Procedures for Access to Personal Information
(1) A data subject who intends to request access to his or her own personal information processed by a personal information controller pursuant to Article 35 (1) of the Act shall submit a request, stating the information that he or she intends to access among the following information, in the manner and following the procedure determined by the personal information controller;
- Particulars and substance of personal information;
- The purpose of collecting and using personal information;
- The period for retaining and using personal information;
- Status of personal information provided to a third party;
- The fact that the data subject has given consent to the processing of his or her personal information and the content thereof.
(2) To determine the manner and procedure for requesting access under paragraph (1), a personal information controller shall comply with the following to ensure that such manner and procedure are not more difficult than the manner and procedure that the personal information controller uses to collect the relevant personal information:
- To provide the requested personal information in a data subject-friendly manner, such as in writing, by telephone or electronic mail, or via the Internet;
- To allow data subjects to request access to their own personal information at least through the same window or in the same manner that the personal information controller uses to collect such personal information, unless good cause exists, such as difficulty in continuously operating such window;
- To post on a website the manner and procedure for requesting access if the personal information controller operates the website.
(3) A data subject who intends to request access to his or her own personal information via the Protection Commission pursuant to Article 35 (2) of the Act shall submit to the Protection Commission a Personal Information Access Request specifying the information to access among the information referred to in paragraph (1), as prescribed by Notification of the Protection Commission. In such cases, the Protection Commission shall forward the Personal Information Access Request to the relevant public institution without delay.
(4) “Period prescribed by Presidential Decree” in the former part of Article 35 (3) of the Act means 10 days.
(5) Where a personal information controller allows a data subject to access the relevant personal information within 10 days from the receipt of the Personal Information Access Request under paragraph (1) or (3), or limits access to the relevant person information under Article 42 (1), the personal information controller shall serve the data subject with the Access Notice, stating the accessible personal information, date and time, venue, etc. for access (in the case of partial access pursuant to Article 42 (1), the ground therefor and how to appeal shall be included), in the form prescribed by Notification of the Protection Commission: Provided, That where he or she allows immediate access, the Access Notice may be omitted.