Designation of Privacy Officers
(1) A personal information controller shall designate a privacy officer who shall have general supervision and control of the work regarding personal information processing: Provided, That a personal information controller whose number of employees, turnover, etc. meet the criteria prescribed by Presidential Decree need not designate a privacy officer.
(2) Where a privacy officer is not designated under the proviso of paragraph (1), the business owner or representative of the personal information controller shall become the privacy officer.
(3) A privacy officer shall perform the following work:
- To establish and implement a personal information protection plan;
- To conduct a regular survey of the status and practices of personal information processing, and to improve shortcomings;
- To handle grievances and remedial compensation in relation to personal information processing;
- To build the internal control system to prevent the divulgence, abuse, and misuse of personal information;
- To prepare and implement an education program about personal information protection;
- To protect, control, and manage the personal information files;
- Other work prescribed by Presidential Decree for the appropriate processing of personal information.
(4) In performing the work provided in the subparagraphs of paragraph (3), a privacy officer may occasionally inspect the current status of personal information processing, processing systems, etc. if necessary, and may request a report thereon from the relevant parties.
(5) Where a privacy officer becomes aware of any violation of this Act or other relevant statutes or regulations in relation to the protection of personal information, he or she shall take corrective measures immediately, and shall report such corrective measures to the head of the institution or organization to which he or she belongs, if necessary.
(6) A personal information controller shall not allow the privacy officer to give or be subject to disadvantages without good cause while performing the affairs provided in the subparagraphs of paragraph (3), and shall guarantee the independent performance of work by the privacy officer.
(7) A personal information controller may organize and operate a council of privacy officers comprised of the privacy officers provided in paragraph (1) so as to safely process and protect personal information, exchange information, and conduct other joint projects prescribed by Presidential Decree.
(8) The Protection Commission may provide support necessary for the activities of the council of privacy officers under paragraph (7).
(9) Matters necessary for the qualification requirements for a privacy officer under paragraph (1), the work under paragraph (3), the guarantee of independence under paragraph (6), and other relevant matters, shall be prescribed by Presidential Decree, taking into consideration sales, the scale of personal information retained, etc.