Article 35
Object of Privacy Impact Assessment
“Personal information files meeting the criteria prescribed by Presidential Decree” in Article 33 (1) of the Act means any of the following personal information files that can be processed electronically:
- Personal information files that will be established, operated, or modified, and contain sensitive information or personally identifiable information of at least 50 thousand data subjects for processing;
- Personal information files that is established and operated, and will be matched with other personal information files being established and operated inside or outside the relevant public institution, and, as a result of matching, will contain the personal information of at least 500 thousand data subjects;
- Personal information files that will be established, operated, or modified, and contain the personal information of at least one million data subjects;
- Personal information files whose operating system, including the data retrieval system, will be changed after the privacy impact assessment under Article 33 (1) of the Act (hereinafter referred to as “privacy impact assessment”). In such cases, the privacy impact assessment shall be limited to the changed system.