Korean PIPA Legal Text

The purpose of this Act is to protect the freedom and rights of individuals, and further, to realize the dignity and value of the individuals, by prescribing the processing and protection of personal information.

The terms used in this Act are defined as follows:

1. The term "personal information" means any of the following information relating to a living individual:
   • (a) Information that identifies a particular individual by his or her full name, resident registration number, pictures, etc.;
   • (b) Information which, even if it by itself does not uniquely identify an individual, may be easily combined with other information to uniquely identify an individual. In such cases, whether or not there is ease of combination shall be determined by reasonably considering the time, cost, technology, etc. used to identify the individual such as likelihood that the other information can be procured;
   • (c) Information under items (a) or (b) above that is pseudonymized in accordance with subparagraph 1-2 below and thereby becomes incapable of uniquely identifying an individual without the use or combination of information for restoration to the original state (hereinafter referred to as “pseudonymized information”);
   1-2. The term “pseudonymization” means a procedure to process personal information so that the information cannot uniquely identify an individual without additional information, by erasing in part, or replacing in whole or in part, such information;
2. The term “processing” means the collection, generation, connecting, interlocking, recording, storage, retention, value-added processing, editing, searching, output, correction, recovery, use, provision, disclosure, and destruction of personal information and other similar activities;
3. The term “data subject” means an individual who is identifiable through the information processed and is the subject of that information;
4. The term “personal information file” means a set or sets of personal information arranged or organized in a systematic manner based on a certain rule for easy search of the personal information;
5. The term “personal information controller” means a public institution, legal person, organization, individual, etc. that processes personal information directly or indirectly to operate the personal information files as part of its work;
6. The term "public institution" means any of the following institutions:
   • (a) The administrative bodies of the National Assembly, the Courts, the Constitutional Court, and the National Election Commission; the central administrative agencies (including agencies under the Presidential Office and the Prime Minister’s Office) and their affiliated entities; and local governments;
   • (b) Other national agencies and public entities prescribed by Presidential Decree;
7. The term "fixed visual data processing device" means a device prescribed by Presidential Decree, which is installed at a certain place to continuously or regularly takes pictures of persons or things, etc. or transmits such pictures via a wired or wireless network;
   
   7-2. The term "mobile visual data processing device" means a device prescribed by Presidential Decree, which a person can wear or carry or which can be attached to or mounted on a movable object to take pictures of persons or things, etc. or to transmit such pictures through a wired or wireless network;
8. The term “scientific research” means research that applies scientific methods, such as technological development and demonstration, fundamental research, applied research and privately funded research.

(1) The personal information controller shall specify explicitly the purposes for which personal information is processed; and shall collect personal information lawfully and fairly to the minimum extent necessary for such purposes.

(2) The personal information controller shall process personal information in an appropriate manner necessary for the purposes for which the personal information is processed, and shall not use it beyond such purposes.

(3) The personal information controller shall ensure personal information is accurate, complete, and up to date to the extent necessary in relation to the purposes for which the personal information is processed.

(4) The personal information controller shall manage personal information safely according to the processing methods, types, etc. of personal information, taking into account the possibility of infringement on the data subject’s rights and the severity of the relevant risks.

(5) The personal information controller shall make public its Privacy Policy under Article 30 and other matters related to personal information processing, and shall guarantee the data subject’s rights, such as the right to request access to his or her personal information.

(6) The personal information controller shall process personal information in a manner to minimize the possibility of infringing the privacy of a data subject.

(7) If it is still possible to fulfill the purposes of collecting personal information by processing anonymized or pseudonymized personal information, the personal information controller shall endeavor to process personal information through anonymization, where anonymization is possible, or through pseudonymization, if it is impossible to fulfill the purposes of collecting personal information through anonymization.

(8) The personal information controller shall endeavor to obtain trust of data subjects by observing and performing such duties and responsibilities as provided for in this Act and other related statutes or regulations.

A data subject has the following rights in relation to the processing of his or her own personal information:

1. The right to be informed of the processing of such personal information;
2. The right to determine whether or not to consent and the scope of consent regarding the processing of such personal information;
3. The right to confirm whether personal information is being processed and to request access (including the provision of copies; hereinafter the same applies) to and transmission of such personal information;
4. The right to suspend the processing of, and to request correction, erasure, and destruction of such personal information;
5. The right to appropriate redress for any damage arising out of the processing of such personal information through a prompt and fair procedure.
6. The right to refuse to accept a decision made through a fully automated processing of personal information or to request an explanation thereof.

(1) The State and local governments shall formulate policies to prevent harmful consequences of beyondpurpose collection, abuse and misuse of personal information, indiscrete surveillance and tracking, etc. and to enhance the dignity of human beings and to ensure the protection of individual privacy.

(2) The State and local governments shall establish policy measures, such as improving statutes or regulations, necessary to protect the data subject's rights as provided in Article 4.

(3) The State and local governments shall formulate policies necessary for protecting the personal information of children under 14 years of age so that such children can clearly understand the effects of the processing of personal information and the rights of data subjects, etc.

(4) The State and local governments shall respect, promote, and support self-regulating data protection activities of personal information controllers to improve unreasonable social practices relating to the processing of personal information.

(5) When applying statutes or regulations or municipal ordinances regarding the processing of personal information, the State and local governments shall be in conformity with the principles of information protection to guarantee the rights of data subjects.

(1) Except as otherwise provided in other statutes, the processing and protection of personal information shall be governed by this Act.

(2) An enactment of other statutes or amendment to existing statutes regarding the processing and protection of personal information shall be made fit for the purpose and principles of this Act.

(1) The Personal Information Protection Commission (hereinafter referred to as the “Protection Commission”) shall be established under the Prime Minister to independently perform business affairs relating to the protection of personal information.

(2) The Protection Commission shall be deemed a central administrative agency under Article 2 of the Government Organization Act: Provided, That Article 18 of the Government Organization Act shall not apply to any of the following matters:

1. Business affairs specified in subparagraphs 3 and 4 of Article 7-8;
2. Matters falling under subparagraph 1 among those to be deliberated and resolved on under Article 7-9 (1).

(1) The Protection Commission shall be comprised of nine Commissioners including two Standing Commissioners (one Chairperson and one Vice Chairperson).

(2) Commissioners of the Protection Commission shall be selected from among any of the following persons with sufficient experience and expertise in the protection of personal information, with the Chairperson and Vice Chairperson being proposed by the Prime Minister, two other Commissioners being proposed by Chairperson, two other Commissioners being recommended by the negotiation body of the political party to which the President belongs or belonged, and three other persons being recommended by another negotiation body and named or appointed by the President:

1. A person who serves, or served, as a public official of Grade III or higher (including public officials belonging to the Senior Executive Service) who is responsible for personal information protection;
2. A person who has been serving, or served, as a judge, prosecutor or lawyer for 10 years or longer;
3. A person who served as an officer at a public institution or group (including groups comprised of personal information controllers) for three years or longer or a person recommended by the above public institution or group who was in charge of personal information protection for three years or longer;
4. A person who has expertise in a field relating to personal information and has been serving, or served, as an associate professor or higher at a school set forth in subparagraph 1 of Article 2 of the Higher Education Act for five years or longer.

(3) The Chairperson and the Vice Chairperson shall be appointed from among public officials in political service.

(4) The Chairperson, Vice Chairperson and the head of the secretariat under Article 7-13 shall become cabinet member, notwithstanding Article 10 of the Government Organization Act.

(1) The Chairperson shall represent the Protection Commission, preside over meetings of the Protection Commission, and oversee the related business affairs.

(2) If the Chairperson cannot perform his or her duties for inevitable reasons, the Vice Chairperson shall act on his or her behalf, and if both the Chairperson and Vice Chairperson cannot perform his or her duties for inevitable reasons, another Commissioner, determined by the Protection Commission in advance, shall act on behalf of Chairperson.

(3) The Chairperson may attend the National Assembly and make statements in relation to the business affairs of the Protection Commission, and if required by the National Assembly, he or she shall attend the National Assembly to make a report or respond to questions.

(4) The Chairperson may attend a meeting of the State Council and recommend the Prime Minister to submit a bill concerning the business affairs under his or her jurisdiction.

(1) A Commissioner shall serve for a term of three years but may be consecutively appointed one time.

(2) When the post of a Commissioner becomes vacant, a new Commissioner shall be named or appointed without delay. In such cases, the term of the named or appointed succeeding Commissioner shall be newly commenced.

(1) No Commissioner shall be dismissed or de-commissioned against his or her will except in the following cases:

1. Where he or she is unable to perform his or her duties for a long period due to mental or physical disorder;
2. Where he or she falls under any ground for disqualification provided for in Article 7-7;
3. Where he or she violates his or her duties under this Act or any other Act.

(2) Each Commissioner shall independently perform his or her duties in compliance with statutes and his or her conscience.

(1) Each Commissioner shall neither concurrently engage in any of the following posts, nor engage in any work for profits related to his or her duties:

1. Member of the National Assembly or Local Council;
2. State or local public official; 3. Other positions prescribed by Presidential Decree.

(2) Matters relating to work for profit set forth in paragraph (1) shall be prescribed by Presidential Decree.

(3) A Commissioner shall not engage in political activities.

(1) Persons falling under any of the following cannot be a Commissioner:

1. Non-Korean national;
2. A person falling under any of the subparagraphs under Article 33 of the State Public Officials Act;
3. A party member set forth in Article 22 of the Political Parties Act.

(2) A Commissioner falling under any of the above subparagraphs 1 through 3 shall be automatically discharged from his or her position: Provided, That, in the case of subparagraph 2 of Article 33 of the State Public Officials Act, this only applies to a person who was declared bankrupt and did not apply for immunity within the application deadline, or received a confirmed decision of immunity disapproval or cancellation, according to the Debtor Rehabilitation and Bankruptcy Act; in the case of subparagraph 5 of Article 33 of the Same Act, this only applies to Articles 129 through 132 of the Criminal Act, Article 2 of the Act on Special Cases Concerning the Punishment of Sexual Crimes, subparagraph 2 of Article 2 of the Act on the Protection of Children and Youth against Sex Offenses and a person who committed a crime prescribed in Articles 355 or 356 of the Criminal Act with regard to his or her duties and received a suspended sentence of imprisonment without labor or a heavier punishment.

The Protection Commission shall perform the following affairs:

1. Matters relating to the improvement of statutes or regulations relating to personal information protection;
2. Matters relating to the establishment or execution of policies, systems or plans relating to personal information protection;
3. Matters relating to investigation into infringement upon the right of data subjects and the ensuing dispositions;
4. Handling of complaints or remedial procedures relating to personal information processing and mediation of disputes over personal information;
5. Exchange and cooperation with international organizations and foreign personal information protection agencies to protect personal information;
6. Matters relating to the investigation and study, education and promotion of statutes or regulations, policies, systems and status relating to personal information protection;
7. Matters relating to support for and dissemination of technological development relating to personal information protection, the standardization of technologies, and nurturing of experts;
8. Matters provided in this Act and other statutes or regulations as affairs under the jurisdiction of the Protection Commission.

(1) The Protection Commission shall deliberate and resolve on the following matters:

1. Matters relating to the assessment of personal information breach incident factors under Article 8-2;
2. Establishment of the Master Plan referred to in Article 9 and the Implementation Plan referred to in Article 10;
3. Matters relating to the improvement of policies, systems, and law relating to personal information protection;
4. Matters relating to the coordination of positions taken by public institutions with respect to the processing of personal information;
5. Matters relating to the interpretation and operation of statutes or regulations related to the protection of personal information;
6. Matters relating to the use and provision of personal information under Article 18 (2) 5; 6-2. Matters relating to orders to suspend cross-border transfers of personal information under Article 28-9;
7. Matters relating to the results of the privacy impact assessment under Article 33 (4);
8. Matters relating to the imposition of penalty surcharges under Article 64-2;
9. Matters relating to the presentation of opinions and recommendation for improvement under Article 61;
   9-2. Matters concerning recommendations for correction pursuant to Article 63-2 (2);
10. Matters relating to corrective measures under Article 64;
11. Matters relating to accusation and recommendation for disciplinary actions under Article 65;
12. Matters relating to the publication of processing results and orders for publication under Article 66;
13. Matters relating to the imposition of administrative fines under Article 75;
14. Matters relating to the enactment, amendment and abolition of statutes or regulations under its jurisdiction and rules of the Protection Commission;
15. Matters referred to a meeting by Chairperson or at least two Commissioners of the Protection Commission with respect to the protection of personal information;
16. Other matters on which the Protection Commission deliberates or resolves pursuant to this Act or other statutes or regulations.

(2) The Protection Commission may take the following measures if necessary to deliberate and resolve matters provided in paragraph (1): 1. Listening to the opinions of relevant public officials, experts in personal information protection, civic organizations and relevant business operators; 2. Requesting submission of relevant materials or facts with respect to relevant agencies.

(3) Relevant agencies upon receipt of a request made under paragraph (2) 2 shall comply with the request unless there are extraordinary circumstances.

(4) Upon deliberating and resolving on matters provided in paragraph (1) 3, the Protection Commission may advise on the improvement of such matters to the relevant agency.

(5) The Protection Commission may inspect whether the details of its advice given under paragraph (4) has been implemented or not.

(1) Meetings of the Protection Commission shall be convened by the Chairperson when he or she deems it necessary or at the request of not less than 1/4 of all incumbent Commissioners.

(2) The Chairperson or at least two Commissioners of the Protection Commission may propose a bill to the Protection Commission.

(3) The quorum for holding meetings of the Protection Commission shall be the presence of a majority of its members enrolled, and any resolution shall require the affirmative votes of a majority of the members present.

(1) A Commissioner of the Protection Commission shall be excluded from deliberation and resolution on a case if:

1. The Commissioner or his or her current or former spouse is a party to the relevant case or is a joint right holder or a joint obligor with respect to the case;
2. The Commissioner is or was a relative of a party to the case;
3. The Commissioner has given any testimony, expert opinion, or legal advice with respect to the case;
4. The Commissioner is or was involved in the case as an agent or representative of a party to the case;
5. The Commissioner or a public institution, corporation or group where he or she belongs shares interests with a person who provides advice or other support for the case.

(2) Where the circumstances indicate that it would be impracticable to expect fair deliberations and resolutions by a Commissioner, any party may file a motion for challenge, and the Protection Commission shall make a decision by resolution.

(3) A Commissioner may recuse himself or herself from the case on the grounds provided in paragraph (1) or (2).

(1) The Protection Commission may have sub-commissions which will deliberate and resolve minor personal information breach cases or similar or repetitive matters to ensure more efficient work procedures.

(2) Each sub-commission shall be comprised of three members.

(3) Matters deliberated and resolved by the sub-commission pursuant to paragraph (1) shall be deemed deliberated and resolved by the Protection Commission.

(4) Resolution for a meeting of the sub-commission shall be made by the presence of all the members enrolled and affirmative votes of all members present.

The Protection Commission shall have a secretariat to perform business affairs, and matters that are not specified in this Act in relation to the organization of the Protection Commission shall be prescribed by Presidential Decree.

Matters that are not specified in this Act and other statutes in relation to the operation of the Protection Commission shall be prescribed by the rules of the Protection Commission.

(1) The head of a central administrative agency shall request the Protection Commission to assess the factors of personal information breach incident where a policy or system that entails personal information processing is adopted or changed by the enactment or amendment of any statute under his or her jurisdiction.

(2) Upon receipt of a request made pursuant to paragraph (1), the Protection Commission may advise the head of the relevant agency of the matters necessary to improve the relevant statute or regulation by analyzing and reviewing the personal information breach incident factors of such statute or regulation.

(3) Matters necessary for the procedure and method to assess the personal information breach incident factors under paragraph (1) shall be prescribed by Presidential Decree.

(1) The Protection Commission shall establish a Master Plan to protect personal information (hereinafter referred to as a “Master Plan”) every three years in consultation with the heads of relevant central administrative agencies to ensure the protection of personal information and the rights and interests of data subjects:

(2) The Master Plan shall include the following:

1. Basic goals and intended directions of the protection of personal information;
2. Improvement of systems and statutes or regulations related to the protection of personal information;
3. Measure to prevent personal information breaches;
4. Vitalization of self-regulation to protect personal information;
5. Promoting education and public relations to protect personal information;
6. Training of specialists in the protection of personal information;
7. Other matters necessary to protect personal information.

(3) The National Assembly, the Court, the Constitutional Court, and the National Election Commission may establish and implement its own Master Plan to protect personal information of relevant institutions (including affiliated entities).

(1) The head of a central administrative agency shall establish an implementation plan to protect personal information each year in accordance with the Master Plan and submit it to the Protection Commission, and shall execute the implementation plan subject to the deliberation and resolution of the Protection Commission.

(2) Matters necessary for the establishment and execution of the implementation plan shall be prescribed by Presidential Decree.

(1) To efficiently establish the Master Plan, the Protection Commission may request materials or opinions regarding the status of regulatory compliance, personal information management, etc. by personal information controllers from personal information controllers, the heads of relevant central administrative agencies, the heads of local governments and related organizations or associations, etc.

(2) The Protection Commission may conduct an investigation with respect to data controllers, the competent head of the central administrative departments or agencies and local governments, and the competent agencies and organizations about the level and actual status of how personal data is managed where necessary to implement policies for personal data protection and to evaluate performance, etc.

(3) The head of a central administrative agency may request the materials referred to in paragraph (1) from personal information controllers in the fields under his or her jurisdiction to efficiently establish and promote Implementation Plans.

(4) Any person upon receipt of a request to furnish the materials under paragraphs (1) through (3) shall comply with the request unless there are extraordinary circumstances.

(5) The scope and method to furnish the materials under paragraphs (1) through (3) and other necessary matters shall be prescribed by Presidential Decree.

(1) The Protection Commission shall conduct an annual assessment of central administrative agencies and institutions affiliated with such agencies, local governments, or any other institutions prescribed by Presidential Decree for the performance of policies and work for the protection of personal information and the compliance of obligations under this Act (hereinafter referred to as "assessment of the level of personal information protection").

(2) The Protection Commission may require the head of a relevant public institution to submit relevant materials where necessary for the assessment of the level of personal information protection.

(3) The Protection Commission may disclose the results of the assessment of the level of personal information protection on its website, etc.

(4) The Protection Commission may grant awards to exemplary institutions and employees belonging thereto according to the results of the assessment of the level of personal information protection, and recommend improvement to the head of a relevant public institutions, if deemed necessary for the protection of personal information. In such cases, the head of the public institution shall make good faith efforts to comply with the recommendation, and notify the Protection Commission of the results of the measures taken.

(5) Other matters necessary for the criteria, methods, and procedures for the assessment of the level of personal information protection, the scope of data to be submitted under paragraph (2), etc. shall be prescribed by Presidential Decree.

(1) The Protection Commission may establish the Standard Personal Information Protection Guidelines (hereinafter referred to as the “Standard Guidelines”) regarding the personal information processing standard, types of personal information breaches, preventive measures, etc., and recommend that personal information controllers comply with such Guidelines.

(2) The head of a central administrative agency may establish the personal information protection guidelines regarding the personal information processing in the fields under his or her jurisdiction in accordance with the Standard Guidelines; and may recommend that personal information controllers comply with such guidelines.

(3) The National Assembly, the Court, the Constitutional Court, and the National Election Commission may establish and implement its own personal information protection guidelines for each relevant institution (including affiliated entities).

The Protection Commission shall establish policies necessary for the following matters to promote and support self-regulating activities of personal information controllers to protect personal information:

1. Education and public relations concerning the protection of personal information;
2. Promotion and support of agencies and organizations related to the protection of personal information;
3. Introduction and facilitation of privacy mark;
4. Support for personal information controllers in the establishment and implementation of self-regulatory rules;
5. Other matters necessary to support the self-regulating data protection activities of personal information controllers.

(1) September 30 of each year shall be designated as the Personal Information Protection Day to raise awareness among citizens as to the importance of the protection and processing of personal information.

(2) The State and local governments may hold various events to spread the culture of personal information protection during the week in which the Personal Information Protection Day is included.

(1) The Government shall establish policy measures necessary to enhance the personal information protection standard in the international environment.

(2) The Government shall establish relevant policy measures so that the rights of data subjects may not be infringed on owing to cross-border transfers of personal information.

(1) A personal information controller may collect personal information in any of the following cases, and use it within the scope of the purpose of collection:

1. Where consent is obtained from a data subject;
2. Where special provisions exist in other statutes or it is unavoidable due to obligations under statutes or regulations;
3. Where it is unavoidable for a public institution’s performance of work under its jurisdiction as prescribed by statutes or regulations, etc.;
4. Where it is necessary to take measures at the request of a data subject in the course of performing a contract concluded with the data subject or concluding a contract;
5. Where it is deemed manifestly necessary for the protection, from imminent danger, of life, bodily and property interests of a data subject or a third party;
6. Where it is necessary to attain the legitimate interests of a personal information controller, which such interest is manifestly superior to the rights of the data subject. In such cases, processing shall be allowed only to the extent the processing is substantially related to the legitimate interests of the personal information controller and does not go beyond a reasonable scope.
7. Where it is urgently necessary for the public safety and security, public health, etc.

(2) A personal information controller shall inform a data subject of the following matters when it obtains consent under paragraph (1) 1. The same shall apply when any of the following is modified:

1. The purpose of the collection and use of personal information;
2. Particulars of personal information to be collected;
3. The period for retaining and using personal information;
4. The fact that the data subject is entitled to deny consent, and disadvantages, if any, resulting from the denial of consent.

(3) A personal information controller may use personal information without the consent of a data subject within the scope reasonably related to the initial purpose of the collection as prescribed by Presidential Decree, in consideration whether disadvantages have been caused to the data subject and whether necessary measures to ensure safety such as encryption have been taken.

(1) A personal information controller shall collect the minimum personal information necessary to attain the purpose when collecting personal information pursuant to Article 15 (1). In such cases, the burden of proof that the minimum personal information is collected shall be borne by the personal information controller.

(2) A personal information controller shall collect personal information by specifically informing a data subject of the fact that he or she may deny the consent to the collection of other personal information than the minimum information necessary in case of collecting the personal information with consent of the data subject.

(3) A personal information controller shall not refuse to provide goods or services to a data subject on ground that the data subject does not consent to the collection of personal information exceeding minimum requirement.

(1) A personal information controller may provide (or share; hereinafter the same shall apply) the personal information of a data subject to a third party in any of the following cases:

1. Where consent is obtained from the data subject;
2. Where the personal information is provided within the scope of purposes for which it is collected pursuant to Articles 15 (1) 2, 3, and 5 through 7.

(2) A personal information controller shall inform a data subject of the following matters when it obtains the consent under paragraph (1) 1. The same shall apply when any of the following is modified:

1. The recipient of personal information;
2. The purpose for which the recipient of personal information uses such information;
3. Particulars of personal information to be provided;
4. The period during which the recipient retains and uses personal information;
5. The fact that the data subject is entitled to deny consent, and disadvantages, if any, resulting from the denial of consent.

(3) (deleted)

(4) A personal information controller may provide personal information without the consent of a data subject within the scope reasonably related to the purposes for which the personal information was initially collected, in accordance with the matters prescribed by Presidential Decree taking into consideration whether disadvantages are caused to the data subject, whether measures necessary to secure safety, such as encryption, have been taken, etc.

(1) No personal information controller shall use personal information beyond the scope provided in Article 15 (1) or provide it to any third party beyond the scope provided in Articles 17 (1) and 28-8 (1).

(2) Notwithstanding paragraph (1), where any of the following subparagraphs applies, a personal information controller may repurpose personal information or provide it to a third party, unless doing so is likely to unfairly infringe on the interest of a data subject or third party: Provided, That subparagraphs 5 through 9 shall be applied only to public institutions:

1. Where separate consent is obtained from the data subject;
2. Where special provisions exist in other statutes;
3. Where it is deemed manifestly necessary for the protection, from imminent danger, of life, bodily and property interests of a data subject or a third party;
4. (deleted);
5. Where it is impossible to perform the work under its jurisdiction as provided in other statutes, unless the personal information controller repurposes personal information or provides it to a third party, and it is subject to the deliberation and resolution by the Commission;
6. Where it is necessary to provide personal information to a foreign government or international organization to perform a treaty or other international convention;
7. Where it is necessary for the investigation of a crime, institution and maintenance of a prosecution;
8. Where it is necessary for a court to proceed with trial-related work;
9. Where it is necessary for the enforcement of punishment, probation and custody;
10. Where it is urgently necessary for the public safety and security, public health, etc.

(3) A personal information controller shall inform the data subject of the following matters when it obtains the consent under paragraph (2) 1; the same shall apply when any of the following is modified:

1. The recipient of personal information;
2. The purpose of use of personal information (in the case of provision of personal information, it means the purpose of use by the recipient);
3. Particulars of personal information to be used or provided;
4. The period for retaining and using personal information (where personal information is provided, it means the period for retention and use by the recipient);
5. The fact that the data subject is entitled to deny consent, and disadvantages, if any, resulting from the denial of consent.

(4) Where a public institution repurposes personal information or provides it to a third party under paragraph (2) 2 through 6 and 8 through 10, the public institution shall post matters necessary for the legal basis for such use or provision, purpose, scope, and the like on the Official Gazette or on its website, as prescribed by Notification of the Protection Commission.

(5) Where a personal information controller provides personal information to a third party for another purpose in any case provided in any subparagraph of paragraph (2), the personal information controller shall request the recipient of the personal information to limit the purpose and method of use and other necessary matters, or to prepare necessary safeguards to ensure the safety of the personal information. In such cases, the person upon receipt of such request shall take measures necessary to ensure the safety of the personal information.

A person who receives personal information from a personal information controller shall not use the personal information, or provide it to a third party, for any purpose other than the intended one, except in the following circumstances:

1. Where separate consent is obtained from the data subject;
2. Where special provisions exist in other statutes.

(1) When a personal information controller processes personal information collected from sources other than data subjects, the personal information controller shall immediately notify the data subject of the following matters at the request of such data subject:

1. The source of collected personal information;
2. The purpose of processing personal information;
3. The fact that the data subject is entitled to request suspension of processing of personal information or to withdraw consent, as prescribed in Article 37.

(2) Notwithstanding paragraph (1), when a personal information controller satisfying the criteria prescribed by Presidential Decree taking into account the types and amount of processed personal information, number of employees, amount of sales, etc., collects personal information from third parties and processes the same pursuant to Article 17 (1) 1, the personal information controller shall notify the data subject of the matters referred to in paragraph (1): Provided, That this shall not apply where the information collected by the personal information controller does not contain any personal information, such as contact information, through which notification can be given to the data subject.

(3) Matters necessary for the time, method, and procedure of giving notification to the data subject pursuant to the main clause of paragraph (2), shall be prescribed by Presidential Decree.

(4) Paragraph (1) and the main clause of paragraph (2) shall not apply to any of the following cases: Provided, That this shall be the case only where it is manifestly superior to the rights of data subjects under this Act:

1. Where personal information, which is subject to a notification request, is included in the personal information files referred to in any subparagraph of Article 32 (2);
2. Where such notification is likely to cause harm to the life or body of any other person, or to unfairly damage the property and other interests of any other person.

(1) A personal information controller who meets the criteria prescribed by Presidential Decree shall regularly notify data subjects of the details of the use and provision of personal information collected under this Act or the method of accessing the information system through which such details can be confirmed: Provided, That the notification may be omitted where personal information that enables notifications to the data subject, such as contact information, has not been collected or retained.

(2) Matters necessary for the scope of data subjects subject to notification, information to be notified, frequency, method, etc. of notification under paragraph (1) shall be prescribed by Presidential Decree.

(1) A personal information controller shall destroy personal information without delay when the personal information becomes unnecessary owing to the expiry of the retention period, attainment of the purpose of processing the personal information, the expiry of the processing period of pseudonymized information, etc.: Provided, That this shall not apply where the retention of such personal information is mandatory by other statutes or regulations.

