Article 30
Measures to Ensure Safety of Personal Information
(1) Each personal information controller shall take the following measures to ensure safety pursuant to Article 29 of the Act:
1. Formulating, implementing, and examining an internal management plan that includes the following to safely process personal information:
   - (a) Matters regarding the management, supervision, and education of a personal information handler under Article 28 (1) of the Act (hereinafter referred to as "personal information handler");
   - (b) Matters regarding the composition and operation of an organization responsible for protecting personal information, including the designation of privacy officers, under Article 31 of the Act;
   - (c) Details necessary to implement the measures provided in subparagraphs 2 through 8;
2. The following measures to restrict access authority to personal information:
   - (a) Establishing and implementing the standards for granting, changing, or canceling access authority to a system systematically designed to process personal information, including a database system (hereinafter referred to as "personal information processing system");
   - (b) Establishing and operating the standards for applying authentication means necessary to verify whether access is made by a person with legitimate authority;
   - (c) Other measures necessary to restrict access authority to personal information;
3. The following measures to control access to personal information:
   - (a) Measures necessary to detect and block intrusions into a personal information processing system;
   - (b) Blocking Internet access to and from computers satisfying the standards determined and publicly notified by the Protection Commission, such as the computers of personal information handlers accessing a personal information processing system: Provided, That this shall apply only to a personal information controller with an average of at least one million daily users defined in Article 2 (1) 4 of the Act on Promotion of Information and Communications Network Utilization and Information Protection whose personal information is stored and managed for the immediately preceding three months as of the end of the previous year;
   - (c) Other measures necessary to control access to personal information;
4. The following measures necessary to safely store and transmit personal information:
   - (a) Storing encrypted authentication information, including the storage of one-way encrypted passwords, or other measures equivalent thereto;
   - (b) Encrypting information determined and publicly notified by the Protection Commission for storage, including resident registration numbers, or other measures equivalent thereto;
   - (c) Where the personal information or authentication information of data subjects is transmitted or received through the information and communications network defined in Article 2 (1) 1 of the Act on Promotion of Information and Communications Network Utilization and Information Protection, encrypting the relevant information or other measures equivalent thereto;
   - (d) Other measures to ensure security using encryption or other technologies equivalent thereto;
5. The following measures to retain the records of access and prevent such records from being forged or altered in case of a personal information breach incident:
   - (a) Storing, inspecting, confirming, and supervising the records of access, such as the date and time when persons access a personal information processing system, and the details of processing personal information;
   - (b) Safely storing the records of access to a personal information processing system;
   - (c) Other measures necessary to retain the records of access and prevent such records from being forged or altered;
6. Installing, operating, and periodically updating and inspecting programs that can detect at all times whether any malicious program, such as a computer virus, spyware, or ransomware, intrudes into a personal information processing system or the information technology equipment used by personal information handlers for processing personal information, and that can delete such malicious programs;
7. Preparing storage facilities and installing locking devices to safely store personal information, or taking other physical measures;
8. Other measures necessary to ensure safety of personal information.
(2) The Protection Commission may provide necessary assistance, such as building a system with which personal information controllers can take the measures to ensure safety pursuant to paragraph (1).
(3) Detailed standards for the measures to ensure safety under paragraph (1) shall be prescribed by Notification of the Protection Commission.