Destruction of Personal Information
(1) A personal information controller shall destroy personal information without delay when the personal information becomes unnecessary owing to the expiry of the retention period, attainment of the purpose of processing the personal information, the expiry of the processing period of pseudonymized information, etc.: Provided, That this shall not apply where the retention of such personal information is mandatory by other statutes or regulations.
(2) When a personal information controller destroys personal information pursuant to paragraph (1), measures necessary to prevent recovery and revival shall be taken.
(3) Where a personal information controller is obliged to retain, rather than destroy, personal information pursuant to the proviso of paragraph (1), the relevant personal information or personal information files shall be stored and managed separately from other personal information.
(4) Other necessary matters, such as the methods to destroy personal information and its destruction process, shall be prescribed by Presidential Decree.