Chapter IV (Art. 29 - 34) — Safeguard of Personal Information
Every personal information controller shall take such technical, managerial, and physical measures as establishing an internal management plan and preserving access records, etc. that are necessary to ensure safety as prescribed by Presidential Decree so that the personal information may not be lost, stolen, divulged, forged, altered, or damaged.
(1) A personal information controller shall establish a personal information processing policy including the following matters (hereinafter referred to as "Privacy Policy"). In such cases, public institutions shall establish the Privacy Policy for the personal information files to be registered pursuant to Article 32:
- The purposes for which personal information is processed;
- The period for processing and retaining personal information;
- Provision of personal information to a third party (if applicable);
- 3-2. Procedures and methods for destroying personal information (if personal information shall be preserved according to the proviso of Article 21 (1), this shall include the basis of preservation and particulars of personal information to be preserved);
- 3-3. The possibility of disclosure of sensitive information and the method of selecting non-disclosure under Article 23 (3) (if applicable);
- Entrusting personal information processing (if applicable);
- 4-2. Matters relating to processing, etc. of pseudonymized information under Articles 28-2 and 28-3 (if applicable);
- The rights and obligations of data subjects and legal representatives, and how to exercise such rights;
- Contact information, such as the name of a privacy officer designated under Article 31 or the name, telephone number, etc. of the department which performs the work related to personal information protection and handles related grievances;
- Installation and operation of an automatic collection tool for personal information, including Internet access data files, and the denial thereof (if applicable);
- Other matters prescribed by Presidential Decree regarding the processing of personal information.
(2) Upon establishing or modifying the Privacy Policy, a personal information controller shall disclose the content so that data subjects may easily recognize it in such a way as prescribed by Presidential Decree.
(3) Where there exist discrepancies between the Privacy Policy and the agreement executed by and between the personal information controller and data subjects, the terms that are beneficial to the data subjects shall prevail.
(4) The Protection Commission may prepare the Privacy Policy Guidelines and encourage the personal information controllers to comply with such Guidelines.
(1) The Protection Commission shall evaluate the following with respect to the Privacy Policy and may recommend that the relevant personal information controller improve the policy pursuant to Article 61 (2), if it is deemed necessary to improve the policy based on the evaluation results:
- Whether the matters that shall be included in the Privacy Policy pursuant to this Act are appropriately determined;
- Whether the Privacy Policy has been prepared in an easily understandable manner;
- Whether the Privacy Policy is disclosed in such a way that the data subject can easily confirm.
(2) Matters necessary for those subject to the evaluation of the Privacy Policy, criteria and procedures therefor, etc. shall be prescribed by Presidential Decree.
(1) A personal information controller shall designate a privacy officer who shall have general supervision and control of the work regarding personal information processing: Provided, That a personal information controller whose number of employees, turnover, etc. meet the criteria prescribed by Presidential Decree need not designate a privacy officer.
(2) Where a privacy officer is not designated under the proviso of paragraph (1), the business owner or representative of the personal information controller shall become the privacy officer.
(3) A privacy officer shall perform the following work:
- To establish and implement a personal information protection plan;
- To conduct a regular survey of the status and practices of personal information processing, and to improve shortcomings;
- To handle grievances and remedial compensation in relation to personal information processing;
- To build the internal control system to prevent the divulgence, abuse, and misuse of personal information;
- To prepare and implement an education program about personal information protection;
- To protect, control, and manage the personal information files;
- Other work prescribed by Presidential Decree for the appropriate processing of personal information.
(4) In performing the work provided in the subparagraphs of paragraph (3), a privacy officer may occasionally inspect the current status of personal information processing, processing systems, etc. if necessary, and may request a report thereon from the relevant parties.
(5) Where a privacy officer becomes aware of any violation of this Act or other relevant statutes or regulations in relation to the protection of personal information, he or she shall take corrective measures immediately, and shall report such corrective measures to the head of the institution or organization to which he or she belongs, if necessary.
(6) A personal information controller shall not allow the privacy officer to give or be subject to disadvantages without good cause while performing the affairs provided in the subparagraphs of paragraph (3), and shall guarantee the independent performance of work by the privacy officer.
(7) A personal information controller may organize and operate a council of privacy officers comprised of the privacy officers provided in paragraph (1) so as to safely process and protect personal information, exchange information, and conduct other joint projects prescribed by Presidential Decree.
(8) The Protection Commission may provide support necessary for the activities of the council of privacy officers under paragraph (7).
