Measures to Ensure Safety of Personally Identifiable Information
(1) Article 30 shall apply mutatis mutandis to measures to ensure the safety of personally identifiable information under Article 24 (3) of the Act. In such cases, “Article 29 of the Act” shall be construed as “Article 24 (3) of the Act”; and “personal information” as “personally identifiable information”, respectively.
(2) “Personal information controller meeting the criteria prescribed by Presidential Decree” in Article 24 (4) of the Act means any of the following personal information controllers:
- A public institution;
- A person who processes personally identifiable information of at least 50 thousand data subjects.
(3) The Protection Commission shall inspect, at least once every two years, whether the personal information controllers who fall under any subparagraph of paragraph (2) have taken measures necessary to ensure safety pursuant to Article 24 (4) of the Act.
(4) The inspection referred to in paragraph (3) shall be conducted by requiring the personal information controllers provided for in paragraph (2) to submit necessary material online or in writing.
(5) “Specialized institutions prescribed by Presidential Decree” in Article 24 (5) of the Act means any of the following institutions:
- The Korea Internet and Security Agency established under Article 52 of the Act on Promotion of Information and Communications Network Utilization and Information Protection (hereinafter referred to as the “Korea Internet and Security Agency”);
- A corporation, organization, or institution determined and prescribed by Notification of the Protection Commission as deemed to have technical and financial capacity and equipment to conduct the inspection pursuant to Article 24 (4) of the Act.