of providing corporate credit ratings and technology credit ratings);
6. Matters provided in Article 30 (1) 6 and 7 of the Personal Information Protection Act;
7. Other matters prescribed by Presidential Decree in relation to the processing of credit information.
(2) Where any matters publicly notified under the subparagraphs of paragraph (1) are changed, the methods referred to in Article 30 (2) of the Personal Information Protection Act shall apply mutatis mutandis thereto.
[This Article Wholly Amended on Feb. 4, 2020]
 Article 32 (Consent to Provision and Use of Personal Credit Information)
(1) If a credit information provider or user intends to provide any personal credit information to any other person, he or she shall obtain individual consent in advance from the relevant credit data subject each time he or she intends to provide personal credit information by using the following methods, as prescribed by Presidential Decree: Provided, That this shall not apply where such information is provided to maintain the accuracy and currency of personal credit information within the agreed scope of the purpose or use: <Amended on Mar. 11, 2015; Dec. 11, 2018; Jun. 9, 2020>
1. In writing;
2. Electronic documents bearing an electronic signature (referring to the one by which the real name of a signer can be authenticated) defined in subparagraph 3 of Article 2 of the Digital Signature Act (referring to electronic documents defined in subparagraph 1 of Article 2 of the Framework Act on Electronic Documents and Transactions);
3. Entering the personal identification number by wire or wireless communication that ensures stability and reliability of the consent to provide such information, in consideration of the details and purpose of the personal credit information to be provided;
4. Obtaining consent from an individual after notifying him or her of the consent by wire and wireless communication. In such cases, evidential material shall be obtained and maintained by, for instance, recording a verbal dialogue concerning identification of the individual, questions as to whether the individual consent and his/her answers thereto, etc., and post-notification procedures shall be conducted, as prescribed by Presidential Decree;
5. Other means prescribed by Presidential Decree.
(2) A person, who intends to obtain any personal credit information from a personal credit rating company, sole proprietor credit rating company, corporate credit inquiry company, or credit information collection agency, shall obtain individual consent from the relevant credit data subject whenever he/she intends to provide personal credit information (excluding where it is provided to maintain the accuracy and currency of personal credit information within the scope of the purpose or use already agreed) by any means set forth in subparagraph of paragraph (1), as prescribed by Presidential Decree. In such cases, the person who intends to obtain personal credit information shall notify the relevant credit data subject when his/her personal credit score may be degraded at the time of such inquiry. <Amended on Mar. 11, 2015; Feb. 4, 2020>
(3) Where a personal credit rating company, sole proprietor credit rating company, corporate credit inquiry company, or credit information collection agency provides personal credit information under paragraph (2), it shall verify whether the person who intends to obtain such personal credit information has obtained consent under paragraph (2), as prescribed by Presidential Decree. <Amended on Feb. 4, 2020>
(4) When a credit information company, etc. obtains consent to the provision and utilization of personal credit information, it shall explain the information subject to mandatory consent and information subject to optional consent to provide services by distinguishing them, and obtain consent thereto respectively, as prescribed by Presidential Decree. In such cases, as to the information subject to mandatory consent, explanation of their relationship with the provision of services shall be explained, and as to the information subject to optional consent, it shall be notified that the other party need not consent to the provision of information. <Newly Inserted on Mar. 11, 2015>
(5) No credit information company, etc. may refuse to provide services to a credit data subject on the ground that he/she does not consent to information subject to optional consent. <Newly Inserted on Mar. 11, 2015>
(6) Where any credit information company, etc. (including data agencies for purposes of applying subparagraph 9-3) provides personal credit information in any of the following cases, paragraphs (1) through (5) shall not apply: <Amended on Mar. 11, 2015; Feb. 4, 2020>
1. Where a credit information company or a claims collection agency provides such information for the purpose of performing centralized management and utilization thereof with another credit information company, claims collection agency, or credit information collection agency;
2. Where such information is required to entrust the processing of credit information under Article 17 (2);
3. Where the relevant personal credit information is provided as the rights and obligations are fully or partially transferred by business transfer, division, merger, etc.;
4. Where personal credit information is provided to a person who uses the information for purposes prescribed by Presidential Decree, including claims collection (applicable only to the credit which is an object of collection), purpose of authorization or permission, determination of a company's creditworthiness, and transfer of securities;
5. Where personal credit information is provided in accordance with a court order for submission thereof or a warrant issued by a judicial officer;
6. Where such information is provided upon request by a prosecutor or judicial police officer, in an emergency where a victim's life is in danger or he/she is expected to suffer bodily injury, etc., so that no time is available to issue a judicial warrant under subparagraph 5. In such cases, the prosecutor provided with personal credit information shall, without delay, seek a warrant from a judicial officer, and the judicial police officer shall apply to the prosecutor for a warrant, who, in turn, seeks it from a judicial officer. Where the warrant is not issued within 36 hours from receipt of the personal credit information, such personal credit information shall be scrapped without delay;
7. Where such information is provided upon written request by the head of a competent tax office for inquiry and examination in accordance with tax-related Acts, or upon request for the taxation data subject to mandatory submission in accordance with tax-related Acts;
8. Where personal credit information held by a financial institution is provided to a foreign financial supervisory body in accordance with international conventions, etc.;
9. Where information referred to in subparagraph 1-4 (b) of Article 2 is provided to or from a personal credit rating company, a sole proprietor credit rating company, a corporate credit inquiry company engaged in business affairs of providing corporate credit ratings or technology credit ratings, or a centralized credit information collection agency;
9-2. Where pseudonymized information is provided for the purpose of producing statistics, conducting research, and retaining records for the public interest; In such cases, the production of statistics shall include the production of statistics for commercial purposes, including market research, and research shall include industrial research;
9-3. Where personal credit information is provided to a data agency for the purpose of combining data sets under Article 17-2 (1);
9-4. Where any personal credit information is provided for a purpose that does not conflict with the purpose for which the personal credit information was initially collected in consideration of the following factors:
(a) Relevance between the purposes;
(b) Reasons and events leading to the collection of personal credit information from the credit data subject by the credit information company, etc.;
(c) Impact of provision of the relevant personal credit information on the credit data subject;
(d) Whether measures to protect personal credit information, such as pseudonymization, have been appropriately implemented;
10. When such information is provided in accordance with this Act and other statutes;
11. Other cases prescribed by Presidential Decree as equivalent to those stipulated in subparagraphs 1 through 10.
(7) Any person who intends to provide personal credit information to any other person or who obtains such information under any subparagraph of paragraph (6) shall notify, in advance, the relevant credit data subject of the fact of and reason for such provision, as prescribed by Presidential Decree: Provided, That, where in extenuating circumstances prescribed by Presidential Decree, such circumstances may be notified or publicly announced later by posting them on his/her website or by similar means. <Amended on May 19, 2011; Mar. 11, 2015>
(8) Any credit information provider or user prescribed by Presidential Decree, who provides personal credit information to any other person subject to paragraph (6) 3, shall obtain approval from the Financial Services Commission with regard to any of the matters prescribed by Presidential Decree, including the scope of credit information provided. <Amended on Mar. 11, 2015>
(9) A person who has obtained personal credit information after obtaining approval under paragraph (8) shall manage it separately from the personal credit information of owners of credit information with whom he/she currently deals, as determined by the Financial Services Commission. <Newly Inserted on Mar. 11, 2015>
(10) Where a credit information company, etc. provides personal credit information, it shall verify the identity of the person who obtains the personal credit information and purpose of use thereof, as determined and publicly notified by the Financial Services Commission. <Amended on Mar. 11, 2015>
(11) Where there is any dispute over whether individual prior consent has been obtained under paragraph (1), the credit information provider or user who has provided the personal credit information, shall prove such fact. <Amended on Mar. 11, 2015>
 Article 33 (Use of Personal Credit Information)
(1) Personal credit information shall be used only for any of the following purposes:
1. Where the personal credit information is used for purposes of determining whether to establish and maintain commercial transaction relationship, such as financial transactions, which the relevant credit data subject applies for;
2. Where the credit data subject consents to the use of personal credit information for purposes other than those provided in subparagraph 1;
3. Where the personal credit information directly provided by an individual (including credit information generated from commercial transactions with the individual) is used for the purpose it is provided (excluding cases where such information is used for introducing goods or services or soliciting sales);
4. Other cases provided in the subparagraphs of Article 32 (6);
5. Such other cases equivalent to those provided in subparagraphs 1 through 4 as prescribed by Presidential Decree.
(2) A credit information company, etc. which intends to collect and investigate the information pertaining to an individual's disease, injury, or other information similar thereto or provide it to a third party, shall obtain prior approval from such individual under Article 32 (1), and such information shall be used only for purposes prescribed by Presidential Decree.
[This Article Wholly Amended on Feb. 4, 2020]
 Article 33-2 (Request for Transmission of Personal Credit Information)
(1) A credit data subject may request a credit information provide or user, etc. to transmit personal credit information on him or herself in its possession to any of the following persons:
1. The credit data subject himself or herself
2. A MyData company;
3. A credit information provider or user prescribed by Presidential Decree;
4. A personal credit rating company;
5. Such other persons similar to those provided in subparagraphs 1 through 4 as prescribed by Presidential Decree.
(2) The scope of personal credit information to be transmitted by an individual credit data subject pursuant to paragraph (1) shall be prescribed by Presidential Decree, in consideration of all the following factors:
1. It shall be credit information processed between the relevant credit data subject (including persons who process credit information on the credit data subject under statutes or regulations, etc.; hereafter in this subparagraph the same shall apply) and a credit information provider or user, etc., and shall fall under any of the following items:
(a) Information collected by a credit information provider or user from a credit data subject;
(b) Information provided by a credit data subject to a credit information provider or user, etc.;
(c) Information generated from the relationship of rights and obligations between a credit data subject and a credit information provider or user, etc.;
2. It shall be credit information processed by a computer or other information processing device;
3. It shall not be credit information separately generated or processed by a credit information provider or user based on personal credit information.
(3) A credit information provider or user, etc. in receipt of a request to transmit personal credit information from the credit data subject in accordance with paragraph (1), shall without delay transmit the personal credit information about the credit data subject in a form that makes it possible for him or her to process it with a computer or any other information processing device, notwithstanding Article 32 and the related provisions of any of the following Acts:
1. Article 4 of the Act on Real Name Financial Transactions and Confidentiality;
2. Article 81-13 of the Framework Act on National Taxes;
3. Article 86 of the Framework Act on Local Taxes;
4. Article 18 of the Personal Information Protection Act;
5. Other provisions prescribed by Presidential Decree which are similar to those referred to in subparagraphs 1 through 4.
(4) Where a credit data subject requests the transmission of his or her personal credit information pursuant to paragraph (1), he or she may request a credit information provider or user, etc. to regularly transmit his or her personal credit information in the same details so as to ensure the accuracy and currency of the relevant personal credit information.
