Privacy Impact Assessment
(1) Where there is a risk of a personal information breach of data subjects due to the operation of personal information files meeting the criteria prescribed by Presidential Decree, the head of a public institution shall conduct an assessment to analyze risk factors and to improve them (hereinafter referred to as “privacy impact assessment”), and submit the results thereof to the Protection Commission.
(2) The Protection Commission may designate a person who satisfies the requirements prescribed by Presidential Decree such as human resources and facilities as an institution that performs a privacy impact assessment (hereinafter referred to as "assessment institution"), and the head of a public institution shall request the assessment institution to conduct the privacy impact assessment.
(3) Privacy impact assessments shall take into account the following:
- The number of personal information being processed;
- Whether the personal information is provided to a third party;
- The probability of violating the rights of the data subjects and the degree of risks;
- Other matters prescribed by Presidential Decree.
(4) The Protection Commission may provide its opinion on the privacy impact assessment results submitted under paragraph (1).
(5) The head of a public institution shall register the personal information files in accordance with Article 32 (1), for which the privacy impact assessment has been conducted pursuant to paragraph (1), with the results of the privacy impact assessment attached thereto.
(6) The Protection Commission shall take necessary measures, such as fostering relevant specialists, and developing and disseminating criteria for the privacy impact assessment, to promote the privacy impact assessment.
(7) The Protection Commission may revoke the designation of an assessment institution that has obtained designation under paragraph (2) in any of the following cases: Provided, That it shall revoke the designation in cases falling under subparagraph 1 or 2:
1. Where the designated assessment institution has obtained its designation by fraud or other improper means;
2. Where the designated assessment institution wants revocation of such designation or has closed its business;
3. Where the designated assessment institution ceases to meet the requirements for designation provided in paragraph (2);
4. Where the designated assessment institution has poorly performed its work either by intention or gross negligence, and is deemed incapable of duly performing its affairs;
5. Other cases that fall under any ground prescribed by Presidential Decree.
(8) Where the Protection Commission revokes designation pursuant to paragraph (7), it shall hold a hearing in accordance with the Administrative Procedures Act.
(9) Matters necessary for the criteria, methods, procedures, etc. for privacy impact assessments under paragraph (1) shall be prescribed by Presidential Decree.
(10) Matters regarding the privacy impact assessment conducted by the National Assembly, the Court, the Constitutional Court and the National Election Commission (including their affiliated entities) shall be prescribed by the National Assembly Regulations, the Supreme Court Regulations, the Constitutional Court Regulations, and the National Election Commission Regulations.
(11) A personal information controller other than public institutions shall proactively endeavor to conduct a privacy impact assessment, if there is a risk of a personal information breach of data subjects in operating the personal information files.