Obligation to Take Safety Measures for Pseudonymized Information
(1) In processing pseudonymized information under Article 28-2 or 28-3, a personal information controller shall take such technical, administrative, and physical measures as separately storing and managing additional information needed for restoration to the original state, which are necessary to ensure safety as prescribed by Presidential Decree to prevent personal information from being lost, stolen, divulged, forged, altered, or damaged.
(2) In processing pseudonymized information in accordance with Article 28-2 or 28-3, a personal information controller may separately determine the processing period of the pseudonymized information in consideration of the processing purpose, etc.
(3) A personal information controller who intends to process pseudonymized information under Article 28-2 or 28-3 shall prepare and retain records relating to matters prescribed by Presidential Decree including the purpose of processing the pseudonymized information, a recipient in cases where pseudonymized information is provided to a third party, the processing period of pseudonymized information, etc. (limited to cases where the processing period is separately determined under paragraph (2)) to manage the details of the processing of pseudonymized information, and shall retain the records for at least three years from the date of destruction in the event of destruction of pseudonymized information.