Criteria, Method, and Procedure for Certification of Personal Information Protection
(1) The Protection Commission shall determine and publicly notify the criteria for certification referred to in Article 32-2 (1) of the Act, including the establishment of managerial, technical, and physical safeguards to protect personal information, taking into account the matters provided in the subparagraphs of Article 30 (1).
(2) A person who intends to obtain certification of personal information protection pursuant to Article 32-2 (1) of the Act (hereafter in this Article and Article 34-3, referred to as “applicant”), shall submit an application (including an electronic application) for certification of personal information protection which includes the following matters to an institution specializing in the certification of personal information protection referred to in Article 34-6 (hereinafter referred to as “certification institution”):
- A list of personal information processing systems subject to certification;
- Methods and procedures for establishing and operating the personal information protection system;
- A list of documents related to the personal information protection system and the implementation of safeguards.
(3) Upon receipt of an application for certification pursuant to paragraph (2), a certification institution shall consult with the applicant regarding the scope, time schedule, etc. of certification.
(4) An examination to certify personal information protection under Article 32-2 (1) of the Act shall be either a paper-based examination or an on-site examination conducted by the certification examiners for personal information protection subject to Article 34-8.
(5) Each certification institution shall establish and operate a certification committee comprised of members with extensive knowledge and experience in information protection to deliberate on the results of examinations for certification conducted pursuant to paragraph (4).
(6) Except as provided in paragraphs (1) through (5), detailed matters necessary for certification of personal information protection, including filing an application for certification, examination for certification, establishment and operation of the certification committee, and issuance of certificates, shall be prescribed by Notification of the Protection Commission.