(9) Matters necessary for the qualification requirements for a privacy officer under paragraph (1), the work under paragraph (3), the guarantee of independence under paragraph (6), and other relevant matters, shall be prescribed by Presidential Decree, taking into consideration sales, the scale of personal information retained, etc.
(1) A personal information controller with no address or place of business in the Republic of Korea who is prescribed by Presidential Decree in consideration of the sales, the scale of personal information retained, and other factors shall designate a person who acts as an agent for the following (hereinafter referred to as "domestic agent"). In such cases, the domestic agent shall be designated in writing:
- Work of a privacy officer under Article 31 (3);
- Notification and reporting of the personal data under Article 34 (1) and (3);
- Submission of materials such as articles and documents under Article 63 (1).
(2) A domestic agent shall have an address or business office in Korea.
(3) The personal information controller shall include the following in the Privacy Policy if he or she designates a domestic agent pursuant to paragraph (1):
- Name of the domestic agent (in cases of a corporation, referring to its name and the name of its representative);
- Address (in cases of a corporation, referring to the location of a business office), telephone number, and e-mail address of the domestic agent.
(4) If a domestic agent violates this Act in relation to the subparagraphs of paragraph (1), the personal information controller shall be deemed to have committed such a violation.
[Moved from Article 39-11]
(1) Upon operating personal information files, the head of a public institution shall register the following matters with the Protection Commission. The same shall also apply where the registered matters are modified:
- The titles of the personal information files;
- The grounds and purposes for the operation of the personal information files;
- Particulars of personal information that are recorded in the personal information files;
- The method of processing personal information;
- The period for retaining personal information;
- The recipient of personal information, if it is provided routinely or repetitively;
- Other matters prescribed by Presidential Decree.
(2) Paragraph (1) shall not apply to any of the following personal information files:
- Personal information files that record national security, diplomatic secrets, and other matters relating to grave national interests;
- Personal information files that record the investigation of crimes, institution and maintenance of a prosecution, punishment, and probation and custody, corrective orders, protective orders, security observation orders, and immigration;
- Personal information files that record the investigations of violations of the Punishment of Tax Offenses Act and the Customs Act;
- Personal information files prescribed by Presidential Decree, which are recognized as having little need for continuous management, such as ephemeral files;
- Classified personal information files pursuant to other statutes or regulations.
(3) The Protection Commission may, if necessary, review where personal information files are registered and the content thereof under paragraph (1), and may recommend that the head of a relevant public institution make improvements.
(4) If necessary to guarantee the rights of data subjects, the Protection Commission shall make public the status of registered personal information files under paragraph (1) so that anyone may access them with ease.
(5) Matters necessary for the registration referred to in paragraph (1), the method, scope, and procedure of public disclosure referred to in paragraph (4), shall be prescribed by Presidential Decree.
(6) The registration and public disclosure of the personal information files retained by the National Assembly, the Court, the Constitutional Court and the National Election Commission (including their affiliated entities) shall be prescribed by the National Assembly Regulations, the Supreme Court Regulations, the Constitutional Court Regulations, and the National Election Commission Regulations.
(1) The Protection Commission may certify whether the data processing and other data protection-related action of a personal information controller abide by this Act, etc.
(2) The certification provided for in paragraph (1) shall be effective for three years.
(3) In any of the following cases, the Protection Commission may revoke the certification granted under paragraph (1), as prescribed by Presidential Decree: Provided, That it shall be revoked in cases falling under subparagraph 1:
- Where personal information protection has been certified by fraud or other improper means;
- Where follow-up management provided for in paragraph (4) has been denied or obstructed;
- Where the certification criteria provided for in paragraph (8) have not been satisfied;
- Where personal information protection-related statutes or regulations are breached, and the grounds for the violation are material.
(4) The Protection Commission shall conduct follow-up management at least once annually to maintain the effectiveness of the certification of personal information protection.
(5) The Protection Commission may authorize the specialized institutions prescribed by Presidential Decree to perform the work related to certification under paragraph (1), revocation of certification under paragraph (3), follow-up management under paragraph (4), and management of certification examiners under paragraph (7).
(6) Any person who has obtained certification under paragraph (1) may indicate or promote the details of the certification, as prescribed by Presidential Decree.
(7) Qualifications of certification examiners who conduct the certification examination subject to paragraph (1), criteria for disqualification, and other related matters shall be prescribed by Presidential Decree, taking into account specialty, career, and other necessary matters.
(8) Other matters necessary for the certification criteria, method, procedure, etc. subject to paragraph (1), including whether the personal information management system, guarantee of data subjects’ rights, and measures to ensure safety are based on this Act, shall be prescribed by Presidential Decree.