(5) Where an individual credit data subject makes a request for transmission under paragraph (1) to a person falling under any subparagraph of paragraph (1), he or she shall do so in the form of an electronic document or any other method ensuring safety and reliability by specifying all the following matters:
1. A credit information provider or user, etc. who receives a request for transmission;
2. Personal credit information requested to be transmitted;
3. A person who receives personal credit information upon a request for transmission;
4. Whether such information is requested on a regular basis, and the frequency of such transmission;
5. Matters similar to those prescribed in subparagraphs 1 through 4, which are prescribed by Presidential Decree.
(6) A credit information provider or user, etc. who has provided personal credit information under paragraph (3) need not notify the relevant credit data subject of the fact that personal credit information has been transmitted, notwithstanding Article 32 (7) and provisions of the following statutes:
1. Article 4-2 of the Act on Real Name Financial Transactions and Confidentiality;
2. Other provisions of statutes prescribed by Presidential Decree regarding the processing of personal credit information.
(7) An individual credit data subject may withdraw a request for transmission made under paragraph (1).
(8) A credit information provider or user, etc. in receipt of a request to transmit personal credit information from a credit data subject under paragraph (1) may refuse to comply with the request for transmission or may cease or suspend the transmission in cases prescribed by Presidential Decree, including where the identity of the credit data subject is not authenticated.
(9) The methods of requesting transmission under paragraphs (1) and (4), the deadline and methods of transmission under paragraph (3), the methods of withdrawing request for transmission under paragraph (7), and the methods of refusal, cessation, and suspension under paragraph (8) shall be prescribed by Presidential Decree.
[This Article Newly Inserted on Feb. 4, 2020]
 Article 34 (Collection, Use, and Provision of Personal Identification Information)
Articles 15, 32, and 33 shall apply mutatis mutandis to where a credit information company, etc. collects, provides, or uses any information prescribed by Presidential Decree which is necessary for identifying an individual. <Amended on Feb. 4, 2020>
[This Article Wholly Amended on Mar. 11, 2015]
[Title Amended on Feb. 4, 2020]
 Article 34-2 (Principle of Consent to Use of Personal Credit Information)
(1) Where a credit information company, etc. obtains consent from a credit data subject (hereinafter referred to as "consent to the use of information"; the same shall apply in this Article and Article 34-3) under Articles 15 (2), 32 (1) and (2), 33 (1) 2, and 34, it shall notify the credit data subject of the matters prescribed in the relevant provisions in accordance with Articles 15 (2), 17 (2), and 18 (3) of the Personal Information Protection Act (hereafter in this Article referred to as "matters requiring notification") and obtain consent to the use of information: Provided, That this shall not apply to cases prescribed by Presidential Decree in consideration of the method for consent or the characteristics of personal credit information.
(2) A credit information provider or user prescribed by Presidential Decree shall obtain consent from the individual credit data subject, in consideration of the following:
1. He or she shall use more easy terms or simple and audiovisual means of communication, etc. so that a credit data subject can understand the matters requiring consent to the use of information;
2. Matters requiring consent to the use of information and the establishment, maintenance, etc. of commercial transaction relationship, including financial transactions, shall be clearly separated;
3. He or she shall enable a credit data subject to give a respective consent by categorizing the matters requiring consent to the use of information by a credit information company, etc. or by the purpose of information use (limited to the matters subject to optional consent under Article 32 (4)). ;
(3) Notwithstanding paragraph (1), a credit information provider or user prescribed by Presidential Decree may notify a credit data subject of matters omitting part of the matters requiring notification or the extract of the important matters and obtain consent to the use of information: Provided, That this shall not apply where an individual credit data subject requests to be informed of all matters requiring notification.
(4) Where the consent to the use of information is obtained after omitting part of the matters requiring notification or by extracting only important matters pursuant to the main clause of paragraph (3), the credit data subject shall be notified of the fact that he or she may separately request the notification of all of the matters requiring notification.
(5) Matters regarding the omission or extract under the main clause of paragraph (3), methods for requests under the proviso of that paragraph and notification under paragraph (4) shall be prescribed by Presidential Decree.
[This Article Newly Inserted on Feb. 4, 2020]
 Article 34-3 (Consent Rating for Use of Information)
(1) A credit information provider or user prescribed by Presidential Decree shall notify a credit data subject of the rating assessed by the Financial Services Commission (hereafter referred to as "consent rating for the use of information" in this Article) with respect to matters requiring consent to the use of information and obtain consent thereto. The same shall apply to cases where important matters prescribed by Presidential Decree have been changed among matters requiring consent to the use of information.
(2) The Financial Services Commission shall consider the following matters when granting the consent rating for the use of information pursuant to paragraph (1):
1. Matters regarding the risk of infringing on privacy and freedom following the use of information (including whether the personal credit information to be used is sensitive information referred to in Article 23 of the Personal Information Protection Act);
2. Advantages or benefits to the use of information for the credit data subject;
3. Matters prescribed in Article 34-2 (2) 1 and 2;
4. Other matters similar to those provided in subparagraphs 1 through 3, which are prescribed by Presidential Decree.
(3) If a credit information provider or user under paragraph (1) is given a consent rating for the use of information by fraud or other improper means or in other cases prescribed by Presidential Decree, the Financial Services Commission may revoke or change the consent rating for the use of information.
(4) The methods and procedures for the consent rating for the use of information pursuant to paragraphs (1) and (2) and the revocation and change pursuant to paragraph (3) shall be prescribed by Presidential Decree.
[This Article Newly Inserted on Feb. 4, 2020]
 Article 35 (Fact-finding Inquiries into Use and Provision of Credit Information)
Where a credit information company, etc. has used or provided any personal credit information, it shall allow the credit data subject to inquire into the matters classified as follows: Provided, That this shall not apply in cases prescribed by Presidential Decree, such as where it has been used for internal business management or provided for repeated entrustment of business affairs:
1. Where any personal credit information is used: Person who has used the credit information, purpose of use, date of use, details of the credit information used, and other matters prescribed by Presidential Decree;
2. Where any personal credit is provided: Person who has provided and person who has obtained the credit information, purpose of provision, date of provision, details of the credit information provided, and other matters prescribed by Presidential Decree.
(2) If requested by a credit data subject who has inquired under paragraph (1), the relevant credit information company, etc. shall notify the matters classified in subparagraphs of paragraph (1), to the credit data subject as prescribed by Presidential Decree, when it uses or provides any of his/her personal credit information.
(3) A credit information company, etc. shall notify each credit data subject that he/she can request notifications under paragraph (2).
[This Article Wholly Amended on Mar. 11, 2015]
 Article 35-2 (Duty to Provide Explanation about Possible Decline in Personal Credit Scores)
Where a credit information provider or user prescribed by Presidential Decree conducts such financial transactions which pose credit risk to an individual credit data subject as prescribed by Presidential Decree, he or she shall explain the following matters to the relevant credit data subject:
1. The fact that the relevant financial transaction may cause the relevant credit data subject to suffer disadvantage when a personal credit rating company produces a personal credit score;
2. Such other matters affected by the relevant financial transaction in relation to the credit data subject as prescribed by Presidential Decree.
[This Article Newly Inserted on Feb. 4, 2020]
 Article 35-3 (Advance Notice by Credit Information Providers and Users)
(1) Where a credit information provider or user prescribed by Presidential Decree provides personal credit information, among the information referred to in subparagraph 1 (c) of Article 2, to a personal credit rating company, a sole proprietor credit rating company, a corporate credit inquiry company, or a credit information collection agency to use such information for business affairs, the credit data subject shall be notified of the following:
1. The creditor;
2. The following information on the fact of the failure to perform obligations by the agreed due date:
(a) The amount and the first day to be counted when a period of time begins;
(b) The date the relevant information is expected to be registered;
3. The fact that a credit data subject may suffer disadvantage, such as a decline in a personal credit score or corporate credit rating and an increase in interest rates, upon the registration of information (where a credit information collection agency registers such information, the fact that a credit data subject may suffer disadvantage due to the provision of information to a third party by the credit information collection agency);
4. Other matters similar to those provided in subparagraphs 1 through 3, which are prescribed by Presidential Decree.
(2) Matters necessary for the timing of and methods for notification, etc. under paragraph (1) shall be prescribed by Presidential Decree.
[This Article Newly Inserted on Feb. 4, 2020]
 Article 36 (Notification of Credit Information Giving Rise to Refusal of Commercial Transaction)
(1) Where a credit information provider or user refuses or cancels a commercial transaction relationship with his or her counterparty on the basis of personal credit information prescribed by Presidential Decree, which has been provided by a personal credit rating company, sole proprietor credit rating company, corporate credit inquiry company (excluding corporate credit inquiry companies engaged only in the business affairs of corporate information inquiry), or a credit information collection agency, the credit information provider or user shall, upon the request of the relevant credit data subject, notify the relevant credit data subject of the matters prescribed by Presidential Decree, including the credit information that gave rise to the refusal or cancellation thereof. <Amended on Feb. 4, 2020>
(2) Where a credit data subject has any objection to the details of his/her own information notified under paragraph (1), he/she may request, within 60 days from the receipt of such notification under paragraph (1), the personal credit rating company, sole proprietor credit rating company, corporate credit inquiry company (excluding corporate credit inquiry companies engaged only in the business affairs of corporate information inquiry), and the credit information collection agency, which have collected and provided such information, to verify the accuracy of such information. <Amended on Feb. 4, 2020>
(3) With regard to the procedures for verification under paragraph (2), Article 38 shall apply mutatis mutandis.
 Article 36-2 (Explanation of Results of Automated Evaluation and Raising Objections thereto)
(1) A credit data subject may request a personal credit rating company and a credit information provider or user prescribed by Presidential Decree (hereafter in this Article, referred to as "personal credit rating company, etc.") to explain the following:
1. Whether the following act is done by automated evaluation:
(a) Personal credit rating;
(b) Determination on whether to create and maintain financial transactions prescribed by Presidential Decree (limited to credit information providers and users prescribed by Presidential Decree);
(c) Other acts prescribed by Presidential Decree, which are likely to undermine the protection of personal credit information if handled only with a computer or other information processing device;
2. The following matters in cases of automated evaluation:
(a) Results of automation evaluation;
(b) Major criteria for automated evaluation;
(c) Outline of the underlying information used in automated evaluation (hereafter in this Article referred to as "underlying information");
(d) Other matters prescribed by Presidential Decree, which are similar to those referred to in items (a) through (c);
(2) An individual credit data subject may perform the following acts with respect to a private credit rating company, etc.:
1. Submission of information that is deemed advantageous to the relevant credit data subject in automated evaluation;
2. Any of the following activities, where the details of underlying information used in the automated evaluation are deemed incorrect or not up-to-date:
(a) Requesting correction or deletion of underlying information;
(b) Requesting for re-calculation of the results of automation evaluation;
(3) In any of the following cases, a personal credit rating company, etc. may reject a request from a credit data subject under paragraphs (1) and (2):
1. Where special provisions exist in this Act or other statues or it is unavoidable for performing any obligation under statutes or regulations;
2. Where complying with a request by the relevant credit data subject makes it impracticable to establish, maintain, etc. a commercial transaction relationship, including financial transactions;
3. Other cases prescribed by Presidential Decree, which are similar to those provided in subparagraphs 1 and 2.
(4) The procedures and methods for requests under paragraphs (1) and (2) and notice of rejection and other necessary matters shall be prescribed by Presidential Decree.
