(1) The Protection Commission may impose a penalty surcharge on the relevant personal information controller within the scope not exceeding 3/100 of the total sales, in any of the following cases: Provided, That a penalty surcharge not exceeding two billion won may be imposed in cases prescribed by Presidential Decree where no sales have been made or where it is impracticable to calculate the sales:
- Where the personal information controller processes personal information, in violation of Article 15 (1), 17 (1), 18 (1) and (2) (including where it is applied mutatis mutandis pursuant to Article 26 (8)), or 19;
- Where the personal information controller processes personal information of a child under 14 years of age without his or her legal representative’s consent, in violation of Article 22-2 (1) (including where it is applied mutatis mutandis pursuant to Article 26 (8));
- Where the personal information controller processes sensitive information without the data subject’s consent, in violation of Article 23 (1) 1 (including where it is applied mutatis mutandis pursuant to Article 26 (8));
- Where the personal information controller processes personally identifiable information or resident registration numbers, in violation of Articles 24 (1) and 24-2 (1) (including where it is applied mutatis mutandis pursuant to Article 26 (8));
- Where the personal information controller neglects its management, supervision, or education under Article 26 (4), thereby causing the person entrusted to violate this Act;
- Where the personal information controller processes information to uniquely identify an individual (including where it is applied mutatis mutandis pursuant to Article 26 (8)) in violation of Article 28-5 (1);
- Where the personal information controller makes cross-border transfers of personal information, in violation of Article 28-8 (1) (including where it is applied mutatis mutandis pursuant to Articles 26 (8) and 28-11);
- Where the personal information controller fails to comply with an order to suspend a cross-border transfer, in violation of Article 28-9 (1) (including where it is applied mutatis mutandis pursuant to Articles 26 (8) and 28-11);
- Where the personal information processed by the personal information controller is lost, stolen, divulged, forged, altered, or damaged: Provided, That this shall not apply where a personal information controller has taken all measures necessary to ensure safety under Article 29 (including where it is applied mutatis mutandis pursuant to Article 26 (8)) to prevent personal information from being lost, stolen, divulged, forged, altered, or damaged.
(2) Where the Protection Commission intends to impose a penalty surcharge under paragraph (1), it shall calculate the penalty surcharge based on the gross sales net of the sales unrelated to the violation.
(3) Where the Protection Commission intends to impose a penalty surcharge pursuant to paragraph (1), it may calculate the sales based on the gross sales of the personal information controller if the personal information controller refuses to submit sales calculation data or submits false data without good cause: Provided, That it may presume sales based on the scale of personal information retained, accounting data such as financial statements, prices of products and services, and other data regarding the business state of a personal information controller with a size similar to that of the relevant personal information controller.
(4) The Protection Commission shall, where it imposes a penalty surcharge under paragraph (1), take into account the following matters to ensure that the penalty surcharge shall be proportional to the violation and be effective in preventing breach:
- The details and degree of a violation;
- The duration and frequency of violations;
- The scale of profits derived from a violation;
- Efforts to take measures to ensure safety, such as encryption;
- Where the personal information is lost, stolen, divulged, forged, altered, or damaged, the relation to the violation and the scale of loss, theft, divulgence, forgery, alteration, or damage;
- Whether measures for recovering from damage and preventing the spread of damage have been taken;
- The type and volume of work of the personal information controller;
- The types of personal information processed by a personal information controller and the impact on data subjects;
- The amount of damage caused by the violation;
- Efforts for the protection of personal information, including the certification of personal information protection and autonomous protection activities;
- Whether measures have been taken to rectify violations, including cooperation with the Protection Commission.
(5) The Protection Commission need not impose a penalty surcharge in any of the following cases:
- Where the person subject to the penalty surcharge is objectively deemed unable to pay the penalty surcharge due to insolvency, suspension of payment, capital impairment, etc.;
- Where there is good cause for the person subject to the penalty surcharge to mistakenly believe that his or her conduct is not illegal;
- Where the details and degree of the violation are minor or where the assessed penalty surcharge is small;
- Where any ground prescribed by Presidential Decree exists, on which the data subject has suffered no or minor damage.
(6) Penalty surcharges under paragraph (1) shall be calculated in consideration of paragraphs (2) through (5), but the detailed calculation criteria and procedures shall be prescribed by Presidential Decree.
(7) If the person subject to the penalty surcharge under paragraph (1) fails to pay it by the payment deadline, the Protection Commission shall collect the additional charge equivalent to 6/100 per annum of the unpaid penalty surcharge from the date following the payment deadline. In such cases, the period for collecting the additional charge shall not exceed 60 months.
(8) Where a person liable to pay a penalty surcharge under paragraph (1) fails to pay it by the payment deadline, the Protection Commission shall demand payment thereof within a specified period; and where the penalty surcharges and additional charges under paragraph (7) are not paid within the specified period, the Protection Commission shall collect such penalty surcharges in the same manner as national taxes are compulsorily collected.
(9) When the penalty surcharges imposed according to paragraph (1) are refunded for such reasons as a court’s decision, the Protection Commission shall make an additional refund in an amount calculated based on the interest rate prescribed by Presidential Decree in consideration of the deposit interest rates of financial companies, etc., for the period beginning on the date of payment of penalty surcharges and ending on the date of the refund.
(10) Notwithstanding paragraph (9), when a disposition to impose penalty surcharges is revoked due to a court’s decision and new penalty surcharges are imposed based on the reasoning of the decision, additional refunds shall be calculated and paid only with respect to the amount that remains after the newly imposed penalty surcharges are deducted from the penalty surcharges already paid.