Matters Subject to Notification, such as Sources of Personal Information Collected, and Methods and Procedures for Notification
(1) “Personal information controller satisfying the criteria prescribed by Presidential Decree” in the main clause of Article 20 (2) of the Act means any of the following personal information controllers; in such cases, the number of data subjects prescribed in the following shall be calculated based on the daily average during the immediately preceding three months as of the end of the previous year:
- A person who processes sensitive information defined in Article 23 of the Act (hereinafter referred to as “sensitive information”) or personally identifiable information defined in Article 24 (1) of the Act (hereinafter referred to as “personally identifiable information”) of at least 50 thousand data subjects;
- A person who processes personal information of at least one million data subjects.
(2) A personal information controller who falls under any subparagraph of paragraph (1) shall notify data subjects of the matters referred to in the subparagraphs of Article 20 (1) of the Act by any of the following methods within three months from the date of being provided with their personal information: Provided, that where the personal information controller is regularly provided with and processes personal information at least twice a year to the extent that the personal information controller has obtained consent from the data subjects under Article 17 (1) 1 of the Act about the matters prescribed in Article 17 (2) 1 through 4 of the Act, he or she shall notify the data subjects within three months from the date of being provided with their personal information, or at least once a year counting from the date of the consent:
- A method by which the data subjects can easily confirm the details of the notification, such as in writing, electronic mail, telephone, or text message;
- Giving notification in the course of providing goods or services through a notification window so that the data subjects can easily recognize the relevant matters.
(3) A personal information controller may notify the matters regarding the source of collected personal information, etc. pursuant to Article 20 (2) of the Act while notifying the details of the use and provision of personal information under Article 20-2 (1) of the Act.
(4) A personal information controller specified in any subparagraph of paragraph (1) who has made notification under paragraph (2) shall retain and manage the following matters until the relevant personal information is destroyed pursuant to Article 21 or 37 (5) of the Act:
- The fact that data subjects are notified;
- When notification is made; 3. How notification is made.