[This Article Newly Inserted on Feb. 4, 2020]
 Article 37 (Rights to Withdraw Consent to Provision of Personal Credit Information)
(1) An individual credit data subject may withdraw, as prescribed by Presidential Decree, the consent which has been provided to a credit information provider or user in ways prescribed in the subparagraphs of Article 32 (1) to provide his/her personal credit information for purposes other than assessing the individual's creditworthiness, etc. by forwarding such information to a personal credit rating company, sole proprietor credit rating company, or credit information collection agency: Provided, That where it becomes difficult to perform a contract or serve the purposes provided in Article 33 (1) 1, including failure to perform certain services agreed with the credit data subject, unless the relevant personal credit information is provided to another credit information provider or user that has not obtained his/her consent, if the customer intends to revoke consent, he/she shall clarify his/her intention not to be provided with the relevant services. <Amended on Feb. 4, 2020>
(2) An individual credit data subject may, as prescribed by Presidential Decree, request a credit information provider or user to stop contacting him/her for the purpose of introducing or soliciting goods or services.
(3) A credit information provider or user shall notify the individual who is a counterparty, of the details of the rights and means to exercise such rights under paragraphs (1) and (2), in writing, via electronic documents, or orally, and, if he/she makes a demand under paragraphs (1) and (2), it shall immediately comply with such demand. In such cases, if such notification has been made orally, the additional post-notification procedures prescribed by Presidential Decree shall be followed.
(4) A credit information provider or user shall have a procedure in place to perform the obligations under paragraph (3), as prescribed by Presidential Decree.
(5) A credit information provider or user shall take necessary measures, as prescribed by Presidential Decree, to prevent an individual credit data subject from bearing the monetary costs arising from such demand under paragraph (2), including telephone bills.
[Title Amended on Feb. 4, 2020]
 Article 38 (Demand for Access to and Correction of Credit Information)
(1) A credit data subject may request a credit information company, etc. to provide him/her with such information regarding the credit data subject himself/herself as prescribed by Presidential Decree, which is retained by the credit information company, etc., or allow him/her to access the information by presenting a certificate identifying them or having their identity checked in ways prescribed by Presidential Decree, including telephone, the website, etc. <Amended on Feb. 4, 2020>
(2) A credit data subject who accesses his/her own credit information may request correction thereof if the credit information is incorrect, as determined and publicly notified by the Financial Services Commission. <Newly Inserted on Feb. 4, 2020>
(3) Upon receiving a request for correction under paragraph (2), a credit information company, etc. shall, if it deems that there are good cause for such request, without delay cease the provision or use of the relevant credit information and shall erase or delete incorrect or unverifiable information after conducting a fact-finding investigation. <Amended on Feb. 4, 2020>
(4) A credit information company, etc. which corrects or erases credit information under paragraph (3), shall notify any person who has obtained such information within the last six months and any person who the credit data subject requests to be advised of the details of the erased or corrected credit information. <Amended on Feb. 4, 2020>
(5) A credit information company, etc. shall inform the relevant credit data subject of the results of processing under paragraphs (3) and (4) within seven days; and if the credit data subject is dissatisfied with the processing results, he/she may file a request for correction with the Financial Services Commission, as prescribed by Presidential Decree: Provided, That if a credit data subject is dissatisfied with the processing of personal credit information by an enterprise or corporation involved in commercial transactions defined in Article 45-3 (1), he/she shall file a request for correction with the Personal Information Protection Commission (hereinafter referred to as "Protection Commission") defined in the Personal Information Protection Act. <Amended on Feb. 4, 2020>
(6) Upon the receipt of a request for correction under paragraph (5), the Financial Services Commission shall have the Governor of the Financial Supervisory Services established under Article 24 of the Act on the Establishment of Financial Services Commission (hereinafter referred to as the "Governor of the Financial Supervisory Service") conduct a fact-finding investigation and, according to its findings, may order the credit information company, etc. to make a correction or take other necessary measures: Provided, That if necessary, the Protection Commission may conduct the relevant duties on its own.. <Amended on Feb. 4, 2020>
(7) A person who examines factuality under paragraph (5) shall carry identification verifying his/her authority and present it to relevant persons. <Amended on Feb. 4, 2020>
(8) Where a credit information company, etc. has implemented corrective measures in accordance with a corrective order by the Financial Services Commission or the Protection Commission under paragraph (6), it shall report the results to the Financial Services Commission or the Protection Commission. <Amended on Feb. 4, 2020>
 Article 38-2 (Requests for Notification of Credit Inquiry)
(1) An credit data subject may request a personal credit rating company or a sole proprietor credit rating company to notify him/her of an inquiry being made into his/her personal credit information. In such cases, the identity of the credit data subject shall be verified in a manner determined by the Financial Services Commission. <Amended on Feb. 4, 2020>
(2) When an inquiry of personal credit information, which constitutes grounds prescribed by Presidential Decree including a possible illegal use of other's name, is made, a personal credit rating company or sole proprietor credit rating company in receipt of request provided in paragraph (1) shall suspend the provision of information for the relevant inquiry and notify such fact to the relevant credit data subject without delay. <Amended on Feb. 4, 2020>
(3) Matters necessary for the methods to suspend the provision of information and notification thereof under paragraph (2), bearing of expenses incurring from notification, etc. shall be prescribed by Presidential Decree.
[This Article Newly Inserted on Mar. 11, 2015]
 Article 38-3 (Request for Deletion of Personal Credit Information)
(1) Where his/her commercial transaction relationship, including financial transactions, is terminated and the period prescribed by Presidential Decree has passed, a credit data subject may request the credit information provider or user to delete his/her personal credit information: Provided, That this shall not apply in any of the cases falling under subparagraph of Article 20-2 (2).
(2) Upon receipt of request made under paragraph (1), the credit information provider or user shall delete the relevant personal credit information without delay and notify the result thereof to the credit data subject, without delay.
(3) Where a request by a credit data subject falls under the proviso of paragraph (1), the credit information provider or user shall manage the personal credit information as prescribed by Presidential Decree, such as managing it by separating it from other private credit information, and notify the result thereof to the credit data subject.
(4) Methods of notification to be made under paragraphs (2) and (3) shall be determined and publicly notified by the Financial Services Commission.
[This Article Newly Inserted on Mar. 11, 2015]
 Article 39 (Right of Access Free of Charge)
An individual credit data subject may be provided with the following credit information from a personal credit rating company (excluding personal credit rating companies prescribed by Presidential Decree) or access such information on a free-of-charge basis, once or more, at regular intervals prescribed by Presidential Decree, not exceeding one year. <Amended on Feb. 4, 2020>
1. Personal credit scores;
2. Personal credit information used for the calculation of individual credit scores;
3. Such other credit information similar to information provided in subparagraphs 1 and 2 as prescribed by Presidential Decree.
 Article 39-2 (Access to Information on Changes in Creditors)
(1) Where a credit information provider or user prescribed by Presidential Decree acquires claims arising from a financial transaction prescribed by Presidential Decree or transfers such claims to a third party in relation to a financial transaction with an individual credit data subject, he or she shall provide a centralized credit information collection agency with the information on the acquisition or transfer of the relevant claims, and other information necessary for the protection of the credit data subject (hereafter in this Article, referred to as "information on changes in creditors").
(2) An individual credit data subject may be issued with, or access, information on changes in creditors regarding him or her, which is provided to and held by a centralized credit information collection agency under paragraph (1).
(3) A centralized credit information collection agency shall retain the information on changes in creditors provided pursuant to paragraph (1) separately from the information to be centrally managed and used pursuant to Article 25 (1) and other information prescribed by Presidential Decree, as prescribed by Presidential Decree.
(4) Expenses, etc. incurred in providing information on changes in creditors and exercising the right of access under paragraphs (1) and (2) shall be prescribed by Presidential Decree.
[This Article Newly Inserted on Feb. 4, 2020]
[Previous Article 39-2 moved to Article 39-4 <Feb. 4, 2020>]
 Article 39-3 (Methods and Procedures for Credit Data Subjects to Exercise Rights)
(1) A credit data subject may have his/her agent exercise the following rights (hereinafter referred to as "request for access, etc.") in writing or by other methods and procedures prescribed by Presidential Decree:
1. A request for transmission under Article 33-2 (1);
2. A request for notice under Article 36 (1);
3. A request for explanation under Article 36-2 (1) and an act falling under any subparagraph of paragraph (2);
4. Withdrawal of consent under Article 37 (1) and a request for suspension of communications under paragraph (2);
5. A request for access or correction under Article 38 (1) and (2);
6. A request for notice under Article 38-2 (1);
7. A free-of-charge access under Article 39;
8. Delivery or access under Article 39-2 (2).
(2) The legal representative of a child under 14 years of age may file a request for access, etc. to the personal credit information of the child with a credit information company, etc.
[This Article Newly Inserted on Feb. 4, 2020]
 Article 39-2 (Notification of Divulgence of Personal Credit Information)
(1) Where a credit information company, etc. becomes aware that any personal credit information has been divulged for any purpose other than for its business, it shall notify the relevant credit data subject thereof without delay. In such cases, the matters provided in the subparagraphs of Article 34 (1) of the Personal Information Protection Act shall apply mutatis mutandis to the matters to be notified. <Amended on Feb. 4, 2020>
1. Deleted; <Feb. 4, 2020>
2. Deleted; <Feb. 4, 2020>
3. Deleted; <Feb. 4, 2020>
4. Deleted; <Feb. 4, 2020>
5. Deleted; <Feb. 4, 2020>
(2) If any personal credit information is divulged, the credit information company, etc. shall formulate measures to minimize the damage and take necessary measures. <Amended on Feb. 4, 2020>
(3) If any personal credit information is disclosed to the extent exceeding the scale prescribed by Presidential Decree, the credit information company, etc. shall report without delay, the results of notification under paragraph (1) and measures taken under paragraph (2), to the Financial Services Commission or an institution prescribed by Presidential Decree (hereafter referred to as the "Financial Services Commission, etc." in this Article). In such cases, the Financial Services Commission, etc. may provide support for technology to mitigate damage, rectify the damage, etc. <Amended on Feb. 4, 2020>
(4) Notwithstanding paragraph (3), an enterprise and corporation involved in commercial transactions defined in Article 45-3 (1) shall file a report with the Protection Commission or an institution prescribed by Presidential Decree (hereafter referred to as the "Protection Commission, etc." in this Article). <Newly Inserted on Feb. 4, 2020>
(5) Upon receipt of report made under paragraph (3), the Financial Services Commission, etc. shall notify the Protection Commission thereof. <Amended Jul. 26, 2017; Feb. 4, 2020>
(6) The Financial Services Commission, etc. or the Protection Commission, etc. may investigate the measures taken by a credit information company, etc. under paragraph (2), and may request it to rectify such where such measures are deemed insufficient. <Amended on Feb. 4, 2020>
(7) Matters necessary for the timing, methods, procedures, etc. for notifications to be made under paragraph (1), shall be prescribed by Presidential Decree. <Amended on Feb. 4, 2020>
[This Article Newly Inserted on Mar. 11, 2015]
[Title Amended on Feb. 4, 2020]
[Moved from Article 39-2 <Feb. 4, 2020>]
 Article 40 (Prohibited Matters for Credit Information Company, etc.)
