29-5
Measures to Ensure Safety of Pseudonymized Information
(1) A personal information controller shall implement the following safety measures for pseudonymized information and additional information to restore pseudonymized information to the original state (hereinafter in this Article referred to as “additional information”) in accordance with Article 28-4 (1) of the Act:
- Measures to ensure safety under Article 30;
- Separate storage of pseudonymized information and additional information: Provided, That any unnecessary additional information shall be destroyed;
- Separation of access rights to pseudonymized information and additional information: Provided, That if the personal information controller finds it difficult to separate access rights due to good reason such as the personal information controller being a micro enterprise defined in Article 2 of the Framework Act on Micro Enterprises which cannot afford an additional employee to handle pseudonymized information, it shall manage and control access rights by granting the minimum degree of access necessary to do the work and recording the status of access rights granted.
(2) “Matters prescribed by Presidential Decree” in Article 28-4 (3) of the Act mean any of the following:
- Purpose of processing pseudonymized information;
- Items of pseudonymized personal information;
- Use history of pseudonymized information;
- Recipient of pseudonymized information provided by a third party;
- Processing period of pseudonymized information (limited to where the processing period of pseudonymized information is separately determined pursuant to Article 28-4 (2) of the Act);
- Other matters prescribed by Notification of the Protection Commission as deemed necessary for the management of the processing of pseudonymized information.