(1) A personal information controller may collect personal information in any of the following cases, and use it within the scope of the purpose of collection:
- Where consent is obtained from a data subject;
- Where special provisions exist in other statutes or it is unavoidable due to obligations under statutes or regulations;
- Where it is unavoidable for a public institution’s performance of work under its jurisdiction as prescribed by statutes or regulations, etc.;
- Where it is necessary to take measures at the request of a data subject in the course of performing a contract concluded with the data subject or concluding a contract;
- Where it is deemed manifestly necessary for the protection, from imminent danger, of life, bodily and property interests of a data subject or a third party;
- Where it is necessary to attain the legitimate interests of a personal information controller, where such interest is manifestly superior to the rights of the data subject. In such cases, processing shall be allowed only to the extent the processing is substantially related to the legitimate interests of the personal information controller and does not go beyond a reasonable scope.
- Where it is urgently necessary for the public safety and security, public health, etc.
(2) A personal information controller shall inform a data subject of the following matters when it obtains consent under paragraph (1), subparagraph 1. The same shall apply when any of the following is modified:
- The purpose of the collection and use of personal information;
- Particulars of personal information to be collected;
- The period for retaining and using personal information;
- The fact that the data subject is entitled to deny consent, and disadvantages, if any, resulting from the denial of consent.
(3) A personal information controller may use personal information without the consent of a data subject within the scope reasonably related to the initial purpose of the collection as prescribed by Presidential Decree, in consideration of whether disadvantages have been caused to the data subject and whether necessary measures to ensure safety, such as encryption, have been taken.