(1) No credit information company, etc. shall engage in any of the following acts: <Amended on Mar. 11, 2015; Feb. 4, 2020>
1. Deleted; <Feb. 4, 2020>
2. Deleted; <Feb. 4, 2020>
3. Deleted; <Feb. 4, 2020>
4. Finding out a certain person's whereabouts and contacts (hereinafter referred to as "whereabouts, etc.") or investigating his/her private life, other than commercial transaction relationships, including financial transactions: Provided, That where a credit information company permitted to engage in claims collection business finds out a certain person's whereabouts, etc. to conduct its business or it is allowed to find out a certain person's whereabouts, etc. pursuant to other statutes or regulations, this shall apply;
5. Using titles, including "intelligence service agent", "detective", or other titles similar thereto;
6. Deleted; <May 28, 2013>
7. Deleted; <Feb. 4, 2020>
(2) Where a credit information company, etc. transmits advertising information for profit-making purposes by using personal credit information or information necessary to identify an individual, Article 50 of the Act on Promotion of Information and Communications Network Utilization and Information Protection shall apply mutatis mutandis. <Newly Inserted on Feb. 4, 2020>
 Article 40-2 (Rules of Conduct regarding Pseudonymization and Anonymization)
(1) A credit information company, etc. shall retain or erase additional information used for pseudonymization after separating it by means prescribed by Presidential Decree.
(2) A credit information company, etc. shall formulate and implement technical, physical, and managerial security measures, such as formulating an internal management plan and retaining access records, to protect pseudonymized personal credit information to protect such information from illegal access by a third party, change, damage, or destruction of entered data, and other risks, as prescribed by Presidential Decree.
(3) A credit information company, etc. may request the Financial Services Commission to examine whether the personal credit information is properly anonymized.
(4) Where the Financial Services Commission deems that the personal credit information is properly anonymized according to the results of an examination under paragraph (3), it shall be presumed that the relevant personal credit information is one that no longer uniquely identifies the relevant credit data subject.
(5) The Financial Services Commission may entrust the duty of examination under paragraph (3) and recognition under paragraph (4) to a data agency under Article 26-4, as prescribed by Presidential Decree.
(6) No credit information company, etc. shall process pseudonymized information to uniquely identify an individual for profit-making or improper purposes.
(7) Where it becomes possible to uniquely identify an individual in the process of using pseudonymized information, a credit information company, etc. shall immediately cease the processing of the information, and shall immediately erase the information that can uniquely identify an individual.
(8) Where a credit information company, etc. pseudonymizes or anonymizes personal credit information, it shall retain the records of measures for three years according to the following classifications:
1. Where it pseudonymizes personal credit information:
(a) Date of pseudonymization;
(b) Items of pseudonymized information;
(c) Reasons and grounds for the pseudonymization;
2. Where it anonymized personal credit information:
(a) Date of anonymization;
(b) Items of anonymized information;
(c) Reasons and grounds for anonymization.
[This Article Newly Inserted on Feb. 4, 2020]
 Article 40-3 (Exceptions to Application for Pseudonymized Data)
 Articles 32 (7), 33-2, 35-2, 35, 35-2, 35-3, 36, 36-2, 37, 38, 38-2, 38-3, 39, and 39-2 through 39-4 shall not apply to pseudonymized information.
[This Article Newly Inserted on Feb. 4, 2020]
 Article 41 (Prohibited Matters for Claims Collection Agency)
(1) No claims collection agency shall lend its name to another person to allow him/her to do claims collection business.
(2) No claims collection agency shall use words other than the phrase containing "credit information" for its trade name unless otherwise allowed by other statutes: Provided, That in cases where a claims collection agency engages in credit inquiry business or credit rating business after obtaining authorization for credit rating business under Article 335-3 (1) of the Financial Investment Services and Capital Markets Act as well, this shall not apply. <Amended on May 28, 2013>
 Article 41-2 (Verification of Recruitment Channels of Agents of Recruitment Business)
(1) Where a credit information provider or user outsources recruitment business (referring to the business of concluding contracts related to his/her business on behalf of other persons or mediating such contracts, regardless of how named; hereinafter the same shall apply) to a third party for operating his/her business, he/she shall verify the following matters as to the person outsourced with such recruitment business and prescribed by Presidential Decree (hereinafter referred to as "agent of recruitment business"):
1. Whether any credit information acquired or provided by fraud or other improper means or methods (hereinafter referred to as "illegally acquired credit information") is used in the recruitment business;
2. Channels through which personal credit information, etc. used in the recruitment business is acquired;
3. Other matters prescribed by Presidential Decree.
(2) If a credit information provider or user verifies that an agent of recruitment business has used illegally acquired credit information in recruitment business, he/she shall terminate the entrustment contract with the relevant agent of recruitment business.
(3) Upon terminating the entrustment contract with an agent of recruitment business under paragraph (2), a credit information provider or user shall notify this to the Financial Services Commission or a registration agency prescribed by Presidential Decree.
(4) Matters necessary for verification under paragraph (1) and timing, methods, etc. of reporting under paragraph (3) shall be prescribed by Presidential Decree.
[This Article Newly Inserted on Mar. 11, 2015]
 Article 42 (Prohibition of Divulgence for Non-Business Purposes)
(1) No person who is or was an executive officer or employee of a credit information company, etc., and an outsourced agent of the processing of credit information under Article 17 (2) (hereinafter referred to as "person related with credit information business") shall divulge or use any personal confidential information, including credit information and privacy (hereinafter referred to as "personal confidential information") acquired during the course of business for non-business purposes.
(2) No act that a credit information company, etc., and a person related with credit information business provide credit information for a credit information company, etc. under this Act shall be deemed to be the divulgence or use of credit information for non-business purposes under paragraph (1).
(3) If a person who has obtained personal confidential information divulged, in violation of paragraph (1) (including another person who obtains such divulged personal confidential information from such person) learns that such personal confidential information has been divulged in breach of paragraph (1), the person shall not supply or use such personal confidential information.
(4) No person who has obtained personal credit information from a credit information company, etc., and a person related with credit information business, shall not provide such personal credit information to any other person: Provided, That in cases where such provision is allowed by this Act or other Acts, this shall not apply.
 Article 42-2 (Imposition of Penalty Surcharges)
(1) Where any of the following conducts are committed (referring to the Protection Commission where an enterprise or corporation involved in commercial transactions defined in Article 45-3 (1) commits such conduct), the Financial Services Commission may impose a penalty surcharge in an amount equivalent to up to 3/100 of the total sales: Provided, That where a conduct falling under subparagraph 1 is committed, it may impose a penalty surcharge not exceeding five billion won: <Amended on Feb. 4, 2020>
1. Where any personal credit information is lost, stolen, divulged, altered or compromised, in violation of Article 19 (1);
1-2. Where a person provides personal credit information to a third party without the consent of the credit data subject in violation of Article 32 (1) or (2) even in cases not falling under Article 32 (6) 9-2 and where a person knowingly receives such personal credit information for a profit-making or improper purposes;
1-3. Where personal credit information is used even in cases not falling under Article 32 (6) 9-2 or 33 (1) 4, in violation of Article 33 (1);
1-4. A person who processes pseudonymized information in ways to uniquely identifying an individual for profit-making or improper purposes, in violation of Article 40-2 (6);
2. Where it discloses or uses any personal confidential information for any purpose other than for business purpose, in violation of Article 42 (1);
3. Where it provides any personal confidential information to any other person or uses it knowing that it has been illegally divulged, in violation of Article 42 (3).
(2) In imposing penalty surcharges under paragraph (1), when a credit information company, etc. refuses to submit data for calculation of sales amount or submits false data, the sales amount may be estimated on the basis of the data, such as the financial statements or other financial data, of a credit information company, etc. the scale of which is similar to that of the relevant credit information company, etc.: Provided, That if no sales amount exists, or in cases prescribed by Presidential Decree where it is impractical to calculate sales amount, a penalty surcharge may be imposed not exceeding 20 billion won.
(3) In imposing a penalty surcharge under paragraph (1), the Financial Services Commission or the Protection Commission shall take the following matters into consideration: <Amended on Feb. 4, 2020>
1. Details and severity of the violation;
2. Duration and frequency of the violation;
3. Amount of gains acquired by committing the violation.
(4) A penalty surcharge under paragraph (1) shall be calculated based on matters prescribed in paragraph (3), and the detailed standards and procedures for calculation thereof shall be prescribed by Presidential Decree.
(5) If a person subject to payment of a penalty surcharge under paragraph (1) fails to pay it by the payment deadline, the Financial Services Commission or the Protection Commission shall collect the late payment penalty equivalent to 6/100 per annum of the unpaid penalty surcharge from the day following the payment deadline. In such cases, the period for collecting of the penalty surcharge shall not exceed 60 months. <Amended on Apr. 18, 2017; Feb. 4, 2020>
(6) If a person obligated to pay a penalty surcharge under paragraph (1) fails to pay it by the payment deadline, the Financial Services Commission or the Protection Commission shall demand the payment by a fixed deadline, and if the penalty surcharge and the late payment penalty referred to in paragraph (5) are not paid within the specified period, they shall be collected in the same manner as the delinquent national taxes. <Amended on Feb. 4, 2020>
(7) Where any penalty surcharge imposed under paragraph (1) is to be refunded in accordance with the judgment of the court, etc., an interest on the refund equivalent to 6/100 per annum shall be paid from the date the penalty surcharge is paid until the date of refund.
(8) If a person prescribed by Presidential Decree, such as a recruiter who deals with a financial information provider or user after entering into an entrustment contract (referring to a recruiter under subparagraph 2 of Article 14-2 of the Specialized Credit Finance Business Act) falls under any subparagraph of paragraph (1), he/she shall be deemed an employee of the relevant credit information provider or user to the extent of the relevant violation: Provided, That this shall not apply where the relevant credit information provider or user has taken reasonable care and supervision in order to prevent such violation of the recruiter, etc.
(9) Other matters necessary for the imposition and collection of penalty surcharges shall be prescribed by Presidential Decree.