(2) When a personal information controller destroys personal information pursuant to paragraph (1), measures necessary to prevent recovery and revival shall be taken.

(3) Where a personal information controller is obliged to retain, rather than destroy, personal information pursuant to the proviso of paragraph (1), the relevant personal information or personal information files shall be stored and managed separately from other personal information.

(4) Other necessary matters, such as the methods to destroy personal information and its destruction process, shall be prescribed by Presidential Decree.

(1) Where a personal information controller intends to obtain the consent of the data subject (including his or her legal representative as stated in Article 22-2 (1); hereafter in this Article the same shall apply) to the processing of his or her personal information, the personal information controller shall present the request for consent to the data subject in a clearly recognizable manner where each matter requiring consent is distinctly presented, and obtain his or her consent thereto. In such cases, the personal information controller shall categorize the matters requiring consent falling under the following subparagraphs and obtain consent, respectively.

1. Where consent shall be obtained under Article 15 (1) 1;
2. Where consent shall be obtained under Article 17 (1) 1;
3. Where consent shall be obtained under Article 18 (2) 1;
4. Where consent shall be obtained under subparagraph 1 of Article 19;
5. Where consent shall be obtained under Article 23 (1) 1;
6. Where consent shall be obtained under Article 24 (1) 1;
7. Where the personal information controller intends to obtain consent to the processing of personal information in order to promote goods or services or solicit purchase thereof;
8. Other cases prescribed by Presidential Decree where it is necessary to obtain consent by categorizing the matters requiring consent to protect a data subject.

(2) Where a personal information controller obtains the consent under paragraph (1) in writing (including electronic documents under Article 2, subparagraph 1 of the Framework Act on Electronic Documents and Transactions), the personal information controller shall clearly specify important matters prescribed by Presidential Decree such as the purpose of collection and use of personal information and the items of personal information to be collected and used, in the manner prescribed by Notification of the Protection Commission, so as to make such matters easy to be understood.

(3) With respect to the personal information that can be processed without consent of the data subject, a personal information controller shall disclose the relevant items and legal basis for such processing under Article 30 (2) by separating such information from the personal information processed with consent of the data subject, or shall inform the data subject thereof by e-mail or any other means prescribed by Presidential Decree. In such cases, the burden of proof that personal information can be processed without consent shall be borne by the personal information controller.

(4) (deleted)

(5) A personal information controller shall not refuse to provide goods or services to a data subject on the grounds that the data subject would not consent to the matter eligible for selective consent, or would not consent pursuant to paragraph (1) 3 and 7.

(6) (deleted)

(7) Except as provided in paragraphs (1) through (5), matters necessary for detailed methods to obtain the consent of data subjects shall be prescribed by Presidential Decree, in consideration of the collection media of personal information and other factors.

(1) When the consent of a child under 14 years of age is required to process the personal information of such child, a personal information controller shall obtain the consent of his or her legal representative and confirm whether the legal representative has granted consent.

(2) Notwithstanding paragraph (1), information prescribed by Presidential Decree as minimum information necessary for obtaining the consent of a legal representative may be collected directly from the relevant child without consent of the legal representative.

(3) A personal information controller shall, when notifying a child under 14 years of age of matters relating to the processing of personal information, use such a form and such a clear and plain language that the child can easily understand.

(4) Except as provided in paragraphs (1) through (3), matters necessary for the methods of obtaining consent and of obtaining confirmation of consent, etc., shall be prescribed by Presidential Decree.

(1) A personal information controller shall not process any information prescribed by Presidential Decree (hereinafter referred to as “sensitive information”), including ideology, belief, admission to or withdrawal from a trade union or political party, political opinions, health, sex life, and other personal information that is likely to markedly threaten the privacy of any data subject: Provided, That this shall not apply in any of the following circumstances:

1. Where the personal information controller informs the data subject of the matters provided for in Article 15 (2) or 17 (2), and obtains the consent of the data subject apart from the consent to the processing of other personal information;
2. Where other statutes or regulations require or permit the processing of sensitive information.

(2) Where a personal information controller processes sensitive information pursuant to paragraph (1), the personal information controller shall take measures necessary to ensure safety pursuant to Article 29 so that the sensitive information may not be lost, stolen, divulged, forged, altered, or damaged.

(3) Where a personal information controller deems that there is a risk of privacy invasion because sensitive information of the data subject is included in the information disclosed in the course of the provision of goods or services, the personal information controller shall communicate to the data subject the possibility of disclosure of sensitive information and the method of selecting non-disclosure in an easily understandable manner before providing the goods or services.

(1) A personal information controller shall not process any information prescribed by Presidential Decree that can be used to identify an individual in accordance with statutes or regulations (hereinafter referred to as "personally identifiable information"), except in any of the following cases:

1. Where the personal information controller informs a data subject of the matters provided for in Article 15 (2) or 17 (2), and obtains the consent of the data subject apart from the consent to the processing of other personal information;
2. Where other statutes or regulations specifically require or permit the processing of unique identification information.

(2) (deleted)

(3) Where a personal information controller processes personally identifiable information pursuant to paragraph (1), the personal information controller shall take measures necessary to ensure safety, including encryption, as prescribed by Presidential Decree, so that the personally identifiable information may not be lost, stolen, divulged, forged, altered, or damaged.

(4) The Protection Commission shall regularly inspect whether a personal information controller meeting the criteria prescribed by Presidential Decree taking into account the types and amount of processed personal information, number of employees, amount of sales, etc., has taken the measures necessary to ensure safety pursuant to paragraph (3), as prescribed by Presidential Decree.

(5) The Protection Commission may authorize specialized institutions prescribed by Presidential Decree to conduct the inspection referred to in paragraph (4).

(1) Notwithstanding Article 24 (1), a personal information controller shall not process any resident registration number, except in any of the following cases:

1. Where any Act, Presidential Decree, National Assembly Regulations, Supreme Court Regulations, Constitutional Court Regulations, National Election Commission Regulations or Board of Audit and Inspection Regulations specifically requires or permits the processing of resident registration numbers;
2. Where it is deemed manifestly necessary for the protection, from imminent danger, of life, bodily and property interests of a data subject or a third party;
3. Where it is inevitable to process resident registration numbers in line with subparagraphs 1 and 2 in cases prescribed by Notification of the Protection Commission.

(2) Notwithstanding Article 24 (3), a personal information controller shall retain resident registration numbers in a safe manner by means of encryption so that the resident registration numbers may not be lost, stolen, divulged, forged, altered, or damaged. In such cases, any necessary matters in relation to the scope of encryption objects and encryption timing by object, etc. shall be prescribed by Presidential Decree, taking into account the amount of personal information processed, data breach impact, etc.

(3) A personal information controller shall provide data subjects with an alternative sign-up tool without using their resident registration numbers in the stage of being admitted to membership via the website while processing the resident registration numbers pursuant to paragraph (1).

(4) The Protection Commission may prepare and support such measures as legislative arrangements, policy-making, necessary facilities, and systems build-up in order to support the provision of the measures provided for in paragraph (3).

(1) No one shall install and operate any fixed visual data processing device at open places, except in any of the following cases:

1. Where specifically allowed by statutes or regulations;
2. Where it is necessary for the prevention and investigation of crimes;
3. Where a person with legitimate authority installs and operates such device for the safety and management of facilities and prevention of fire;
4. Where a person with legitimate authority installs and operates such device for traffic enforcement;
5. Where a person with legitimate authority installs and operates such device for the collection, analysis, and provision of traffic information;
6. Cases prescribed by Presidential Decree, where the photographed image information is not stored.

(2) No one shall install and operate any fixed visual data processing device to look into the places which are likely to noticeably threaten individual privacy, such as a bathroom, restroom, sauna, and dressing room used by many unspecified persons: Provided, That this shall not apply to the facilities prescribed by Presidential Decree, which are used to detain or protect persons in accordance with statutes or regulations, such as correctional institutions and mental health care centers.

(3) The head of a public institution who intends to install and operate fixed visual data processing devices pursuant to the subparagraphs of paragraph (1) and a person who intends to install and operate fixed visual data processing devices pursuant to the proviso of paragraph (2) shall gather opinions of relevant specialist and interested persons through the procedures prescribed by Presidential Decree such as public hearings and information sessions.

(4) A person who installs and operates fixed visual data processing devices pursuant to the subparagraphs of paragraph (1) (hereinafter referred to as “fixed visual data processing device operator”) shall take necessary measures including posting on a signboard the following matters, so that data subjects may easily recognize such devices: Provided, That this shall not apply to military installations defined in subparagraph 2 of Article 2 of the Protection of Military Bases and Installations Act, important national facilities defined in subparagraph 13 of Article 2 of the United Defense Act, and other facilities prescribed by Presidential Decree:

1. The purpose and place of installation;
2. The scope and hours of photographing;
3. The contact information of the person in charge of its management;
4. Other matters prescribed by Presidential Decree.

(5) A fixed visual data processing device operator shall neither arbitrarily manipulate a fixed visual data processing device for purposes other than those for which the device was installed, nor direct the device toward different spots, nor use sound recording functions.

(6) A fixed visual data processing device operator shall take measures necessary to ensure safety pursuant to Article 29 to prevent personal information from being lost, stolen, divulged, forged, altered, or damaged.

(7) A fixed visual data processing device operator shall establish an appropriate policy to operate and manage the fixed visual data processing devices, as prescribed by Presidential Decree: Provided, That the fixed visual data processing device operator need not formulate a policy to operate and manage the fixed visual data processing devices if he or she has included matters regarding the operation and management of fixed visual data processing devices when formulating the Privacy Policy under Article 30.

(8) A fixed visual data processing device operator may entrust the business affairs regarding the installation and operation of fixed visual data processing devices to a third party: Provided, That public institutions shall comply with the procedures and requirements prescribed by Presidential Decree when entrusting the business affairs regarding the installation and operation of fixed visual data processing devices to a third party.

(1) A person who intends to operate a mobile visual data processing device for work purposes shall not take photographs (limited to cases falling within the scope of personal information; hereinafter the same shall apply) of a person or things related to such person at public places, except in the following cases:

1. In any of the cases falling under any subparagraph of Article 15 (1);
2. Where the data subject fails to express his or her intention to refuse to be photographed, although the fact of photographing is clearly stated to inform the data subject; in such cases, it shall be limited to cases where it is unlikely to unduly infringe upon the right of a data subject and where it does not exceed reasonable limits;
3. Other cases prescribed by Presidential Decree, corresponding to those referred to in subparagraphs 1 and 2.

(2) No one shall take photographs of a person or things related to such person through a mobile visual data processing device at a place used by many unspecified persons where an individual's privacy could be significantly compromised, such as a bathroom, toilet, sauna, and changing room: Provided, That this shall not apply to cases prescribed by Presidential Decree, where it is necessary for lifesaving and first-aid services.

(3) Where a person or thing related to such person is photographed with a portable visual data processing device in cases falling under the subparagraphs of paragraph (1), the fact of photographing shall be indicated and notified as prescribed by Presidential Decree, by such means as light, sound, and signboard.

(4) Except as provided in paragraphs (1) through (3), Article 25 (6) through (8) shall apply mutatis mutandis to the operation of mobile visual data processing devices.

(1) A personal information controller shall, when entrusting the processing of personal information to a third party, do so in a document that states the following:

1. Prevention of personal information processing for other purposes than performing the entrusted work;
2. Technical and managerial safeguards of personal information;
3. Other matters prescribed by Presidential Decree to ensure safe management of personal information.

(2) A personal information controller who entrusts the processing of personal information pursuant to paragraph (1) (hereinafter referred to as "person entrusting") shall disclose the details of the entrusted affairs and the entity that processes personal information (including a third party re-entrusted from a person entrusted with the processing of personal information; hereinafter referred to as “person entrusted”) in the manner prescribed by Presidential Decree so as to be easily recognizable by data subjects at any time.

(3) The person entrusting shall, in case of entrusting the promotion of goods or services, or soliciting of sales thereof, notify data subjects of the entrusted work and the person entrusted in the manners prescribed by Presidential Decree. The same shall apply where the entrusted work or the person entrusted has been changed.

(4) The person entrusting shall educate the person entrusted so that personal information of data subjects may not be lost, stolen, divulged, forged, altered, or damaged owing to the outsourcing of work, and supervise how the person entrusted processes such personal information safely by inspecting the status of processing, etc., as prescribed by Presidential Decree.

(5) An person entrusted shall not use any personal information beyond the scope of the work entrusted by the personal information controller, nor provide personal information to a third party.

(6) A person entrusted shall, when he or she intends to re-entrust the processing of entrusted personal information to a third party, obtain consent from the person entrusting.

(7) With respect to liability for damages arising out of the processing of personal information entrusted to an person entrusted in violation of this Act, the person entrusted shall be deemed an employee of the personal information controller.

(8) Articles 15 through 18, 21, 22, 22-2, 23, 24, 24-2, 25, 25-2, 27, 28, 28-2 through 28-5, 28-7 through 28-11, 29, 30, 30-2, 31, 33, 34, 34-2, 35, 35-2, 36, 37, 37-2, 38, 59, 63, 63-2, and 64-2 shall apply mutatis mutandis to outsourcees. In such cases, "personal information controller" shall be construed as "person entrusted".

(1) A personal information controller shall notify in advance the data subjects of the following matters in the manner prescribed by Presidential Decree in the case of transfer of personal information to a third party owing to the transfer of some or all of his or her business, a merger, etc.:

1. The fact that the personal information will be transferred;
2. The name (referring to the company name in case of a legal person), address, telephone number and other contact information of the recipient of the personal information (hereinafter referred to as “business transferee, etc.”);
3. The method and procedure for withdrawing consent if the data subject does not wish his or her personal information to be transferred.

(2) Upon receiving personal information, the business transferee, etc. shall, without delay, notify data subjects of the fact in the manner prescribed by Presidential Decree: Provided, That this shall not apply where the personal information controller has already notified the data subjects of the fact of such transfer pursuant to paragraph (1).

(3) Upon receiving personal information owing to business transferee, etc., a merger, etc., the business transferee may use, or provide a third party with, the personal information only for the initial purposes dating to the time of the transfer. In such cases, the business transferee shall be deemed the personal information controller.

(1) In processing personal information, a personal information controller shall limit the scope of persons who process the personal information under his or her command and supervision, such as an executive officer or employee, temporary agency worker, and part-time worker (hereinafter referred to as “personal information handler”) to a minimum extent and shall appropriately manage and supervise such personal information handlers.

(2) A personal information controller shall provide personal information handlers with necessary educational programs on a regular basis in order to ensure the appropriate handling of personal information.

(1) A personal information controller may process pseudonymized information without the consent of data subjects for statistical purposes, scientific research purposes, and archiving purposes in the public interest, etc.

(2) A personal information controller shall not include information that may be used to uniquely identify an individual when providing pseudonymized information to a third party according to paragraph (1).

(1) Notwithstanding Article 28-2, the combination of pseudonymized information processed by different personal information controllers for statistical purposes, scientific research and preservation of records for public interest, etc. shall be conducted by a specialized institution designated by the Protection Commission or the head of the related central administrative agency.

(2) A personal information controller who intends to transfer the combined information outside the organization that combined the information shall obtain approval from the head of the specialized institution after processing the information into pseudonymized information or the form referred to in Article 58-2.

(3) Necessary matters including the procedures and methods of combination pursuant to paragraph (1), standards and procedures to designate, or revoke the designation of, a specialized institution management and supervision, and standards and procedures of transfer and approval pursuant to paragraph (2) shall be prescribed by Presidential Decree.

(1) In processing pseudonymized information under Article 28-2 or 28-3, a personal information controller shall take such technical, administrative, and physical measures as separately storing and managing additional information needed for restoration to the original state, which are necessary to ensure safety as prescribed by Presidential Decree to prevent personal information from being lost, stolen, divulged, forged, altered, or damaged.

(2) In processing pseudonymized information in accordance with Article 28-2 or 28-3, a personal information controller may separately determine the processing period of the pseudonymized information in consideration of the processing purpose, etc.

(3) A personal information controller who intends to process pseudonymized information under Article 28-2 or 28-3 shall prepare and retain records relating to matters prescribed by Presidential Decree including the purpose of processing the pseudonymized information, a recipient in cases pseudonymized information is provided to a third party, the processing period of pseudonymized information, etc. (limited to cases where the processing period is separately determined under paragraph (2)) to manage the details of the processing of pseudonymized information, and shall retain the records for at least three years from the date of destruction in the event of destruction of pseudonymized information.

(1) No person who processes pseudonymized information under Article 28-2 or 28-3 shall process such information for the purpose of uniquely identifying an individual.

(2) When information that can uniquely identify an individual is generated in the process of processing pseudonymized information under Article 28-2 or 28-3, a personal information controller shall immediately cease the processing of the relevant information, and shall retrieve and destroy the information without delay.

@Articles 20, 20-2, 27, 34 (1), 35, 35-2, 36, and 37 shall not apply to pseudonymized information processed under Article 28-2 or 28-3.

(1) No cross-border provision (including inquiry), entrusted processing, or storage (hereafter in this Section referred to as "transfer") of personal information shall be allowed by a personal information controller: Provided, That in any of the following cases, the cross-border transfer of personal information may be allowed:

1. Where separate consent is obtained from the data subject;
2. Where there are special provisions regarding the cross-border transfer of personal information in a statute, a treaty to which the Republic of Korea is a party, or other international conventions;
3. In any of the following cases where it is necessary to entrust the processing of personal information and to retain such personal information in order to conclude and perform a contract with the data subject:
   • (a) Where the matters set forth in the subparagraphs of paragraph (2) are disclosed in the Privacy Policy provided in Article 30;
   • (b) Where the matters provided in the subparagraphs of paragraph (2) are communicated to the data subject by means prescribed by Presidential Decree, such as electronic mail;
4. Where the recipient of personal information obtains certification determined and publicly notified by the Protection Commission, such as the certification of personal information protection under Article 32-2, and takes all of the following measures:
   • (a) Safety measures necessary for protecting personal information and measures necessary for guaranteeing the rights of data subjects;
   • (b) Measures necessary for implementing certified matters in the country to which personal information is to be transferred;
5. Where the Protection Commission recognizes that the personal information protection system of the country or international organization to which the personal information is to be transferred, the scope of guarantee of the rights of the data subject, and the procedures for damage relief, etc. are substantially equal to the level of personal information protection under this Act.

(2) A personal information controller shall inform data subjects of the following matters in advance when obtaining consent under paragraph (1) 1:

1. Particulars of the personal information to be transferred;
2. The country to which the personal information is transferred, transfer date, and method;
3. Name of the recipient of personal information (referring to the name of a corporation and the contact information of the corporation, if the recipient is a corporation);
4. The purpose of using personal information by the recipient of personal information and the period of retention and use of personal information;
5. The method and procedure for refusing the transfer of personal information and the effect of such refusal.

(3) A personal information controller that intends to change the matters provided in any subparagraph of paragraph (2) shall inform a data subject of such change and obtain the data subject's consent thereto.

(4) A personal information controller shall comply with other provisions of this Act and Articles 17 through 19 and Chapter V of this Act, which are related to the cross-border transfer of personal information, and shall take protective measures prescribed by Presidential Decree, where it makes crossborder transfers of personal information pursuant to the proviso, with the exception of the subparagraphs, of paragraph (1).

(5) A personal information controller shall not enter into a contract for cross-border transfers of personal information containing terms and conditions that are in violation of this Act.

(6) Except as provided in paragraphs (1) through (5), matters necessary for the criteria and procedures for the cross-border transfer of personal information, etc. shall be prescribed by Presidential Decree.

(1) The Protection Commission may order a personal information controller to suspend cross-border transfers of personal information in any of the following cases where the cross-border transfer of personal information is ongoing or where any further cross-border transfer is expected:

1. Cases in violation of Article 28-8 (1), (4), or (5);
2. Where the recipient of personal information or the State or international organization to which the personal information is transferred fails to properly protect the personal information when compared to the level of personal information protection under this Act, and thus the data subject suffers damage or is highly likely to suffer damage.

(2) Upon receipt of an order to suspend cross-border transfers of personal information under paragraph (1), a personal information controller may file an objection with the Protection Commission within seven days after receipt of such order.

(3) Matters necessary for the standards for orders to suspend cross-border transfers of personal information under paragraph (1), the procedures for filing an objection under paragraph (2), etc. shall be prescribed by Presidential Decree.

Notwithstanding Article 28-8, personal information controllers in a country that restricts cross-border transfers of personal information may be subject to restrictions at a level equivalent to those imposed by the country: Provided, That this shall not apply where cross-border transfers are necessary to implement a treaty or other international conventions.

Every personal information controller shall take such technical, managerial, and physical measures as establishing an internal management plan and preserving access records, etc. that are necessary to ensure safety as prescribed by Presidential Decree so that the personal information may not be lost, stolen, divulged, forged, altered, or damaged.

(1) A personal information controller shall establish a personal information processing policy including the following matters (hereinafter referred to as "Privacy Policy"). In such cases, public institutions shall establish the Privacy Policy for the personal information files to be registered pursuant to Article 32:

1. The purposes for which personal information is processed;
2. The period for processing and retaining personal information;
3. Provision of personal information to a third party (if applicable);
   3-2. Procedures and methods for destroying personal information (if personal information shall be preserved according to the proviso of Article 21 (1), this shall include the basis of preservation and particulars of personal information to be preserved);
   3-3. The possibility of disclosure of sensitive information and the method of selecting non-disclosure under Article 23 (3) (if applicable);
4. Entrusting personal information processing (if applicable);
   4-2. Matters relating to processing, etc. of pseudonymized information under Articles 28-2 and 28-3 (if applicable);
5. The rights and obligations of data subjects and legal representatives, and how to exercise such rights;
6. Contact information, such as the name of a privacy officer designated under Article 31 or the name, telephone number, etc. of the department which performs the work related to personal information protection and handles related grievances;
7. Installation and operation of an automatic collection tool for personal information, including Internet access data files, and the denial thereof (if applicable);
8. Other matters prescribed by Presidential Decree regarding the processing of personal information.

(2) Upon establishing or modifying the Privacy Policy, a personal information controller shall disclose the content so that data subjects may easily recognize it in such a way as prescribed by Presidential Decree.

(3) Where there exist discrepancies between the Privacy Policy and the agreement executed by and between the personal information controller and data subjects, the terms that are beneficial to the data subjects shall prevail.

(4) The Protection Commission may prepare the Privacy Policy Guidelines and encourage the personal information controllers to comply with such Guidelines.

(1) The Protection Commission shall evaluate the following with respect to the Privacy Policy and may recommend that the relevant personal information controller improve the policy pursuant to Article 61 (2), if it is deemed necessary to improve the policy based on the evaluation results:

1. Whether the matters that shall be included in the Privacy Policy pursuant to this Act are appropriately determined;
2. Whether the Privacy Policy has been prepared in an easily understandable manner;
3. Whether the Privacy Policy is disclosed in such a way that the data subject can easily confirm.

(2) Matters necessary for those subject to the evaluation of the Privacy Policy, criteria and procedures therefor, etc. shall be prescribed by Presidential Decree.

(1) A personal information controller shall designate a privacy officer who shall have general supervision and control of the work regarding personal information processing: Provided, That a personal information controller whose number of employees, turnover, etc. meet the criteria prescribed by Presidential Decree need not designate a privacy officer.

(2) Where a privacy officer is not designated under the proviso of paragraph (1), the business owner or representative of the personal information controller shall become the privacy officer.

(3) A privacy officer shall perform the following work:

1. To establish and implement a personal information protection plan;
2. To conduct a regular survey of the status and practices of personal information processing, and to improve shortcomings;
3. To handle grievances and remedial compensation in relation to personal information processing;
4. To build the internal control system to prevent the divulgence, abuse, and misuse of personal information;
5. To prepare and implement an education program about personal information protection;
6. To protect, control, and manage the personal information files;
7. Other work prescribed by Presidential Decree for the appropriate processing of personal information.

(4) In performing the work provided in the subparagraphs of paragraph (3), a privacy officer may occasionally inspect the current status of personal information processing, processing systems, etc. if necessary, and may request a report thereon from the relevant parties.

(5) Where a privacy officer becomes aware of any violation of this Act or other relevant statutes or regulations in relation to the protection of personal information, he or she shall take corrective measures immediately, and shall report such corrective measures to the head of the institution or organization to which he or she belongs, if necessary.

(6) A personal information controller shall not allow the privacy officer to give or be subject to disadvantages without good cause while performing the affairs provided in the subparagraphs of paragraph (3), and shall guarantee the independent performance of work by the privacy officer.

(7) A personal information controller may organize and operate a council of privacy officers comprised of the privacy officers provided in paragraph (1) so as to safely process and protect personal information, exchange information, and conduct other joint projects prescribed by Presidential Decree.

(8) The Protection Commission may provide support necessary for the activities of the council of privacy officers under paragraph (7).

(9) Matters necessary for the qualification requirements for a privacy officer under paragraph (1), the work under paragraph (3), the guarantee of independence under paragraph (6), and other relevant matters, shall be prescribed by Presidential Decree, taking into consideration sales, the scale of personal information retained, etc.

(1) A personal information controller with no address or place of business in the Republic of Korea who is prescribed by Presidential Decree in consideration of the sales, the scale of personal information retained, and other factors shall designate a person who acts as an agent for the following (hereinafter referred to as "domestic agent"). In such cases, the domestic agent shall be designated in writing:

1. Work of a privacy officer under Article 31 (3);
2. Notification and reporting of the personal data under Article 34 (1) and (3);
3. Submission of materials such as articles and documents under Article 63 (1).

(2) A domestic agent shall have an address or business office in Korea.

(3) The personal information controller shall include the following in the Privacy Policy if he or she designates a domestic agent pursuant to paragraph (1):

1. Name of the domestic agent (in cases of a corporation, referring to its name and the name of its representative);
2. Address (in cases of a corporation, referring to the location of a business office), telephone number, and e-mail address of the domestic agent.

(4) If a domestic agent violates this Act in relation to the subparagraphs of paragraph (1), the personal information controller shall be deemed to have committed such a violation.
[Moved from Article 39-11]

(1) Upon operating personal information files, the head of a public institution shall register the following matters with the Protection Commission. The same shall also apply where the registered matters are modified:

1. The titles of the personal information files;
2. The grounds and purposes for the operation of the personal information files;
3. Particulars of personal information that are recorded in the personal information files;
4. The method of processing personal information;
5. The period for retaining personal information;
6. The recipient of personal information, if it is provided routinely or repetitively;
7. Other matters prescribed by Presidential Decree.

(2) Paragraph (1) shall not apply to any of the following personal information files:

1. Personal information files that record national security, diplomatic secrets, and other matters relating to grave national interests;
2. Personal information files that record the investigation of crimes, institution and maintenance of a prosecution, punishment, and probation and custody, corrective orders, protective orders, security observation orders, and immigration;
3. Personal information files that record the investigations of violations of the Punishment of Tax Offenses Act and the Customs Act;
4. Personal information files prescribed by Presidential Decree, which are recognized as having little need for continuous management, such as ephemeral files;
5. Classified personal information files pursuant to other statutes or regulations.

(3) The Protection Commission may, if necessary, review where personal information files are registered and the content thereof under paragraph (1), and may recommend that the head of a relevant public institution make improvements.

(4) If necessary to guarantee the rights of data subjects, the Protection Commission shall make public the status of registered personal information files under paragraph (1) so that anyone may access them with ease.

(5) Matters necessary for the registration referred to in paragraph (1), the method, scope, and procedure of public disclosure referred to in paragraph (4), shall be prescribed by Presidential Decree.

