Establishment and Disclosure of Privacy Policy
(1) A personal information controller shall establish a personal information processing policy including the following matters (hereinafter referred to as "Privacy Policy"). In such cases, public institutions shall establish the Privacy Policy for the personal information files to be registered pursuant to Article 32:
- The purposes for which personal information is processed;
- The period for processing and retaining personal information;
- Provision of personal information to a third party (if applicable);
3-2. Procedures and methods for destroying personal information (if personal information shall be preserved according to the proviso of Article 21 (1), this shall include the basis of preservation and particulars of personal information to be preserved);
3-3. The possibility of disclosure of sensitive information and the method of selecting non-disclosure under Article 23 (3) (if applicable); - Entrusting personal information processing (if applicable);
4-2. Matters relating to processing, etc. of pseudonymized information under Articles 28-2 and 28-3 (if applicable); - The rights and obligations of data subjects and legal representatives, and how to exercise such rights;
- Contact information, such as the name of a privacy officer designated under Article 31 or the name, telephone number, etc. of the department which performs the work related to personal information protection and handles related grievances;
- Installation and operation of an automatic collection tool for personal information, including Internet access data files, and the denial thereof (if applicable);
- Other matters prescribed by Presidential Decree regarding the processing of personal information.
(2) Upon establishing or modifying the Privacy Policy, a personal information controller shall disclose the content so that data subjects may easily recognize it in such a way as prescribed by Presidential Decree.
(3) Where there exist discrepancies between the Privacy Policy and the agreement executed by and between the personal information controller and data subjects, the terms that are beneficial to the data subjects shall prevail.
(4) The Protection Commission may prepare the Privacy Policy Guidelines and encourage the personal information controllers to comply with such Guidelines.