Liability for Damages
(1) A data subject who suffers damage by reason of a violation of this Act by a personal information controller is entitled to claim compensation from the personal information controller for such damage. In such cases, the said personal information controller may not be released from responsibility for compensation if it fails to prove the absence of intention or negligence.
(2) (deleted)
(3) Where a data subject suffers damage out of loss, theft, divulgence, forgery, alteration, or damage of his or her own personal information, caused by intention or negligence of a personal information controller, the Court may determine the amount of compensation for damage not exceeding five times such damage: Provided, That the same shall not apply to the personal information controller who has proved the absence of intention or negligence.
(4) The Court shall take into account the following when determining the amount of compensation for damage under paragraph (3):
- The degree of intention or expectation of damage;
- The amount of loss caused by the violation;
- Economic benefits the personal information controller gained in relation to the violation;
- A fine and a penalty surcharge to be levied subject to the violation;
- The duration, frequency, etc. of violations;
- The property of the personal information controller;
- The personal information controller’s efforts to retrieve the affected personal information after the loss, theft, or divulgence of personal information;
- The personal information controller’s efforts to remedy damage suffered by the data subject.