[This Article Newly Inserted on Mar. 11, 2015]
 Article 43 (Liability to Compensate for Damages)
(1) Where a credit information company, etc., and other persons provided with credit information from the credit information company, etc. violate this Act and inflict damage to a credit data subject, they shall be held liable for such damage: Provided, That in cases where a credit information company, etc., and other persons provided with credit information from the credit information company, etc. have proven an absence of intention or negligence, this shall not apply. <Amended on Feb. 4, 2020>
(2) Where a credit information company, etc. or any other credit information user (including a consignee; hereafter the same shall apply in this Article) is responsible for divulging any personal credit information, in violation of this Act by intent or gross negligence, or inflict to a credit data subject any damage arising from the loss, stealth, divulgence, alteration or compromise thereof, it shall be responsible to compensate the damage within the limit not exceeding five times the damage: Provided, That this shall not apply where a credit information company, etc. or any other credit information user proves that it has had no such intention or has not committed gross negligence. <Newly Inserted on Mar. 11, 2015; Feb. 4, 2020>
(3) In determining an amount to be compensated under paragraph (2), the court shall take the following matters into consideration: <Newly Inserted on Mar. 11, 2015>
1. Degree of the knowledge of the possible intention or occurrence of loss;
2. Extent of damage suffered from the violation;
3. Economic gains acquired by the credit information company, etc. or any other credit information user by committing the violation;
4. Fines and penalty surcharges for the violation;
5. Duration, frequency, etc. of the violation;
6. Economic status of the credit information company, etc. or any other credit information user;
7. Degree of efforts exercised by the credit information company, etc. or any other credit information user in recollecting the relevant personal credit information after the loss, stealth, or leakage thereof;
8. Degree of efforts exercised by the credit information company, etc. or any other credit information user for damage relief.
(4) Where a claims collection agency or a delegated claims collector has inflicted damage to debtors and persons related therewith, he/she shall be held liable for such damage: Provided, That where he/she has proven an absence of intention or negligence on his or her part, this shall not apply. <Amended on Mar. 11, 2015; Feb. 4, 2020>
(5) Where a credit information company has inflicted damage to a client for reasons attributable to the credit information company, it shall be held liable for such damage. <Amended on Mar. 11, 2015; Feb. 4, 2020>
(6) Where a person entrusted with the processing of credit information under Article 17 (1) has inflicted damage to a credit data subject, in violation of this Act, the entrusting and entrusted persons shall be jointly and severally held liable for such damage. <Amended on Mar. 11, 2015; Feb. 4, 2020>
(7) Where a delegated claims collector has violated this Act or the Fair Debt Collection Practices Act and inflicted damage to debtors or persons related therewith under the Fair Debt Collection Practices Act, the claims collection agency and delegated claims collector shall be jointly and severally held liable for such damage: Provided, That where the claims collection agency has proven an absence of intention or negligence on its part in the appointment and management of the delegated claims collector, this shall not apply. <Amended on Mar. 11, 2015; Feb. 4, 2020>
 Article 43-2 (Claim for Statutory Damages)
(1) Where a credit information company, etc. or other persons provided with credit information by the credit information company, etc. violates this Act, a credit data subject may seek damages from the credit information company, etc. or such other persons in a reasonable amount not exceeding three million won in lieu of claiming damages under Article 43. In such cases, neither relevant credit information company, etc. nor such other persons shall be exempt from liability without proving an absence of intention or negligence: <Amended on Feb. 4, 2020>
1. Deleted; <Feb. 4, 2020>
2. Deleted; <Feb. 4, 2020>
(2) Article 39-2 (2) and (3) of the Personal Information Protection Act shall apply mutatis mutandis to the modification of claims for damages under paragraph (1) and the recognition of damages by the court. <Amended on Feb. 4, 2020>
(3) Deleted. <Feb. 4, 2020>
[This Article Newly Inserted on Mar. 11, 2015]
 Article 43-3 (Guarantee of Compensation for Damage)
A credit information company, etc. prescribed by Presidential Decree shall take measures necessary to fulfill the liability to compensate damage under Article 43, such as purchase of insurance, joining a mutual aid program, or accumulation of reserves, in accordance with the standards determined by the Financial Services Commission.
[This Article Newly Inserted on Mar. 11, 2015]
 Article 44 (Credit Information Companies Association)
(1) Credit information companies, MyData companies, and claims collection agencies may establish a Credit Information Companies Association for the purposes of promoting sound development of the industries related to credit information and maintaining order in business among credit information companies, MyData companies, and claims collection agencies. <Amended on Feb. 4, 2020>
(2) The Credit Information Companies Association shall be a corporation.
(3) The Credit Information Companies Association shall perform the following duties, as prescribed by its articles of association: <Amended on Feb. 4, 2020>
1. Maintaining sound business practices among credit information companies, MyData companies, and claims collection agencies;
2. Engaging in research and study to develop industries related to credit information;
3. Counseling and handling petitions related to credit information;
3-2. Business permitted for the Credit Information Companies Association under this Act and other statutes or regulations;
4. Other duties prescribed by Presidential Decree.
(4) Except as provided in this Act, the provisions concerning an incorporated association of the Civil Act shall apply mutatis mutandis to the Credit Information Companies Association.
CHAPTER VII SUPPLEMENTARY PROVISIONS
 Article 45 (Supervision and Inspection)
(1) The Financial Services Commission shall supervise credit information companies, etc. (including data agencies and excluding persons prescribed by Presidential Decree who are other than the following persons; hereafter in this Article and Article 45-2, the same shall apply) about whether a credit information company, etc. complies with this Act or orders under this Act: <Amended on Feb. 4, 2020>
1. Credit information companies and claims collection agencies;
2. MyData companies;
3. Credit information collection agencies;
4. A credit information provider or use who falls under any of the subparagraphs of Article 38 of the Act on the Establishment of Financial Services Commission;
5. A person who runs financial business or insurance business prescribed by Presidential Decree, other than those provided in subparagraph 4.
(2) The Financial Services Commission may, if deemed necessary for the supervision under paragraph (1), order a credit information company, etc. to report in relation to its business, financial standing, etc.
(3) The Governor of the Financial Supervisory Service may have the personnel of the Financial Supervisory Service inspect the business and financial standing of a credit information company, etc. under this Act.
(4) The Governor of the Financial Supervisory Service may, if deemed necessary for an inspection under paragraph (3), request a credit information company, etc. to submit data and have persons concerned attend meetings and state their opinions.
(5) A person who conducts an inspection under paragraph (3) shall carry identification verifying his/her authority to present it to relevant persons.
(6) The Governor of the Financial Supervisory Service shall report the findings of an inspection under paragraph (3) to the Financial Services Commission, as determined by the Financial Services Commission.
(7) If a credit information company, etc. is deemed likely to undermine the sound management of industries related to credit information and the rights and interests of a credit data subject by violating this Act (including the Fair Debt Collection Practices Act in cases of claims collection agencies; hereafter in this paragraph the same shall apply) or orders under this Act, the Financial Services Commission shall take measures set forth in any of the following subparagraphs or request the Governor of the Financial Supervisory Service to take any of the measures set forth in subparagraphs 1 through 3: <Amended on Apr. 18, 2017; Feb. 4, 2020>
1. Caution or warning to a credit information company, etc.;
2. Caution or warning to executive officers;
3. Request for disciplinary action, including caution, suspension from office, reduction in salary, and official reprimand, against employees;
4. Recommendation for dismissal of executive officers or suspension from office or demand for dismissal from office of employees;
5. Corrective order against violations;
6. Suspension of provision of credit information.
(8) The Financial Services Commission shall take management responsibility for preventing serious disruption of credit order, including divulgence of personal credit information. <Newly Inserted on Feb. 4, 2020>
 Article 45-2 (Financial Services Commission's Authority to Issue Orders to Take Measures)
The Financial Services Commission may order a credit information company, etc. to take necessary measures, such as submission of data, suspension of processing, corrective measures, and public disclosure with respect to the following matters, in order to protect credit data subjects and establish sound credit order:
1. Matters regarding credit information held by credit information companies, etc.;
2. Matters regarding processing of credit information;
3. Matters regarding improving the business affairs of credit information companies, etc.;
4. Matters regarding the disclosure of the credit information utilization status;
5. Other matters prescribed by Presidential Decree as necessary for protecting credit data subjects or establishing a sound credit order.
[This Article Newly Inserted on Feb. 4, 2020]
 Article 45-3 (Request for Submission of Data and Investigation by Protection Commission)
(1) In any of the following cases, the Protection Commission may request a credit information provider or user (hereinafter referred to as "enterprise or corporation involved in commercial transactions") exempt from supervision by the Financial Services Commission to submit data, including relevant articles and documents, pursuant to Article 45:
1. Where an enterprise or corporation involved in commercial transactions becomes aware of any violation, or suspicion of violation, of any of the following regulations (hereinafter referred to as "regulations for protecting information in commercial transactions"):
(a) Articles 15 and 17;
(b) Articles 19 and 20-2;
(c) Articles 32, 33, 34, 36, 37, 38, 38-3, 39-4, 40-2, and 42;
2. Where the Protection Commission receives a report or petition about a violation of the regulations for protecting information in commercial transactions by an enterprise or corporation involved in commercial transactions;
3. Other cases prescribed by Presidential Decree as necessary for protecting personal credit information.
(2) If an enterprise or corporation involved in commercial transactions fails to submit data required under paragraph (1) or if it is deemed to have violated the regulations for protecting information in commercial transactions, the Protection Commission may require public officials of the Protection Commission to enter the office or place of business of the enterprise or corporation or a person related to such violation, and to investigate the current status of business affairs, books, documents, etc. In such cases, a public official who conducts an inspection shall carry identification indicating his/her authority and present it to relevant persons.
(3) The Protection Commission shall not provide any third party with the documents, data, etc. furnished or collected pursuant to paragraph (1), nor disclose them to the general public, except as provided in this Act.
(4) Where the Protection Commission receives data via information and communications networks or digitalizes the collected data, etc., it shall take systematic and technical security measures to prevent any leakage of personal information, trade secrets, etc.
[This Article Newly Inserted on Feb. 4, 2020]
 Article 45-4 (Corrective Measures of Protection Commission)
Where the Protection Commission deems that there are reasonable grounds to believe that there has been an infringement of personal credit information, and failure to take action is likely to cause damage that is difficult to remedy, it may order an enterprise or corporation involved in commercial transactions to take the following measures:
1. To suspend infringement of personal credit information;
2. To temporarily suspend the processing of personal credit information;
3. Other measures necessary to protect personal information and to prevent personal information infringement.
[This Article Newly Inserted on Feb. 4, 2020]
 Article 45-5 (Regular Evaluation of Status of Utilization and Management of Personal Credit Information)
(1) The Financial Services Commission may require a credit information company, etc. prescribed by Presidential Decree, to submit the results of an inspection conducted by a credit information administrator or guardian pursuant to Article 20 (6), and verify the results and indicate the results thereof in scores or ratings.
(2) The Financial Services Commission may send the scores or ratings indicated under paragraph (1) and other matters prescribed by Presidential Decree to the Governor of the Financial Supervisory Service, so as to use them for inspections under Article 45 (3).
