Notification of Divulgence of Personal Information
(1) When a personal information controller becomes aware of loss, theft, or divulgence (hereafter in this Article and Article 40 referred to as "divulgence, etc.") of personal information, the personal information controller shall notify data subjects of the matters specified in the subparagraphs of Article 34 (1) of the Act in writing, etc. within 72 hours: Provided, That notification may be given to data subjects without delay after the relevant cause ceases to exist in any of the following cases:
- Where urgent measures need to be taken to prevent widespread divulgence, etc. of personal information and any further divulgence, etc., such as blocking access routes, inspecting and addressing vulnerabilities, and recovering and deleting the relevant personal information;
- Where it is impracticable to give notification within 72 hours due to a natural disaster or any other unavoidable cause.
(2) Notwithstanding paragraph (1), where a personal information controller intends to give notification under paragraph (1) but fails to confirm the specific details of the matters prescribed in Article 34 (1) 1 or 2 of the Act, the personal information controller shall first give notification of the divulgence of personal information, the details that have already been confirmed, and the matters specified in Article 34 (1) 3 through 5 of the Act in writing, etc., and shall notify the details further confirmed immediately upon confirmation.
(3) Notwithstanding paragraphs (1) and (2), where the contact information of a data subject is unknown or any other good cause exists, a personal information controller shall post the matters provided in the subparagraphs of Article 34 (1) of the Act on its website for at least 30 days to ensure that the data subject can easily recognize such matters, in lieu of giving notification under paragraphs (1) and (2), pursuant to the proviso, with the exception of the subparagraphs, of Article 34 (1) of the Act: Provided, That in the case of a personal information controller that does not operate its website, the matters specified in the subparagraphs of Article 34 (1) of the Act may be posted at a conspicuous place of the workplace, etc. for at least 30 days in lieu of giving notification under paragraphs (1) and (2).
[Moved from Article 40; previous Article 39 moved to Article 40]