Notification and Reporting of Divulgence of Personal Information
(1) A personal information controller shall notify data subjects of the following matters without delay when the personal information controller becomes aware of loss, theft, or divulgence (hereafter in this Article referred to as "divulgence, etc.") of personma information: Provided, That if the contact information of the data subject is unknown or if any other good cause exists, a measure may be taken in lieu of giving notice, as prescribed by Presidential Decree:
- Particulars of divulgence, etc. of personal information;
- When and how divulgence, etc. of personal is made;
- Any information about how the data subjects can minimize the risk of damage from divulgence, etc.;
- Countermeasures taken by the personal information controller and remedial procedure;
- Help desk and contact points for the data subjects to report damage.
(2) A personal information controller shall prepare countermeasures to minimize the risk of damage in the case of divulgence, etc. of personal information and take necessary measures.
(3) Upon becoming aware of divulgence, etc. of personal information, the personal information controller shall, without delay, file a report with the Protection Commission or a specialized institution designated by Presidential Decree with respect to the matters provided in the subparagraphs of paragraph (1), as prescribed by Presidential Decree in consideration of the types of personal information, the process and scale of divulgence, etc., and other factors. In such cases, the Protection Commission and the specialized institution designated by Presidential Decree may provide technical assistance for the prevention of the spread of damage, recovery from damage, and other purposes.
(4) Matters necessary for notifying divulgence, etc. under paragraph (1) and timing, methods, and procedures for reporting breach, etc. under paragraph (3) shall be prescribed by Presidential Decree.