(3) Matters concerning the confirmation of the results of the inspection, and indication of scores and ratings under paragraph (1), and methods, procedures, etc. for transmission under paragraph (2) shall be determined and publicly notified by the Financial Services Commission.
[This Article Newly Inserted on Feb. 4, 2020]
 Article 46 (Notification of Content of Measure for Retired Executive Officer)
(1) Where it is deemed that an executive office or employee retired from a credit information company, etc. would receive a measure falling under any of Article 45 (7) 2 through 4 if he/she held his/her office in such credit information company or were under employment by such credit information company, the Financial Commission (including the Governor of the Financial Supervisory Service empowered to make a measure pursuant to Article 45 (7)) may notify the content of such measure to the head of such credit information company, etc.
(2) The head of the credit information company, etc. in receipt of the notification under paragraph (1) shall notify the relevant retired executive officer or employee of such notification, and record and keep the content of such measure.
[This Article Newly Inserted on Apr. 18, 2017]
 Article 47 (Submission of Business Report)
(1) Credit information companies, MyData companies, claims collection agencies, credit information collection agencies, and data agencies shall prepare a quarterly business report in the form determined by the Governor of the Financial Supervisory Service and submit it to the Governor of the Financial Supervisory Service by the last day of the month following the last month of every quarter. <Amended on Feb. 4, 2020>
(2) The report under paragraph (1) shall state names and be affixed with seals of the representative, in-charge personnel or agent thereof. <Amended on Feb. 4, 2020>
(3) Details and other matters necessary to prepare the business report under paragraph (1) shall be determined by the Governor of the Financial Supervisory Service.
 Article 48 (Hearings)
The Financial Services Commission shall hold a hearing if it intends to render any of the following dispositions:
1. Revocation of permission or authorization for a credit information business, a MyData business, and a claims collection business under Article 14 (1);
2. Revocation of the registration of a delegated claims collector under Article 27 (6).
[This Article Wholly Amended on Feb. 4, 2020]
 Article 49 (Delegation and Entrustment of Authority)
The Financial Services Commission's authorities prescribed by Presidential Decree under this Act may be delegated or entrusted to the Special Metropolitan City Mayor, a Metropolitan City Mayor, a Special Self-Governing City Mayor, a Do Governor, a Special Self-Governing Province Governor, the Governor of the Financial Supervisory Service, a centralized credit information collection agency, a data agency, the Credit Information Companies Association, or other persons prescribed by Presidential Decree, as prescribed by Presidential Decree. <Amended on Aug. 14, 2018; Feb. 4, 2020>
 Article 50 (Penalty Provisions)
(1) Any person who violates Article 42 (1) or (3) shall be punished by imprisonment for not more than 10 years or by a fine not exceeding 100 million won:
(2) Any of the following persons shall be punished by imprisonment for not more than five years or by a fine not exceeding 50 million won: <Amended on Nov. 28, 2017; Feb. 4, 2020>
1. Any person who engages in a credit information business, MyData business, or claims collection business without obtaining permission therefor;
2. Any person who obtains permission or authorization under Article 4 (2) or 10 (1) by fraud or other improper means;
3. Deleted; <Feb. 4, 2020>
4. Any person who violates Article 17 (6);
4-2. A person who combines data sets, in violation of Article 17-2 (1);
5. Any person who, without authorization, changes or deletes any information in a credit information computer system under Article 19 (1) or make it otherwise unusable, or a person who, without authorization, retrieves, duplicates or uses in other ways such credit information;
5-2. A person who provides the services of a credit information collection agency, without obtaining permission for a credit information collection agency, in violation of Article 25 (1);
5-3. A person who entrusts claims collection service to a person other than a claims collection agency, in violation of Article 27-2;
6. Any person who violates Article 32 (1) or (2) (including cases applied mutatis mutandis under Article 34) and a person who is provided with or uses personal credit information while knowing the circumstance;
7. Any person who violates Article 33 (including cases applied mutatis mutandis under Article 34);
7-2. A person who processes pseudonymized information for the purpose of uniquely identifying an individual for profit-making or improper purposes, in violation of Article 40-2 (6);
8. Any person who violates Article 42 (4).
(3) Any of the following persons shall be punished by imprisonment for not more than three years or by a fine not exceeding 30 million won: <Amended on Feb. 4, 2020>
1. Any person who conducts business during a period of business suspension under Article 14 (2);
1-2. A person who provides a client with false information, in violation of Article 22-7 (1) 1;
1-3. A person who forces a request for investigation of credit information, in violation of Article 22-7 (1) 2;
1-4. A person who forces a person subject to investigation of credit information to provide investigation data and answers;
1-5. A person who investigates privacy or the like, other than commercial transaction relationships including financial transactions, in violation of Article 22-7 (1) 4;
2. A person, not being a credit information collection agency, who establishes the Common Computer Network under Article 25 (6);
3. A person who finds out a certain person's whereabouts, etc., in violation of the main clause of Article 40 (1) 4;
3-2. A person who uses titles, including "intelligence service agent", "detective", or other titles similar thereto, in violation of Article 40 (1) 5;
4. Any person who violates Article 41 (1);
5. Any person who has failed to verify whether an agent of recruitment business has used illegally acquired credit information in the recruitment business, etc., in violation of Article 41-2 (1).
(4) Any of the following persons shall be punished by imprisonment for not more than one year or by a fine not exceeding 10 million won: <Amended on Feb. 4, 2020>
1. A person who becomes the largest shareholder through the acquisition, etc. of shares in a credit information company, MyData company, or claims collection agency, without obtaining approval from the Financial Services Commission, in violation of Article 9 (1);
1-2. Any person who fails to apply for approval, in violation of Article 9 (2);
2. Any person who fails to dispose of stocks obtained without approval, in violation of an order under Article 9 (3);
3. Deleted; <Feb. 4, 2020>
4. Any person who violates Article 18 (2);
5. Any person who violates Article 20 (2);
6. Any person who renders claims collection service without registering with the Financial Services Commission as a delegated claims collector, in violation of Article 27 (3);
7. Any person who violates Article 27 (4).
8. Any person who, in violation of Article 27 (5), collects claims that are not the object of collection, or who renders claims collection service through a delegated claims collector who is not registered, or who has been registered with another claims collection agency, or who is suspended from his/her business;
9. Any person who renders claims collection service during a period of business suspension under Article 27 (7).
[This Article Wholly Amended on Mar. 11, 2015]
 Article 51 (Joint Penalty Provisions)
Where the representative of a juristic person, or the agents, employees, or any other person employed by a juristic person or individual violates the provisions of Article 50 in connection with business of the juristic person or individual, the fine referred to in the relevant Article shall be imposed upon the juristic person or individual concerned in addition to the violator: Provided, That in cases where the juristic person or individual has not been negligent in exercising due care and oversight in relation to the relevant business to prevent such violation, this shall not apply.
 Article 52 (Administrative Fines)
(1) Any of the following persons shall be subject to an administrative fine not exceeding 100 million won: <Newly Inserted on Feb. 4, 2020>
1. A person who fails to file a report or files a false report, in violation of Article 9-2 (2);
2. A person who fails to comply with a request from the Financial Services Commission to provide data or information under Article 9-2 (3) or provides false data or information;
(2) Any of the following persons shall be subject to an administrative fine not exceeding 50 million won: <Amended on Apr. 18, 2017; Nov. 28, 2017; Feb. 4, 2020>
1. A person who, even though he or she is not a permitted credit information company, MyData company, or claims collection agency, uses in his or her trade name or name, any expression containing credit information, credit investigation, personal credit rating, credit management, MyData, claims collection, or any other name similar thereto, in violation of Article 12;
2. A person who violates Article 15 (2);
2-2. A person who transfers information without pseudonymization or anonymization, in violation of Article 17-2 (2);
3. A person who violates Article 19;
4. A person who violates Article 20 (6);
4-2. A person who collects credit information, in violation of Article 22-9 (3);
4-3. A person who transmits personal credit information, in violation of Article 22-9 (4) or (5);
4-4. A claims collection agency where its delegated claims collector violates Article 27 (9) 1: Provided, That this shall not apply to cases where the claims collection agency does not neglect to pay due diligence to the management of the relevant services in order to prevent such violation;
5. A person who violates Article 32 (4) or (5) (including cases to which it applies mutatis mutandis under Article 34);
5-2. A person who fails to separately retain information, in violation of Article 39-2 (3);
6. A person who fails to terminate an entrustment contract with an agent of recruitment business, in violation of Article 41-2 (2);
7. A person who fails to comply with any order under Article 45 (2) through (4) or refuses, obstructs, or evades any inspection or request thereunder;
