Restriction on Processing of Personally Identifiable Information
(1) A personal information controller shall not process any information prescribed by Presidential Decree that can be used to identify an individual in accordance with statutes or regulations (hereinafter referred to as "personally identifiable information"), except in any of the following cases:
- Where the personal information controller informs a data subject of the matters provided for in Article 15 (2) or 17 (2), and obtains the consent of the data subject apart from the consent to the processing of other personal information;
- Where other statutes or regulations specifically require or permit the processing of unique identification information.
(2) (deleted)
(3) Where a personal information controller processes personally identifiable information pursuant to paragraph (1), the personal information controller shall take measures necessary to ensure safety, including encryption, as prescribed by Presidential Decree, so that the personally identifiable information may not be lost, stolen, divulged, forged, altered, or damaged.
(4) The Protection Commission shall regularly inspect whether a personal information controller meeting the criteria prescribed by Presidential Decree taking into account the types and amount of processed personal information, number of employees, amount of sales, etc., has taken the measures necessary to ensure safety pursuant to paragraph (3), as prescribed by Presidential Decree.
(5) The Protection Commission may authorize specialized institutions prescribed by Presidential Decree to conduct the inspection referred to in paragraph (4).