Administrative Fines
(1) Any of the following persons shall be subject to an administrative fine not exceeding 50 million won:
- A person who installs and operates a fixed visual data processing device, in violation of Article 25 (2) (including where it is applied mutatis mutandis pursuant to Article 26 (8));
- A person who takes photographs of a person or thing related to such person with a mobile visual processing device, in violation of Article 25-2 (2) (including where it is applied mutatis mutandis pursuant to Article 26 (8)).
(2) Any of the following persons shall be subject to an administrative fine not exceeding 30 million won:
- A person who refuses to provide goods or services, in violation of Article 16 (3) or 22 (5) (including where it is applied mutatis mutandis pursuant to 26 (8));
- A person who fails to notify a data subject of the facts provided in the subparagraphs of Article 20 (1), in violation of paragraphs (1) or (2) of that Article;
- A person who fails to notify a data subject of the details of the use and provision of personal information or the method of accessing the information system through which such details can be confirmed, in violation of Article 20-2 (1);
- A person who fails to take necessary measures, such as destroying personal information, in violation of Article 21 (1) (including where it is applied mutatis mutandis pursuant to Article 26 (8));
- A person who fails to take measures necessary to ensure safety, in violation of Article 23 (2), 24 (3), or 25 (6) (including where it is applied mutatis mutandis pursuant to Article 25-2 (4)), or Article 28-4 (1), or 29 (including where it is applied mutatis mutandis pursuant to Article 26 (8));
- A person who fails to communicate to the data subject the possibility of disclosure of sensitive information and the method of selecting non-disclosure, in violation of Article 23 (3) (including where it is applied mutatis mutandis pursuant to Article 26 (8));
- A person who processes resident registration numbers, in violation of Article 24-2 (1) (including where it is applied mutatis mutandis pursuant to Article 26 (8));
- A person who fails to take encryption measures, in violation of Article 24-2 (2) (including where it is applied mutatis mutandis pursuant to Article 26 (8));
- A person who fails to provide data subjects with an alternative sign-up tool without using their resident registration numbers, in violation of Article 24-2 (3) (including where it is applied mutatis mutandis pursuant to Article 26 (8));
- A person who installs and operates a fixed visual data processing device, in violation of Article 25 (1) (including where it is applied mutatis mutandis pursuant to Article 26 (8));
- A person who takes photographs of a person or a thing related to such person, in violation of Article 25-2 (1) (including where it is applied mutatis mutandis pursuant to Article 26 (8));
- A person who fails to notify a data subject of the matters he or she is required to notify, in violation of Article 26 (3);
- A person who fails to cease the use of, to retrieve or to destroy, information even if information that can uniquely identify an individual has been generated, in violation of Article 28-5 (2) (including where it is applied mutatis mutandis pursuant to Article 26 (8));
- A person who fails to take protective measures, in violation of Article 28-8 (4) (including where it is applied mutatis mutandis pursuant to Articles 26 (8) and 28-11);
- A person who indicates or promotes the details of certification despite a failure to obtain such certification, in violation of Article 32-2 (6);
- A person who fails to conduct a privacy impact assessment or to submit the results thereof to the Protection Commission, in violation of Article 33 (1);
- A person who fails to notify a data subject of the facts provided in the subparagraphs of Article 34 (1) (including where it is applied mutatis mutandis pursuant to Article 26 (8)), in violation of that paragraph;
- A person who fails to file a report with the Protection Commission or a specialized institution prescribed by Presidential Decree, in violation of Article 34 (3) (including where it is applied mutatis mutandis pursuant to Article 26 (8));
- A person who limits or denies access, in violation of Article 35 (3) (including where it is applied mutatis mutandis pursuant to Article 26 (8));
- A person who performs work under Article 35-3 (1) 2 without obtaining designation under that paragraph;
- A person who violates Article 35-3 (3);
- A person who fails to take necessary measures, such as correction or erasure, in violation of Article 36 (2) (including where it is applied mutatis mutandis pursuant to Article 26 (8));
- A person who fails to take necessary measures, such as destruction, in violation of Article 37 (3) or (5) (including where it is applied mutatis mutandis pursuant to Article 26 (8));
- A person who fails to comply with a request by a data subject without good cause, in violation of Article 37-2 (3) (including where it is applied mutatis mutandis pursuant to Article 26 (8));
- Any person who fails to submit or falsely submits materials, including articles and documents related thereto under Article 63 (1) (including where it is applied mutatis mutandis pursuant to Article 26 (8));
- A person who refuses, obstructs, or evades an entry and inspection, in violation of Article 63 (2) (including where it is applied mutatis mutandis pursuant to Article 26 (8));
- A person who fails to comply with an order to take corrective measures under Article 64 (1).
(3) Any of the following persons shall be subject to an administrative fine not exceeding 20 million won:
- A person who re-entrusts a third party with entrusted work without consent of the person entrusting, in violation of Article 26 (6);
- A person who fails to designate a domestic agent, in violation of Article 31-2 (1).
(4) Any of the following persons shall be subject to an administrative fine not exceeding 10 million won:
- A person who fails to submit materials without good cause or who submits false materials, in violation of Article 11-2 (2);
- A person who fails to separately store and manage personal information, in violation of Article 21 (3) (including where it is applied mutatis mutandis pursuant to Article 26 (8));
- A person who obtains consent, in violation of Article 22 (1) through (3) (including where it is applied mutatis mutandis pursuant to Article 26 (8));
- A person who, when entrusting work, fails to do so in a document stating the matters provided in Article 26 (1), in violation of that paragraph;
- A person who fails to disclose the entrusted work and the person entrusted in violation of Article 26 (2);
- A person who fails to notify the data subject of the fact of transfer of personal information, in violation of Article 27 (1) or (2) (including where it is applied mutatis mutandis pursuant to 26 (8));
- A person who fails to prepare and retain relevant records, in violation of Article 28-4 (2) (including where it is applied mutatis mutandis pursuant to Article 26 (8));
- A person who fails to establish or disclose, the Privacy Policy, in violation of Article 30 (1) or (2) (including where it is applied mutatis mutandis pursuant to Article 26 (8));
- A person who fails to designate a privacy officer, in violation of Article 31 (1) (including where it is applied mutatis mutandis pursuant to Article 26 (8));
- A person who fails to notify a data subject of the matters he or she is required to notify, in violation of Article 35 (3) and (4), 36 (2) and (4), or 37 (4) (including where it is applied mutatis mutandis pursuant to Article 26 (8));
- A person who fails to submit materials provided in Article 45 (1) without good cause or who submits false materials;
- A person who refuses, obstructs, or evades an entry, inspection, or access under Article 45 (2), without good cause.
(5) The Protection Commission shall impose and collect administrative fines under paragraphs (1) through (4), as prescribed by Presidential Decree. In such cases, the Protection Commission may reduce or exempt administrative fines based on the degree of, motives for, and consequences of the violation, the size of the personal information controller, etc.