Reporting on Divulgence of Personal Information
(1) When a personal information controller becomes aware of divulgence, etc. of personal information in any of the following cases, the personal information controller shall, in writing, etc., file a report with the Protection Commission or a specialized institution prescribed in the former part of Article 34 (3) of the Act with regard to the matters provided in the subparagraphs of Article 34 (1) of the Act within 72 hours: Provided, That where it is impracticable to file a report within 72 hours due to a natural disaster or any other unavoidable cause, a report may be filed without delay after the relevant cause ceases to exist; and where the possibility of infringing on the rights and interests of data subjects is substantially reduced after the path of divulgence, etc. of personal information is confirmed and measures are taken such as the recovery and deletion of the relevant personal information, the personal information controller need not file a report thereon:
- Where divulgence, etc. of personal information of at least 1,000 data subjects occurs;
- Where divulgence, etc. of sensitive information or personally identifiable information occurs;
- Where divulgence, etc. of personal information occurs due to illegal external access to personal information processing systems or information technology equipment used by personal information handlers for processing personal information.
(2) Notwithstanding paragraph (1), where a personal information controller intends to file a report pursuant to paragraph (1) but fails to confirm the specific details of the matters provided in Article 34 (1) 1 or 2 of the Act, the personal information controller shall first file a report on divulgence, etc. of personal information, the details that have already been confirmed, and the matters specified in Article 34 (1) 3 through 5 of the Act in writing, etc., and shall notify the details further confirmed immediately upon confirmation.
(3) "Specialized institution designated by Presidential Decree" in the former and latter parts of Article 34 (3) of the Act means the Korea Internet and Security Agency.
[Moved from Article 39; previous Article 40 moved to Article 39]