8. A person who fails to submit a report or submits an untruthful report in violation of Article 47.
(3) Any of the following persons shall be subject to an administrative fine not exceeding 30 million won: <Amended on Nov. 28, 2017; Feb. 4, 2020>
1. A person who violates Article 17 (4);
2. A person who violates Article 20 (1) or (3);
2-2. A person who fails to designate a credit information administrator or guardian, in violation of Article 20 (3) or (4);
3. A person who violates Article 20-2 (2);
4. A person who violates Article 21;
4-2. A person who performs a credit rating, in violation of Article 22-4 (1) or (2);
4-3. A person who commits an unfair practice, in violation of Article 22-4 (3);
4-4. A person who performs a credit rating, in violation of Articles 22-5 (1) and 22-6 (1);
4-5. A person who violates Article 22-5 (2);
4-6. A person who violates Article 22-5 (3);
4-7. A person who violates Article 22-6 (2);
4-8. A person who violates Article 22-6 (3);
4-9. A person who violates Article 22-9 (1);
4-10. A person who violates Article 22-9 (2);
5. Any person who violates Article 23 (5);
5-2. A claims collection agency where its delegated claims collector violates Article 27 (9) 2: Provided, That this shall not apply to cases where the claims collection agency does not neglect to pay due diligence to the management of the relevant services in order to prevent such violation;
6. A person who violates Article 32 (8) or (9) (including cases to which it applies mutatis mutandis under Article 34);
6-2. A person who fails to transmit personal credit information, in violation of Article 33-2 (3) and (4);
6-3. A person who fails to inform a credit subject of the matters to be informed, in violation of Article 34-2 (1);
6-4. A person who fails to comply with a request made by a credit data subject, in violation of the proviso of Article 34-2 (3);
6-5. A person who fails to inform that separate requests may be made, in violation of Article 34-2 (4);
6-6. A person who fails to give a notice, in violation of Article 35-3 (1);
7. A person who violates Article 31 (1) or (3);
7-2. A person who fails to provide explanations, in violation of Article 36-2 (1);
8. Any person who violates Article 37 (3);
9. A person who violates Article 38 (3) through (6) or (8);
10. A person who violates Article 38-2;
11. A person who violates Article 38-3;
12. Any person who violates Article 39;
13. A person who fails to inform a credit data subject of the matters provided in the subparagraphs of Article 39-4 (1), in violation of that paragraph;
14. A person who fails to report the result of measures taken, in violation of Article 39-4 (3);
15. A person who uses information to transmit any advertising information for profit-making purposes, in violation of Article 40 (2);
16. A person who fails to separately retain or erase additional information used for pseudonymization, in violation of Article 40-2 (1);
17. A person who fails to formulate and implement technical, physical, and administrative security measures for pseudonymized personal credit information, in violation of Article 40-2 (2);
18. A person who fails to cease processing or to delete information immediately, in violation of Article 40-2 (7);
(4) A person who violates Article 10 (4) or 17 (7) shall be subject to an administrative fine not exceeding 20 million won: <Amended on Feb. 4, 2020>
(5) Any of the following persons shall be subject to an administrative fine not exceeding 10 million won: <Amended on Apr. 18, 2017; Dec. 31, 2018; Feb. 4, 2020>
1. A person who violates Article 8 (1);
2. A person who violates Article 11 (1) or (2) or Article 13;
2-2. A person who engages in incidental business affairs without filing a report with the Financial Services Commission, in violation of Article 11-2 (1);
2-3. A person who has failed to comply with an order for restriction or correction issued by the Financial Services Commission under Article under Article 11-12 (8);
2-4. A person who engages in ordinary course of business for another profit-making corporation without approval from the Financial Services Commission, in violation of Article 13;
3. Deleted; <Feb. 4, 2020>
4. A person who violates Article 17 (5);
5. A person who violates Article 18 (1);
6. A person who violates Article 20-2 (1), (3) or (4);
7. A person who fails to submit a report to the Financial Services Commission, in violation of Article 22-2;
7-2. A person who fails to formulate the regulations on the management of users, in violation of Article 22-6 (4);
8. A person who fails to present a certificate in conducting claims collection business, in violation of Article 27 (8);
9. Any person who violates Article 31;
10. A person who violates Article 32 (3), (7) or (10) (including cases to which it applies mutatis mutandis under Article 34);
11. A person who violates Article 35;
11-2. A person who fails to provide explanations to the relevant credit data subject, in violation of Article 35-2;
11-3. A person who fails to retain records regarding the pseudonymization or anonymization of personal credit information, in violation of Article 40-2 (8);
12. A person who fails to notify the termination of an entrustment contract, in violation of Article 41-2 (3);
13. Deleted; <Apr. 18, 2017>
14. Deleted; <Apr. 18, 2017>
(6) Administrative fines provided in paragraphs (1) through (5) shall be imposed and collected by the Financial Services Commission, as prescribed by Presidential Decree: Provided, That administrative fines under paragraphs (2) through (5) related to a violation of the regulations for protecting information in commercial transactions by an enterprise or corporation involved in commercial transactions shall be imposed and collected by the Protection Commission, as prescribed by Presidential Decree. <Amended on Feb. 4, 2020>
(7) Where a claims collection agency falling under the main clause of paragraph (2) 4-2 receives a criminal punishment pursuant to the Fair Debt Collection Practices Act, an administrative fine shall not be imposed on such agency, and where the claim collection agency receives a criminal punishment after an administrative fine has been imposed, the imposition of such administrative fine shall be revoked. <Newly Inserted by Nov. 28, 2017; Feb. 4, 2020>
[This Article Wholly Amended on Mar. 11, 2015]
ADDENDA <Act No. 9617, Apr. 1, 2009>
Article 1 (Enforcement Date)
This Act shall enter into force six months after the date of its promulgation.
Article 2 (Applicability to Use of Similar Names)
No person who has used the title "credit rating" or similar in his/her trade name before the Credit Information Use and Protection Act enters into force as amended by Act No. 6428, shall be governed by the amended provisions of Article 12.
Article 3 (Special Cases concerning Provision and Utilization of Personal Credit Information)
Where a credit information provider/user has established commercial transaction relationships, including financial transactions, with an owner of credit information by verifying his/her personal credit information and obtaining consent therefrom under the amended provisions of Article 32 (1) before this Act enters into force, if a credit information provider/user intends to obtain personal credit information of the owner of credit information for the purpose of maintaining and managing such commercial transaction relationship, including financial transactions, the amended provisions of Article 32 (2) shall not apply.
Article 4 (Transitional Measures concerning Credit Information Business Owner)
A credit information business owner licensed to engage in credit information business pursuant to the previous provisions at the time this Act enters into force shall be deemed to have been licensed as a credit information company under this Act.
Article 5 (Transitional Measures concerning Penalty Provisions and Administrative Fines)
Where penalty provisions or administrative fines have been imposed against any act conducted before this Act enters into force, the previous provisions shall apply.
Article 6 (Transitional Measures concerning Credit Investigation Company)
(1) Where a person who has been licensed to engage in credit investigation business in accordance with the Credit Investigation Business Act repealed by the Credit Information Use and Protection Act (Act No. 4866), meets the capital requirements under the amended provisions of Article 6 (2) 1, notwithstanding the amended provisions of Article 5 (1), he/she may be licensed to engage in credit inquiry business. If he/she meets the capital requirements under the amended provisions of Article 6 (2) 2, notwithstanding the amended provisions of Article 5 (1), he/she may be licensed to engage in claims collection business.
(2) Where a person who has been licensed to engage in credit investigation business under paragraph (1), intends to transfer such business, the transferee shall be a juristic person licensed to engage in credit information business under the amended provisions of Article 4 (2).
Article 7 (Transitional Measures concerning Permit for Modification)
A person licensed for modification of his/her credit information business in accordance with the previous provisions at the time this Act enters into force shall be deemed to have declared or reported such modification under the amended provisions of Article 8.
Article 8 (Transitional Measures concerning Approval for Change in Controlling Shareholder)
The controlling shareholder of a credit information company at the time this Act enters into force shall be deemed to have been approved for the change in controlling shareholder under the amended provisions of Article 9.
Article 9 (Transitional Measures concerning Disqualifications for Persons Engaged in Credit Information Business)
Where any person engaged in credit information business at the time this Act enters into force is disqualified under the amended provisions of Articles 22 (1), 27 (1) and 28, on grounds that occurred before this Act enters into force, notwithstanding such amended provisions, the previous provisions shall apply.
Article 10 (Transitional Measures concerning Registration of Delegated Claims Collector)
Notwithstanding the amended provisions of Article 27 (5), a claims collection agency may render claims collection service through its own delegated claims collectors unregistered in accordance with the amended provisions of Article 27 (3) as of the date this Act enters into force: Provided, That they shall be registered pursuant to the amended provisions of Article 27 (3) within three months from the date this Act enters into force, and no claims collection agency shall render any claims collection service through any delegated claims collector unregistered after the aforementioned period lapses.
Article 11 (Transitional Measures concerning Establishment of Association, etc.)
An incorporated credit information association established by the Civil Act before this Act enters into force shall be deemed the Credit Information Companies Association established under the amended provisions of Article 44.
Article 12 Omitted.
Article 13 (Relationship with other Statutes)
In the event that other statutes cite the previous provisions of the Credit Information Use and Protection Act at the time this Act enters into force, if the cited provisions exist in this Act, the provisions of this Act shall be deemed to have been cited in lieu of the previous provisions.
ADDENDA <Act No. 10228, Apr. 5, 2010>
Article 1 (Enforcement Date)
This Act shall enter into force three months after the date of its promulgation.
Articles 2 through 5 Omitted.
ADDENDA <Act No. 10465, Mar. 29, 2011>
Article 1 (Enforcement Date)
This Act shall enter into force six months after the date of its promulgation. (Proviso Omitted.)
Articles 2 through 7 Omitted.
ADDENDUM <Act No. 10690, May 19, 2011>
This Act shall enter into force three months after the date of its promulgation.
ADDENDA <Act No. 11690, Mar. 23, 2013>
Article 1 (Enforcement Date)
(1) This Act shall enter into force on the date of its promulgation.
(2) Deleted.
Articles 2 through 7 Omitted.
ADDENDA <Act No. 11845, May 28, 2013>
Article 1 (Enforcement Date)
This Act shall enter into force three months after the date of its promulgation. (Proviso Omitted.)
Articles 2 through 17 Omitted.
ADDENDA <Act No. 12844, Nov. 19, 2014>
Article 1 (Enforcement Date)
This Act shall enter into force on the date of its promulgation. (Proviso Omitted.)
Articles 2 through 7 Omitted.
ADDENDA <Act No. 13216, Mar. 11, 2015>
Article 1 (Enforcement Date)
This Act shall enter into force six months after the date of its promulgation: Provided, That the amended provisions of Articles 20-2 and 32, subparagraph 3 of Article 33, Articles 34, 35, 38-2, and 38-3 shall enter into force one year after the date of its promulgation.
Article 2 (Applicability to Investment Requirements of Credit Information Companies)
The amended provisions of Article 14 (1) 2 shall apply beginning with the first credit information company, the stocks of which are listed on the securities market under Article 8-2 (4) 1 of the Financial Investment Services and Capital Market Act after this Act enters into force.
Article 3 (Applicability to Cancellation of Permission or Authorization)
The amended provisions of Article 14 (1) 5 shall apply beginning with the first credit information company that receives a disposition of business suspension after this Act enters into force.
Article 4 (Applicability to Business Suspension)
(1) The amended provisions of Article 14 (2) 4 and 8 shall apply beginning with the first credit information company that commits a violation after this Act enters into force.
(2) The amended provisions of Article 14 (2) 6 shall apply beginning with the first credit bureau that provides credit information to its affiliated company, etc. after this Act enters into force.
Article 5 (Applicability to Imposition of Penalty Surcharges)
The amended provisions of Article 42-2 shall apply beginning with the first credit information company, etc. which commits a violation after this Act enters into force.
Article 6 (Applicability to Liability to Compensate for Damage)
The amended provisions of Article 43 shall apply beginning with the credit information company, etc. or any other credit information user that assumes responsibility to compensate for damage due to divulgence of credit information after this Act enters into force.
Article 7 (Applicability to Responsibility for Statutory Damages)
The amended provisions of Article 43-2 shall apply beginning with the first credit information company, etc. or any other credit information user that assumes responsibility to compensate for damage due to divulgence of credit information after this Act enters into force.
Article 8 (Transitional Measures concerning Incidental Services or Concurrent Operation of Business Services of Credit Bureaus)
(1) Where a credit bureau has been conducting any incidental service under the former provisions of Article 4 (1) or concurrent operation of business services under Article 11 as at the time this Act enters into force, the existing contracts shall be governed by the former provisions for three years after this Act enters into force, notwithstanding the amended provisions of Articles 4 (1) 1 and 11 (2).
(2) Notwithstanding the amended provisions of Article 4 (1) 1, a credit bureau may render the service to notify the change of addresses of owners of credit information on behalf of the information owner for one and a half year after this Act enters into force.
