Those Subject to, and Procedures for, Evaluation of Privacy Policy
(1) Where the Protection Commission evaluates the Privacy Policy under Article 30-2 (1) of the Act, it shall select those subject to such evaluation, comprehensively considering the following matters:
- The type and sales of a personal information controller;
- The type and scale of personal information processed, such as sensitive information and personally identifiable information;
- The legal grounds and methods for personal information processing;
- Whether any statute is violated;
- The characteristics of data subjects, such as children and youth.
(2) Upon selecting those subject to the evaluation of the Privacy Policy pursuant to paragraph (1), the Protection Commission shall notify the relevant personal information controller of an evaluation plan including the details, time schedule, procedures, etc. of the evaluation no later than 10 days before the commencement of the evaluation.
(3) Where necessary to evaluate the Privacy Policy under Article 30-2 of the Act, the Protection Commission may request the relevant personal information controller to present its opinion.
(4) The Protection Commission shall evaluate the Privacy Policy pursuant to Article 30-2 of the Act and notify the relevant personal information controller of the results of such evaluation without delay.
(5) Except as provided in paragraphs (1) through (4), the detailed standards and procedures for selecting those subject to the evaluation of the Privacy Policy shall be determined and publicly notified by the Protection Commission.