Methods of Obtaining Consent
(1) Where a personal information controller intends to obtain the consent of the data subject (including his or her legal representative as stated in Article 22-2 (1); hereafter in this Article the same shall apply) to the processing of his or her personal information, the personal information controller shall present the request for consent to the data subject in a clearly recognizable manner where each matter requiring consent is distinctly presented, and obtain his or her consent thereto. In such cases, the personal information controller shall categorize the matters requiring consent falling under the following subparagraphs and obtain consent, respectively.
- Where consent shall be obtained under Article 15 (1) 1;
- Where consent shall be obtained under Article 17 (1) 1;
- Where consent shall be obtained under Article 18 (2) 1;
- Where consent shall be obtained under subparagraph 1 of Article 19;
- Where consent shall be obtained under Article 23 (1) 1;
- Where consent shall be obtained under Article 24 (1) 1;
- Where the personal information controller intends to obtain consent to the processing of personal information in order to promote goods or services or solicit purchase thereof;
- Other cases prescribed by Presidential Decree where it is necessary to obtain consent by categorizing the matters requiring consent to protect a data subject.
(2) Where a personal information controller obtains the consent under paragraph (1) in writing (including electronic documents under Article 2, subparagraph 1 of the Framework Act on Electronic Documents and Transactions), the personal information controller shall clearly specify important matters prescribed by Presidential Decree such as the purpose of collection and use of personal information and the items of personal information to be collected and used, in the manner prescribed by Notification of the Protection Commission, so as to make such matters easy to be understood.
(3) With respect to the personal information that can be processed without consent of the data subject, a personal information controller shall disclose the relevant items and legal basis for such processing under Article 30 (2) by separating such information from the personal information processed with consent of the data subject, or shall inform the data subject thereof by e-mail or any other means prescribed by Presidential Decree. In such cases, the burden of proof that personal information can be processed without consent shall be borne by the personal information controller.
(4) (deleted)
(5) A personal information controller shall not refuse to provide goods or services to a data subject on the grounds that the data subject would not consent to the matter eligible for selective consent, or would not consent pursuant to paragraph (1) 3 and 7.
(6) (deleted)
(7) Except as provided in paragraphs (1) through (5), matters necessary for detailed methods to obtain the consent of data subjects shall be prescribed by Presidential Decree, in consideration of the collection media of personal information and other factors.