(1) Where there is a risk of a personal information breach of data subjects due to the operation of personal information files meeting the criteria prescribed by Presidential Decree, the head of a public institution shall conduct an assessment to analyze risk factors and to improve them (hereinafter referred to as “privacy impact assessment”), and submit the results thereof to the Protection Commission.
(2) The Protection Commission may designate a person who satisfies the requirements prescribed by Presidential Decree such as human resources and facilities as an institution that performs a privacy impact assessment (hereinafter referred to as "assessment institution"), and the head of a public institution shall request the assessment institution to conduct the privacy impact assessment.
(3) Privacy impact assessments shall take into account the following:
- The number of personal information being processed;
- Whether the personal information is provided to a third party;
- The probability to violate the rights of the data subjects and the degree of risks;
- Other matters prescribed by Presidential Decree.
(4) The Protection Commission may provide its opinion on the privacy impact assessment results submitted under paragraph (1).
(5) The head of a public institution shall register the personal information files in accordance with Article 32 (1), for which the privacy impact assessment has been conducted pursuant to paragraph (1), with the results of the privacy impact assessment attached thereto.
(6) The Protection Commission shall take necessary measures, such as fostering relevant specialists, and developing and disseminating criteria for the privacy impact assessment, to promote the privacy impact assessment.
(7) The Protection Commission may revoke the designation of an assessment institution that has obtained designation under paragraph (2) in any of the following cases: Provided, That it shall revoke the designation in cases falling under subparagraph 1 or 2:
- Where the designated assessment institution has obtained its designation by fraud or other improper means;
- Where the designated assessment institution wants revocation of such designation or has closed its business;
- Where the designated assessment institution ceases to meet the requirements for designation provided in paragraph (2);
- Where the designated assessment institution has poorly performed its work either by intention or gross negligence, and is deemed incapable of duly performing its affairs;
- Other cases that fall under any ground prescribed by Presidential Decree.
(8) Where the Protection Commission revokes designation pursuant to paragraph (7), it shall hold a hearing in accordance with the Administrative Procedures Act.
(9) Matters necessary for the criteria, methods, procedures, etc. for privacy impact assessments under paragraph (1) shall be prescribed by Presidential Decree.
(10) Matters regarding the privacy impact assessment conducted by the National Assembly, the Court, the Constitutional Court and the National Election Commission (including their affiliated entities) shall be prescribed by the National Assembly Regulations, the Supreme Court Regulations, the Constitutional Court Regulations, and the National Election Commission Regulations.
(11) A personal information controller other than public institutions shall proactively endeavor to conduct a privacy impact assessment, if there is a risk of a personal information breach of data subjects in operating the personal information files.
(1) A personal information controller shall notify data subjects of the following matters without delay when the personal information controller becomes aware of loss, theft, or divulgence (hereafter in this Article referred to as "divulgence, etc.") of personal information: Provided, That if the contact information of the data subject is unknown or if any other good cause exists, a measure may be taken in lieu of giving notice, as prescribed by Presidential Decree:
- Particulars of divulgence, etc. of personal information;
- When and how divulgence, etc. of personal information is made;
- Any information about how the data subjects can minimize the risk of damage from divulgence, etc.;
- Countermeasures taken by the personal information controller and remedial procedure;
- Help desk and contact points for the data subjects to report damage.
(2) A personal information controller shall prepare countermeasures to minimize the risk of damage in the case of divulgence, etc. of personal information and take necessary measures.
(3) Upon becoming aware of divulgence, etc. of personal information, the personal information controller shall, without delay, file a report with the Protection Commission or a specialized institution designated by Presidential Decree with respect to the matters provided in the subparagraphs of paragraph (1), as prescribed by Presidential Decree in consideration of the types of personal information, the process and scale of divulgence, etc., and other factors. In such cases, the Protection Commission and the specialized institution designated by Presidential Decree may provide technical assistance for the prevention of the spread of damage, recovery from damage, and other purposes.
(4) Matters necessary for notifying divulgence, etc. under paragraph (1) and timing, methods, and procedures for reporting breach, etc. under paragraph (3) shall be prescribed by Presidential Decree.
(1) A personal information processor shall make sure to prevent personal information such as personally identifiable information, account information, and credit card information from being exposed to the public through information and communications networks.
(2) With respect to personal information exposed to the public, if requested by the Protection Commission or a specialized institution designated by Presidential Decree, the personal information controller shall take necessary measures such as erasing or blocking the relevant information.