Certification of Personal Information Protection
(1) The Protection Commission may certify whether the data processing and other data protection-related action of a personal information controller abide by this Act, etc.
(2) The certification provided for in paragraph (1) shall be effective for three years.
(3) In any of the following cases, the Protection Commission may revoke the certification granted under paragraph (1), as prescribed by Presidential Decree: Provided, That it shall be revoked in cases falling under subparagraph 1:
1. Where personal information protection has been certified by fraud or other improper means;
2. Where follow-up management provided for in paragraph (4) has been denied or obstructed;
3. Where the certification criteria provided for in paragraph (8) have not been satisfied;
4. Where personal information protection-related statutes or regulations are breached, and the grounds for the violation are material.
(4) The Protection Commission shall conduct follow-up management at least once annually to maintain the effectiveness of the certification of personal information protection.
(5) The Protection Commission may authorize the specialized institutions prescribed by Presidential Decree to perform the work related to certification under paragraph (1), revocation of certification under paragraph (3), follow-up management under paragraph (4), and management of certification examiners under paragraph (7).
(6) Any person who has obtained certification under paragraph (1) may indicate or promote the details of the certification, as prescribed by Presidential Decree.
(7) Qualifications of certification examiners who conduct the certification examination subject to paragraph (1), criteria for disqualification, and other related matters shall be prescribed by Presidential Decree, taking into account specialty, career, and other necessary matters.
(8) Other matters necessary for the certification criteria, method, procedure, etc. subject to paragraph (1), including whether the personal information management system, guarantee of data subjects’ rights, and measures to ensure safety are based on this Act, shall be prescribed by Presidential Decree.