Designation of Assessment Institutions and Revocation of Designation
(1) The Protection Commission may designate a corporation that satisfies all of the following requirements as a privacy impact assessment institution (hereinafter referred to as “assessment institution”) pursuant to Article 33 (2) of the Act:
- A corporation whose total revenue derived from any of the following work is 200 million won or more during the last five years:
  - (a) Privacy impact assessments or work similar thereto;
  - (b) Data protection consulting (which means the analysis and assessment of information systems and the provision of corresponding countermeasures against electronic infringement incidents; hereinafter the same shall apply) among the work related to establishing information systems, as defined in subparagraph 13 of Article 2 of the Electronic Government Act (including the information protection system);
  - (c) Data protection consulting among the work related to monitoring information systems, as defined in subparagraph 14 of Article 2 of the Electronic Government Act;
  - (d) Data protection consulting among the work related to the information security industry defined in Article 2 (1) 2 of the Act on the Promotion of the Information Security Industry;
  - (e) Work prescribed in Article 23 (1) 1 and 2 of the Act on the Promotion of the Information Security Industry;
- A corporation that employs at least 10 full-time experts who meet the qualification requirements determined and publicly notified by the Protection Commission, including work experience in the field related to privacy impact assessment;
- A corporation with the following offices and facilities:
  - (a) An office with facilities for identification and access control;
  - (b) Facilities for the safe management of records and materials.
(2) A person who intends to be designated as an assessment institution shall file an application for designation as an assessment institution, in the form prescribed by Notification of the Protection Commission, with the Protection Commission, along with the following documents (including electronic documents; hereinafter the same shall apply):
- The articles of incorporation;
- The representative’s name;
- Documents verifying the qualifications of the experts referred to in paragraph (1) 2;
- Other documents prescribed by Notification of the Protection Commission.
(3) Upon receipt of an application for designation as an assessment institution filed under paragraph (2), the Protection Commission shall verify the following documents through the sharing of administrative information pursuant to Article 36 (1) of the Electronic Government Act: Provided, That where the applicant does not give consent to the verification of subparagraph 2, the Protection Commission shall require the applicant to submit the relevant document:
- The corporation registration certificate;
- The certificate of alien registration issued under Article 88 (2) of the Immigration Act (applicable only to aliens).
(4) Upon designating an assessment institution pursuant to paragraph (1), the Protection Commission shall, without delay, issue a written designation to the relevant applicant, and provide Notification thereof in the Official Gazette. The same shall also apply to any revision to the Notification:
- The name, address, and telephone number of the assessment institution, and the name of its representative;
- Terms and conditions attached to the designation, if any.
(5) "Cases that fall under any ground prescribed by Presidential Decree" in Article 33 (7) 5 of the Act means any of the following cases:
- Where an assessment institution fails to comply with the obligation to submit a report under paragraph (6);
- Where an assessment institution has no records of privacy impact assessment for two consecutive years from the date of obtaining designation without good cause;
- Where an assessment institution divulges any information that it has obtained in the course of conducting privacy impact assessments, such as a privacy impact assessment report under the provisions, with the exception of the subparagraphs, of Article 38 (2);
- Other cases where an assessment institution breaches the duties under the Act or this Decree.
(6) An assessment institution designated under paragraph (1) shall, upon occurrence of any of the following events after designation, submit a report to the Protection Commission, as prescribed by Notification of the Protection Commission, within 14 days from the date of occurrence: Provided, That it shall submit a report to the Protection Commission within 60 days from the date of occurrence in cases falling under subparagraph 3:
- Where any matter referred to in paragraph (1) is changed;
- Where any matter referred to in paragraph (4) 1 is changed;
- Where the transfer, acquisition, or merger of the assessment institution, or similar event occurs.
(7) (deleted).
[Moved from Article 37; previous Article 36 moved to Article 37]