Article 9 (Transitional Measures concerning Outsourcing of Processing of Credit Information)
Notwithstanding the amended provisions of Article 17, the processing of credit information that has been outsourced under the former provisions as at the time this Act enters into force shall be governed by the former provisions.
Article 10 (Transitional Measures concerning Deletion of Personal Credit Information)
Notwithstanding the amended provisions of Article 20-2 (2), a credit information provider/user who keeps personal credit information for which five years have passed after the commercial relationship was terminated as at the time Article 20-2 (2) enters into force, shall delete the relevant personal credit information within three months after the same amended provisions enters into force.
Article 11 (Transitional Measures concerning Registration, etc. of Credit Information Collection Agency)
(1) A credit information collection agency registered under the former provisions as at the time this Act enters into force shall be deemed permitted by the Financial Services Commission under the amended provisions of Article 25: Provided, That the relevant credit information collection agency shall fulfill the requirements under this Act and obtain permission from the Financial Services Commission within six months after this Act enters into force.
(2) The Credit Information Council established under the Committee for Centralized Management of Credit Information under the former provisions as at the time this Act enters into force shall be deemed the Committee for Intensive Management of Credit Information under the amended provisions of Article 26: Provided, That the relevant credit information collection agency shall satisfy the amended provisions of Article 26-2 before applying for permission with the Financial Services Commission under the proviso to paragraph (1).
Article 12 (Transitional Measures concerning Consent to Provision and Utilization of Personal Credit Information)
Where any personal credit information has been provided and utilized legitimately by a credit information provider/user under the former provisions as at the time the amended provisions of Article 32 enter into force, it shall be deemed that the consent is obtained under the same amended provisions.
Article 13 (Transitional Measures concerning Provision and Use of Personal Identification Information)
Where a credit information provider/user has obtained a consent for provision and use of any personal identification information under the former provisions as at the time the amended provisions of Article 34 enter into force, it shall be deemed that the consent has been obtained under the amended provisions.
Article 14 (Transitional Measures concerning Penalty and Administrative Fines)
The application of penalty or administrative fines for any offence committed before this Act enters into force shall be governed by the former provisions.
Article 15 Omitted.
ADDENDA <Act No. 13337, Jun. 22, 2015>
Article 1 (Enforcement Date)
This Act shall enter into force on the date of its promulgation.
Articles 2 through 5 Omitted.
ADDENDA <Act No. 14122, Mar. 29, 2016>
Article 1 (Enforcement Date)
This Act shall enter into force six months after the date of its promulgation.
Articles 2 through 5 Omitted.
ADDENDA <Act No. 14823, Apr. 18, 2017>
Article 1 (Enforcement Date)
This Act shall enter into force six months after the date of its promulgation.
Article 2 (Applicability to Limitations on Qualification for Executive Officers or Employees)
The amended provisions of Articles 22 (1) 8 and 27 (1) 9 shall apply beginning with the first person who falls under any such cause for limiting qualification for executive officers or employees as occurs after this Act enters into force.
Article 3 (Applicability to Period for Collecting Additional Dues)
The amended provisions of the latter part of Article 42-2 (5) shall also apply to cases of having failed to pay an additional due within the time limit for payment before this Act enters into force, but an additional due shall not be collected with respect to the period elapsed after this Act enters into force, if the time limit for more than 60 months has elapsed since the time limit for its collection expired as at the time this Act enters into force.
Article 4 (Applicability to Notification of Content of Measures for Retired Executive Officers, etc.)
The amended provisions of Article 46 shall also apply to the executive officers and employees who have committed any violation before this Act enters into force, but retires thereafter.
Article 5 (Transitional Measures concerning Incompetent Persons, etc.)
Notwithstanding the amended provisions of Articles 22 (1) 2 and 27 (1) 2, the former provisions shall apply to persons who have already been declared incompetent or quasi-incompetent as at the time this Act enters into force and for whom such declaration remains effective under Article 2 of the addenda of partial amendment to the Civil (Act No. 10429).
Article 6 (Transitional Measures concerning Demand for Suspension of Performance of Duties of Executive Officers)
Notwithstanding the amended provisions of Article 45 (7) 4, the former provisions shall apply to any violations committed before this Act enters into force.
ADDENDA <Act No. 14839, Jul. 26, 2017>
Article 1 (Enforcement Date)
This Act shall enter into force on the date of its promulgation: Provided, That among the Presidential Decrees amended pursuant to Article 5 of this Addenda, the parts amending the Presidential Decrees the enforcement dates of which do not yet arrive shall enter into force on the dates on which the relevant Presidential Decrees enter into force, respectively.
Articles 2 through 6 Omitted.
ADDENDUM <Act No. 15146, Nov. 28, 2017>
This Act shall enter into force six months after the date of its promulgation.
ADDENDUM <Act No. 15748, Aug. 14, 2018>
This Act shall enter into force on the date of its promulgation.
ADDENDUM <Act No. 15933, Dec. 11, 2018>
This Act shall enter into force on the date of its promulgation.
ADDENDUM <Act No. 16188, Dec. 31, 2018>
This Act shall enter into force on the date of its promulgation.
ADDENDA <Act No. 16930, Feb. 4, 2020>
Article 1 (Enforcement Date)
This Act shall enter into force six months after the date of its promulgation.
Articles 2 through 10 Omitted.
ADDENDA <Act No. 16957, Feb. 4, 2020>
Article 1 (Enforcement Date)
This Act shall enter into force six months after the date of its promulgation: Provided, That each of the following amended provisions shall enter into force on date set forth in the relevant subparagraph:
1. The amended provisions of Articles 33-2, 34-2, 34-3, 45-5, and 52 (3) 6-2 through 6-5: The date prescribed by Presidential Decree within one year after this Act is promulgated;
2. The amended provisions of Articles 22-9 (3) through (7) and 52 (2) 4-2 and 4-3: The date prescribed by Presidential Decree within one year and six months after this Act is promulgated.
Article 2 (Applicability to Permission for Corporate Credit Inquiry Business)
The amended provisions of Article 5 (4) shall begin to apply where a person, who intends to engage in the business of providing corporate credit rating or technology credit rating services, applies for permission for corporate credit inquiry business concerning the relevant services, after this Act enters into force.
Article 3 (Applicability to Approval for Change in Controlling Shareholders)
The amended provisions of Article 9 shall begin to apply to cases that fail to meet the requirements for approval for change in controlling shareholders under the relevant amended provisions due to a reason that arises after this Act enters into force.
Article 4 (Applicability to Examining Qualifications of Largest Shareholder)
The amended provisions of Article 9-2 shall begin to apply where a person fails to meet requirements for maintaining qualification due to an event that occurs after this Act enters into force.
Article 5 (Applicability to Qualifications of Executive Officers)
The amended provisions of Articles 22 (1) and (2) and 22-8 shall begin to apply the executive officers appointed (including those consecutively appointed) after this Act enters into force.
Article 6 (Special Cases concerning Permission for Credit Information Business)
(1) A person who engages in credit information business at the time of the promulgation of this Act may, within the scope of business which he or she is engaged in, report to the Financial Services Commission upon satisfying the requirements for maintenance under Article 6 (4), within two months from the date on which four months lapse after the promulgation of this Act.
(2) Upon receipt of a report under paragraph (1), the Financial Services Commission shall examine whether the reporting person satisfies the requirements for maintaining authorization under Article 6 (4), and shall give notice of the results thereof to the reporting person no later than the day immediately before the enforcement date of this Act. In such cases, the person, who receives notice confirming that it satisfies the requirements for maintaining authorization under Article 6 (4), shall be deemed to have obtained permission for credit information business on the enforcement date of this Act. <Amended on Feb. 29, 2008>
(3) A person who filed a report under paragraph (1) may continue the business he or she is engaged in, for the six-month period from the enforcement of this Act, even if the person receives the notice that it has failed to satisfy the requirements for maintaining authorization under Article 6 (4). In such cases, the business shall be deemed credit information business under this Act within the scope of the business he or she is engaged in.
(4) A person who filed a report may, upon receipt of the notice under paragraph (2) informing that he or she has failed to satisfy the requirements for maintaining authorization under Article 6 (4), file another report with the Financial Services Commission within three months from the enforcement date of this Act, upon satisfying the requirements.
(5) Upon receipt of a report under paragraph (4), the Financial Services Commission shall examine whether the reporting person satisfies requirements for maintaining authorization under Article 15 or the requirements for maintaining registration under Article 20, and shall give notice of the results thereof to the reporting person within six months from the enforcement date of this Act.
Article 7 (Transitional Measures concerning MyData Business)
A person who is engaged in a MyData business shall satisfy the requirements prescribed in this Act and obtain permission from the Financial Services Commission within six months after this Act enters into force.
Article 6 (Transitional Measure concerning Modification of Qualifications of Executive Officers)
Notwithstanding the amended provisions of Article 22 (1) and (2) and 22-8, the previous provisions concerning qualifications of executive officers incumbent at the time this Act enters into force shall apply until their terms of office end.
Article 9 (Transitional Measures concerning Public Notification of Credit Information Utilization Status)
(1) A public notice of a credit information utilization status under the previous provisions as at the time this Act enters into force shall be deemed a public notice of a credit information utilization status under the amended provisions of Article 31 (1).
(2) A credit information company, etc. shall amend the credit information utilization status referred to in paragraph (1) to meet the purport of amending Article 31 (1) within six months after this Act enters into force.
Article 10 (Transitional Measures concerning Consent to Use of Personal Credit Information)
Consent obtained from a credit data subject under the previous provisions as at the time this Act enter into force shall be deemed consent obtained under the amended provisions of Articles 34-2 and 34-3.
Article 11 (Transitional Measures concerning Penalty Provisions)
(1) The previous penalty provisions and the previous provisions concerning administrative fines shall apply to acts committed before this Act enters into force.
(2) Imposition disposition of penalty surcharges or any other administrative disposition against any act committed before this Act enters into force shall be governed by the previous provisions.
Article 12 Omitted.
Article 13 (Relationship to other Statutes or Regulations)
Where other statutes or regulations cite the previous provisions of the Credit Information Use and Protection Act at the time this Act enters into force, when the cited provisions exist in this Act, the provisions of this Act shall be deemed to have been cited in lieu of the previous provisions.
ADDENDA <Act No. 17354, Jun. 9, 2020>
Article 1 (Enforcement Date)
This Act shall enter into force six months after the date of its promulgation. (Proviso Omitted.)
Articles 2 through 8 Omitted.
ADDENDA <Act No. 17799, Dec. 29, 2020>
Article 1 (Enforcement Date)
This Act shall enter into force one year after the date of its promulgation. (Proviso Omitted.)
Articles 2 through 26 Omitted.
ADDENDUM <Act No. 18124, Apr. 20, 2021>
This Act shall enter into force three months after the date of its promulgation.
ADDENDA <Act No. 19234, Mar. 14, 2023>
Article 1 (Enforcement Date)
This Act shall enter into force six months after the date of its promulgation. (Proviso Omitted.)
Articles 2 through 11 Omitted.