Standards on Additional Use and Provision of Personal Information
(1) If a personal information controller uses or provides personal information (hereinafter referred to as “additional use or provision of personal information”) without the consent of the data subject in accordance with Article 15 (3) or Article 17 (4) of the Act, the personal information controller shall consider the following matters:
- Whether it is reasonably related to the original purpose for which the personal information was collected;
- Whether additional use or provision of personal information is foreseeable in light of the circumstances under which the personal information was collected and processing practices;
- Whether additional use or provision of personal information does not unfairly infringe on the interests of the data subject;
- Whether the measures required to ensure safety such as pseudonymization or encryption have been taken.
(2) Where additional use or provision of personal information continues to take place, a personal information controller shall disclose the criteria for assessing the matters referred to in the subparagraphs of paragraph (1) in the Privacy Policy under Article 30 (1) of the Act, and a privacy officer under Article 31 (1) of the Act shall check whether the personal information controller is using or providing additional personal information in accordance with the relevant criteria.