(6) The registration and public disclosure of the personal information files retained by the National Assembly, the Court, the Constitutional Court and the National Election Commission (including their affiliated entities) shall be prescribed by the National Assembly Regulations, the Supreme Court Regulations, the Constitutional Court Regulations, and the National Election Commission Regulations.

(1) The Protection Commission may certify whether the data processing and other data protection-related action of a personal information controller abide by this Act, etc.

(2) The certification provided for in paragraph (1) shall be effective for three years.

(3) In any of the following cases, the Protection Commission may revoke the certification granted under paragraph (1), as prescribed by Presidential Decree: Provided, That it shall be revoked in cases falling under subparagraph 1:

1. Where personal information protection has been certified by fraud or other improper means;
2. Where follow-up management provided for in paragraph (4) has been denied or obstructed;
3. Where the certification criteria provided for in paragraph (8) have not been satisfied;
4. Where personal information protection-related statutes or regulations are breached, and the grounds for the violation are material.

(4) The Protection Commission shall conduct follow-up management at least once annually to maintain the effectiveness of the certification of personal information protection.

(5) The Protection Commission may authorize the specialized institutions prescribed by Presidential Decree to perform the work related to certification under paragraph (1), revocation of certification under paragraph (3), follow-up management under paragraph (4), management of certification examiners under paragraph (7).

(6) Any person who has obtained certification under paragraph (1) may indicate or promote the details of the certification, as prescribed by Presidential Decree.

(7) Qualifications of certification examiners who conduct the certification examination subject to paragraph (1), criteria for disqualification, and other related matters shall be prescribed by Presidential Decree, taking into account specialty, career, and other necessary matters.

(8) Other matters necessary for the certification criteria, method, procedure, etc. subject to paragraph (1), including whether the personal information management system, guarantee of data subjects’ rights, and measures to ensure safety are based on this Act, shall be prescribed by Presidential Decree.

(1) Where there is a risk of a personal information breach of data subjects due to the operation of personal information files meeting the criteria prescribed by Presidential Decree, the head of a public institution shall conduct an assessment to analyze risk factors and to improve them (hereinafter referred to as “privacy impact assessment”), and submit the results thereof to the Protection Commission.

(2) The Protection Commission may designate a person who satisfies the requirements prescribed by Presidential Decree such as human resources and facilities as an institution that performs a privacy impact assessment (hereinafter referred to as "assessment institution"), and the head of a public institution shall request the assessment institution to conduct the privacy impact assessment.

(3) Privacy impact assessments shall take into account the following:

1. The number of personal information being processed;
2. Whether the personal information is provided to a third party;
3. The probability to violate the rights of the data subjects and the degree of risks;
4. Other matters prescribed by Presidential Decree.

(4) The Protection Commission may provide its opinion on the privacy impact assessment results submitted under paragraph (1).

(5) The head of a public institution shall register the personal information files in accordance with Article 32 (1), for which the privacy impact assessment has been conducted pursuant to paragraph (1), with the results of the privacy impact assessment attached thereto.

(6) The Protection Commission shall take necessary measures, such as fostering relevant specialists, and developing and disseminating criteria for the privacy impact assessment, to promote the privacy impact assessment.

(7) The Protection Commission may revoke the designation of an assessment institution that has obtained designation under paragraph (2) in any of the following cases: Provided, That it shall revoke the designation in cases falling under subparagraph 1 or 2:

1. Where the designated assessment institution has obtained its designation by fraud or other improper means;
2. Where the designated assessment institution wants revocation of such designation or has closed its business;
3. Where the designated assessment institution ceases to meet the requirements for designation provided in paragraph (2);
4. Where the designated assessment institution has poorly performed its work either by intention or gross negligence, and is deemed incapable of duly performing its affairs;
5. Other cases that fall under any ground prescribed by Presidential Decree.

(8) Where the Protection Commission revokes designation pursuant to paragraph (7), it shall hold a hearing in accordance with the Administrative Procedures Act.

(9) Matters necessary for the criteria, methods, procedures, etc. for privacy impact assessments under paragraph (1) shall be prescribed by Presidential Decree.

(10) Matters regarding the privacy impact assessment conducted by the National Assembly, the Court, the Constitutional Court and the National Election Commission (including their affiliated entities) shall be prescribed by the National Assembly Regulations, the Supreme Court Regulations, the Constitutional Court Regulations, and the National Election Commission Regulations.

(11) A personal information controller other than public institutions shall proactively endeavor to conduct a privacy impact assessment, if there is a risk of a personal information beach of data subjects in operating the personal information files.

(1) A personal information controller shall notify data subjects of the following matters without delay when the personal information controller becomes aware of loss, theft, or divulgence (hereafter in this Article referred to as "divulgence, etc.") of personma information: Provided, That if the contact information of the data subject is unknown or if any other good cause exists, a measure may be taken in lieu of giving notice, as prescribed by Presidential Decree:

1. Particulars of divulgence, etc. of personal information;
2. When and how divulgence, etc. of personal is made;
3. Any information about how the data subjects can minimize the risk of damage from divulgence, etc.;
4. Countermeasures taken by the personal information controller and remedial procedure;
5. Help desk and contact points for the data subjects to report damage.

(2) A personal information controller shall prepare countermeasures to minimize the risk of damage in the case of divulgence, etc. of personal information and take necessary measures.

(3) Upon becoming aware of divulgence, etc. of personal information, the personal information controller shall, without delay, file a report with the Protection Commission or a specialized institution designated by Presidential Decree with respect to the matters provided in the subparagraphs of paragraph (1), as prescribed by Presidential Decree in consideration of the types of personal information, the process and scale of divulgence, etc., and other factors. In such cases, the Protection Commission and the specialized institution designated by Presidential Decree may provide technical assistance for the prevention of the spread of damage, recovery from damage, and other purposes.

(4) Matters necessary for notifying divulgence, etc. under paragraph (1) and timing, methods, and procedures for reporting breach, etc. under paragraph (3) shall be prescribed by Presidential Decree.

(1) A personal information processor shall make sure to prevent personal information such as personally identifiable information, account information, and credit card information from being exposed to the public through information and communications networks.

(2) With respect to personal information exposed to the public, if requested by the Protection Commission or a specialized institution designated by Presidential Decree, the personal information controller shall take necessary measures such as erasing or blocking the relevant information.

(1) A data subject may request access to his or her own personal information, which is processed by a personal information controller, from the personal information controller.

(2) Notwithstanding paragraph (1), where a data subject intends to request access to his or her own personal information from a public institution, the data subject may request such access directly from the said public institution, or indirectly via the Protection Commission, as prescribed by Presidential Decree.

(3) Upon receipt of a request for access filed under paragraphs (1) and (2), a personal information controller shall grant the data subject access to his or her own personal information within the period prescribed by Presidential Decree. In such cases, if there is good cause for not permitting access during such period, the personal information controller may postpone access after notifying the relevant data subject of the said ground and if the said ground ceases to exist, the data subject shall be permitted to access the personal information without delay.

(4) In any of the following cases, a personal information controller may limit or deny access after it notifies a data subject of the cause:

1. Where access is prohibited or limited by statutes;
2. Where access may cause damage to the life or body of a third party, or unjustified infringement of property and other interests of any other person;
3. Where a public institution has grave difficulties in performing any of the following work:
   • (a) Imposition, collection or refund of taxes;
   • (b) Evaluation of academic achievements or admission affairs at the schools of each level established under the Elementary and Secondary Education Act and the Higher Education Act, lifelong educational facilities established under the Lifelong Education Act, and other higher educational institutions established under other statutes;
   • (c) Testing and qualification examination regarding academic competence, technical capability and employment;
   • (d) Ongoing evaluation or decision-making in relation to compensation or grant assessment;
   • (e) Ongoing audit and examination under other statutes.

(5) Matters necessary for the methods and procedures to file access requests, to limit access, to give notification, etc. pursuant to paragraphs (1) through (4) shall be prescribed by Presidential Decree.

(1) A data subject may request the personal information controller satisfying the criteria prescribed by Presidential Decree in consideration of the ability to process personal information, etc. to transmit to him or her personal information that satisfies all of the following requirements:

1. The personal information, the transmission of which is requested by the data subject, shall be any of the following personal information on himself or herself:
   • (a) Personal information processed with consent under Article 15 (1) 1, 23 (1) 1, or 24 (1) 1;
   • (b) Personal information processed to take measures at the request of a data subject in the course of performing or concluding a contract under Article 15 (1) 4;
   • (c) Among the personal information processed pursuant to Article 15 (1) 2 and 3, Article 23 (1) 2, or Article 24 (1) 2, the personal information designated as being subject to request for transmission by deliberation and resolution by the Protection Commission at the request of the head of a relevant central administrative agency for the interest of a data subject or public interest of a data subject;
2. Personal information, the transmission of which is requested, shall not be information separately generated by analyzing and processing the personal information collected by a personal information controller;
3. The personal information, the transmission of which is requested, shall be the personal information processed by a computer or any other information processing device.

(2) A data subject may request a personal information controller satisfying the criteria prescribed by Presidential Decree in consideration of the sales, the scale of personal information retained, the capability of personal information processing, industrial characteristics, and other relevant factors, to transmit his or her personal information requested under paragraph (1) to the following persons, to the extent it is technically feasible and reasonable:

1. Institutions specializing in managing personal information under Article 35-3 (1);
2. A person who fulfills his or her duty of safeguards under Article 29 and meets the standards for facilities and technology prescribed by Presidential Decree.

(3) Upon receipt of a request for transmission under paragraphs (1) and (2), the personal information controller shall transmit the relevant information in a form processable through a computer or other information processing device to the extent reasonable in terms of time, expenses, and technology.

(4) Upon receipt of a request for transmission under paragraphs (1) and (2), a personal information controller shall transmit the personal information of the data subject, notwithstanding the relevant provisions of any of the following statutes:

1. Article 81-13 of the Framework Act on National Taxes;
2. Article 86 of the Framework Act on Local Taxes;
3. Provisions of statutes prescribed by Presidential Decree, which are similar to those provided in subparagraphs 1 and 2.

(5) A data subject may withdraw his or her request for transmission under paragraphs (1) and (2).

(6) A personal information controller may refuse the request for transmission under paragraph (1) or (2) or suspend the transmission in cases prescribed by Presidential Decree, such as where it is impossible to verify whether a data subject is the person in question.

(7) No data subject shall infringe upon another person's rights or legitimate interests on the grounds of a request for transmission under paragraphs (1) and (2).

(8) Except as provided in paragraphs (1) through (7), necessary matters, such as the scope of information subject to a request for transmission, methods of requesting transmission, deadlines and methods for transmission, methods of withdrawing requests for transmission, rejection of requests for transmission, and methods of suspending transmission, shall be prescribed by Presidential Decree.

(1) A person who intends to perform any of the following work shall be designated by the Protection Commission or the head of a relevant central administrative agency as an institution specializing in managing personal Information:

1. Support for the exercise of the right to request the transmission of personal information under Article 35-2;
2. Establishing and standardizing a personal information transmission system to support the exercise of the rights of data subjects;
3. Managing and analyzing personal information to support the exercise of rights of data subjects;
4. Other affairs prescribed by Presidential Decree to effectively support the exercise of the rights of data subjects.

(2) Requirements for designation as an institution specializing in managing personal information under paragraph (1) shall be as follows:

1. The applicant shall have the technical level and expertise to transmit, manage, and analyze personal information;
2. The applicant shall be equipped with a level of measures to ensure safety for safely managing personal information;
3. The applicant shall have the financial capability necessary for the stable operation of an institution specializing in managing personal Information.

(3) No institution specializing in managing personal information shall engage in any of the following acts:

1. Forcing a data subject to request the transmission of his or her personal information, or unfairly inducing it;
2. Any other act prescribed by Presidential Decree, which is likely to infringe on personal information or restrict the rights of a data subject.

(4) If an institution specializing in managing personal information falls under any of the following, the head of the Protection Commission or of a relevant central administrative agency may revoke the designation of the institution specializing in managing personal information: Provided, that he or she shall revoke such designation in cases falling under subparagraph 1:

1. Where the institution has obtained the designation by fraud or other improper means;
2. Where the institution ceases to meet the requirements for designation under paragraph (2).

(5) If the Protection Commission or the head of a relevant central administrative agency intends to revoke the designation under paragraph (4), he or she shall hold hearings under the Administrative Procedures Act.

(6) The Protection Commission and the head of a relevant central administrative agency may provide an institution specializing in managing personal information support necessary for performing its work.

(7) In performing affairs under the subparagraphs of paragraph (1) at the request of a data subject, an institution specializing in managing personal information may collect from the data subject expenses incurred in performing such work.

(8) Matters necessary for the procedures for the designation of an institution specializing in managing personal information under paragraph (1), the detailed requirements for designation under paragraph (2), the procedures for revocation of designation under paragraph (4), etc. shall be prescribed by Presidential Decree.

(1) The Protection Commission shall systematically manage and supervise the current status of personal information controllers provided in Articles 35-2 (1) and (2) and institutions specializing in managing personal information provided in Article 35-3 (1), the details of use, the actual status of management, etc.

(2) The Protection Commission may build and operate a personal information transmission support platform to ensure the safe and efficient transmission of personal information, including the following:

1. The current status of institutions specializing in managing personal information and a list of personal information items that can be transmitted;
2. Details of a data subject's request for transmission and withdrawal of such request;
3. Support functions such as managing the history of transmission of personal information;
4. Other matters necessary to transmit personal information.

(3) The Protection Commission may interlink or integrate the transmission systems built and operated by institutions specializing in managing personal information for the efficient operation of personal information transmission support platforms under paragraph (2). In such cases, it shall have a prior consultation with the head of a relevant central administrative agency and the relevant institution specializing in managing personal information.

(4) Matters necessary for management and supervision and the establishment and operation of a personal information transmission support system under paragraphs (1) through (3) shall be prescribed by Presidential Decree.

(1) A data subject who has accessed his or her personal information pursuant to Article 35 may request a correction or erasure of such personal information from the relevant personal information controller: Provided, That the erasure is not permitted where the said personal information shall be collected by other statutes or regulations.

(2) Upon receipt of a request by a data subject pursuant to paragraph (1), the personal information controller shall investigate the personal information in question without delay; shall take measures necessary to correct or erase as requested by the data subject unless otherwise specifically provided by other statutes or regulations in relation to correction or erasure; and shall notify such data subject of the result.

(3) The personal information controller shall take measures not to recover or revive the personal information in case of erasure pursuant to paragraph (2).

(4) Where the request of a data subject falls under the proviso of paragraph (1), a personal information controller shall notify the data subject of the details thereof without delay.

(5) While investigating the personal information in question pursuant to paragraph (2), the personal information controller may, if necessary, request from the relevant data subject the evidence necessary to confirm a correction or erasure of the personal information.

(6) Matters necessary for the request of correction and erasure, notification method and procedure, etc. pursuant to paragraphs (1), (2) and (4) shall be prescribed by Presidential Decree.

(1) A data subject may request the relevant personal information controller to suspend the processing of his or her personal information or may withdraw his or her consent to personal information processing. In such cases, if the personal information controller is a public institution, the data subject may request the institution to suspend the processing of his or her personal information contained in the personal information files to be registered pursuant to Article 32 or may withdraw his or her consent to personal information processing.

(2) Upon receipt of the request for suspension of processing under paragraph (1), the personal information controller shall, without delay, suspend processing of some or all of the personal information as requested by the data subject: Provided, That, where any of the following is applicable, the personal information controller may deny the request of such data subject:

1. Where special provisions exist in other statutes or it is unavoidable to observe obligations under statutes or regulations;
2. Where access may cause damage to the life or body of a third party, or unjustified infringement of property and other interests of any other person;
3. Where the public institution cannot perform its work as prescribed by any Act without processing the personal information in question;
4. Where it is impracticable to perform a contract such as the provision of services as agreed upon with the said data subject without processing the personal information in question, and the data subject has not clearly expressed the desire to terminate the agreement.

(3) A personal information controller shall, when a data subject withdraws his or her consent pursuant to paragraph (1), take necessary measures without delay, such as destroying collected personal information to prevent recovery and reproduction thereof: Provided, That in cases falling under any subparagraph of paragraph (2), a personal information controller need not take measures following the withdrawal of consent.

(4) When rejecting a request for suspension of processing pursuant to the proviso of paragraph (2) or failing to take measures following the withdrawal of consent pursuant to the proviso of paragraph (3), the personal information controller shall notify the data subject of the reason without delay.

(5) The personal information controller shall, without delay, take necessary measures including destruction of the relevant personal information when suspending the processing of personal information as requested by data subjects.

(6) Matters necessary for the methods and procedures to request the suspension of processing, to withdraw consent, to reject such request, and to give notification, etc. pursuant to paragraphs (1) through (5) shall be prescribed by Presidential Decree.

(1) If a decision (excluding an automatic disposition by an administrative authority under Article 20 of the Framework Act on Administration; hereafter in this Article referred to as "automated decision") made by processing personal information with a completely automated system (including a system to which artificial intelligence technologies are applied) has a significant effect on his or her right or duty, a data subject shall have the right to file with the relevant personal information controller an objection against the relevant decision: Provided, That this shall not apply to cases where automated decisions are made pursuant to Article 15 (1) 1, 2, and 4.

(2) A data subject may, if the personal information controller has made an automated decision, request explanation, etc. thereof.

(3) Where a data subject refuses to accept an automated decision or requests a personal information controller to provide explanations, etc. thereof pursuant to paragraph (1) or (2), the personal information controller shall not apply the automated decision unless there is a compelling reason not to do so, or shall take necessary measures, such as re-processing through human involvement and providing explanations.

(4) A personal information controller shall disclose the criteria and procedures for making automated decisions and the methods, etc. of processing personal information so that data subjects can easily confirm them.

(5) Except as provided in paragraphs (1) through (4), matters necessary for the procedures and methods for refusing to accept automated decisions, requesting explanations, etc. thereof, necessary measures in response to refusal, a request for explanations, etc., the criteria and procedures for making automated decisions, the disclosure of the method in which personal information is processed, etc. shall be prescribed by Presidential Decree.

(1) A data subject may authorize his or her representative to file requests for access under Article 35, transmission under Article 35-2, rectification or erasure under Article 36, suspension of processing and withdrawal of consent under Article 37, and refusal and requests for explanation, etc. under Article 37-2 (hereinafter referred to as “request for access, etc.”) by the methods and procedures prescribed by Presidential Decree, such as written documents.

(2) The legal representative of a child under 14 years of age may file a request for access, etc. to the personal information of the child with a personal information controller.

(3) A personal information controller may charge a person who files a request for access, etc. a fee and postage (only in cases of a request to mail the copies), as prescribed by Presidential Decree: Provided, That in cases of a request for transmission under Article 35-2 (2), the personal information controller may assess a fee, taking into account additional facilities necessary for transmission and other factors as well.

(4) A personal information controller shall prepare detailed methods and procedures to enable data subjects to file requests for access, etc., and disclose such methods and procedures so that the data subjects may become aware of them. In such cases, the methods and procedures for filing requests for access, etc. shall be no more difficult than the methods and procedures for the collection of the relevant personal information.

(5) A personal information controller shall prepare and provide necessary procedures for data subjects to raise objections regarding the denial of a request for access, etc. from such data subjects.

(1) A data subject who suffers damage by reason of a violation of this Act by a personal information controller is entitled to claim compensation from the personal information controller for such damage. In such cases, the said personal information controller may not be released from responsibility for compensation if it fails to prove the absence of intention or negligence.

(2) (deleted)

(3) Where a data subject suffers damage out of loss, theft, divulgence, forgery, alteration, or damage of his or her own personal information, caused by intention or negligence of a personal information controller, the Court may determine the amount of compensation for damage not exceeding five times such damage: Provided, That the same shall not apply to the personal information controller who has proved the absence of intention or negligence.

(4) The Court shall take into account the following when determining the amount of compensation for damage under paragraph (3):

1. The degree of intention or expectation of damage;
2. The amount of loss caused by the violation;
3. Economic benefits the personal information controller gained in relation to the violation;
4. A fine and a penalty surcharge to be levied subject to the violation;
5. The duration, frequency, etc. of violations;
6. The property of the personal information controller;
7. The personal information controller’s efforts to retrieve the affected personal information after the loss, theft, or divulgence of personal information;
8. The personal information controller’s efforts to remedy damage suffered by the data subject.

(1) Notwithstanding Article 39 (1), a data subject, who suffers damage out of loss, theft, divulgence, forgery, alteration, or damage of his or her own personal information, caused by intention or negligence of a personal information controller, may claim a reasonable amount of damages not exceeding three million won. In such cases, the said personal information controller may not be released from the responsibility for compensation if it fails to prove the absence of intention or negligence.

(2) In the case of a claim made under paragraph (1), the Court may determine a reasonable amount of damages not exceeding the amount provided for in paragraph (1) taking into account all arguments in the proceedings and the results of examining evidence.

(3) A data subject who has claimed compensation pursuant to Article 39 may change such claim to the claim provided for in paragraph (1) until the closure of fact-finding proceedings.

(1) There shall be established a Personal Information Dispute Mediation Committee (hereinafter referred to as the “Dispute Mediation Committee”) to mediate disputes over personal information.

(2) The Dispute Mediation Committee shall be composed of up to 30 members, including one chairperson, and the members shall be ex officio members and commissioned members.

(3) The commissioned members shall be commissioned by the Chairperson of the Protection Commission from among the following persons, and public officials of the national agencies prescribed by Presidential Decree shall be ex officio members:

1. Persons who previously served as members of the Senior Executive Service of the central administrative agencies in charge of personal information protection, or persons who presently work or have worked at equivalent positions in the public sector and related organizations, and have job experience in personal information protection;
2. Persons who presently serve or have served as associate professors or higher positions in universities or in publicly recognized research institutes;
3. Persons who presently serve or have served as judges, public prosecutors, or attorneys-at-law;
4. Persons recommended by data protection-related civic organizations or consumer groups;
5. Persons who presently work or have worked as senior officers for the trade associations comprised of personal information controllers.

(4) The chairperson shall be commissioned by the Chairperson of the Protection Commission from among Committee members who are not public officials.

(5) The term of office for the chairperson and commissioned members shall be two years, and their term may be renewable for one further term.

(6) In order to conduct dispute settlement efficiently, the Dispute Mediation Committee may, if necessary, establish a mediation panel that is comprised of not more than five Committee members in each sector of mediation cases, as prescribed by Presidential Decree. In such cases, the resolution of the mediation panel delegated by the Dispute Mediation Committee shall be construed as that of the Dispute Mediation Committee.

(7) The quorum for holding a Dispute Mediation Committee or a mediation panel shall be the presence of a majority of its members, and any resolution shall require the affirmative votes of a majority of the members present.

(8) The Protection Commission may deal with the business affairs necessary for dispute mediation, such as receiving dispute mediation cases and fact-finding.

(9) Except as provided in this Act, matters necessary to operate the Dispute Mediation Committee shall be prescribed by Presidential Decree.

None of the Committee members shall be dismissed or de-commissioned against his or her will except when he or she is sentenced to the suspension of qualification or a heavier punishment, or unable to perform his or her duties due to mental or physical incompetence.

(1) A member of the Dispute Mediation Committee shall be excluded from deliberation and resolution on a case requested for dispute mediation pursuant to Article 43 (1) (hereafter in this Article referred to as “case”) if:

1. The member or his or her current or former spouse is a party to the case or is a joint right holder or a joint obligor with respect to the case;
2. The member is or was a relative of a party to the case;
3. The member has given any testimony, expert opinion, or legal advice with respect to the case;
4. The member is or was involved in the case as an agent or representative of a party to the case.

(2) Where the circumstances indicate that it would be impracticable to expect fair deliberations and resolution by a Committee member, any party may file a motion for challenge to the chairperson. In such cases, the chairperson shall determine whether or not to accept the motion without referring the motion to the Dispute Mediation Committee for resolution.

(3) Where any committee member falls under the case of paragraph (1) or (2), he or she may recuse himself or herself from deliberation and resolution on the case in question.

(1) Any person who wishes a dispute over personal information mediated may apply for mediation of the dispute to the Dispute Mediation Committee.

(2) Upon receipt of an application for dispute mediation from a party to the case, the Dispute Mediation Committee shall notify the counterparty of the application for mediation.

(3) Where a personal information controller is notified of dispute mediation under paragraph (2), he or she shall respond to it unless there is a compelling reason not to do so.

(1) The Dispute Mediation Committee shall examine the case and prepare a proposal of mediation within 60 days from the date of receiving an application pursuant to Article 43 (1): Provided, That the Dispute Mediation Committee may pass a resolution to extend such period by reason of inevitable circumstances.

(2) Where the period is extended pursuant to the proviso of paragraph (1), the Dispute Mediation Committee shall inform the applicant of the reasons for extending the period and other matters concerning the extension of such period.

(1) Upon receipt of an application for dispute mediation pursuant to Article 43 (1), the Dispute Mediation Committee may request disputing parties to provide materials necessary to mediate the dispute. In such cases, such parties shall comply with the request in the absence of good cause.

(2) Where it is necessary to verify facts for the mediation of a dispute, the Dispute Mediation Committee may require members of the Dispute Mediation Committee or public officials belonging to the secretariat prescribed by Presidential Decree to enter the place related to the case and to investigate or inspect relevant data. In such cases, where any party to the relevant dispute has good cause for refusing the relevant investigation or inspection, he or she may refuse the investigation or access by explaining such grounds therefor.

(3) A public official who performs his or her duties pursuant to Article 2 shall carry identification verifying his or her authority and present it to relevant persons.

(4) If deemed necessary to mediate a dispute, the Dispute Mediation Committee may request relevant agencies, etc. to provide necessary cooperation, such as the submission of materials or opinions.

(5) The Dispute Mediation Committee may summon disputing parties or relevant witnesses to appear before the Committee to hear their opinions, if deemed necessary.

Opinions and statements made in mediation proceedings shall not be invoked in a lawsuit (excluding quasi-retrial of the relevant conciliation).

Upon receipt of an application for dispute mediation pursuant to Article 43 (1), the Dispute Mediation Committee may present a draft settlement to the disputing parties and recommend a settlement before mediation.

(1) The Dispute Mediation Committee may prepare a proposal of mediation including the following matters:

1. Suspension of the violation to be investigated;
2. Restitution, compensation and other necessary remedies;
3. Any measure necessary to prevent recurrence of the identical or similar violations.

(2) Upon preparing proposal of mediation pursuant to paragraph (1), the Dispute Mediation Committee shall present the proposal of mediation to each party without delay.

(3) If a party presented with the proposal of mediation prepared under paragraph (2) fails to notify the Dispute Mediation Committee of his or her acceptance or denial of the proposal of mediation within 15 days from the date of receipt of such decision, he or she shall be deemed to have accepted the decision.

(4) If the parties accept the draft mediation decision (including deemed acceptance under paragraph (3)), the Dispute Mediation Committee shall prepare a written mediation decision and deliver the original copies thereof to each party or his or her agents after the chairperson of the Dispute Mediation Committee and the parties affix their names and seals thereto: Provided, That in cases of deemed acceptance under paragraph (3), the names, seals, and signatures of each party may be omitted.

(5) The mediation agreed upon pursuant to paragraph (4) shall have the same effect as a settlement before the court.

(1) Where the Dispute Mediation Committee deems that it is inappropriate to mediate any dispute in view of its nature, or that an application for mediation of any dispute is filed for an improper purpose, it may reject the mediation. In this case, the reasons for rejecting the mediation shall be notified to the applicant.

(2) If one of the parties files a lawsuit while mediation proceedings are pending, the Dispute Mediation Committee shall suspend the dispute mediation and notify the parties thereof.

(1) The State, a local government, a data protection organization or institution, a data subject, and a personal information controller may request or apply for a collective dispute mediation (hereinafter referred to as “collective dispute mediation”) to the Dispute Mediation Committee where damages or infringement on rights occur to multiple data subjects in an identical or similar manner, and such incident is such as prescribed by Presidential Decree.

