Criteria for Privacy Impact Assessment
(1) The criteria for privacy impact assessments (hereinafter referred to as "assessment criteria") under Article 33 (9) of the Act shall be as follows:
1. The type and nature of personal information contained in the relevant personal information files, the number of data subjects, and the possibility of subsequent personal information breach;
2. The level of measures to ensure safety taken under Articles 23 (2), 24 (3), 24-2 (2), 25 (6) (including cases applied mutatis mutandis in Article 25-2 (4)), and 29 of the Act, and the subsequent possibility of personal information breach;
3. Countermeasures against risk factors of personal information breach, if any;
4. Other necessary measures subject to the Act or this Decree, or any factor affecting breach of duties.
(2) An assessment institution requested to conduct a privacy impact assessment under Article 33 (2) of the Act shall, in accordance with the assessment criteria, analyze and assess the risk factors of personal information breaches that result from the operation of personal information files, and shall prepare a privacy impact assessment report based on the results of the evaluation that includes the following and send such report to the head of the relevant public institution, who shall submit the report to the Protection Commission before operating and changing personal information files falling under the subparagraphs of Article 35:
1. Those subject to the privacy impact assessment and the scope thereof;
2. Fields and items of the evaluation;
3. Analysis and assessment of the risk factors of personal information breaches in accordance with the assessment criteria;
4. The details of measures taken based on the results of the analysis and evaluation under subparagraph 3 and a plan for improvement;
5. The results of the privacy impact assessment;
6. A summary of the matters prescribed in subparagraphs 1 through 5.
(3) The Protection Commission or the head of a public institution may disclose the details of a summary of a privacy impact assessment report prescribed in paragraph (2) 6.
(4) Except as provided in the Act and this Decree, the Protection Commission may determine and publicly notify the detailed standards for designating assessment institutions, procedures for privacy impact assessments, etc.