Work of Privacy Officer and Requirements for Designation
(1) “Work prescribed by Presidential Decree” in Article 31 (2) 7 of the Act means the following:
1. To establish, modify, and implement the Privacy Policy pursuant to Article 30 of the Act;
2. To manage materials related to the protection of personal information;
3. To destroy personal information whose purpose of processing is attained or retention period expires.
(2) A personal information controller shall designate a privacy officer pursuant to Article 31 (1) of the Act according to the following classifications:
- Public institutions: Public officials, etc. who satisfy the below standards:
  - (a) The administrative bodies of the National Assembly, the Court, the Constitutional Court, and the National Election Commission; and central administrative agencies: A member of the Senior Executive Service (hereinafter referred to as “senior executive”) or equivalent public official;
  - (b) Other national agencies than item (a), headed by a public official in political service: A public official of Grade III or higher (including a senior executive) or equivalent thereto;
  - (c) Other national agencies than items (a) and (b), headed by a senior executive, a Grade III or higher public official, or an equivalent public official: A public official of Grade IV or higher or equivalent thereto;
  - (d) Other national agencies than items (a) through (c) (including their affiliated bodies): The head of a department in charge of the work related to personal information processing in the relevant agency;
  - (e) City/Do, City/Do Offices of Education: A public official of Grade III or higher or equivalent thereto;
  - (f) Si/Gun or autonomous Gu: A public official of Grade IV or equivalent thereto;
  - (g) Schools of each level referred to in subparagraph 5 of Article 2: A person who takes overall control of the administrative affairs of the relevant school;
  - (h) Other public institutions than items (a) through (g): The head of a department in charge of the work related to personal information processing in the relevant institution: Provided, That, where the heads of at least two departments are in charge of the work related to personal information processing, the head of the relevant institution shall designate the privacy officer from among them;
- An institution other than public institutions: Any of the following persons:
  - (a) The business owner or representative;
  - (b) An executive officer (or the head of a department in charge of the work related to personal information processing, if no executive officer exists).
(3) Notwithstanding paragraph (2), if the personal information controller is a micro enterprise defined in Article 2 of the Framework Act on Micro Enterprises, it shall be deemed that the enterprise owner or representative has been designated as the privacy officer without separate designation: Provided, That this shall not apply if the personal information controller has separately designated a privacy officer.
(4) The Protection Commission may provide necessary assistance, such as developing and providing educational programs for privacy officers so that they may efficiently perform the work provided for in Article 31 (2) of the Act.