(2) Upon receipt of a request or an application for collective dispute mediation under paragraph (1), the Dispute Mediation Committee may commence, by its resolution, collective dispute mediation proceedings pursuant to paragraphs (3) through (7). In such cases, the Dispute Mediation Committee shall publicly announce the commencement of such proceedings for a period prescribed by Presidential Decree.

(3) The Dispute Mediation Committee may accept an application from any data subject or personal information controller other than the parties to the collective dispute mediation to participate in the collective dispute mediation additionally as a party.

(4) The Dispute Mediation Committee may, by its resolution, select one or a few persons as a representative party, who most appropriately represents the common interest among the parties to the collective dispute mediation pursuant to paragraphs (1) and (3).

(5) When the personal information controller accepts a collective dispute mediation award presented by the Dispute Mediation Committee, the Dispute Mediation Committee may advise the personal information controller to prepare and submit a compensation plan for the benefit of the non-party data subjects suffered from the same incident.

(6) Notwithstanding Article 48 (2), if a group of data subjects among a multitude of data subject parties to the collective dispute mediation files a lawsuit before the court, the Dispute Mediation Committee shall not suspend the proceedings but exclude the relevant data subjects, who have filed the lawsuit, from the proceedings.

(7) The period for collective dispute mediation shall not exceed 60 days from the following day when public announcement referred to in paragraph (2) ends: Provided, That the period can be extended by the resolution of the Dispute Mediation Committee in extenuating circumstances.

(8) Other necessary matters, such as the procedures for collective dispute mediation, shall be prescribed by Presidential Decree.

(1) Except as provided in Articles 43 through 49, the method and procedures to mediate disputes and matters necessary to deal with such dispute mediation shall be prescribed by Presidential Decree.

(2) Except as provided in this Act, the Judicial Conciliation of Civil Disputes Act shall apply mutatis mutandis to the operation of the Dispute Mediation Committee and dispute mediation proceedings.

The Dispute Mediation Committee may notify the Protection Commission and the heads of relevant central administrative agencies of its opinions for the improvement of the protection of personal information and the protection of the rights of data subjects in connection with the performance of the work under its jurisdiction.

Any of the following organizations may file a lawsuit (hereinafter referred to as “class action lawsuit”) with the court to prevent or suspend an infringement with respect to personal information if a personal information controller rejects or would not accept the collective dispute mediation under Article 49:

1. A consumer group registered with the Fair Trade Commission pursuant to Article 29 of the Framework Act on Consumers that meets all of the following criteria:
   • (a) Its by-laws shall constantly state the purpose to augment the rights and interests of data subjects;
   • (b) The number of full members shall exceed 1,000;
   • (c) Three years shall have passed since the registration under Article 29 of the Framework Act on Consumers;
2. A non-profit, non-governmental organization referred to in Article 2 of the Assistance for Non-Profit, Non-Governmental Organizations Act that meets all of the following criteria:
   • (a) At least 100 data subjects, who experienced the same infringement as a matter of law or fact, shall submit a request to file a class action lawsuit;
   • (b) Its by-laws shall state the purpose of data protection and it has conducted such activities for the most recent three years;
   • (c) The number of regular members shall be at least 5,000;
   • (d) It shall be registered with any central administrative agency.

(1) A class action lawsuit shall be subject to the exclusive jurisdiction of the competent district court (panel of judges) at the place of business or main office, or at the address of the business manager in the case of no business establishment, of the defendant.

(2) Where paragraph (1) applies to a foreign business entity, the same shall be determined by the place of business or main office, or the address of the business manager located in the Republic of Korea.

The plaintiff of a class-action lawsuit shall retain an attorney-at-law as a litigation attorney.

(1) An organization that intends to file a class action shall submit to the court an application for permission of lawsuit describing the following in addition to the complaint:

1. Plaintiff and his or her litigation attorney;
2. Defendant;
3. Detailed violation of the rights of data subjects.

(2) An application for certification of lawsuit filed under paragraph (1) shall be accompanied by the following materials:

1. Materials that prove that the organization which has filed a lawsuit meets all criteria provided for in Article 51;
2. Documentary evidence that proves that the personal information controller has rejected the dispute mediation or would not accept the mediation award.

(1) The court shall permit a class action only when all of the following requirements are satisfied:

1. That the personal information controller has rejected the dispute mediation or would not accept the mediation award;
2. That none of the descriptions in the application for permission of lawsuit filed under Article 54 is defective.

(2) The court decision that permits, or refuses to permit, a class action may be challenged through immediate appeal.

When a judgment dismissing a plaintiff's complaint becomes conclusive, any other organizations provided for in Article 51 cannot file a class-action lawsuit regarding the identical case: Provided, That this shall not apply in any of the following circumstances:

1. Where, after the judgment became conclusive, new evidence has been found by the State, a local government, or a State or local government-invested institution regarding the said case;
2. Where the judgment dismissing the lawsuit proves to have been caused by intention by the plaintiff.

(1) Except as otherwise expressly provided for in this Act, the Civil Procedure Act shall apply to a class action.

(2) When a decision to permit a class action lawsuit is made under Article 55, a preservation order provided for in Part IV of the Civil Execution Act may be issued.

(3) Matters necessary for class action lawsuit proceedings shall be provided by the Supreme Court Regulations.

(1) Chapter III through VIII shall not apply to any of the following personal information:

1. (deleted);
2. Personal information collected or requested to be provided for the analysis of information related to national security;
3. (deleted);
4. Personal information collected or used for its own purposes of reporting by the press, missionary activities by religious organizations, and nomination of candidates by political parties, respectively.

(2) Articles 15, 22, 22-2, 27 (1) and (2), 34, and 37 shall not apply to any personal information that is processed by means of the fixed visual data processing devices installed and operated at open places pursuant to the subparagraphs of Article 25 (1).

(3) Articles 15, 30 and 31 shall not apply to any personal information that is processed by a personal information controller to operate a group or association for friendship, such as an alumni association and a hobby club.

(4) In the case of processing personal information pursuant to paragraph (1), a personal information controller shall process the personal information to the minimum extent necessary to attain the intended purpose for the minimum period; and shall also make necessary arrangements, such as technical, managerial and physical safeguards, individual grievance handling and other necessary measures for the safe management and appropriate processing of such personal information.

This Act shall not apply to information that no longer identifies a certain individual when combined with other information, reasonably considering time, cost, technology, etc.

Anyone who processes or has processed personal information shall be prohibited from engaging in any of the following activities:

1. To acquire personal information or to obtain consent to personal information processing by fraud or other improper means;
2. To divulge personal information acquired in the course of performing his or her work, or to provide it for any third party’s use without authority;
3. To use, damage, destroy, alter, forge, or divulge any other person’s personal information without legitimate authority or beyond proper authority.

Any person who performs or has performed the following work shall not divulge any confidential information acquired in the course of performing his or her duties to any other person, nor use such information for any purpose other than for his or her duties: Provided, That, this shall not apply except as provided in other statutes:

1. Work of the Protection Commission provided in Article 8;
2. Work of designating specialized institutions and duties of specialized institutions under Article 28-3;
3. Certification of personal information protection provided in Article 32-2;
4. Privacy impact assessments provided in Article 33;
5. Work of designating institutions specializing in managing personal information and affairs of such institutions under Article 35-3;
6. Dispute mediation of the Dispute Mediation Committee under Article 40.

(1) The Protection Commission may present its opinion to any relevant agency through deliberation and resolution where it is deemed necessary with respect to the statutes or regulations or municipal ordinances containing provisions that are likely to affect the protection of personal information.

(2) The Protection Commission may advise a personal information controller to improve the status of personal information processing where doing so is deemed necessary to protect personal information. In such cases, upon receiving the advice, the personal information controller shall make sincere efforts to comply with the advice, and shall inform the Protection Commission of the results.

(3) The head of a related central administrative agency may recommend that a personal information controller improve the status of personal information processing pursuant to the statutes under the related central administrative agency’s jurisdiction where doing so is deemed necessary to protect personal information. In such cases, upon receiving the recommendation, the personal information controller shall make sincere efforts to comply with the recommendation, and shall inform the head of the related central administrative agency of the results.

(4) Central administrative agencies, local governments, the National Assembly, the Court, the Constitutional Court, and the National Election Commission may provide their opinions, or provide guidance or inspection with respect to the protection of personal information to their affiliated entities and the public institutions under their jurisdiction.

(1) Anyone who suffers infringement of rights or interests relating to his or her personal information in the course of personal information processing by a personal information controller may report such infringement to the Protection Commission.

(2) The Protection Commission may designate a specialized institution in order to efficiently receive and handle the claim reports pursuant to paragraph (1), as prescribed by Presidential Decree. In such cases, such specialized institution shall establish and operate a personal information infringement call center (hereinafter referred to as the “Privacy Call Center”).

(3) The Privacy Call Center shall perform the following work:

1. To receive claim reports and provide consultation in relation to personal information processing;
2. To investigate and confirm incidents and hear opinions of related parties;
3. Work incidental to those under subparagraphs 1 and 2.

(4) The Protection Commission may, if necessary, dispatch its public official to the specialized institution designated under paragraph (2) pursuant to Article 32-4 of the State Public Officials Act in order to efficiently investigate and confirm the incidents pursuant to paragraph (3) 2.

(1) The Protection Commission may request relevant materials, such as articles and documents, from a personal information controller in any of the following cases:

1. Where any violation of this Act is found or suspected;
2. Where any violation of this Act is reported or a civil complaint thereon is received;
3. In cases prescribed by Presidential Decree where it is necessary to protect the personal information of data subjects.

(2) Where a personal information controller fails to furnish materials pursuant to paragraph (1) or is regarded as having violated this Act, the Protection Commission may require its public official to enter the offices or places of business of the personal information controller and other persons related to such violation to inspect the status of business operations, ledgers, documents, etc. In such cases, the public official who conducts the inspection shall carry identification verifying his or her authority and show it to relevant persons.

(3) The Protection Commission may request the heads of the following relevant institutions to cooperate in taking prompt and effective measures where any serious personal information breach occurs due to a violation of laws related to the protection of personal information, such as this Act:

1. Central administrative agencies;
2. A local government;
3. Other public institutions having, delegated or entrusted with, administrative authority pursuant to statutes and regulations or municipal ordinances and rules.

(4) The head of a relevant institution who receives a request for cooperation under paragraph (3) shall comply with such request in the absence of special circumstances.

(5) Matters necessary for requests for the submission of materials, procedures and methods for inspection, etc. under paragraphs (1) and (2) may be determined and publicly notified by the Protection Commission.

(6) The Protection Commission shall neither provide any third party with the documents, materials, etc. furnished or collected pursuant to paragraphs (1) and (2), nor disclose them to the general public, except as provided in this Act.

(7) Upon receiving materials via information and communications networks, or digitalizing the collected materials, etc., the Protection Commission shall take systematic and technical supplementary measures to prevent the divulgence of personal information, trade secrets, etc.

(1) In cases not falling under the subparagraphs of Article 63 (1), the Protection Commission may inspect the status of protection of personal information of a personal information controller that is highly susceptible to a personal information breach incident and deemed to need a preliminary inspection of vulnerabilities in the protection of personal information.

(2) The Protection Commission may, if it finds any violation of this Act through a fact-finding inspection under paragraph (1), formulate a correction scheme and recommend that the relevant personal information controller comply with it.

(3) Upon receipt of the recommendation for correction under paragraph (2), a personal information controller shall notify the Protection Commission as to whether it accepts the recommendation within 10 days from the date of receipt of the recommendation, and inform the Protection Commission of the results of the implementation thereof, as prescribed by Notification of the Protection Commission.

(4) When any person upon receipt of the recommendation for correction under paragraph (2) accepts the relevant recommendation, he or she shall be deemed to have received an order for corrective measures (referring to a recommendation under Article 64 (3) in cases of central administrative agencies, local governments, the National Assembly, the Court, the Constitutional Court, and the National Election Commission) under Article 64 (1).

(5) If a person upon receipt of the recommendation for correction under paragraph (2) refuses to accept or fails to comply with the relevant recommendation, the Protection Commission may conduct an inspection under Article 63 (2).

(6) The Protection Commission may inspect the status of personal information protection under paragraph (1) jointly with the head of a relevant central administrative agency.

(1) The Protection Commission may order a person who violates this Act (excluding central administrative agencies, local governments, the National Assembly, the Court, the Constitutional Court, and the National Election Commission) to take the following measures:

1. To suspend personal information breach;
2. To temporarily suspend personal information processing;
3. Other measures necessary to protect personal information and to prevent personal information infringement.

(2) A local government, the National Assembly, the Court, the Constitutional Court, or the National Election Commission may order their affiliated entities and public institutions, which are found to have violated this Act, to take the measures provided in the subparagraphs of paragraph (1).

(3) When a central administrative agency, a local government, the National Assembly, the Court, the Constitutional Court, or the National Election Commission violates this Act, the Protection Commission may recommend that the head of the relevant agency take any of the measures provided in the subparagraphs of paragraph (1). In such cases, upon receiving the recommendation, the agency shall comply therewith unless there is a compelling reason not to do so.

(1) The Protection Commission may impose a penalty surcharge on the relevant personal information controller within the scope not exceeding 3/100 of the total sales, in any of the following cases: Provided, That a penalty surcharge not exceeding two billion won may be imposed in cases prescribed by Presidential Decree where no sales have been made or where it is impracticable to calculate the sales:

1. Where the personal information controller processes personal information, in violation of Article 15 (1), 17 (1), 18 (1) and (2) (including where it is applied mutatis mutandis pursuant to Article 26 (8)), or 19;
2. Where the personal information controller processes personal information of a child under 14 years of age without his or her legal representative’s consent, in violation of Article 22-2 (1) (including where it is applied mutatis mutandis pursuant to Article 26 (8));
3. Where the personal information controller processes sensitive information without the data subject’s consent, in violation of Article 23 (1) 1 (including where it is applied mutatis mutandis pursuant to Article 26 (8));
4. Where the personal information controller processes personally identifiable information or resident registration numbers, in violation of Articles 24 (1) and 24-2 (1) (including where it is applied mutatis mutandis pursuant to Article 26 (8));
5. Where the personal information controller neglects its management, supervision, or education under Article 26 (4), thereby causing the person entrusted to violate this Act;
6. Where the personal information controller processes information to uniquely identify an individual (including where it is applied mutatis mutandis pursuant to Article 26 (8)) in violation of Article 28-5 (1);
7. Where the personal information controller makes cross-border transfers of personal information, in violation of Article 28-8 (1) (including where it is applied mutatis mutandis pursuant to Articles 26 (8) and 28-11);
8. Failing to comply with an order to suspend a cross-border transfer, in violation of Article 28-9 (1) (including where it is applied mutatis mutandis pursuant to Articles 26 (8) and 28-11);
9. Where the personal information processed by the personal information controller is lost, stolen, divulged, forged, altered, or damaged; Provided, That this shall not apply where a personal information controller has taken all measures necessary to ensure safety under Article 29 (including where it is applied mutatis mutandis pursuant to Article 26 (8)) to prevent personal information from being lost, stolen, divulged, forged, altered, or damaged.

(2) Where the Protection Commission intends to impose a penalty surcharge under paragraph (1), it shall calculate the penalty surcharge based on the gross sales net of the sales unrelated to the violation.

(3) Where the Protection Committee intends to impose a penalty surcharge pursuant to paragraph (1), it may calculate the sales based on the gross sales of the personal information controller if the personal information controller refuses to submit sales calculation data or submits false data without good case: Provided, That it may presume sales based on the scale of personal information retained, accounting data such as financial statements, prices of products and services, and other data regarding the business state of a personal information controller with a size similar to that of the relevant personal information controller.

(4) The Protection Commission shall, where it imposes a penalty surcharge under paragraph (1), take into account the following matters to ensure that the penalty surcharge shall be proportional to the violation and be effective in preventing breach:

1. The details and degree of a violation;
2. The duration and frequency of violations;
3. Scale of profits derived from a violation;
4. Efforts to take measures to ensure safety, such as encryption;
5. Where the personal information is lost, stolen, divulged, forged, altered, or damaged, the relation to the violation and the scale of loss, theft, divulgence, forgery, alteration, or damage;
6. Whether measures for recovering from damage and preventing the spread of damage have been taken;
7. The type and volume of work of the personal information controller;
8. Types of personal information processed by a personal information controller and the impact on data subjects;
9. The amount of damage caused by the violation;
10. Efforts for the protection of personal information, including the certification of personal information protection and autonomous protection activities;
11. Whether measures have been taken to rectify violations, including cooperation with the Protection Commission.

(5) The Protection Commission need not impose a penalty surcharge in any of the following cases:

1. Where the person subject to the penalty surcharge is objectively deemed unable to pay the penalty surcharge due to insolvency, suspension of payment, capital impairment, etc.;
2. Where there is good cause for the person subject to the penalty surcharge to mistakenly believe that his or her conduct is not illegal;
3. Where the details and degree of the violation are minor or where the assessed penalty surcharge is small;
4. Where any ground prescribed by Presidential Decree exists, on which the data subject has suffered no or minor damage.

(6) Penalty surcharges under paragraph (1) shall be calculated in consideration of paragraphs (2) through (5), but the detailed calculation criteria and procedures shall be prescribed by Presidential Decree.

(7) If the person subject to the penalty surcharge under paragraph (1) fails to pay it by the payment deadline, the Protection Commission shall collect the additional charge equivalent to 6/100 per annum of the unpaid penalty surcharge from the date following the payment deadline. In such cases, the period for collecting of the additional charge shall not exceed 60 months.

(8) Where a person liable to pay a penalty surcharge under paragraph (1) fails to pay it by the payment deadline, the Protection Commission shall demand payment thereof within a specified period; and where the penalty surcharges and additional charges under paragraph (7) are not paid within the specified period, the Protection Commission shall collect such penalty surcharges in the same manner as national taxes are compulsorily collected.

(9) When the penalty surcharges imposed according to paragraph (1) are refunded for such reasons as a court’s decision, the Protection Commission shall make an additional refund in an amount calculated based on the interest rate prescribed by Presidential Decree in consideration of the deposit interest rates of financial companies, etc., for the period beginning on the date of payment of penalty surcharges and ending on the date of the refund.

(10) Notwithstanding paragraph (9), when a disposition to impose penalty surcharges is revoked due to a court’s decision and new penalty surcharges are imposed based on the reasoning of the decision, additional refunds shall be calculated and paid only with respect to the amount that remains after the newly imposed penalty surcharges are deducted from the penalty surcharges already paid.

(1) When there is deemed substantial ground for suspecting a criminal violation of this Act or other data protection-related statutes, the Protection Commission may make an accusation to the competent investigative agency.

(2) When there is deemed substantial ground for deeming that there has been a violation of this Act or other data protection-related statutes, the Protection Commission may recommend the relevant personal information controller to take disciplinary action against the person responsible for such violation (including the representative and the executive officer in charge). In such cases, upon receiving the recommendation, the relevant personal information controller shall comply therewith, and notify the Protection Commission of the results.

(3) The head of a related central administrative agency may file a criminal complaint against a personal information controller pursuant to paragraph (1), or recommend that the head of an affiliated agency, organization, etc. take disciplinary action pursuant to paragraph (2), in accordance with the statutes under the central administrative agency’s jurisdiction. In such cases, upon receiving the recommendation under paragraph (2), the head of an affiliated agency, organization, etc. shall comply therewith, and notify the head of the related central administrative agency of the results.

(1) The Protection Commission may publish the recommendation for improvement under Article 61; the order to take corrective measures under Article 64; the imposition of penalty surcharges under Article 64- 2; the accusation or recommendation for a disciplinary action under Article 65; and the imposition of administrative fines under Article 75 and the results thereof.

(2) Where the Protection Commission makes dispositions such as a recommendation for improvement under Article 61, an order to take corrective measures under Article 64, the imposition of a penalty surcharge under Article 64-2, an accusation or recommendation for a disciplinary action under Article 65, or a disposition to impose an administrative fine under Article 75, it may order the person who has received such disposition to publish the fact of receiving such disposition.

(3) The method, criteria, procedure, etc. for publishing the fact of receiving a recommendation for improvement, etc. and issuing orders for publication under paragraphs (1) and (2) shall be prescribed by Presidential Decree.

(1) The Protection Commission shall prepare a report each year, based on necessary materials furnished by related agencies, etc., in relation to the establishment and implementation of personal information protection policy measures, and submit (including transmission via an information and communications networks) it to the National Assembly before the opening of the regular session.

(2) The annual report referred to in paragraph (1) shall contain the following matters:

1. Infringement on the rights of data subjects and the status of remedies thereof;
2. Results of fact-finding surveys on personal information processing and the assessments of the level of personal information protection;
3. Status of implementation of the personal information protection policy measures and achievements;
4. Global legislative and policy trends regarding personal information;
5. Status of the enactment and amendment of statutes, Presidential Decrees, the National Assembly Regulations, the Supreme Court Regulations, the Constitutional Court Regulations, the National Election Commission Regulations, and the Board of Audit and Inspection Regulations, in relation to processing of resident registration numbers;
6. Other matters to be disclosed or reported in relation to the personal information protection policy measures.

(1) The authority of the Protection Commission or the head of a related central administrative agency under this Act may in part be delegated or entrusted, as prescribed by Presidential Decree, to the Special Metropolitan City Mayor, Metropolitan City Mayors, Do Governors, Special Self-Governing Province Governors, or the specialized institutions prescribed by Presidential Decree.

(2) The agencies to which the authority of the Protection Commission or the head of a related central administrative agency has been partially delegated or entrusted pursuant to paragraph (1) shall notify the Protection Commission or the head of the related central administrative agency of the results of performing the work delegated or entrusted.

(3) Where delegating or entrusting a part of the authority to a specialized institution pursuant to paragraph (1), the Protection Commission may provide a contribution to the special institution to cover expenses incurred in performing the work.

(1) Among the Commissioners of the Protection Commission, Commissioners other than public officials and employees other than public officials shall be deemed a public official for the purposes of applying penalty under the Criminal Act or other statutes.

(2) Any executive or employee of a relevant agency that performs the works entrusted by the Protection Commission or the head of a related central administrative agency shall be deemed a public official for the purposes of applying Articles 129 through 132 of the Criminal Act.

Any of the following persons shall be punished by imprisonment with labor for not more than 10 years, or by a fine not exceeding 100 million won:

1. A person who causes the suspension, paralysis or other severe hardship of work of a public institution by altering or erasing the personal information processed by the public institution for the purpose of disturbing the personal information processing of such public institution;
2. A person who obtains any personal information processed by third parties by fraud or other improper means or methods and provides it to a third party for a profit-making or unjust purpose, and a person who abets or arranges such conduct.

Any of the following persons shall be punished by imprisonment with labor for not more than five years, or by a fine not exceeding 50 million won:

1. A person who provides personal information to a third party without the consent of a data subject, in violation of Article 17 (1) 1 (including where it is applied mutatis mutandis pursuant to Article 26 (8)) even through Article 17 (1) 2 is not applicable, and a person who knowingly receives such personal information;
2. A person who uses personal information or provides personal information to a third party in violation of Article 18 (1) and (2), 27 (3), 28-2 (including where it is applied mutatis mutandis pursuant to Article 26 (8)), 19, or 26 (5) and a person who knowingly receives such personal information for a profitmaking or improper purposes;
3. A person who collects personal information of a child under 14 years of age without his or her legal representative’s consent, in violation of Article 22-2 (1) (including where it is applied mutatis mutandis pursuant to Article 26 (8));
4. A person who processes sensitive information, in violation of Article 23 (1) (including where it is applied mutatis mutandis pursuant to Article 26 (8));
5. A person who processes personally identifiable information, in violation of Article 24 (1) (including where it is applied mutatis mutandis pursuant to Article 26 (8));
6. A person who consolidates pseudonymized information without having been designated as a specialized institution by the Protection Commission or the head of a relevant central administrative agency, in violation of Article 28-3 (1) (including where it is applied mutatis mutandis pursuant to Article 26 (8));
7. A person who transfers combined information to outside the institution that has performed the combination without obtaining approval therefor from the head of the specialized institution, or provides a third party with such information, in violation of Article 28-3 (2) (including where it is applied mutatis mutandis pursuant to Article 26 (8)), or a person who knowingly receives such combined information for profit-making or improper purposes;
8. A person who processes pseudonymized information for the purpose of uniquely identifying an individual, in violation of Article 28-5 (1) (including where it is applied mutatis mutandis pursuant to Article 26 (8));
9. A person who divulges personal information acquired in the course of performing his or her work or provides it for any other person's use without authority in violation of subparagraph 2 of Article 59, and a person who knowingly receives such personal information for a profit-making or improper purposes;
10. A person who uses, damages, destroys, alters, forges, or divulges any other person's personal information, in violation of subparagraph 3 of Article 59.

Any of the following persons shall be punished by imprisonment with labor for not more than three years, or by a fine not exceeding 30 million won:

1. A person who arbitrarily manipulates a fixed visual data processing device for purposes other than those for which the device was installed, directs such device toward different spots, or uses sound recording functions, in violation of Article 25 (5) (including where it is applied mutatis mutandis pursuant to Article 26 (8));
2. A person who acquires personal information or obtains consent to personal information processing by fraud or other improper means in violation of subparagraph 1 of Article 59, and a person who knowingly receives such personal information for a profit-making or improper purpose;
3. A person who divulges confidential information acquired while performing his or her duties, or uses such information for purposes other than for the purpose of discharging his or her duties in violation of Article 60.

(1) Any of the following persons shall be punished by imprisonment with labor for not more than two years or by a fine not exceeding 20 million won:

1. A person who fails to take necessary measures, such as correction and erasure, in violation of Article 36 (2) (including where it is applied mutatis mutandis pursuant to Article 26 (8)), and keeps on using the personal information or provides it to a third party;
2. A person who fails to suspend the processing of personal information, in violation of Article 37 (2) (including where it is applied mutatis mutandis pursuant to Article 26 (8)), and keeps on using the personal information or provides it to a third party;
3. Any person who fails to comply with a confidentiality order under Article 39-4 in or outside Korea without good cause;
4. A person who refuses to submit materials or submits false materials in response to a request for the submission of materials under Article 63 (1) (including where it is applied mutatis mutandis pursuant to Article 26 (8)) for the purpose of concealing or understating violations of the Act;
5. A person who refuses, obstructs, or evades an investigation by concealing, discarding, or refusing access to, materials, or by forging or falsifying, etc. materials during an entry and inspection conducted pursuant to Article 63 (2) (including where it is applied mutatis mutandis pursuant to Article 26 (8)).

(2) No prosecution against a crime under paragraph (1) 3 shall be instituted without a criminal complaint is filed by a person who has requested a confidentiality order.

(1) If the representative of a corporation, or an agent or employee of, or any other person employed by, a corporation or an individual commits any of the offenses provided for in Article 70 in connection with the business affairs of the corporation or individual, not only shall such offender be punished, but also the corporation or individual shall be punished by a fine not exceeding 70 million won: Provided, That this shall not apply where such corporation or individual has not been negligent in taking due care and supervisory activities concerning the relevant affairs to prevent such offense.

(2) If the representative of a corporation, or an agent or employee of, or any other person employed by, a corporation or an individual commits any of the offenses provided for in Articles 71 through 73 in connection with the business affairs of the corporation or individual, not only shall such offender be punished, but also the corporation or individual shall be punished by a fine prescribed in the relevant Article: Provided, That the same shall not apply where such corporation or individual has not been negligent in taking due care and supervisory activities concerning the relevant affairs to prevent such offense.

Any money or goods or other profits acquired by a person who has violated Articles 70 through 73 in relation to such violation may be confiscated, or, if confiscation is impossible, the value thereof may be collected. In such cases, such confiscation or collection may be levied in addition to other penalty provisions.

