Restriction on Processing of Sensitive Information
(1) A personal information controller shall not process any information prescribed by Presidential Decree (hereinafter referred to as “sensitive information”), including ideology, belief, admission to or withdrawal from a trade union or political party, political opinions, health, sex life, and other personal information that is likely to markedly threaten the privacy of any data subject: Provided, That this shall not apply in any of the following circumstances:
- Where the personal information controller informs the data subject of the matters provided for in Article 15 (2) or 17 (2), and obtains the consent of the data subject apart from the consent to the processing of other personal information;
- Where other statutes or regulations require or permit the processing of sensitive information.
(2) Where a personal information controller processes sensitive information pursuant to paragraph (1), the personal information controller shall take measures necessary to ensure safety pursuant to Article 29 so that the sensitive information may not be lost, stolen, divulged, forged, altered, or damaged.
(3) Where a personal information controller deems that there is a risk of privacy invasion because sensitive information of the data subject is included in the information disclosed in the course of the provision of goods or services, the personal information controller shall communicate to the data subject the possibility of disclosure of sensitive information and the method of selecting non-disclosure in an easily understandable manner before providing the goods or services.