The purpose of this Act is to protect the freedom and rights of individuals, and further, to realize the dignity and value of the individuals, by prescribing the processing and protection of personal information.
Chapter I (Art. 1 - 6) — General Provisions
The terms used in this Act are defined as follows:
- The term "personal information" means any of the following information relating to a living individual:
  - (a) Information that identifies a particular individual by his or her full name, resident registration number, pictures, etc.;
  - (b) Information which, even if it by itself does not uniquely identify an individual, may be easily combined with other information to uniquely identify an individual. In such cases, whether or not there is ease of combination shall be determined by reasonably considering the time, cost, technology, etc. used to identify the individual such as likelihood that the other information can be procured;
  - (c) Information under items (a) or (b) above that is pseudonymized in accordance with subparagraph 1-2 below and thereby becomes incapable of uniquely identifying an individual without the use or combination of information for restoration to the original state (hereinafter referred to as “pseudonymized information”);
- The term “processing” means the collection, generation, connecting, interlocking, recording, storage, retention, value-added processing, editing, searching, output, correction, recovery, use, provision, disclosure, and destruction of personal information and other similar activities;
- The term “data subject” means an individual who is identifiable through the information processed and is the subject of that information;
- The term “personal information file” means a set or sets of personal information arranged or organized in a systematic manner based on a certain rule for easy search of the personal information;
- The term “personal information controller” means a public institution, legal person, organization, individual, etc. that processes personal information directly or indirectly to operate the personal information files as part of its work;
- The term "public institution" means any of the following institutions:
  - (a) The administrative bodies of the National Assembly, the Courts, the Constitutional Court, and the National Election Commission; the central administrative agencies (including agencies under the Presidential Office and the Prime Minister’s Office) and their affiliated entities; and local governments;
  - (b) Other national agencies and public entities prescribed by Presidential Decree;
- The term "fixed visual data processing device" means a device prescribed by Presidential Decree, which is installed at a certain place to continuously or regularly take pictures of persons or things, etc. or transmit such pictures via a wired or wireless network;
7-2. The term "mobile visual data processing device" means a device prescribed by Presidential Decree, which a person can wear or carry or which can be attached to or mounted on a movable object to take pictures of persons or things, etc. or to transmit such pictures through a wired or wireless network;
- The term “scientific research” means research that applies scientific methods, such as technological development and demonstration, fundamental research, applied research and privately funded research.
(1) The personal information controller shall specify explicitly the purposes for which personal information is processed; and shall collect personal information lawfully and fairly to the minimum extent necessary for such purposes.
(2) The personal information controller shall process personal information in an appropriate manner necessary for the purposes for which the personal information is processed, and shall not use it beyond such purposes.
(3) The personal information controller shall ensure personal information is accurate, complete, and up to date to the extent necessary in relation to the purposes for which the personal information is processed.
(4) The personal information controller shall manage personal information safely according to the processing methods, types, etc. of personal information, taking into account the possibility of infringement on the data subject’s rights and the severity of the relevant risks.
(5) The personal information controller shall make public its Privacy Policy under Article 30 and other matters related to personal information processing, and shall guarantee the data subject’s rights, such as the right to request access to his or her personal information.
(6) The personal information controller shall process personal information in a manner to minimize the possibility of infringing the privacy of a data subject.
(7) If it is still possible to fulfill the purposes of collecting personal information by processing anonymized or pseudonymized personal information, the personal information controller shall endeavor to process personal information through anonymization, where anonymization is possible, or through pseudonymization, if it is impossible to fulfill the purposes of collecting personal information through anonymization.
(8) The personal information controller shall endeavor to obtain trust of data subjects by observing and performing such duties and responsibilities as provided for in this Act and other related statutes or regulations.
A data subject has the following rights in relation to the processing of his or her own personal information:
- The right to be informed of the processing of such personal information;
- The right to determine whether or not to consent and the scope of consent regarding the processing of such personal information;
- The right to confirm whether personal information is being processed and to request access (including the provision of copies; hereinafter the same applies) to and transmission of such personal information;
- The right to suspend the processing of, and to request correction, erasure, and destruction of such personal information;
- The right to appropriate redress for any damage arising out of the processing of such personal information through a prompt and fair procedure;
- The right to refuse to accept a decision made through a fully automated processing of personal information or to request an explanation thereof.
(1) The State and local governments shall formulate policies to prevent harmful consequences of beyond-purpose collection, abuse and misuse of personal information, indiscreet surveillance and tracking, etc. and to enhance the dignity of human beings and to ensure the protection of individual privacy.
(2) The State and local governments shall establish policy measures, such as improving statutes or regulations, necessary to protect the data subject's rights as provided in Article 4.
(3) The State and local governments shall formulate policies necessary for protecting the personal information of children under 14 years of age so that such children can clearly understand the effects of the processing of personal information and the rights of data subjects, etc.
(4) The State and local governments shall respect, promote, and support self-regulating data protection activities of personal information controllers to improve unreasonable social practices relating to the processing of personal information.
(5) When applying statutes or regulations or municipal ordinances regarding the processing of personal information, the State and local governments shall be in conformity with the principles of information protection to guarantee the rights of data subjects.
(1) Except as otherwise provided in other statutes, the processing and protection of personal information shall be governed by this Act.
(2) An enactment of other statutes or amendment to existing statutes regarding the processing and protection of personal information shall be made fit for the purpose and principles of this Act.