(1) Any of the following persons shall be subject to an administrative fine not exceeding 50 million won:

1. A person who installs and operates a fixed visual data processing device, in violation of Article 25 (2) (including where it is applied mutatis mutandis pursuant to Article 26 (8));
2. A person who takes photographs of a person or thing related to such person with a mobile visual processing device, in violation of Article 25-2 (2) (including where it is applied mutatis mutandis pursuant to Article 26 (8)).

(2) Any of the following persons shall be subject to an administrative fine not exceeding 30 million won:

1. A person who refuses to provide goods or services, in violation of Article 16 (3) or 22 (5) (including where it is applied mutatis mutandis pursuant to 26 (8));
2. A person who fails to notify a data subject of the facts provided in the subparagraphs of Article 20 (1), in violation of paragraphs (1) or (2) of that Article;
3. A person who fails to notify a data subject of the details of the use and provision of personal information or the method of accessing the information system through which such details can be confirmed, in violation of Article 20-2 (1);
4. A person who fails to take necessary measures, such as destroying personal information, in violation of Article 21 (1) (including where it is applied mutatis mutandis pursuant to Article 26 (8));
5. A person who fails to take measures necessary to ensure safety, in violation of Article 23 (2), 24 (3), or 25 (6) (including where it is applied mutatis mutandis pursuant to Article 25-2 (4)), or Article 28-4 (1), or 29 (including where it is applied mutatis mutandis pursuant to Article 26 (8));
6. A person who fails to communicate to the data subject the possibility of disclosure of sensitive information and the method of selecting non-disclosure, in violation of Article 23 (3) (including where it is applied mutatis mutandis pursuant to Article 26 (8));
7. A person who processes resident registration numbers, in violation of Article 24-2 (1) (including where it is applied mutatis mutandis pursuant to Article 26 (8));
8. A person who fails to take encryption measures, in violation of Article 24-2 (2) (including where it is applied mutatis mutandis pursuant to Article 26 (8));
9. A person who fails to provide data subjects with an alternative sign-up tool without using their resident registration numbers, in violation of Article 24-2 (3) (including where it is applied mutatis mutandis pursuant to Article 26 (8));
10. A person who installs and operates a fixed visual data processing device, in violation of Article 25 (1) (including where it is applied mutatis mutandis pursuant to Article 26 (8));
11. A person who takes photographs of a person or a thing related to such person, in violation of Article 25-2 (1) (including where it is applied mutatis mutandis pursuant to Article 26 (8));
12. A person who fails to notify a data subject of the matters he or she is required to notify, in violation of Article 26 (3);
13. A person who fails to cease the use of, to retrieve or to destroy, information even if information that can uniquely identify an individual has been generated, in violation of Article 28-5 (2) (including where it is applied mutatis mutandis pursuant to Article 26 (8));
14. A person who fails to take protective measures, in violation of Article 28-8 (4) (including where it is applied mutatis mutandis pursuant to Articles 26 (8) and 28-11);
15. A person who indicates or promotes the details of certification despite a failure to obtain such certification, in violation of Article 32-2 (6);
16. A person who fails to conduct a privacy impact assessment or to submit the results thereof to the Protection Commission, in violation of Article 33 (1);
17. A person who fails to notify a data subject of the facts provided in the subparagraphs of Article 34 (1) (including where it is applied mutatis mutandis pursuant to Article 26 (8)), in violation of that paragraph;
18. A person who fails to file a report with the Protection Commission or a specialized institution prescribed by Presidential Decree, in violation of Article 34 (3) (including where it is applied mutatis mutandis pursuant to Article 26 (8));
19. A person who limits or denies access, in violation of Article 35 (3) (including where it is applied mutatis mutandis pursuant to Article 26 (8));
20. A person who performs work under Article 35-3 (1) 2 without obtaining designation under that paragraph;
21. A person who violates Article 35-3 (3);
22. A person who fails to take necessary measures, such as correction or erasure, in violation of Article 36 (2) (including where it is applied mutatis mutandis pursuant to Article 26 (8));
23. A person who fails to take necessary measures, such as destruction, in violation of Article 37 (3) or (5) (including where it is applied mutatis mutandis pursuant to Article 26 (8));
24. A person who fails to comply with a request by a data subject without good cause, in violation of Article 37-2 (3) (including where it is applied mutatis mutandis pursuant to Article 26 (8));
25. Any person who fails to submit or falsely submits materials, including articles and documents related thereto under Article 63 (1) (including where it is applied mutatis mutandis pursuant to Article 26 (8));
26. A person who refuses, obstructs, or evades an entry and inspection, in violation of Article 63 (2) (including where it is applied mutatis mutandis pursuant to Article 26 (8));
27. A person who fails to comply with an order to take corrective measures under Article 64 (1).

(3) Any of the following persons shall be subject to an administrative fine not exceeding 20 million won:

1. A person who re-entrusts a third party with entrusted work without consent of the person entrusting, in violation of Article 26 (6);
2. A person who fails to designate a domestic agent, in violation of Article 31-2 (1).

(4) Any of the following persons shall be subject to an administrative fine not exceeding 10 million won:

1. A person who fails to submit materials without good cause or who submits false materials, in violation of Article 11-2 (2);
2. A person who fails to separately store and manage personal information, in violation of Article 21 (3) (including where it is applied mutatis mutandis pursuant to Article 26 (8));
3. A person who obtains consent, in violation of Article 22 (1) through (3) (including where it is applied mutatis mutandis pursuant to Article 26 (8));
4. A person who, when entrusting work, fails to do so in a document stating the matters provided in Article 26 (1), in violation of that paragraph;
5. A person who fails to disclose the entrusted work and the person entrusted in violation of Article 26 (2);
6. A person who fails to notify the data subject of the fact of transfer of personal information, in violation of Article 27 (1) or (2) (including where it is applied mutatis mutandis pursuant to 26 (8));
7. A person who fails to prepare and retain relevant records, in violation of Article 28-4 (2) (including where it is applied mutatis mutandis pursuant to Article 26 (8));
8. A person who fails to establish or disclose, the Privacy Policy, in violation of Article 30 (1) or (2) (including where it is applied mutatis mutandis pursuant to Article 26 (8));
9. A person who fails to designate a privacy officer, in violation of Article 31 (1) (including where it is applied mutatis mutandis pursuant to Article 26 (8));
10. A person who fails to notify a data subject of the matters he or she is required to notify, in violation of Article 35 (3) and (4), 36 (2) and (4), or 37 (4) (including where it is applied mutatis mutandis pursuant to Article 26 (8));
11. A person who fails to submit materials provided in Article 45 (1) without good cause or who submits false materials;
12. A person who refuses, obstructs, or evades an entry, inspection, or access under Article 45 (2), without good cause.

(5) The Protection Commission shall impose and collect administrative fines under paragraphs (1) through (4), as prescribed by Presidential Decree. In such cases, the Protection Commission may reduce or exempt administrative fines based on the degree of, motives for, and consequences of the violation, the size of the personal information controller, etc.

For the purposes of applying the provisions governing administrative fines provided in Article 75, no additional administrative fine shall be imposed for any act subject to penalty surcharges pursuant to Article 64-2.

The purpose of this Decree is to prescribe matters mandated by the Personal Information Protection Act and matters necessary for the enforcement thereof.

“National agencies and public entities prescribed by Presidential Decree” in subparagraph 6 (b) of Article 2 of the Personal Information Protection Act (hereinafter referred to as the “Act”) means:

1. The National Human Rights Commission of Korea established under Article 3 of the National Human Rights Commission of Korea Act;
   1-2. The Corruption Investigation Office for High-Ranking Officials under Article 3 (1) of the Act on the Establishment and Operation of the Corruption Investigation Office for High-Ranking Officials;
2. Public institutions provided for in Article 4 of the Act on the Management of Public Institutions;
3. Local government-invested public corporations and local government public corporations established under the Local Public Enterprises Act;
4. Special corporations incorporated under any special Act;
5. Schools of each level established under the Elementary and Secondary Education Act, the Higher Education Act, and under any other statutes.

(1) “Devices prescribed by Presidential Decree” in subparagraph 7 of Article 2 of the Act means the following:

1. A closed-circuit television means either of the following devices:
   • (a) A device that takes pictures, etc. continuously or regularly through a camera installed at a certain place, or transmits such pictures, etc. to a specified place via transmission channel of wired or wireless closed circuits, etc.;
   • (b) A device that can videotape or record the visual data photographed or transmitted under item (a);
2. A network camera means a device with which a person who installs or manages such device can collect, store, or otherwise process visual data filmed continuously or regularly through a device installed at a certain place, via the wired or wireless Internet at any place.

(2) "Device prescribed by Presidential Decree" in subparagraph 7-2 of Article 2 of the Act means the following:

1. A wearable device: A device, such as eyeglasses or a watch, which is worn on the body or clothes of a person to take pictures, etc. or to collect, store, or transmit such pictures, etc.;
2. A portable device: A device, such as a mobile communications terminal or a digital camera, which a person carries to take pictures, etc. or to collect, store, or transmit such pictures, etc.;
3. An attachable or mountable device: A device that is attached to or mounted on a movable object, such as a vehicle or drone, to take pictures, etc. or to collect, store, or transmit such pictures, etc.

The Commissioners of the Personal Information Protection Commission (hereinafter referred to as the “Protection Commission”) provided for in Article 7 (1) of the Act shall not engage in any of the following work for the purpose of making profits in accordance with Article 7-6 (1) of the Act:

1. Work related to the matters to be deliberated and resolved by the Protection Commission in accordance with Article 7-9 (1) of the Act;
2. Work related to the matters to be mediated by the Personal Information Dispute Mediation Committee referred to in Article 40 (1) of the Act (hereinafter referred to as the “Dispute Mediation Committee”).

(1) The Protection Commission shall establish an expert committee for each of the following sectors (hereinafter referred to as “expert committee”) to professionally conduct a preliminary review on the matters to be deliberated and resolved on under Article 7-9 (1) of the Act:

1. Cross-border transfer of personal information;
2. Other sectors deemed necessary by the Protection Commission.

(2) An expert committee established under paragraph (1) shall be composed of up to 20 members with gender equality being taken into consideration, including one chairperson, who are designated or commissioned by the Chairperson of the Protection Commission from among the following persons; and the chairperson of the expert committee shall be designated by the Chairperson of the Protection Commission from among the expert committee members:

1. Commissioners of the Protection Commission;
2. Public officials of a central administrative agency who are responsible for personal information protection-related work;
3. Persons with abundant expertise and experience in personal information protection;
4. Persons belonging to, or recommended by, personal information protection-related organizations or trade associations.

(3) Except as provided in paragraphs (1) and (2), matters necessary for the composition, operation, etc. of expert committees shall be determined by the Chairperson of the Protection Commission subject to resolution by the Protection Commission.

(1) For the consistent implementation of personal information protection policies, and to facilitate consultation among relevant central administrative agencies with respect to matters related to the protection of personal information, the Personal Information Protection Policy Council (hereinafter referred to as the “Policy Council”) may be established within the Protection Commission.

(2) The Policy Council shall discuss the following matters:

1. Major personal information protection policies, including the Master Plan for the protection of personal information under Article 9 of the Act and the implementation plan under Article 10 of the Act;
2. The enactment and amendment of major statutes or regulations related to the protection of personal information;
3. Cooperation and coordination of opinions on major personal information protection policies;
4. The prevention of and response to personal information breach incidents;
5. The development of technology and professional workforce for the protection of personal information;
6. Other matters requiring consultation among relevant central administrative agencies in connection with the protection of personal information.

(3) The Policy Council shall be comprised of the Senior Executive Service members of the relevant central administrative agencies or equivalent public officials in charge of work related to personal information protection, and they shall be appointed by the head of the relevant central administrative agencies, but the chairperson of the Policy Council (hereinafter referred to as the “Chairperson” in this Article) shall be the Vice Chairperson of the Protection Commission.

(4) If necessary to do the work, the Policy Council may have working-level councils or sector-specific councils.

(5) The chairpersons of the sector-specific councils and working-level councils shall be the Protection Commission’s public officials designated by the Chairperson of the Protection Commission.

(6) If necessary to do the work, the Policy Council, and working-level councils and sector-specific councils may request attendance, submission of materials or opinions, or other necessary cooperation from the related agency, organization, expert, etc.

(7) Except as provided in paragraphs (1) through (6), matters necessary for the operation of the Policy Council shall be determined by the chairperson through a resolution of the Policy Council.

(1) In order to efficiently implement personal information protection policies and strengthen autonomous protection of personal information, each Special Metropolitan City, Metropolitan City, Special SelfGoverning City, Do and Special Self-Governing Province (hereinafter collectively referred to as “City/ Do”) may have a City/Do inter-agency personal information protection council (hereinafter referred to as the “City/Do Council”).

(2) The City/Do Councils shall discuss the following matters:

1. Personal information protection policies of the City/Do;
2. Collection and delivery of opinions from/to related agencies/organizations;
3. Sharing of best practices on protecting personal information;
4. Other matters requiring discussion at the City/Do Councils in relation to the protection of personal information.

(3) Except as provided in paragraphs (1) and (2), matters necessary for the composition and operation of a City/Do Council shall be determined by the ordinance of City/Do.

Meetings of the Protection Commission shall be open to the public: Provided, that a meeting may be held as a closed session, if deemed necessary by the Chairperson of the Protection Commission.

The Protection Commission may request a public institution to dispatch a public official, executive officer, or employee who works for the public institution, where it deems necessary to perform its work.

A Commissioner who attends a meeting of the Protection Commission, the expert committee, or the Policy Council; or a person who attends a meeting of the Protection Commission, the expert committee, or the Policy Council pursuant to Article 7-9 (2) of the Act may be paid allowances, travel expenses, and other necessary costs within budgetary limits: Provided, that this shall not apply where any public official attends a meeting directly related with his or her own work.

(1) The Protection Commission shall advise the improvement of policies, systems, statutes, and regulations to the relevant agency pursuant to Article 7-9 (4) of the Act, along with the details of and reasons for such improvement.

(2) The Protection Commission may request the relevant agency to submit materials about the results of the implementation of its advice in order to examine whether such advice has been implemented pursuant to Article 7-9 (5) of the Act.

(1) The head of a central administrative agency who intends to request an assessment of personal information breach incident factors pursuant to Article 8-2 (1) of the Act (hereinafter referred to as “assessment of personal information breach incident factors”) shall submit to the Protection Commission a written request (or an electronic request form) for an assessment of personal information breach incident factors which contains the following matters:

1. The purposes and major contents of the policy and systems in need of personal information processing to be adopted or changed by the statutes or regulations (including the draft);
2. Self-analysis of personal information breach incident factors with respect to the matters prescribed in paragraph (2) following the adoption and change of the policy and system in need of personal information processing;
3. Measures to protect personal information following the adoption and change of the policy and system in need of personal information processing.

(2) Upon receipt of a written request under paragraph (1), the Protection Commission shall assess data breach incident factors taking into account the following matters, and shall notify the result thereof to the head of the related central administrative agency:

1. Necessity for processing personal information;
2. Appropriateness of guarantees for the rights of data subjects;
3. Safety in the management of personal information;
4. Other matters necessary to assess data breach incident factors.

(3) The head of a central administrative agency who has been advised as prescribed in Article 8-2 (2) of the Act shall endeavor to implement as advised, such as incorporating such advice in the relevant draft statute or regulation: Provided, that where it is impracticable to implement as advised by the Protection Commission, the reason therefor shall be notified to the Protection Commission.

(4) The Protection Commission may request materials necessary to assess data breach incident factors from the head of the related central administrative agency.

(5) The Protection Commission may establish guidelines necessary to assess data breach incident factors, including detailed criteria for and methods of the assessment of data breach incident factors; and shall notify the heads of central administrative agencies of the guidelines.

(6) The Protection Commission may seek counsel, etc. from relevant experts where necessary to assess data breach incident factors.

(1) The Protection Commission shall establish a Master Plan to protect personal information under Article 9 of the Act (hereinafter referred to as “Master Plan”) every three years no later than June 30 of the year preceding the start of the third-year plan.

(2) To establish the Master Plan pursuant to paragraph (1), the Protection Commission may receive subplans by sector, in which mid- and long-term plans, policies, etc. related to personal information protection are reflected, from the heads of the related central administrative agencies, and may reflect them in the Master Plan. In such cases, the Protection Commission shall consult with the heads of the related central administrative agencies about the goals of the Master Plan, intended directions, guidelines to prepare subplans by sector, and other relevant matters.

(3) Upon finalizing the Master Plan, the Protection Commission shall notify the heads of the related central administrative agencies of the Master Plan without delay.

(1) The Protection Commission shall develop guidelines on how to establish implementation plans for the next year no later than June 30 each year, and notify the heads of the related central administrative agencies of such guidelines.

(2) The head of a related central administrative agency shall establish the implementation plan for the sector under his or her jurisdiction, to be implemented during the following year based upon the Master Plan according to the guidelines notified under paragraph (1); and shall submit the same to the Protection Commission no later than September 30 each year.

(3) The Protection Commission shall deliberate and resolve on the implementation plans submitted pursuant to paragraph (2) no later than December 31 of that year.

(1) The Protection Commission may request materials or opinions regarding the following from a personal information controller pursuant to Article 11 (1) of the Act:

1. Matters concerning the management of personal information and personal information files processed by the personal information controller and the installation and operation of fixed or mobile visual data processing devices;
2. Matters concerning whether the privacy officer has been designated pursuant to Article 31 of the Act;
3. Matters concerning technical, managerial, and physical measures to ensure the safety of personal information;
4. Matters concerning access by data subjects, requests for correction, deletion, suspension of personal information processing, and the status of measures taken;
5. Other matters necessary to establish and implement a Master Plan, such as compliance with the Act and this Decree.

(2) When requesting materials, opinions, etc. pursuant to paragraph (1), the Protection Commission shall request the same to the minimum extent necessary to efficiently establish and implement the Master Plan.

(3) Paragraphs (1) and (2) shall apply mutatis mutandis where the head of a central administrative agency requests materials, etc. from a personal information controller under his or her jurisdiction pursuant to Article 11 (3) of the Act. In such cases, the “Protection Commission” shall be construed as the “head of a central administrative agency”, and “Article 11 (1) of the Act” as “Article 11 (3) of the Act”, respectively.

The Protection Commission may provide necessary support to agencies and organizations related to the protection of personal information within budgetary limits to promote self-regulating data-protection activities of personal information controllers pursuant to subparagraph 2 of Article 13 of the Act.

(1) If a personal information controller uses or provides personal information (hereinafter referred to as “additional use or provision of personal information”) without the consent of the data subject in accordance with Article 15 (3) or Article 17 (4) of the Act, the personal information controller shall consider the following matters:

1. Whether it is reasonably related to the original purpose for which the personal information was collected;
2. Whether additional use or provision of personal information is foreseeable in light of the circumstances under which the personal information was collected and processing practices;
3. Whether additional use or provision of personal information does not unfairly infringe on the interests of the data subject;
4. Whether the measures required to ensure safety such as pseudonymization or encryption have been taken.

(2) Where additional use or provision of personal information continues to take place, a personal information controller shall disclose the criteria for assessing the matters referred to in the subparagraphs of paragraph (1) in the Privacy Policy under Article 30 (1) of the Act, and a privacy officer under Article 31 (1) of the Act shall check whether the personal information controller is using or providing additional personal information in accordance with the relevant criteria.

Where a public institution uses personal information for other than the intended purpose, or provides it to a third party pursuant to Article 18 (2) of the Act, it shall record the following in the Register for Control of Out-of-Purpose Use or Provision of Personal Information in the form prescribed by Notification of the Protection Commission; and shall manage the Register:

1. The name of the personal information or personal information file to be used or provided;
2. The name of the institution that uses, or is provided with, personal information;
3. The purpose of use or provision;
4. The statutory ground for such use or provision;
5. Particulars of personal information to be used or provided;
6. The date, frequency, or period for using or providing personal information;
7. Methods of use or provision of personal information;
8. Any limitation or necessary measure that the personal information controller has requested from the recipient pursuant to Article 18 (5) of the Act.

(1) “Personal information controller satisfying the criteria prescribed by Presidential Decree” in the main clause of Article 20 (2) of the Act means any of the following personal information controllers; in such cases, the number of data subjects prescribed in the following shall be calculated based on the daily average during the immediately preceding three months as of the end of the previous year:

1. A person who processes sensitive information defined in Article 23 of the Act (hereinafter referred to as “sensitive information”) or personally identifiable information defined in Article 24 (1) of the Act (hereinafter referred to as “personally identifiable information”) of at least 50 thousand data subjects;
2. A person who processes personal information of at least one million data subjects.

(2) A personal information controller who falls under any subparagraph of paragraph (1) shall notify data subjects of the matters referred to in the subparagraphs of Article 20 (1) of the Act by any of the following methods within three months from the date of being provided with their personal information: Provided, that where the personal information controller is regularly provided with and processes personal information at least twice a year to the extent that the personal information controller has obtained consent from the data subjects under Article 17 (1) 1 of the Act about the matters prescribed in Article 17 (2) 1 through 4 of the Act, he or she shall notify the data subjects within three months from the date of being provided with their personal information, or at least once a year counting from the date of the consent:

1. A method by which the data subjects can easily confirm the details of the notification, such as in writing, electronic mail, telephone, or text message;
2. Giving notification in the course of providing goods or services through a notification window so that the data subjects can easily recognize the relevant matters.

(3) A personal information controller may notify the matters regarding the source of collected personal information, etc. pursuant to Article 20 (2) of the Act while notifying the details of the use and provision of personal information under Article 20-2 (1) of the Act.

(4) A personal information controller specified in any subparagraph of paragraph (1) who has made notification under paragraph (2) shall retain and manage the following matters until the relevant personal information is destroyed pursuant to Article 21 or 37 (5) of the Act:

1. The fact that data subjects are notified;
2. When notification is made; 3. How notification is made.

(1) "Personal information controller who meets the criteria prescribed by Presidential Decree" in the main clause of Article 20-2 (1) of the Act means any of the following personal information controllers; in such cases, the number of data subjects prescribed in the following subparagraphs shall be calculated based on the daily average during the immediately preceding three months as of the end of the previous year:

1. A person who processes sensitive information or personally identifiable information of at least 50 thousand data subjects;
2. A person who processes personal information of at least one million data subjects.

(2) A data subject to be given notification under Article 20-2 (1) of the Act shall be a data subject except the following:

1. A data subject who expresses his or her intention to refuse notification;
2. Where a personal information controller processes the personal information of executive officers and employees under his or her control to perform his or her work, the relevant data subject;
3. Where a personal information controller processes the personal information of executive officers or employees of other public institutions, corporations, or organizations or individuals, including their contact information, to perform his or her work, the relevant data subject;
4. A data subject of personal information that is used or provided under provisions otherwise provided in statutes or for the purpose of complying with legal obligations;
5. A data subject of personal information that is used or provided by public institutions for the purpose of performing their work prescribed in statutes, regulations, etc.

(3) Information to be notified to data subjects under Article 20-2 (1) of the Act shall be as follows:

1. The purpose of collecting and using personal information and the particulars of the personal information collected and used;
2. A third party provided with personal information, the purpose of providing the personal information, and the particulars of the personal information provided: Provided, That excluded herefrom shall be information provided under Articles 13, 13-2, and 13-4 of the Protection of Communications Secrets Act and Article 83 (3) of the Telecommunications Business Act.

(4) Notification under Article 20-2 (1) of the Act shall be given at least once a year by any of the following methods:

1. A method by which a data subject can easily confirm the details of notification, such as in writing, electronic mail, telephone, or text message;
2. Giving notification in the course of providing goods or services through a notification window so that a data subject can easily recognize the relevant details (limited to where notification is given regarding the methods of accessing the information system through which the details of the use and provision of personal information are confirmed under Article 20-2 (1) of the Act).

(1) A personal information controller shall destroy personal information pursuant to Article 21 of the Act by the following methods:

1. Personal information in electronic files shall be permanently deleted so that it cannot be restored: Provided, That where it is substantially impracticable to permanently delete the files due to technical characteristics, the personal information controller shall take measures to make it impossible to restore the information by treating it as information falling under Article 58-2 of the Act;
2. Other records, printouts, paper documents, and media containing personal information, other than those referred to in subparagraph 1, shall be shredded or incinerated.

(2) Detailed matters concerning the safe destruction of personal information subject to paragraph (1) shall be prescribed by Notification of the Protection Commission.

(1) A personal information controller shall meet all of the following requirements when obtaining consent from a data subject to the processing of his or her personal information pursuant to Article 22 of the Act:

1. The data subject shall be able to decide whether to give his or her consent based on his or her free will;
2. Details requiring the consent of the data subject shall be specific and clear;
3. The personal information controller shall use phrases that are easily readable and understandable for the relevant details;
4. The personal information controller shall provide the data subject with the methods of clearly indicating whether to give consent.

(2) A personal information controller shall obtain consent from a data subject to the processing of his or her personal information pursuant to Article 22 of the Act by any of the following methods:

1. To issue a document stating the matters requiring consent, either in person or by mail or facsimile, to the data subject, and obtain a written consent on which the data subject has affixed his or her signature or seal;
2. To inform the data subject of the matters requiring consent, and confirm his or her intent of consent by telephone;
3. To inform the data subject of the matters requiring consent by telephone, have the data subject confirm the matters requiring his or her consent posted on a designated website, etc.; and reconfirm his or her intent of consent by telephone;
4. To post the matters requiring consent on a designated website, etc., and have the data subject express his or her consent thereto;
5. To send an electronic mail containing the matters requiring consent to the data subject, and receiving an e-mail indicating his or her consent thereto;
6. Other methods to inform the data subject of the matters requiring consent by a method similar to those referred to in subparagraphs 1 through 5 and confirm his or her intent of consent.

(3) “Important matters prescribed by Presidential Decree” in Article 22 (2) of the Act means the following:

1. The fact that a data subject may be contacted to promote goods or services or solicit purchase thereof using the data subject’s personal information with respect to the purpose of collecting and using personal information;
2. The following matters with respect to the particulars of personal information to be processed:
   • (a) Sensitive information;
   • (b) Passport numbers, driver’s license numbers, and alien registration numbers as set forth in subparagraphs 2 through 4 of Article 19;
3. The period for retaining and using personal information (in the case of provision, meaning the period for retaining and using personal information by the recipient);
4. The recipient of personal information and the purpose for which the recipient of the personal information uses such information.

(4) Where a personal information controller intends to obtain consent from a data subject under the subparagraphs of Article 22 (1) of the Act, he or she shall clearly indicate the fact that the data subject may choose whether to give consent.

(5) “Means prescribed by Presidential Decree” in the former part of Article 22 (3) of the Act means in writing, or by electronic mail, facsimile, telephone, or text message, or any other means equivalent thereto (hereinafter referred to as “in writing, etc.”).

(6) The head of a central administrative agency may establish the standards for appropriate methods of obtaining consent, out of the various methods of consent stated in paragraph (2), through the personal information protection guidelines under Article 12 (2) of the Act (hereinafter referred to as “personal information protection guidelines”), in consideration of the work of each personal information controller under his or her jurisdiction, the characteristics of their business, the number of data subjects, etc., and may encourage personal information controllers to obtain consent in accordance with such standards

(1) A personal information controller shall confirm whether a legal representative has granted consent pursuant to Article 22-2 (1) of the Act by any of the following methods:

1. Requesting the legal representative to indicate whether to give consent on the website where matters requiring consent are posted, and informing him or her by mobile phone text message that the personal information controller confirms the indication of the consent;
2. Requesting the legal representative to indicate whether to give consent on the website where matters requiring consent are posted, and being provided with information on his or her card, such as a credit card or debit card;
3. Requesting the legal representative to indicate whether to give consent on the website where matters requiring consent are posted, and verifying the identity of the legal representative through identity verification on his or her mobile phone;
4. Issuing the legal representative a document specifying matters requiring consent, either in person or by mail or fax, and requesting him or her to submit the document after signing and affixing seal on it with respect to such matters;
5. Sending the legal representative an electronic mail that specifies matters requiring consent, and requesting him or her to send an electronic mail with consent indicated;
6. Notifying the legal representative of matters requiring consent by telephone to obtain consent, or providing him or her with information on the methods of confirming matters requiring consent, such as via the Internet address, to obtain consent by telephone;
7. Other methods equivalent to those prescribed in subparagraphs 1 through 6 by which matters requiring consent are notified to the legal representative and an indication of his or her consent is confirmed.

