(1) A personal information controller shall meet all of the following requirements when obtaining consent from a data subject to the processing of his or her personal information pursuant to Article 22 of the Act:
- The data subject shall be able to decide whether to give his or her consent based on his or her free will;
- Details requiring the consent of the data subject shall be specific and clear;
- The personal information controller shall use phrases that are easily readable and understandable for the relevant details;
- The personal information controller shall provide the data subject with the methods of clearly indicating whether to give consent.
(2) A personal information controller shall obtain consent from a data subject to the processing of his or her personal information pursuant to Article 22 of the Act by any of the following methods:
- To issue a document stating the matters requiring consent, either in person or by mail or facsimile, to the data subject, and obtain a written consent on which the data subject has affixed his or her signature or seal;
- To inform the data subject of the matters requiring consent, and confirm his or her intent of consent by telephone;
- To inform the data subject of the matters requiring consent by telephone, have the data subject confirm the matters requiring his or her consent posted on a designated website, etc.; and reconfirm his or her intent of consent by telephone;
- To post the matters requiring consent on a designated website, etc., and have the data subject express his or her consent thereto;
- To send an electronic mail containing the matters requiring consent to the data subject, and receiving an e-mail indicating his or her consent thereto;
- Other methods to inform the data subject of the matters requiring consent by a method similar to those referred to in subparagraphs 1 through 5 and confirm his or her intent of consent.
(3) “Important matters prescribed by Presidential Decree” in Article 22 (2) of the Act means the following:
- The fact that a data subject may be contacted to promote goods or services or solicit purchase thereof using the data subject’s personal information with respect to the purpose of collecting and using personal information;
- The following matters with respect to the particulars of personal information to be processed:
- (a) Sensitive information;
- (b) Passport numbers, driver’s license numbers, and alien registration numbers as set forth in subparagraphs 2 through 4 of Article 19;
- The period for retaining and using personal information (in the case of provision, meaning the period for retaining and using personal information by the recipient);
- The recipient of personal information and the purpose for which the recipient of the personal information uses such information.
(4) Where a personal information controller intends to obtain consent from a data subject under the subparagraphs of Article 22 (1) of the Act, he or she shall clearly indicate the fact that the data subject may choose whether to give consent.
(5) “Means prescribed by Presidential Decree” in the former part of Article 22 (3) of the Act means in writing, or by electronic mail, facsimile, telephone, or text message, or any other means equivalent thereto (hereinafter referred to as “in writing, etc.”).
(6) The head of a central administrative agency may establish the standards for appropriate methods of obtaining consent, out of the various methods of consent stated in paragraph (2), through the personal information protection guidelines under Article 12 (2) of the Act (hereinafter referred to as “personal information protection guidelines”), in consideration of the work of each personal information controller under his or her jurisdiction, the characteristics of their business, the number of data subjects, etc., and may encourage personal information controllers to obtain consent in accordance with such standards