(2) "Information prescribed by Presidential Decree" in Article 22-2 (2) of the Act means information on the name and contact details of a legal representative.

(3) Where it is impracticable for a personal information controller to indicate all matters requiring consent due to the characteristics of a medium by which personal information is collected, the personal information controller may provide a legal representative with information on the methods of confirming matters requiring consent, such as the Internet address or the telephone number of the place of business.

“Information prescribed by Presidential Decree” in the main clause, with the exception of the subparagraphs, of Article 23 (1) of the Act means the following data or information: Provided, that where the public institutions process any of the following data or information pursuant to Article 18 (2) 5 through 9 of the Act, the said information shall be excluded herefrom:

1. DNA information acquired from genetic testing, etc.;
2. Data that constitute a criminal history record defined in subparagraph 5 of Article 2 of the Act on the Lapse of Criminal Sentences;
3. Personal information resulting from specific technical processing of data relating to the physical, physiological or behavioral characteristics of an individual for the purpose of uniquely identifying that individual;
4. Personal information revealing racial or ethnic origin.

“Information prescribed by Presidential Decree” in the provisions, with the exception of the subparagraphs, of Article 24 (1) of the Act means any of the following information: Provided, that such information does not include any of the following information processed by the public institutions pursuant to Article 18 (2) 5 through 9 of the Act:

1. Resident registration numbers under Article 7-2 (1) of the Resident Registration Act;
2. Passport numbers under Article 7 (1) 1 of the Passport Act;
3. Driver’s license numbers under Article 80 of the Road Traffic Act; 4. Alien registration numbers under Article 31 (5) of the Immigration Act.

(1) Article 30 shall apply mutatis mutandis to measures to ensure the safety of personally identifiable information under Article 24 (3) of the Act. In such cases, “Article 29 of the Act” shall be construed as “Article 24 (3) of the Act”; and “personal information” as “personally identifiable information”, respectively.

(2) “Personal information controller meeting the criteria prescribed by Presidential Decree” in Article 24 (4) of the Act means any of the following personal information controllers:

1. A public institution;
2. A person who processes personally identifiable information of at least 50 thousand data subjects.

(3) The Protection Commission shall inspect, at least once every two years, whether the personal information controllers who falls under any subparagraph of paragraph (2) have taken measures necessary to ensure safety pursuant to Article 24 (4) of the Act.

(4) The inspection referred to in paragraph (3) shall be conducted by requiring the personal information controllers provided for in paragraph (2) to submit necessary material online or in writing.

(5) “Specialized institutions prescribed by Presidential Decree” in Article 24 (5) of the Act means any of the following institutions:

1. The Korea Internet and Security Agency established under Article 52 of the Act on Promotion of Information and Communications Network Utilization and Information Protection. (hereinafter referred to as the “Korea Internet and Security Agency”);
2. A corporation, organization, or institution determined and prescribed by Notification of the Protection Commission as deemed to have technical and financial capacity and equipment to conduct the inspection pursuant to Article 24 (4) of the Act.

(1) Any personal information controller who retains resident registration numbers by electronic means shall take encryption measures pursuant to Article 24-2 (2) of the Act.

(2) The encryption of resident registration numbers by a personal information controller under paragraph (1) shall start from one of the following dates:

1. As to the personal information controllers who retain the resident registration numbers of less than one million data subjects: January 1, 2017;
2. As to the personal information controllers who retain the resident registration numbers of at least one million data subjects: January 1, 2018.

(3) The Protection Commission may determine and publicly notify the detailed matters regarding encryption measures under paragraph (1), taking into account the technical and economic feasibility and other factors.

(1) "Cases prescribed by Presidential Decree" in Article 25 (1) 6 of the Act means any of the following cases:

1. Where any photographed visual data is temporarily processed to compute statistical values or statistical characteristic values, such as the number, genders, and ages of visitors;
2. Other cases equivalent to that prescribed in subparagraph 1, which have been deliberated and resolved on by the Protection Commission.

(2) “Facilities prescribed by Presidential Decree” in the proviso of Article 25 (2) of the Act means the following facilities:

1. Correctional facilities defined in subparagraph 1 of Article 2 of the Execution of Sentences and Treatment of Inmates;
2. Mental medical institutions (with accommodation facilities), mental treatment facilities, and mental patient rehabilitation facilities defined in subparagraph 5 through 7 of Article 3 of the Act on the Improvement of Mental Health and the Support for Welfare Services for Mental Patients.

(3) The head of a central administrative agency may establish a Privacy Policy which includes the detailed matters necessary to minimize infringement on the privacy of data subjects; and may encourage the personal information controllers under his or her jurisdiction to comply with the Privacy Policy when they install and operate fixed visual data processing devices at the facilities referred to in the subparagraphs of paragraph (2) pursuant to the proviso of Article 25 (2) of the Act.

(1) The head of a public institution that intends to install and operate fixed visual data processing devices pursuant to Article 25 (1) of the Act shall gather opinions from relevant experts and interested parties through any of the following procedures:

1. To give administrative advance notice or to hear opinions under the Administrative Procedures Act;
2. To hold an information session or to conduct a survey or polling with respect to the neighborhood residents, etc. directly affected by the installation of those fixed visual data processing devices.

(2) A person who intends to install and operate fixed visual data processing devices at the facilities specified in the proviso of Article 25 (2) of the Act shall gather opinions from the following persons:

1. Relevant experts;
2. Persons working in the relevant facilities, persons detained or accommodated in the relevant facilities, or interested parties, including the guardians of such persons.

(1) A person who installs and operates fixed visual data processing devices pursuant to Article 25 (1) of the Act (hereinafter referred to as “fixed visual data processing device operator”) shall post the matters referred to in the subparagraphs of Article 25 (4) of the Act on a signboard so that data subjects may easily recognize that such devices have been installed and in operation: Provided, that a signboard, indicating the operation of fixed visual data processing devices in the pertinent facilities and whole area, may be posted at the entry and other easily noticeable place where several fixed visual data processing devices are installed in a building:

1. (deleted);
2. (deleted);
3. (deleted).

(2) Notwithstanding paragraph (1), where any of the following applies to a fixed visual data processing device installed and operated by a fixed visual data processing device operator, the operator may post the matters referred to in the subparagraphs of Article 25 (4) of the Act on its website, in lieu of posting them on the signboard:

1. Where the fixed visual data processing device is installed by a public institution for such purposes as long range photographing, over-speed and traffic signal violation enforcement service, or traffic flow survey, while the possibility of a personal information breach is significantly low;
2. Where a signboard cannot be posted because of the characteristics of the location or is not easily noticeable by data subjects even if posted, e.g., a fixed visual data processing device installed for surveillance of mountain fire.

(3) If the matters referred to in the subparagraphs of Article 25 (4) of the Act cannot be posted on a website under paragraph (2), a fixed visual data processing device operator shall make public the said matters in one or more of the following methods:

1. Posting at easily noticeable places of the fixed visual data processing device operator’s workplace, business premise, office, shop, etc. (hereinafter referred to as “workplace, etc.”);
2. Publishing them in the Official Gazette (only where the fixed visual data processing device operator is a public institution) or a general daily newspaper, weekly newspaper or online newspaper, as defined in subparagraph 1 (a) and (c), or 2 of Article 2 of the Act on the Promotion of Newspapers circulating mainly over the Special Metropolitan City, Metropolitan City, Do, or Special Self-Governing Province (hereinafter referred to as “City/ Do”) where the fixed visual data processing device operator’s workplace is located.

(4) “Facilities prescribed by Presidential Decree” in the proviso, with the exception of the subparagraphs, of Article 25 (4) of the Act means the national security facilities provided for in Article 32 of the Regulations on Security Work.

(1) Each fixed visual data processing device operator shall establish a policy to operate and manage fixed visual data processing devices including the following matters pursuant to Article 25 (7) of the Act:

1. The statutory ground and purpose for installing the fixed visual data processing devices;
2. The number of the fixed visual data processing devices installed, the locations of installation, and the scope of photographing;
3. The manager and department in charge, and the person who is entitled to access the visual data;
4. The duration of filming, retention period, retention place, and processing method of the visual data;
5. How and where the fixed visual data processing device operator checks the visual data;
6. The measures taken to deal with the data subject’s request to access the visual data;
7. The technical, managerial, and physical safeguards to protect the visual data;
8. Other matters necessary to install, operate, and manage the fixed visual data processing devices.

(2) Article 31 (2) and (3) shall apply mutatis mutandis to the disclosure of the policy to operate and manage fixed visual data processing devices established pursuant to paragraph (1). In such cases, “personal information controller” shall be construed as “fixed visual data processing device operator”, “Article 30 (2) of the Act” as “Article 25 (7) of the Act”, and “Privacy Policy” as “policy to operate and manage fixed visual data processing devices”, respectively.

(1) Where a public institution entrusts the installation and operation of fixed visual data processing devices to a third party pursuant to the proviso of Article 25 (8) of the Act, it shall do so in writing stating the following:

1. The purpose and scope of entrusted business affairs;
2. Matters concerning limitation to re-entrustment;
3. Matters concerning the measures to ensure safety, including limitation to access to visual data;
4. Matters concerning the inspection of the status of visual data retained;
5. Matters concerning damage liability in case of breach of contractual obligation on the part of a person to whom the work is entrusted .

(2) Where business affairs are entrusted pursuant to paragraph (1), the name and contact information of the person entrusting shall be posted on the signboard, etc. referred to in Article 24 (1) through (3).

"Cases prescribed by Presidential Decree" in the proviso of Article 25-2 (2) of the Act means where it is necessary to take photographs of a person or things related to such person (limited to where such photographs constitute personal information; hereinafter the same shall apply) for the lifesaving, first-aid services, etc. in the event of a crime, fire, disaster, or any other situation equivalent thereto.
[Previous Article 27 moved to Article 27-3]

Where persons or things related to such persons are photographed with a mobile visual data processing device in cases falling under the subparagraphs of Article 25-2 (1) of the Act, the fact of photographing shall be indicated and informed by means of light, sound, signboard, written notice, or announcement, or other means or methods equivalent thereto so that data subjects can easily recognize such fact: Provided, That the fact of photographing may be informed by the means notified on the website established by the Protection Commission where it is difficult to inform data subjects of the fact due to the characteristics of photographing methods, such as aerial photographing using a drone.

Except as provided in the Act and this Decree, the Protection Commission may establish the Standard Personal Information Protection Guidelines referred to in Article 12 (1) of the Act regarding the standards for installing and operating fixed visual data processing devices and for operating mobile visual data processing devices, the entrusting of their installation and operation, and other matters; and may encourage fixed visual data processing device operators and persons who operate mobile visual data processing devices to comply with the Standard Guidelines.
[Moved from Article 27]

(1) “Matters prescribed by Presidential Decree” in Article 26 (1) 3 of the Act means the following:

1. The purpose and scope of entrusted work;
2. Matters concerning limitation to re-entrustment;
3. Matters concerning measures to ensure safety, including limitation to access to personal information;
4. Matters concerning supervision and inspection of the status of management of personal information retained in relation to entrusted work;
5. Matters concerning liability, such as compensation for damages caused by a breach of contractual obligations on the part of a person entrusted under Article 26 (2) of the Act (hereinafter referred to as “person entrusted”).

(2) “Manner prescribed by Presidential Decree” in Article 26 (2) of the Act means the method wherein a personal information controller that has entrusted personal information processing (hereinafter referred to as “person entrusting”) continuously posts details of the entrusted work and the person entrusted on its website.

(3) Where it is impossible to post on the website as prescribed in paragraph (2), the entrusted work and the person entrusted shall make public in one or more of the following manners:

1. Posting at easily noticeable places such as workplace of a person entrusting;
2. Publishing in the Official Gazette (only where the person entrusting is a public institution) or a general daily newspaper, weekly newspaper, or online newspaper, as defined in subparagraphs 1 (a) and (c) and 2 of Article 2 of the Act on the Promotion of Newspapers which mainly covers the City/Do where the person entrusting’s workplace, etc. is located;
3. Publishing at a periodical, newsletter, PR magazine, or invoice to be published under the same title at least twice annually and distributed to data subjects on a continual basis;
4. Stipulating in an agreement, etc. for the supply of goods and services executed between the person entrusting and the data subjects and providing a copy of the same to the data subjects.

(4) “Manners prescribed by Presidential Decree” in the former part of Article 26 (3) of the Act means in writing, etc.

(5) Where a person entrusting is unable to inform the data subjects of the entrusted work and the person entrusted in the manner stated in paragraph (4) without its negligence, the person entrusting shall post the relevant matters on its website for at least 30 days: Provided, that a person entrusting who has no website shall post them at easily noticeable places of its workplace, etc. for at least 30 days.

(6) Where a person entrusted processes personal information, the person entrusting shall supervise whether the person entrusting complies with the obligations of a personal information controller provided for in the Act and this Decree and the matters referred to in Article 26 (1) of the Act, pursuant to Article 26 (4) of the Act.

(1) “Manner prescribed by Presidential Decree” in the provisions, with the exception of the subparagraphs, of Article 27 (1) of the Act and the main clause of Article 27 (2) of the Act means in writing, etc.

(2) Where a person who intends to transfer personal information pursuant to Article 27 (1) of the Act (hereinafter referred to as “business transferor, etc.” in this Article) fails to inform the data subjects of the matters stated in Article 27 (1) of the Act in the manner stated in paragraph (1) without his or her negligence, the person shall post the relevant matters on the website for at least 30 days: Provided, that if there is a good reason for not being able to post the required information on its website, the business transferor, etc. may inform the data subjects of the matters stated in each subparagraph of Article 27 (1) of the Act through any of the following methods:

1. Posting the information at easily noticeable places of the workplace, etc. of the business transferor, etc. for at least 30 days;
2. Publishing the information in a general daily newspaper, weekly newspaper, or online newspaper, as defined in subparagraphs 1 (a) and (c) or 2 of Article 2 of the Act on the Promotion of Newspapers which mainly covers the City/Do where the business transferor, etc.’s workplace, etc. is located.

(1) The standards for the designation of an expert agency (hereinafter referred to as “Expert Data Combination Agency”) pursuant to Article 28-3 (1) of the Act shall be as follows:

1. Under Notification prescribed by the Protection Commission, the agency shall have formed an organization responsible for the combination and release of pseudonymized information and employed at least three full-time personnel with qualifications or experience relating to personal information protection;
2. Under Notification prescribed by the Protection Commission, the agency shall have set up space, facilities and equipment necessary to combine pseudonymized information safely and prepared policies and procedures relating to the combination and release of pseudonymized information;
3. Under Notification prescribed by the Protection Commission, the agency shall have financial capabilities;
4. No disclosure shall have been made under Article 66 of the Act for the recent three years.

(2) Any corporation, organization, or institution intending to be designated as an Expert Data Combination Agency pursuant to Article 28-3 (1) of the Act shall submit to the head of the Protection Commission or the related central administrative agency an application for the Designation of Expert Data Combination Agency prescribed by Notification of the Protection Commission with the following documents attached (including electronic documents; the same shall apply hereinafter):

1. Articles of incorporation or bylaws;
2. Documents prescribed and notified by the Protection Commission supporting that the agency satisfies the designation standards under paragraph (1).

(3) The head of the Protection Commission or related central administrative agency may designate the corporation, organization, or institution which submitted the application for the Designation of Expert Data Combination Agency under paragraph (2) as an Expert Data Combination Agency if it satisfies the designation standards under paragraph (1).

(4) Designation as an Expert Data Combination Agency shall be effective for three years from the date of designation, and if the Expert Data Combination Agency requests extension of the effective period, and such request satisfies the designation standards under paragraph (1), the head of the Protection Commission or the related central administrative agency may re-designate it as an Expert Data Combination Agency.

(5) If the Expert Data Combination Agency falls under any of the following, the head of the Protection Commission or related central administrative agency may cancel the designation of the Expert Data Combination Agency: Provided, that in the cases of subparagraph 1 or 2, designation shall be canceled:

1. If the agency has received the designation by fraud or improper means;
2. If the agency voluntarily requests cancellation of its designation or discontinues its business;
3. If the agency becomes non-compliant with the standards for designation of an Expert Data Combination Agency under paragraph (1);
4. If a personal information breach incident, including divulgence of information, occurs in connection with data combination, release, etc.;
5. If the agency otherwise violates any obligation under the Act or this Decree.

(6) The head of the Protection Commission or related central administrative agency shall hold a hearing when seeking to cancel the designation of an Expert Data Combination Agency in accordance with paragraph (5).

(7) The head of the Protection Commission or related central administrative agency shall publicly announce any designation, re-designation or cancellation of designation of an Expert Data Combination Agency in the Official Gazette or the websites of the Protection Commission or related central administrative agency. In such cases, if the head of the related central administrative agency designated, re-designated, or canceled the designation of any Expert Data Combination Agency, the head of the central administrative agency shall notify the Protection Commission of the same.

(8) Except as provided in paragraphs (1) through (7), matters necessary in connection with the designation, re-designation and cancellation of designation of an Expert Data Combination Agency shall be prescribed by Notification of the Protection Commission.

(1) Any personal information controller intending to request an Expert Data Combination Agency to combine pseudonymized information (hereinafter referred to as “Applicant”) shall submit the data combination request in the form prescribed by Notification of the Protection Commission, together with the following documents, to the relevant Expert Data Combination Agency:

1. Documents related to the Applicant such as business registration certificate, certified copy of register of corporation, etc.;
2. Documents related to the pseudonymized information for combination;
3. Documents proving the purpose of combination;
4. Other documents prescribed by Notification of the Protection Commission’s notification as necessary for combining and releasing pseudonymized information.

(2) Any Expert Data Combination Agency intending to combine pseudonymized information under Article 28-3 (1) of the Act shall make sure that the combined information does not identify a particular individual. In such cases, the Protection Commission may make the Korea Internet and Security Agency or other agencies designated by Notification of the Protection Commission assist with relevant work necessary to make a particular individual unidentifiable.

(3) The Applicant that intends to take the information which was combined by the Expert Data Combination Agency pursuant to Article 28-3 (2) of the Act out of the Expert Data Combination Agency shall pseudonymize or otherwise process the information combined pursuant to paragraph (2) as the information under Article 58-2 of the Act at a place which was established within the Expert Data Combination Agency and underwent the necessary technical, managerial and physical measures required to ensure safety and receive permission therefor from the Expert Data Combination Agency.

(4) The Expert Data Combination Agency shall permit the release pursuant to Article 28-3 (2), if each of the following standards are met. In such cases, the Expert Data Combination Agency shall form a Release Review Committee to grant permission for release of combined information:

1. There is a relationship between the purpose of combination and the released information;
2. It is not possible to identify any particular individual using such information;
3. A security plan is established with regard to the released information.

(5) The Expert Data Combination Agency may charge the Applicant for the costs necessary for the combination, release, etc. of information.

(6) Except as provided in paragraphs (1) through (5), the procedures and methods of combining pseudonymized information, release of combined information and permission therefor, shall be set forth in Notification of the Protection Commission.

(1) Any head of the Protection Commission or related central administrative agency who has designated an Expert Data Combination Agency shall manage and supervise, among others, whether the Expert Data Combination Agency has maintained the work performance capacity, technologies and facilities required.

(2) The Expert Data Combination Agency shall submit to the head of the Protection Commission or the related central administrative agency the following documents every year for the management and supervision pursuant to paragraph (1):

1. Report on the combination and release of pseudonymized information;
2. Documents supporting that the agency continues to meet the standards for designation as an Expert Data Combination Agency;
3. Documents prescribed by Notification of the Protection Commission supporting that the agency has taken measures to secure the safety of pseudonymized information.

(3) The Protection Commission shall manage/supervise the following matters:

1. The Expert Data Combination Agency’s violation of law in the process of approving the combination and release of pseudonymized information;
2. The Applicant’s processing status with respect to pseudonymized information;
3. Other necessary matters required for the safe processing of pseudonymized information prescribed by Notification of the Protection Commission.

(1) A personal information controller shall implement the following safety measures for pseudonymized information and additional information to restore pseudonymized information to the original state (hereinafter in this Article referred to as “additional information”) in accordance with Article 28-4 (1) of the Act:

1. Measures to ensure safety under Article 30;
2. Separate storage of pseudonymized information and additional information: Provided, That any unnecessary additional information shall be destroyed;
3. Separation of access rights to pseudonymized information and additional information: Provided, That if the personal information controller finds it difficult to separate access rights due to good reason such as the personal information controller being a micro enterprise defined in Article 2 of the Framework Act on Micro Enterprises which cannot afford an additional employee to handle pseudonymized information, it shall manage and control access rights by granting the minimum degree of access necessary to do the work and recording the status of access rights granted.

(2) “Matters prescribed by Presidential Decree” in Article 28-4 (3) of the Act mean any of the following:

1. Purpose of processing pseudonymized information;
2. Items of pseudonymized personal information;
3. Use history of pseudonymized information;
4. Recipient of pseudonymized information provided by a third party;
5. Processing period of pseudonymized information (limited to where the processing period of pseudonymized information is separately determined pursuant to Article 28-4 (2) of the Act);
6. Other matters prescribed by Notification of the Protection Commission as deemed necessary for the management of the processing of pseudonymized information.

"Means prescribed by Presidential Decree, such as electronic mail" in Article 28-8 (1) 3 (b) of the Act means in writing, etc.

(1) Where the Protection Commission intends to publicly notify certification under the provisions, with the exception of the items, of Article 28-8 (1) 4 of the Act, it shall complete all of the following procedures:

1. Evaluation by an institution specializing in certifying personal information protection under Article 34-6;
2. Evaluation by an expert committee for cross-border transfer of personal information under Article 5 (1) 1 (hereinafter referred to as "expert committee for cross-border transfer");
3. Consultation with the Policy Council.

(2) When the Protection Commission publicly notifies certification under the provisions, with the exception of the items, of Article 28-8 (1) 4 of the Act, it may determine and publicly notify its effective period of up to five years.

(3) Except as provided in paragraphs (1) and (2), matters necessary for the procedures, etc. for publicly notifying certification shall be determined and publicly notified by the Protection Commission.

(1) If the Protection Commission intends to recognize that a country or an international organization (hereinafter referred to as "recipient country, etc.") where personal information is provided (including inquired), processed under entrustment, or stored (hereafter in this Chapter referred to as "transfer") under Article 28-8 (1) 5 of the Act has a personal information protection system, the scope of guarantee of the rights of data subjects, the procedures for damage relief, etc. at a level substantially equal to the level of personal information protection under this Act, it shall comprehensively take into account the following matters:

1. Whether the personal information protection system of the recipient country, etc., including its statutes, regulations, and rules, is in conformity with the principles of information protection under Article 3 of the Act and guarantees the rights of data subjects under Article 4 of the Act;
2. Whether the recipient country, etc. has an independent supervisory authority responsible for guaranteeing and implementing the personal information protection system;
3. Whether the public institutions (including institutions that conduct business affairs similar to those of public institutions) of the recipient country, etc. process personal information under statutes and whether means to protect data subjects, such as the procedures for damage relief, exist and are effectively guaranteed;
4. Whether the recipient country, etc. has the procedures for damage relief that are easily available to data subjects and whether such procedures effectively protect data subjects;
5. Whether the supervisory authority of the recipient country, etc. is able to facilitate mutual cooperation with the Protection Commission in protecting the rights of data subjects;
6. Other matters determined and publicly notified by the Protection Commission as necessary to recognize the personal information protection level of the recipient country, etc., such as the personal information protection system, the scope of guarantee of the rights of data subjects, the procedures for damage relief.

(2) If the Protection Commission intends to grant recognition under paragraph (1), it shall follow the following procedures:

1. Evaluation by an expert committee for cross-border transfer;
2. Consultation with the Policy Council.

(3) If necessary for the protection of the rights of data subjects, etc., the Protection Commission may, when granting recognition under paragraph (1), determine the scope of the personal information to be transferred to a recipient country, etc., the scope of the personal information controllers to which personal information is transferred, the recognition period, the conditions of cross-border transfer, and other relevant matters differently for each recipient country, etc.

(4) Upon granting recognition under paragraph (1), the Protection Commission shall examine whether a recipient country, etc. maintains its personal information protection level that is substantially equal to the level under this Act.

(5) Where any change is made to the personal information system, the scope of guarantee of the rights of data subjects, the procedures for damage relief, etc. of a recipient country, etc. that are recognized under paragraph (1), the Protection Commission may revoke the recognition of the recipient country, etc. or change the details of the recognition, after hearing its opinions.

(6) Where the Protection Commission grants recognition under paragraph (1) or revokes such recognition or changes the details thereof under paragraph (5), it shall give public notice of such fact in the Official Gazette and publish it on its website.

(7) Except as provided in paragraphs (1) through (6), matters necessary for the recognition of a recipient country, etc. shall be determined and publicly notified by the Protection Commission.

(1) Where a personal information controller makes a cross-border transfer of personal information under the proviso, with the exception of the subparagraphs, of Article 28-8 (1) of the Act, he or she shall take the following protective measures under Article 28-8 (4) of the Act:

1. Measures to ensure safety for protecting personal information under Article 30 (1);
2. Measures to handle grievances and resolve disputes with respect to personal information breach;
3. Other measures necessary to protect the personal information of data subjects.

(2) Where a personal information controller makes a cross-border transfer of personal information under the proviso, with the exception of the subparagraphs, of Article 28-8 (1) of the Act, it shall have a prior consultation with the recipient of the personal information on the matters specified in the subparagraphs of paragraph (1) and shall reflect the results of such consultation in the details of a contract, etc.

(1) Where the Protection Commission orders the suspension of cross-border transfers of personal information under Article 28-9 (1) of the Act, it shall comprehensively consider the following matters:

1. The type and scale of personal information, the cross-border transfer of which has been made or any further cross-border transfer of which is expected;
2. The severity of a violation of Article 28-8 (1), (4), or (5) of the Act;
3. Whether any damage that occurs or is likely to occur to data subjects is material or irrecoverable;
4. Whether ordering the suspension of cross-border transfers obviously brings more benefits to data subjects than not doing so;
5. Whether it is possible to protect personal information and to prevent personal information breach with the measures taken under the subparagraphs of Article 64 (1) of the Act;
6. Whether the recipient of personal information or the recipient country, etc. to which personal information is transferred has effective means of relieving damage suffered by data subjects;
7. Whether there is any reason to deem that it is difficult to adequately protect personal information, such as that the recipient of personal information or the recipient country, etc. to which personal information is transferred suffers a serious personal information breach.

(2) If the Protection Commission orders the suspension of cross-border transfers of personal information under Article 28-9 (1) of the Act, it shall undergo the evaluation by the expert committee for cross-border transfer.

(3) When the Protection Commission orders the suspension of cross-border transfers of personal information pursuant to Article 28-9 (1) of the Act, it shall notify in writing the relevant personal information controller of the details of and the grounds for such order, the procedures and methods for filing objections, and other necessary matters.

(4) Except as provided in paragraphs (1) through (3), matters necessary for the standards, etc. for orders to suspend cross-border transfers of personal information shall be determined and publicly notified by the Protection Commission.

(1) A person who intends to file an objection pursuant to Article 28-9 (2) of the Act shall submit to the Protection Commission a written objection determined by the Protection Commission along with a document substantiating the grounds for the objection, within seven days from the date of receipt of an order to suspend cross-border transfer under Article 28-9 (1) of the Act.

(2) The Protection Commission shall notify in writing the relevant personal information controller of the results of processing a written objection submitted under paragraph (1) within 30 days from the date of receipt of the written objection.

(3) Except as provided in paragraphs (1) and (2), matters necessary for the procedures, etc. for filing an objection shall be determined and publicly notified by the Protection Commission.

(1) Each personal information controller shall take the following measures to ensure safety pursuant to Article 29 of the Act:

1. Formulating, implementing, and examining an internal management plan that includes the following to safely process personal information:
   • (a) Matters regarding the management, supervision, and education of a personal information handler under Article 28 (1) of the Act (hereinafter referred to as "personal information handler");
   • (b) Matters regarding the composition and operation of an organization responsible for protecting personal information, including the designation of privacy officers, under Article 31 of the Act;
   • (c) Details necessary to implement the measures provided in subparagraphs 2 through 8;
2. The following measures to restrict access authority to personal information:
   • (a) Establishing and implementing the standards for granting, changing, or canceling access authority to a system systematically designed to process personal information including a database system (hereinafter referred to as "personal information processing system");
   • (b) Establishing and operating the standards for applying authentication means necessary to verify whether access is made by a person with legitimate authority;
   • (c) Other measures necessary to restrict access authority to personal information;
3. The following measures to control access to personal information:
   • (a) Measures necessary to detect and block intrusions into a personal information processing system;
   • (b) Blocking Internet access to and from computers satisfying the standards determined and publicly notified by the Protection Commission, such as the computers of personal information handlers accessing a personal information processing system: Provided, That this shall apply only to a personal information controller with an average of at least one million daily users defined in Article 2 (1) 4 of the Act on Promotion of Information and Communications Network Utilization and Information Protection whose personal information is stored and managed for the immediately preceding three months as of the end of the previous year;
   • (c) Other measures necessary to control access to personal information;
4. The following measures necessary to safely store and transmit personal information:
   • (a) Storing encrypted authentication information, including the storage of one-way encrypted passwords, or other measures equivalent thereto;
   • (b) Encrypting information determined and publicly notified by the Protection Commission for storage, including resident registration numbers, or other measures equivalent thereto;
   • (c) Where the personal information or authentication information of data subjects is transmitted or received through the information and communications network defined in Article 2 (1) 1 of the Act on Promotion of Information and Communications Network Utilization and Information Protection, encrypting the relevant information or other measures equivalent thereto;
   • (d) Other measures to ensure security using encryption or other technologies equivalent thereto;
5. The following measures to retain the records of access and prevent such records from being forged or altered in case of a personal information breach incident:
   • (a) Storing, inspecting, confirming, and supervising the records of access, such as the date and time when persons access a personal information processing system, and the details of processing personal information;
   • (b) Safely storing the records of access to a personal information processing system;
   • (c) Other measures necessary to retain the records of access and prevent such records from being forged or altered;
6. Installing, operating, and periodically updating and inspecting programs that can detect at all times whether any malicious program, such as a computer virus, spyware, and ransomware, intrudes into a personal information processing system and an information technology equipment used by personal information handlers for processing personal information and that can delete such malicious program;
7. Preparing storage facilities and installing locking devices to safely store personal information, or taking other physical measures;
8. Other measures necessary to ensure safety of personal information.

(2) The Protection Commission may provide necessary assistance, such as building a system with which personal information controllers can take the measures to ensure safety pursuant to paragraph (1).

(3) Detailed standards for the measures to ensure safety under paragraph (1) shall be prescribed by Notification of the Protection Commission. <

(1) Pursuant to Article 29, a public institution which operates a personal information processing system meeting the standards publicly notified by the Protection Commission (hereafter in this Article referred to as "public system"), such as the scale of personal information processed and the number of personal information handlers granted access authority (hereafter in this Article referred to as "institution operating public systems"), shall take the following measures in addition to the measures to ensure safety under Article 30 of this Decree:

1. Including measures to ensure safety prepared for each public system in an internal management plan under Article 30 (1) 1;
2. Measures necessary to safely manage access authority, such as allowing an institution that accesses a public system to process personal information (hereafter in this Article referred to as "institution using public systems") to grant access authority to a personal information handler with legitimate authority and to change and cancel such authority;
3. Measures such as storage, analysis, inspection, and management of the records of access to public systems to prevent illegal access to personal information and personal information breach incidents.

(2) Where an institution operating public systems or an institution using public systems finds out access to personal information without authority or beyond authorized access thereto, it shall without delay notify data subjects of the relevant fact and matters necessary for the prevention of any damage, etc.; in such cases, notification shall be deemed given in any of the following cases:

1. Where data subjects are notified of loss, theft, or divulgence of personal information under Article 34 (1) of the Act;
2. Where data subjects are notified of access to their personal information and matters necessary for the prevention of any damage, etc. pursuant to other statutes or regulations.

(3) An institution operating public systems (where there is a separate public institution that develops and distributes a public system, such public institution shall be included; hereafter in this Article, the same shall apply) shall designate and operate a department dedicated to work related to the safe management of personal information or shall assign personnel dedicated to such work, taking into account the size and characteristics of the relevant public system, the number of institutions using the relevant public system, and other relevant factors.

(4) An institution operating public systems shall designate the head of a department responsible for the general management of the relevant public system as a manager for each public system: Provided, That where there is no such department, it shall designate a manager from among the heads of relevant departments in consideration of work-relatedness, work capabilities, and other relevant factors.

(5) An institution operating public systems shall establish and operate a public system operation council comprised of the following institutions for each public system to consult on matters related to examining the implementation of measures to ensure the safety of public systems and improving such systems: Provided, That where one public institution operates at least two public systems, an integrated public system operation council may be established and operated:

1. The institution operating public systems;
2. Where the operation of public systems is entrusted, the person entrusted;
3. An institution using public systems deemed necessary by the institution operating public systems.

(6) The Protection Commission may provide institutions operating public systems with support necessary to implement measures to ensure the safety of personal information.

(7) Except as provided in paragraphs (1) through (6), matters necessary for the measures to ensure the safety of personal information taken by institutions operating public systems, etc. shall be determined and publicly notified by the Protection Commission.

(1) “Matters prescribed by Presidential Decree” in Article 30 (1) 8 of the Act means the following:

1. Particulars of personal information to be processed;
2. (deleted);
3. Matters regarding measures to ensure the safety of personal information under Article 30.

(2) A personal information controller shall post continuously the Privacy Policy established or modified pursuant to Article 30 (2) of the Act on its website.

(3) Where it is impossible to post the Privacy Policy on the website as prescribed in paragraph (2), the personal information controller shall make public the established or modified Privacy Policy in at least one of the following manners:

1. Posting at easily noticeable location of the personal information controller’s workplace, etc.;
2. Publishing in the Official Gazette (only in cases the personal information controller is a public institution) or general daily newspaper, weekly newspaper, or online newspaper, as defined in subparagraphs 1 (a) and (c) and 2 of Article 2 of the Act on the Promotion of Newspapers circulating mainly over the City/Do where the personal information controller’s workplace, etc. is located;
3. Publishing at a periodical, newsletter, PR magazine, or invoice to be published under the same title at least twice a year and distributed to data subjects on a continual basis;
4. Stipulating in an agreement, etc. for the supply of goods or services executed between the personal information controller and the data subjects and providing a copy of the same to the data subject.

(1) Where the Protection Commission evaluates the Privacy Policy under Article 30-2 (1) of the Act, it shall select those subject to such evaluation, comprehensively considering the following matters:

1. The type and sales of a personal information controller;
2. The type and scale of personal information processed, such as sensitive information and personally identifiable information;
3. The legal grounds and methods for personal information processing;
4. Whether any statute is violated;
5. The characteristics of data subjects, such as children and youth.

(2) Upon selecting those subject to the evaluation of the Privacy Policy pursuant to paragraph (1), the Protection Commission shall notify the relevant personal information controller of an evaluation plan including the details, time schedule, procedures, etc. of the evaluation no later than 10 days before the commencement of the evaluation.

(3) Where necessary to evaluate the Privacy Policy under Article 30-2 of the Act, the Protection Commission may request the relevant personal information controller to present its opinion.

(4) The Protection Commission shall evaluate the Privacy Policy pursuant to Article 30-2 of the Act and notify the relevant personal information controller of the results of such evaluation without delay.

(5) Except as provided in paragraphs (1) through (4), the detailed standards and procedures for selecting those subject to the evaluation of the Privacy Policy shall be determined and publicly notified by the Protection Commission.

(1) “Work prescribed by Presidential Decree” in Article 31 (2) 7 of the Act means the following: 1. To establish, modify, and implement the Privacy Policy pursuant to Article 30 of the Act; 2. To manage materials related to the protection of personal information; 3. To destroy personal information whose purpose of processing is attained or retention period expires.

(2) A personal information controller shall designate a privacy officer pursuant to Article 31 (1) of the Act according to the following classifications:

1. Public institutions: Public officials, etc. who satisfy the below standards:
   • (a) The administrative bodies of the National Assembly, the Court, the Constitutional Court, and the National Election Commission; and central administrative agencies: A member of the Senior Executive Service (hereinafter referred to as “senior executive”) or equivalent public official;
   • (b) Other national agencies than item (a), headed by a public official in political service: A public official of Grade III or higher (including a senior executive) or equivalent thereto;
   • (c) Other national agencies than items (a) and (b), headed by a senior executive, a Grade III or higher public official, or an equivalent public official: A public official of Grade IV or higher or equivalent thereto;
   • (d) Other national agencies than items (a) through (c) (including their affiliated bodies): The head of a department in charge of the work related to personal information processing in the relevant agency;
   • (e) City/Do, City/Do Offices of Education: A public official of Grade III or higher or equivalent thereto;
   • (f) Si/Gun or autonomous Gu: A public official of Grade IV or equivalent thereto;
   • (g) Schools of each level referred to in subparagraph 5 of Article 2: A person who takes overall control of the administrative affairs of the relevant school;
   • (h) Other public institutions than items (a) through (g): The head of a department in charge of the work related to personal information processing in the relevant institution: Provided, That, where the heads of at least two departments are in charge of the work related to personal information processing, the head of the relevant institution shall designate the privacy officer from among them;
2. An institution other than public institutions: Any of the following persons:
   • (a) The business owner or representative;
   • (b) An executive officer (or the head of a department in charge of the work related to personal information processing, if no executive officer exists).

(3) Notwithstanding paragraph (2), if the personal information controller is a micro enterprise defined in Article 2 of the Framework Act on Micro Enterprises, it shall be deemed that the enterprise owner or representative has been designated as the privacy officer without separate designation: Provided, that this shall not apply if the personal information controller has separately designated a privacy officer.

(4) The Protection Commission may provide necessary assistance, such as developing and providing educational programs for privacy officers so that they may efficiently perform the work provided for in Article 31 (2) of the Act.

(1) “Who is prescribed by Presidential Decree” in the former part, with the exception of the subparagraphs, of Article 31-2 (1) of the Act means any of the following persons:

1. A person whose total sales for the previous year (referring to the previous business year in the case of a corporation) is at least one trillion won;
2. A person who has an average of at least one million domestic data subjects whose personal information is stored and managed for the immediately preceding three months as of the end of the previous year;
3. A person who is requested to submit relevant materials, such as articles and documents, pursuant to Article 63 (1) of the Act and for whom the Protection Commission deliberates and resolves on the need to designate a domestic agent.

(2) The total sales under paragraph (1) 1 shall be based on the amount converted into Korean won by applying the average exchange rate for the previous year.

(1) “Matters prescribed by Presidential Decree” in Article 32 (1) 7 of the Act means the following:

1. The name of the public institution that operates personal information files;
2. The number of data subjects whose personal information is retained in personal information files;
3. The department in charge of the work related to personal information processing in the relevant public institution;
4. The department that receives and processes requests for access to personal information pursuant to Article 41;
5. The scope of personal information to which access can be limited or denied pursuant to Article 35 (4) of the Act, among personal information in personal information files, and the grounds for limitation or denial.

(2) "Personal information files prescribed by Presidential Decree" in Article 32 (2) 4 of the Act means any of the following information files:

1. Personal information files that are operated to perform simple work, such as paying allowances for attending meetings, sending data and goods, and settling money, and that have little need for continuous management;
2. Personal information files that are urgently necessary for the public safety and security, public health, etc., and that are processed temporarily;
3. Other personal information files that are collected to handle one-off work and that are not stored or recorded.

(1) The head of a public institution that operates personal information files (excluding the personal information files under Article 32 (2) of the Act and Article 33 (2) of this Decree; hereafter in this Article, the same shall apply) shall file for registration of the matters provided in Article 32 (1) of the Act and Article 33 (1) of this Decree (hereinafter referred to as “registered matters”) with the Protection Commission within 60 days from the date it starts operating the personal information files, as prescribed by Notification of the Protection Commission. The same shall also apply to any modification of registered matters.

(2) The Protection Commission shall post the status of personal information files registered pursuant to Article 32 (4) of the Act on the website established by the Protection Commission.

(3) The Protection Commission may build and operate a system so that the registration or modification of the registered matters, referred to in paragraph (1), of personal information files may be electronically processed.

(1) The Protection Commission shall determine and publicly notify the criteria for certification referred to in Article 32-2 (1) of the Act, including the establishment of managerial, technical, and physical safeguards to protect personal information, taking into account the matters provided in the subparagraphs of Article 30 (1).

(2) A person who intends to obtain certification of personal information protection pursuant to Article 32- 2 (1) of the Act (hereafter in this Article and Article 34-3, referred to as “applicant”), shall submit an application (including an electronic application) for certification of personal information protection which includes the following matters to an institution specializing in the certification of personal information protection referred to in Article 34-6 (hereinafter referred to as “certification institution”):

1. A list of personal information processing systems subject to certification;
2. Methods and procedures for establishing and operating the personal information protection system;
3. A list of documents related to the personal information protection system and the implementation of safeguards.

(3) Upon receipt of an application for certification pursuant to paragraph (2), a certification institution shall consult with the applicant regarding the scope, time schedule, etc. of certification.

(4) An examination to certify personal information protection under Article 32-2 (1) of the Act shall be either a paper-based examination or an on-site examination conducted by the certification examiners for personal information protection subject to Article 34-8.

(5) Each certification institution shall establish and operate a certification committee comprised of members with extensive knowledge and experience in information protection to deliberate on the results of examinations for certification conducted pursuant to paragraph (4).

(6) Except as provided in paragraphs (1) through (5), detailed matters necessary for certification of personal information protection, including filing an application for certification, examination for certification, establishment and operation of the certification committee, and issuance of certificates, shall be prescribed by Notification of the Protection Commission.

(1) Each applicant shall pay a fee incurred in examining certification of personal information protection to the certification institution.

(2) The Protection Commission shall provide Notification of the detailed standards for calculating fees referred to in paragraph (1), based upon the number of certification examiners required for examining certification of personal information protection, number of days necessary to examine certification, and other relevant matters.

(1) A certification institution that intends to revoke certification of personal information protection pursuant to Article 32-2 (3) of the Act shall submit the case for deliberation and resolution by the certification committee established under Article 34-2 (5).

(2) Upon revoking certification pursuant to Article 32-2 (3) of the Act, the Protection Commission or the certification institution shall notify the affected party of such revocation; and shall publicly announce or post the same in the Official Gazette or on the certification institution’s website.

(1) An examination for follow-up management subject to Article 32-2 (4) of the Act shall be either a paper-based examination or an on-site examination.

(2) Where a certification institution discovers any of the causes provided for in Article 32-2 (3) of the Act through its follow-up management pursuant to paragraph (1), the certification institution shall submit the case for deliberation by the certification committee established under Article 34-2 (5) for deliberation; and shall notify the Protection Commission of the results of such deliberation.

(1) “Specialized institutions prescribed by Presidential Decree” in Article 32-2 (5) of the Act means the following:

1. The Korea Internet and Security Agency;
2. A corporation or an organization or institution designated by Notification of the Protection Commission among the corporations, organizations or institutions that satisfy all of the following requirements:
   • (a) To have at least five certification examiners for personal information protection referred to in Article 34-8;
   • (b) To have been qualified by the Protection Commission through an examination of requirements and capacity for performing its work.

(2) Detailed criteria, etc. necessary for designating a corporation, organization or institution referred to in paragraph (1) 2 and revocation of such designation shall be determined by Notification of the Protection Commission.

Where a person who has obtained certification pursuant to Article 32-2 (6) of the Act intends to indicate or promote the certification, the person may use the personal information protection mark prescribed by Notification of the Protection Commission. In such cases, the person shall also indicate the scope and term of validity of the certification in the personal information protection mark.

(1) A certification institution shall qualify persons with expertise in personal information protection, who pass an examination after having completed a specialized educational program necessary for certification examinations, as certification examiners for personal information protection (hereinafter referred to as “certification examiners”) pursuant to Article 32-2 (7) of the Act.

(2) A certification institution may disqualify a certification examiner pursuant to Article 32-2 (7) of the Act in any of the following cases: Provided, that the certification examiner must be disqualified in cases falling under subparagraph 1:

1. Where the certification examiner has been qualified by fraud or other unjust means;
2. Where the certification examiner has received money, goods, or other profits in relation to the examination for certification of personal information protection;
3. Where the certification examiner has divulged any information acquired in the course of examining the certification of personal information protection, or has used such information for other than the purpose for work without good cause.

(3) Detailed matters concerning completion of the specialized educational programs, qualification and disqualification as certification examiners, and other relevant matters under paragraphs (1) and (2) shall be prescribed by Notification the Protection Commission.

“Personal information files meeting the criteria prescribed by Presidential Decree” in Article 33 (1) of the Act means any of the following personal information files that can be processed electronically:

1. Personal information files that will be established, operated, or modified, and contain sensitive information or personally identifiable information of at least 50 thousand data subjects for processing;
2. Personal information files that is established and operated, and will be matched with other personal information files being established and operated inside or outside the relevant public institution, and, as a result of matching, will contain the personal information of at least 500 thousand data subjects;
3. Personal information files that will be established, operated, or modified, and contain the personal information of at least one million data subjects;
4. Personal information files whose operating system, including the data retrieval system, will be changed after the privacy impact assessment under Article 33 (1) of the Act (hereinafter referred to as “privacy impact assessment”). In such cases, the privacy impact assessment shall be limited to the changed system.

(1) The Protection Commission may designate a corporation that satisfies all of the following requirements as a privacy impact assessment institution (hereinafter referred to as “assessment institution”) pursuant to Article 33 (2) of the Act:

1. A corporation whose total revenue derived from any of the following work is 200 million won or more during the last five years:
   • (a) Privacy impact assessments or work similar thereto;
   • (b) Data protection consulting (which means the analysis and assessment of information systems and the provision of corresponding countermeasures against electronic infringement incidents; hereinafter the same shall apply) among the work related to establishing information systems, as defined in subparagraph 13 of Article 2 of the Electronic Government Act (including the information protection system);
   • (c) Data protection consulting among the work related to monitoring information systems, as defined in subparagraph 14 of Article 2 of the Electronic Government Act;
   • (d) Data protection consulting among the work related to the information security industry defined in Article 2 (1) 2 of the Act on the Promotion of the Information Security Industry;
   • (e) Work prescribed in Article 23 (1) 1 and 2 of the Act on the Promotion of the Information Security Industry;
2. A corporation that employs at least 10 full-time experts who meet the qualification requirements determined and publicly notified by the Protection Commission, including work experience in the field related to privacy impact assessment;
3. A corporation with the following offices and facilities:
   • (a) An office with facilities for identification and access control;
   • (b) Facilities for the safe management of records and materials.

(2) A person who intends to be designated as an assessment institution shall file an application for designation as an assessment institution, in the form prescribed by Notification of the Protection Commission, with the Protection Commission, along with the following documents (including electronic documents; hereinafter the same shall apply):

1. The articles of incorporation;
2. The representative’s name;
3. Documents verifying the qualifications of the experts referred to in paragraph (1) 2;
4. Other documents prescribed by Notification of the Protection Commission.

(3) Upon receipt of an application for designation as an assessment institution filed under paragraph (2), the Protection Commission shall verify the following documents through the sharing of administrative information pursuant to Article 36 (1) of the Electronic Government Act: Provided, That where the applicant does not give consent to the verification of subparagraph 2, the Protection Commission shall require the applicant to submit the relevant document:

1. The corporation registration certificate;
2. The certificate of alien registration issued under Article 88 (2) of the Immigration Act (applicable only to aliens).

(4) Upon designating an assessment institution pursuant to paragraph (1), the Protection Commission shall, without delay, issue a written designation to the relevant applicant, and provide Notification thereof in the Official Gazette. The same shall also apply to any revision to the Notification:

1. The name, address, and telephone number of the assessment institution, and the name of its representative;
2. Terms and conditions attached to the designation, if any.

(5) "Cases that fall under any ground prescribed by Presidential Decree" in Article 33 (7) 5 of the Act means any of the following cases:

1. Where an assessment institution fails to comply with the obligation to submit a report under paragraph (6);
2. Where an assessment institution has no records of privacy impact assessment for two consecutive years from the date of obtaining designation without good cause;
3. Where an assessment institution divulges any information that it has obtained in the course of conducting privacy impact assessments, such as a privacy impact assessment report under the provisions, with the exception of the subparagraphs, of Article 38 (2);
4. Other cases where an assessment institution breaches the duties under the Act or this Decree.

(6) An assessment institution designated under paragraph (1) shall, upon occurrence of any of the following events after designation, submit a report to the Protection Commission, as prescribed by Notification the Protection Commission, within 14 days from the date of occurrence: Provided, that it shall submit a report to the Protection Commission within 60 days from the date of occurrence in cases falling under subparagraph 3:

1. Where any matter referred to in paragraph (1) is changed;
2. Where any matter referred to in paragraph (4) 1 is changed;
3. Where the transfer, acquisition, or merger of the assessment institution, or similar event occurs.

(7) (deleted).
[Moved from Article 37; previous Article 36 moved to Article 37 ]

“Matters prescribed by Presidential Decree” in Article 33 (3) 4 of the Act means the following:

1. Whether sensitive information or personally identifiable information will be processed;
2. The retention period of personal information.

[Moved from Article 36; previous Article 37 moved to Article 36]

(1) The criteria for privacy impact assessments (hereinafter referred to as "assessment criteria") under Article 33 (9) of the Act shall be as follows:

1. The type and nature of personal information contained in the relevant personal information files, the number of data subjects, and the possibility of subsequent personal information breach;
2. The level of measures to ensure safety taken under Articles 23 (2), 24 (3), 24-2 (2), 25 (6) (including cases applied mutatis mutandis in Article 25-2 (4)), and 29 of the Act, and the subsequent possibility of personal information breach;
3. Countermeasures against risk factors of personal information breach, if any;
4. Other necessary measures subject to the Act or this Decree, or any factor affecting breach of duties.

(2) An assessment institution requested to conduct a privacy impact assessment under Article 33 (2) of the Act shall, in accordance with the assessment criteria, analyze and assess the risk factors of personal information breaches that result from the operation of personal information files, and shall prepare a privacy impact assessment report based on the results of the evaluation that includes the following and send such report to the head of the relevant public institution, who shall submit the report to the Protection Commission before operating and changing personal information files falling under the subparagraphs of Article 35:

1. Those subject to the privacy impact assessment and the scope thereof;
2. Fields and items of the evaluation;
3. Analysis and assessment of the risk factors of personal information breaches in accordance with the assessment criteria;
4. The details of measures taken based on the results of the analysis and evaluation under subparagraph 3 and a plan for improvement;
5. The results of the privacy impact assessment;
6. A summary of the matters prescribed in subparagraphs 1 through 5.

(3) The Protection Commission or the head of a public institution may disclose the details of a summary of a privacy impact assessment report prescribed in paragraph (2) 6.

(4) Except as provided in the Act and this Decree, the Protection Commission may determine and publicly notify the detailed standards for designating assessment institutions, procedures for privacy impact assessments, etc.

(1) When a personal information controller becomes aware of loss, theft, or divulgence (hereafter in this Article and Article 40 referred to as "divulgence, etc.") of personal information, the personal information controller shall notify data subjects of the matters specified in the subparagraphs of Article 34 (1) of the Act in writing, etc. within 72 hours: Provided, That notification may be given to data subjects without delay after the relevant cause ceases to exist in any of the following cases:

1. Where urgent measures need to be taken to prevent widespread divulgence, etc. of personal information and any further divulgence, etc., such as blocking access routes, inspecting and addressing vulnerabilities, and recovering and deleting the relevant personal information;
2. Where it is impracticable to give notification within 72 hours due to a natural disaster or any other unavoidable cause.

(2) Notwithstanding paragraph (1), where a personal information controller intends to give notification under paragraph (1) but fails to confirm the specific details of the matters prescribed in Article 34 (1) 1 or 2 of the Act, the personal information controller shall first give notification of the divulgence of personal information, the details that have already been confirmed, and the matters specified in Article 34 (1) 3 through 5 of the Act in writing, etc., and shall notify the details further confirmed immediately upon confirmation.

(3) Notwithstanding paragraphs (1) and (2), where the contact information of a data subject is unknown or any other good cause exists, a personal information controller shall post the matters provided in the subparagraphs of Article 34 (1) of the Act on its website for at least 30 days to ensure that the data subject can easily recognize such matters, in lieu of giving notification under paragraphs (1) and (2), pursuant to the proviso, with the exception of the subparagraphs, of Article 34 (1) of the Act: Provided, That in the case of a personal information controller that does not operate its website, the matters specified in the subparagraphs of Article 34 (1) of the Act may be posted at a conspicuous place of the workplace, etc. for at least 30 days in lieu of giving notification under paragraphs (1) and (2).

[Moved from Article 40; previous Article 39 moved to Article 40]

(1) When a personal information controller becomes aware of divulgence, etc. of personal information in any of the following cases, the personal information controller shall, in writing, etc., file a report with the Protection Commission or a specialized institution prescribed in the former part of Article 34 (3) of the Act with regard to the matters provided in the subparagraphs of Article 34 (1) of the Act within 72 hours: Provided, That where it is impracticable to file a report within 72 hours due to a natural disaster or any other unavoidable cause, a report may be filed without delay after the relevant cause ceases to exist; and where the possibility of infringing on the rights and interests of data subjects is substantially reduced after the path of divulgence, etc. of personal information is confirmed and measures are taken such as the recovery and deletion of the relevant personal information, the personal information controller need not file a report thereon:

1. Where divulgence, etc. of personal information of at least 1,000 data subjects occurs;
2. Where divulgence, etc. of sensitive information or personally identifiable information occur;
3. Where divulgence, etc. of personal information occurs due to illegal external access to personal information processing systems or information technology equipment used by personal information handlers for processing personal information.

(2) Notwithstanding paragraph (1), where a personal information controller intends to file a report pursuant to paragraph (1) but fails to confirm the specific details of the matters provided in Article 34 (1) 1 or 2 of the Act, the personal information controller shall first file a report on divulgence, etc. of personal information, the details that have already been confirmed, and the matters specified in Article 34 (1) 3 through 5 of the Act in writing, etc., and shall notify the details further confirmed immediately upon confirmation.

(3) "Specialized institution designated by Presidential Decree" in the former and latter parts of Article 34 (3) of the Act means the Korea Internet and Security Agency.

[Moved from Article 39; previous Article 40 moved to Article 39]

“Specialized institution designated by Presidential Decree” in Article 34-2 (2) of the Act means the Korea Internet and Security Agency.

(1) A data subject who intends to request access to his or her own personal information processed by a personal information controller pursuant to Article 35 (1) of the Act shall submit a request, stating the information that he or she intends to access among the following information, in the manner and following the procedure determined by the personal information controller;

1. Particulars and substance of personal information;
2. The purpose of collecting and using personal information;
3. The period for retaining and using personal information;
4. Status of personal information provided to a third party;
5. The fact that the data subject has given consent to the processing of his or her personal information and the content thereof.

(2) To determine the manner and procedure for requesting access under paragraph (1), a personal information controller shall comply with the following to ensure that such manner and procedure are not more difficult than the manner and procedure that the personal information controller uses to collect the relevant personal information:

1. To provide the requested personal information in a data subject-friendly manner, such as in writing, by telephone or electronic mail, or via the Internet;
2. To allow data subjects to request access to their own personal information at least through the same window or in the same manner that the personal information controller uses to collect such personal information, unless good cause exists, such as difficulty in continuously operating such window;
3. To post on a website the manner and procedure for requesting access if the personal information controller operates the website.

(3) A data subject who intends to request access to his or her own personal information via the Protection Commission pursuant to Article 35 (2) of the Act shall submit to the Protection Commission a Personal Information Access Request specifying the information to access among the information referred to in paragraph (1), as prescribed by Notification of the Protection Commission. In such cases, the Protection Commission shall forward the Personal Information Access Request to the relevant public institution without delay.

(4) “Period prescribed by Presidential Decree” in the former part of Article 35 (3) of the Act means 10 days.

(5) Where a personal information controller allows a data subject to access the relevant personal information within 10 days from the receipt of the Personal Information Access Request under paragraph (1) or (3), or limits access to the relevant person information under Article 42 (1), the personal information controller shall serve the data subject with the Access Notice, stating the accessible personal information, date and time, venue, etc. for access (in the case of partial access pursuant to Article 42 (1), the ground therefor and how to appeal shall be included), in the form prescribed by Notification of the Protection Commission: Provided, That where he or she allows immediate access, the Access Notice may be omitted.

(1) Where any information to which a personal information controller receives a request for access pursuant to Article 41 (1) falls under Article 35 (4) of the Act, the personal information controller may limit access to such information; and shall allow the data subject to access other personal information than the restricted part.

(2) Where a personal information controller intends to postpone a data subject’s access to his or her own personal information pursuant to the latter part of Article 35 (3) of the Act, or to deny the access pursuant to Article 35 (4) of the Act, the personal information controller shall serve the data subject with the Access Postponement or Denial Notice, stating the grounds for postponement or denial and how to appeal, in the form prescribed by Notification of the Protection Commission within 10 days from the receipt of the access request.

(1) A data subject who intends to request a personal information controller to correct or erasure his or her own personal information pursuant to Article 36 (1) of the Act shall submit a request in the manner and following the procedure determined by the personal information controller. In such cases, Article 41 (2) shall apply mutatis mutandis where the personal information controller determines the manner and procedure for requesting the correction or erasure of personal information; and “access” shall be construed as “correction or erasure”.

(2) Upon receipt of a request to correct or erasure personal information pursuant to Article 36 (1) of the Act, a personal information controller who processes personal information files provided by other personal information controller shall correct or erase the relevant personal information as requested; or shall, without delay, notify the personal information controller who has provided the relevant personal information of the request to correct or erasure the personal information, and take necessary measures based on the result of such processing.

(3) A personal information controller shall inform the relevant data subject of the fact that he or she has duly corrected or erased the relevant personal information pursuant to Article 36 (2) of the Act within 10 days from the receipt of a request to correct or erasure personal information under paragraph (1) or (2); otherwise, if the erasure of personal information is denied because it falls under the proviso of Article 36 (1) of the Act, the personal information controller shall serve the data subject with the Personal Information Correction or erasure Outcome Notice, stating the fact and grounds for the denial and how to appeal, in the form determined and publicly notified by prescribed by Notification of the Protection Commission.

(1) A data subject who intends to request a personal information controller to suspend the processing of his or her own personal information pursuant to Article 37 (1) of the Act shall submit a request in the manner and following the procedure determined by the personal information controller. In such cases, Article 41 (2) shall apply mutatis mutandis where the personal information controller determines the manner and procedure for requesting the suspension of processing personal information; and “access” shall be construed as “suspension of processing”.

(2) A personal information controller shall inform the relevant data subject of the fact that it has duly suspended the processing of personal information pursuant to the main clause of Article 37 (2) of the Act within 10 days from the receipt of a request to suspend the processing of personal information made under paragraph (1); otherwise, if the suspension of processing personal information is denied because it falls under the proviso of Article 37 (2) of the Act, the personal information controller shall serve the relevant data subject with the Personal Information Processing Suspension Outcome Notice, stating the fact and grounds for the denial and how to appeal, in the form prescribed by Notification of the Protection Commission.

(1) A person who can represent a data subject under Article 38 of the Act shall be any of the following: 1. A legal representative of the data subject; 2. A person delegated by the data subject.

(2) A representative referred to in paragraph (1), representing a data subject pursuant to Article 38 of the Act, shall submit a power of attorney of the data subject, in the form prescribed by Notification of the Protection Commission, to the personal information controller.

(1) Upon receipt of a request for access under Article 41 (1), correction or erasure of personal information under Article 43 (1), suspension of processing of personal information or withdrawal of consent under Article 37 (1) of the Act (hereafter in this Article and Articles 47 and 48 referred to as “request for access, etc.”), a personal information controller shall confirm whether the person who has submitted the request for access, etc. is the principal or the duly authorized representative.

(2) Any personal information controller, which is a public institution eligible for the sharing of administrative information pursuant to Article 36 (1) of the Electronic Government Act, shall confirm as provided in paragraph (1) through the sharing of administrative information: Provided, that this shall not apply where the public institution is unable to share administrative information or the data subject does not consent to such confirmation.

(1) The amounts of fees and postage provided for in Article 38 (3) of the Act shall be determined by the relevant personal information controller within the actual expenses necessary for the processing of the request for access, etc.: Provided, that where a personal information controller is a local government, they shall be prescribed by ordinance of the relevant local government.

(2) A personal information controller shall not demand any fee or postage if the cause for submitting the request for access, etc. lies with the personal information controller.

(3) Any fee and postage provided in Article 38 (3) of the Act shall be paid as follows: Provided, that a personal information controller, which is the National Assembly, the Court, the Constitutional Court, the National Election Commission, a central administrative agency, or its affiliated body (hereafter in this Article referred to as “national agency”) or a local government, may claim such fee and postage by the electronic payment means defined in subparagraph 11 of Article 2 of the Electronic Financial Transactions Act, or telecommunications billing services defined in Article 2 (1) 10 of the Act on Promotion of Information and Communications Network Utilization and Information Protection:

1. Where the fee or postage is paid to a personal information controller that is a national agency: Revenue stamp;
2. Where the fee or postage is paid to a personal information controller that is a local government: Revenue certificate;
3. Where the fee and postage is paid to other personal information controller than a national agency or local government: In the manner determined by the relevant personal information controller.

(1) A personal information controller may establish and operate a support system that enables the request for access, etc. to be processed and notified electronically, and determine other work procedures.

(2) The Protection Commission may establish and operate a system to support the public institutions which are personal information controllers efficiently process the request for access, etc. for personal information they possess and notify the results thereof.

(1) A provider of information and communications services meeting all of the following requirements (referring to those who fall under Article 2 (1) 3 of the Act on Promotion of Information and Communications Network Utilization and Information Protection; hereafter in this Article, the same shall apply) and a person who is provided by such provider with the personal information of users (referring to those who fall under Article 2 (1) 4 of that Act; hereafter in this Article, the same shall apply) under Article 17 (1) 1 of the Act shall purchase insurance or join a mutual aid organization or accumulate reserves pursuant to Article 39-9 (1) of the Act:

1. The Information and Communications Service Providers, etc. whose sales revenue for the previous business year (the previous business year for a corporation) was 50 million won or more;
2. The Information and Communications Service Providers, etc. who stored and managed personal information of one thousand users or more on average per day during the three-month period immediately preceding the end of the previous year.

(2) The standards for the minimum insurance subscription amount (referring to a minimum reserve amount in cases of accumulating reserves; hereafter in this Article the same shall apply) applicable to the Subject Personal Information Controllers (referring to a provider of information and communications services meeting all of the requirements specified in the subparagraphs of paragraph (1) and a person who is provided by such provider with the personal information of users under Article 17 (1) 1 of the Act; hereafter in this Article, the same shall apply) in cases of purchasing insurance, joining a mutual aid organization or accumulating reserves shall be as set forth in attached Table 1-4: Provided, that if any Subject Personal Information Controller purchases insurance or joins a mutual aid organization, and accumulates reserves at the same time, the sum of the insured or mutual aid amount and reserves shall be equal to or exceed the minimum insurance subscription amount set forth in attached Table 1-4.

(3) If a Subject Personal Information Controller purchases insurance, joins a mutual aid organization or accumulates reserves which guarantee the performance of the damage liabilities under Articles 39 and 39- 2 of the Act in accordance with other statutes, the Subject Business Entity shall be deemed to have purchased insurance, joined a mutual aid organization or accumulated reserves pursuant to Article 39-9 (1) of the Act.

The ex officio members of the Dispute Mediation Committee shall be appointed by the Chairperson of the Protection Commission from among members in general service of the Senior Executive Service of the Protection Commission, who are in charge of the work related to the protection of personal information.

[Moved from Article 48-2 ]

(1) The mediation panel referred to in Article 40 (6) of the Act (hereinafter referred to as “mediation panel”) shall be comprised of up to five members appointed by the chairperson of the Dispute Mediation Committee, and one of whom shall be a commissioner with an attorney-in-law license.

(2) The chairperson of the Dispute Mediation Committee shall convene the meetings of the mediation panel.

(3) The chairperson of the Dispute Mediation Committee shall notify each member of the mediation panel of the date, time, venue, and agenda no later than seven days prior to the meeting: Provided, That this shall not apply in case of emergency.

(4) The presider of the mediation panel shall be elected by and from among its members.

(5) Except as provided in paragraphs (1) through (4), matters necessary for the composition and operation of the mediation panel, and other necessary matters, shall be determined by the chairperson of the Dispute Mediation Committee subject to the resolution of the Dispute Mediation Committee.

(1) The Dispute Mediation Committee may establish a specialized committee for each field (hereinafter referred to as "specialized committee for dispute mediation") to conduct a specialized examination of the matters related to mediation of disputes regarding personal information.

(2) Each specialized committee for dispute mediation shall be composed of up to 10 members, including one chairperson.

(3) Members of each specialized committee for dispute mediation shall be appointed or commissioned by the chairperson of the Dispute Mediation Committee from among the following persons, and the chairperson of each specialized committee for dispute mediation shall be designated by the chairperson of the Dispute Mediation Committee from among the members of the relevant specialized committee for dispute mediation:

1. A member of the Dispute Mediation Committee;
2. A relevant public official of a central administrative agency who is responsible for work related to personal information protection;
3. A person who holds or has held the position of assistant professor or higher in a university or college in the field of personal information protection;
4. A person who has at least five years’ research experience at an accredited research institute in the field related to personal information protection;
5. A person who has at least one year’s work experience in the field related to personal information protection after being qualified as an attorney-at-law;
6. Other persons with extensive expertise and experience in personal information protection and dispute mediation.

(4) Except as provided in paragraphs (1) through (3), matters necessary for the composition, operation, etc. of specialized committees for dispute mediation shall be determined by the chairperson of the Dispute Mediation Committee following its resolution.

(1) The secretariat of the Protection Commission shall conduct administrative affairs necessary for dispute mediation, such as receiving dispute mediation cases and fact-finding pursuant to Article 40 (8) of the Act.

(2) The secretariat may establish and operate a dispute mediation system in order to electronically process the business affairs required for dispute mediation, including receiving dispute mediation requests, advancing the dispute mediation process and providing notifications to the parties.

(1) The chairperson of the Dispute Mediation Committee shall convene and preside over meetings of the Dispute Mediation Committee.

(2) The chairperson of the Dispute Mediation Committee shall notify each member of the Dispute Mediation Committee of the date, time, venue, and agenda no later than seven days prior to the meeting: Provided, That this shall not apply in case of emergency.

(3) The meetings of the Dispute Mediation Committee and the mediation panel shall not be open to the public: Provided, That attendance of the parties or interested parties is allowed by the resolution of the Dispute Mediation Committee, if deemed necessary.

Where a personal information controller intends not to respond to dispute mediation due to any compelling reason under Article 43 (3) of the Act, the personal information controller shall notify the Dispute Mediation Committee of such intention specifying the grounds therefor within 10 days from the date of being notified of dispute mediation.

(1) "Secretariat prescribed by Presidential Decree" in the former part of Article 45 (2) of the Act means the secretariat of the Protection Commission, which is in charge of conducting administrative affairs necessary for dispute mediation pursuant to Article 50 (1).

(2) Where the Dispute Mediation Committee intends to conduct an investigation or inspection pursuant to Article 45 (2) of the Act, it shall notify a person subject to such investigation or inspection of the following matters in writing no later than seven days before the investigation or inspection: Provided, That where the purpose of the investigation or inspection is likely to be compromised, prior notification need not be given:

1. The purpose of the investigation and inspection;
2. The period and place of the investigation and inspection;
3. The position and name of a person who conducts the investigation or inspection;
4. The scope and details of the investigation and inspection;
5. The fact that the person may refuse the investigation or inspection, where there is good cause;
6. The details of disadvantageous measures, where the person refuses, obstructs, or evades the investigation or inspection without good cause;
7. Other matters necessary for the investigation or inspection for dispute mediation.

(3) When the Dispute Mediation Committee conducts an investigation or inspection pursuant to Article 45 (2) of the Act, it may request disputing parties or persons designated by the disputing parties to be present during the investigation or inspection or to present their opinions.

(4) To hear the opinions of disputing parties or relevant witnesses pursuant to Article 45 (5) of the Act, the Dispute Mediation Committee shall determine the date, time, and place of a meeting and notify the disputing parties or relevant witnesses thereof no later than 15 days before the meeting is held.

(1) When the Dispute Mediation Committee presents each party with a proposal of mediation pursuant to Article 47 (2) of the Act, it shall notify him or her of the fact that the proposal of mediation is deemed accepted unless he or she notifies the Dispute Mediation Committee of his or her acceptance or denial within 15 days from the date of being presented with the decision pursuant to paragraph 47 (3) of the Act.

(2) Where each party presented with a proposal of mediation pursuant to Article 47 (2) of the Act intends to reject the proposal of mediation, he or she shall notify the Dispute Mediation Committee of his or her intention by a person, registered mail, or electronic mail within 15 days from the date of being presented with the decision.

“Incident is prescribed by Presidential Decree” in Article 49 (1) of the Act means any incident that satisfies all of the following conditions:

1. The number of data subjects suffering from damage or infringement on their rights shall be not less than 50 persons, except the following:
   • (a) Data subjects who have agreement with the personal information controller on the dispute settlement or compensation for damage;
   • (b) Data subjects whose dispute is based on the same cause and is dealt with by a dispute mediation body established by other statutes or regulations;
   • (c) Data subjects who have filed a lawsuit with a court regarding damages from the relevant personal information breach;
2. Major issues of the incident are common factually or legally.

(1) “Period prescribed by Presidential Decree” in the latter part of Article 49 (2) of the Act means a period of at least 14 days.

(2) Public announcement of commencing the collective dispute mediation proceedings referred to in the latter part of Article 49 (2) of the Act shall be posted on the website of the Dispute Mediation Committee or a general daily newspaper circulating nationwide under the Act on the Promotion of Newspapers.

(1) A data subject or personal information controller, other than the parties to collective dispute mediation subject to Article 49 of the Act (hereinafter referred to as “collective dispute mediation”), who intends to participate in such collective dispute mediation additionally as a party pursuant to Article 49 (3) of the Act, shall file a written application during the notice period subject to the latter part of Article 49 (2) of the Act.

(2) Upon receiving a written application for collective dispute mediation as a party pursuant to paragraph (1), the Dispute Mediation Committee shall inform the applicant of whether it has accepted his or her application within 10 days from the expiry of the application period referred to in paragraph (1).

(1) After the collective dispute mediation proceedings commence, a data subject who falls under any of subparagraph 1 (a) through (c) of Article 52 shall be excluded from participation as a party.

(2) Once the collective dispute mediation proceedings of the case which satisfies the conditions referred to in Article 52 commence, such proceedings shall not be suspended even if the conditions referred to in subparagraph 1 of Article 52 are not satisfied because a data subject falls under any of subparagraph 1 (a) through (c) of that Article.

Members, etc. who attend a meeting of the Dispute Mediation Committee, the mediation panel, or a specialized committee for dispute mediation may be paid allowances and travel expenses within the budget: Provided, that this shall not apply where a public official attends any meeting in direct relation to his or her work.

Except as provided in the Act and this Decree, matters necessary for the operation of the Dispute Mediation Committee and collective dispute mediation, such as the procedures for dispute mediation and dealing with dispute mediation, shall be determined by the chairperson of the Dispute Mediation Committee following its resolution.

(1) An advice for improvement under Article 61 (2) and (3) of the Act and an advice for disciplinary action under Article 65 (2) and (3) of the Act shall be made in writing that explicitly state the matters to be advised, grounds therefor, outcomes of the action, reply period, etc.

(2) A person who has received an advice under paragraph (1) shall take necessary measures as advised, and notify the Protection Commission or the head of the related central administrative agency of the outcome in writing: Provided, That special circumstances, in which it is deemed impracticable to take measures as advised, shall be explained in the notice.

The Protection Commission shall designate the Korea Internet and Security Agency as a specialized institution to efficiently receive and handle the claim reports on infringements on personal informationrelated rights or interests pursuant to Article 62 (2) of the Act.

(1) “Cases prescribed by Presidential Decree” in Article 63 (1) 3 of the Act means circumstances in which a case or incident which infringes on data subject’s right or interest related to personal information, such as a divulgence of personal information, has occurred or is likely to occur.

(2) The Protection Commission may request the head of the Korea Internet and Security Agency to provide necessary assistance, including technical advice, in order to request materials and to conduct inspections, etc. pursuant to Article 63 (1) and (2) of the Act.

(3) (deleted).

(4) (deleted).

(5) (deleted).

(6) (deleted).

(7) (deleted).

(1) The total sales under the main clause, with the exception of the subparagraphs, of Article 64-2 (1) of the Act shall be the average annual sales of the relevant personal information controller for three business years immediately preceding the business year in which any violation is committed (hereafter in this Article referred to as the "relevant business year"): Provided, That where three years have not elapsed since the date of commencement of business as of the first day of the relevant business year, the total sales shall be the amount calculated by converting the sales from the date of commencement of business to the end of the immediately preceding business year into the average annual sales; and where business commences in the relevant business year, the total sales shall be the amount calculated by converting the sales from the date of commencement of business to the date a violation is committed into the average annual sales.

(2) “Cases prescribed by Presidential Decree” in the proviso, with the exception of the subparagraphs, of Article 64-2 (1) of the Act means any of the following cases:

1. Where there is no sales records due to any of the following reasons:
   • (a) No commencement of business;
   • (b) Suspension of business;
   • (c) Any other reason equivalent to those specified in items (a) and (b), such as no engagement in profit-making business;
2. Where it is impracticable to objectively calculate the sales because sales calculation data are lost or damaged due to a disaster, etc.

(3) Sales unrelated to a violation under Article 64-2 (2) of the Act shall be any of the following amounts of the total sales specified in paragraph (1):

1. Sales of goods or services which are unrelated to personal information processing;
2. Sales recognized by the Protection Commission as not the sales of goods or services directly or indirectly affected by a violation, based on the data, etc. submitted pursuant to paragraph (4).

(4) Where the Protection Commission needs financial statements or other data for the calculation of sales, etc. under paragraphs (1) through (3), it may request the relevant personal information controller to submit the relevant data within a specified period not exceeding 20 days.

(5) "Ground prescribed by Presidential Decree" in Article 64-2 (5) 4 of the Act means where the relevant personal information controller rectifies a violation and meets the criteria determined and publicly notified by the Protection Commission.

(6) The criteria and procedures for calculating penalty surcharges under Article 64-2 (6) of the Act shall be as specified in attached Table 1-5.

(1) Where the Protection Commission intends to impose a penalty surcharge under Article 64-2 of the Act, it shall investigate and verify the relevant violation and shall give the person subject to the penalty surcharge written notification specifying the violation, the amount imposed, the methods and period of filing an objection, etc.

(2) A person notified under paragraph (1) shall pay the relevant penalty surcharge to a financial institution designated by the Protection Commission within 30 days from the date of being notified.

(3) Upon receipt of a penalty surcharge under paragraph (2), a financial institution shall issue a receipt to the person who has paid the penalty surcharge.

(4) Upon receipt of a penalty surcharge pursuant to paragraph (2), a financial institution shall notify the Protection Commission of such fact without delay.

(1) Where the Protection Commission extends the payment deadline for penalty surcharges specified in Article 64-2 (1) of the Act pursuant to Article 29 of the Framework Act on Administration and Article 7 of the Enforcement Decree of that Act, an extended payment period shall not exceed two years from the date of expiry of the initial payment deadline.

(2) Where the Protection Commission allows a penalty surcharge under Article 64-2 (1) of the Act to be paid in installments pursuant to Article 29 of the Framework Act on Administration and Article 7 of the Enforcement Decree of that Act, the interval between each deadline for payment in installments shall not exceed six months and the number of installments shall not exceed six times.

(3) Except as provided in paragraphs (1) and (2), matters necessary for an extension of the payment deadline for penalty surcharges, an application for payment in installments, etc. shall be determined and publicly notified by the Protection Commission.

“Interest rate prescribed by Presidential Decree” in Article 64-2 (9) of the Act means the interest rate prescribed in the main clause of Article 43-3 (2) of the Enforcement Decree of the Framework Act on National Taxes.

(1) The Protection Commission may publish the following matters by posting them on its website, etc. under Article 66 (1) of the Act:

1. The details of violations;
2. The violators;
3. Recommendations for improvement, orders to take corrective measures, the imposition of penalty surcharges, accusations, and recommendations for disciplinary actions, and the details and outcomes of imposition of administrative fines.

(2) The Protection Commission may order a person subject to a recommendation for improvement, an order to take corrective measures, the imposition of a penalty surcharge, an accusation, a recommendation for a disciplinary action, the imposition of an administrative fine, etc. under Article 66 (2) of the Act (hereafter in this Article referred to as "disposition, etc.") to publish the following matters; in such cases, the Protection Commission shall, when issuing such order, determine the details, frequency, media of such publication, the size of pages, etc., and may consult with the person subject to the disposition, etc. on the text of the publication, etc.:

1. The details of violations;
2. The violators;
3. The fact that the person is subject to the disposition, etc.

(3) Where the Protection Commission intends to make the publication under paragraph (1) or to issue an order for publication under paragraph (2), it shall take into account the details, severity, period, and frequency of a violation, the scope and consequences of the damage caused by such violation, and other relevant matters.

(4) The Protection Commission shall provide a person subject to a disposition, etc. with an opportunity to submit explanatory materials or to present his or her opinion before deliberating and resolving on publication or an order for publication.

(1) (deleted).

(2) The Protection Commission may entrust the work to support the provision of alternative sign-up tool subject to Article 24-2 (4) of the Act to the following institutions under Article 68 (1) of the Act:

1. The Korea Local Information Research and Development Institute established under Article 72 (1) of the Electronic Government Act;
2. The Korea Internet and Security Agency;
3. A corporation, institution, or organization prescribed by Notification of the Protection Commission after being recognized as having technical and financial capacity and facilities to develop, provide, and manage the alternative sign-up tool safely.

(3) The Protection Commission may entrust the following business affairs to an institution provided in paragraph (4), under Article 68 (1) of the Act:

1. Exchange and cooperation with international organizations and foreign personal information protection agencies for the protection of personal information under subparagraph 5 of Article 7-8 of the Act;
2. Surveys and research on statutes and regulations, policies, systems, actual conditions, etc. related to the protection of personal information under subparagraph 6 of Article 7-8 of the Act;
3. Support for and dissemination of technology development for the protection of personal information under subparagraph 7 of Article 7-8 of the Act;
4. Education and public relations regarding the protection of personal information under subparagraph 1 of Article 13 of the Act;
5. Promotion of and support for agencies and organizations related to the protection of personal information under subparagraph 2 of Article 13 of the Act;
6. Training of relevant specialists and development of criteria for privacy impact assessments under Article 33 (6) of the Act;
7. Receipt and processing of access requests under Article 35 (2) of the Act; 8. Requests for materials and inspections under Article 63 of the Act that are related to the following matters:
   • (a) Technical assistance for reporting under the former part of Article 34 (3) of the Act;
   • (b) Receipt and processing of, and counseling on, reports received by the Privacy Call Center pursuant to Article 62 of the Act; 9. Receipt of applications for designating an assessment institution under Article 36 (2) and receipt of reports under Article 37 (6).

(4) The institutions to which the Protection Commission may entrust its work regarding the matters specified in the subparagraphs of paragraph (3) shall be as follows:

1. The Korea Internet and Security Agency;
2. A corporation, institution, or organization determined and publicly notified by the Protection Commission as having expertise in the field of personal information protection.

(5) Where the Protection Commission entrusts its work pursuant to paragraphs (2) through (4), it shall publicly announce the institutions to be entrusted with the affairs and details of the entrusted affairs in the Official Gazette or on its website.

(1) The Protection Commission (including persons entrusted with the authority of the Protection Commission under Article 62 (3)) may process sensitive information and data that contain resident registration numbers, passport numbers, driver’s license numbers, or alien registration numbers referred to in Article 19, if inevitable to perform the following business affairs:

1. Business affairs regarding deliberation and resolution on any matter under Article 7-9 (1) 4 through 6 of the Act;
2. Business affairs regarding preparing for and supporting the establishment of systems providing alternative sign-up tools under Article 24-2 (4) of the Act;
3. (deleted).
4. Business affairs regarding work of the Privacy Call Center established pursuant to Article 62 (3) of the Act;
5. Business affairs regarding submission of materials and inspections under Articles 63 (1) and (2);
6. Business affairs regarding preliminary fact-finding inspections conducted under Article 63-2 of the Act;
7. Business affairs regarding imposing and collecting penalty surcharges under Article 64-2 of the Act.

(2) The Dispute Mediation Committee may process sensitive information and data that contain resident registration numbers, passport numbers, driver’s license numbers, or alien registration numbers referred to in Article 19, if inevitable to perform the business affairs related to personal information dispute mediation under Articles 45, 47, and 49 of the Act.

(1) The Protection Commission shall examine the appropriateness of the following matters every three years, counting from each base date specified in the following (referring to the period that ends on the day before the base date of every third year), and shall take measures, such as making improvements:

1. Those eligible to be designated as assessment institutions, the requirements for revocation of designation, and the grounds for reporting changes under Article 36: January 1, 2022;
2. Scope of the persons required to be notified of the details of the use and provision of personal information, the types of information required to be notified, and the frequency and method of notification under Article 15-3: September 15, 2023;
3. Scope and standards of the parties required to purchase an insurance, etc. for performance of damage compensation responsibilities under Article 48-7: August 5, 2020.

(2) The Protection Commission shall examine the appropriateness of the following matters every two years, counting from each base date specified in the following (referring to the period that ends on the day before the base date of every second year), and shall take measures, such as making improvements:

1. Combination of pseudonymized information processed by different personal information controllers under Article 29-3: January 1, 2022;
2. Details, and method of disclosure, of the Privacy Policy under Article 31: January 1, 2015;
3. (deleted);
4. (deleted);
5. (deleted).

(3) (deleted).

The criteria for the imposition of administrative fines under Article 75 of the Act shall be as specified in attached Table 2.